--- Day changed Sat Jan 01 2011
01:27 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
02:23 -!- linze [~linze@546B9DC8.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
02:26 < linze> have a healthy new year
02:26 < linze> all of you of course
02:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:50 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
02:50 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
02:55 -!- LowKey [rhel@unaffiliated/lowkey] has left #openvpn []
03:07 -!- gallatin [~gallatin@dslb-094-220-127-133.pools.arcor-ip.net] has joined #openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
03:49 -!- master_of_master [~master_of@p57B56EC1.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
03:51 -!- master_of_master [~master_of@p57B53150.dip.t-dialin.net] has joined #openvpn
03:53 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
04:36 -!- common- [~common@p5DDA4282.dip0.t-ipconnect.de] has joined #openvpn
04:39 -!- common [~common@p5DDA49B5.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
04:39 -!- common- is now known as common
04:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
05:04 < reiffert> http://mirror.netcologne.de/CCC/27C3/mp4-h264-HQ/4245-en-adventures_in_analyzing_stuxnet.mp4
05:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
05:06 < hyper_ch> hi reiffert
05:43 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
05:48 -!- gallatin [~gallatin@dslb-094-220-127-133.pools.arcor-ip.net] has quit [Quit: Client exiting]
06:09 -!- linze [~linze@546B9DC8.cm-12-4c.dynamic.ziggo.nl] has quit [Quit: tot kijk]
07:15 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
07:25 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
07:25 -!- mode/#openvpn [+o mattock] by ChanServ
08:53 -!- p3rror [~mezgani@41.140.182.165] has joined #openvpn
09:10 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
09:35 -!- seekwill [~wfong@pdpc/supporter/professional/will] has quit [Ping timeout: 246 seconds]
09:37 -!- s7r [~s7r@66.90.75.126] has joined #openvpn
09:50 -!- pa [~pa@host129-21-dynamic.61-82-r.retail.telecomitalia.it] has joined #openvpn
09:50 -!- pa [~pa@host129-21-dynamic.61-82-r.retail.telecomitalia.it] has quit [Changing host]
09:50 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
10:11 -!- albech [~thomas@119.42.78.92] has quit [Quit: Ex-Chat]
10:15 -!- seekwill [~wfong@pdpc/supporter/professional/will] has joined #openvpn
10:22 -!- p3rror [~mezgani@41.140.182.165] has quit [Read error: Connection reset by peer]
10:28 -!- seekwill [~wfong@pdpc/supporter/professional/will] has quit [Ping timeout: 240 seconds]
10:55 -!- seekwill [~wfong@pdpc/supporter/professional/will] has joined #openvpn
10:57 -!- seekwill [~wfong@pdpc/supporter/professional/will] has quit [Read error: Operation timed out]
11:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
11:10 -!- seekwill [~wfong@c-76-121-185-117.hsd1.wa.comcast.net] has joined #openvpn
11:10 -!- seekwill [~wfong@c-76-121-185-117.hsd1.wa.comcast.net] has quit [Changing host]
11:10 -!- seekwill [~wfong@pdpc/supporter/professional/will] has joined #openvpn
11:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
11:20 -!- seekwill [~wfong@pdpc/supporter/professional/will] has quit [Ping timeout: 272 seconds]
11:20 -!- seekwill [~wfong@c-76-121-185-117.hsd1.wa.comcast.net] has joined #openvpn
11:20 -!- seekwill [~wfong@c-76-121-185-117.hsd1.wa.comcast.net] has quit [Changing host]
11:20 -!- seekwill [~wfong@pdpc/supporter/professional/will] has joined #openvpn
11:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
11:33 -!- p3rror [~mezgani@41.140.156.236] has joined #openvpn
11:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
11:49 -!- p3rror [~mezgani@41.140.156.236] has quit [Ping timeout: 240 seconds]
11:56 -!- linze [~linze@546B9DC8.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
11:57 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:42 -!- p3rror [~mezgani@41.140.170.36] has joined #openvpn
12:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
12:49 -!- Some_Person [~Sam@unaffiliated/someperson/x-249303] has joined #openvpn
12:50 < Some_Person> Besides disconnecting/reconnecting, is there any way to quickly shut off and turn on the OpenVPN connection on a Windows PC? (hopefully via command line)
12:56 < Some_Person> Is anybody here?
12:56 * qermit is here
12:57 < Some_Person> In case I wasn't clear, I want to be able to leave the OpenVPN client connected to the server, but disable/enable its routing on the PC
12:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:58 < qermit> Some_Person: uno momento :)
13:01 < Some_Person> thanks
13:03 < qermit> i think you can write some script (in VBS or sth like that)
13:04 < qermit> just drop routes
13:06 < Some_Person> How?
13:08 < Some_Person> Sorry, but I'm really a newbie with OpenVPN and network stuff. How do I accomplish this?
13:08 < qermit> i use route command
13:11 < qermit> http://www.bigresource.com/VB-Detect-route-table-change-GKCP3tuY3H.html
13:11 <@vpnHelper> Title: Visual Basic :: Detect Route Table Change (at www.bigresource.com)
13:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
13:42 -!- Some_Person [~Sam@unaffiliated/someperson/x-249303] has quit [Quit: Leaving]
13:44 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
13:44 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
13:44 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
13:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
13:57 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
13:58 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
14:18 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has quit [Ping timeout: 255 seconds]
14:26 -!- krzee [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
14:26 -!- linze [~linze@546B9DC8.cm-12-4c.dynamic.ziggo.nl] has quit [Quit: tot kijk]
14:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
14:43 -!- Rolybrau [~Rolybrau@207-167.79-83.cust.bluewin.ch] has joined #openvpn
14:43 -!- Rolybrau [~Rolybrau@207-167.79-83.cust.bluewin.ch] has quit [Changing host]
14:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:03 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
15:04 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
15:12 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
15:12 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
15:12 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
15:15 -!- p3rror [~mezgani@41.140.170.36] has quit [Read error: Connection reset by peer]
15:25 <@vpnHelper> RSS Update - forum: Ubuntu 10.4 configuration
15:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
15:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:51 -!- maxJadi [~maxJadi@cust-95-80-31-205.csbnet.se] has joined #openvpn
16:05 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 276 seconds]
16:18 -!- p3rror [~mezgani@41.140.100.35] has joined #openvpn
16:19 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
16:42 -!- p3rror [~mezgani@41.140.100.35] has quit [Ping timeout: 240 seconds]
16:56 -!- maxJadi [~maxJadi@cust-95-80-31-205.csbnet.se] has quit [Ping timeout: 264 seconds]
16:56 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
17:20 -!- boswarrior [~mrnice@84.115.26.221] has quit [Quit: Ex-Chat]
17:21 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
18:21 -!- s7r [~s7r@66.90.75.126] has left #openvpn []
18:48 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
19:59 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
19:59 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
19:59 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
20:02 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:06 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
20:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
20:11 -!- n0de_ [~n0de@ns301443.ovh.net] has joined #openvpn
20:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
20:21 -!- n0de_ [~n0de@ns301443.ovh.net] has quit [Quit: n0de_]
20:44 -!- ashes [~ashes@modemcable247.172-202-24.mc.videotron.ca] has joined #openvpn
20:44 < ashes> hello
20:46 < ashes> i'm trying to setup openvpn over ad-hoc wifi. my two systems can communicate when openvpn is not running, but not when it is running. the openvpn log doesn't seem to log anything
20:47 < ashes> i get host unreachable when i try to ping
20:47 < ashes> linux to linux
20:51 < ashes> no iptables
20:58 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Read error: Connection reset by peer]
20:58 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
21:09 -!- chuckf [~chuckf@ubuntu/member/chuckf] has joined #openvpn
21:09 < chuckf> !welcome
21:09 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:10 < chuckf> !route
21:10 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:10 < chuckf> !goal
21:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:27 -!- CheBuzz_Home [~CheBuzz_H@72-57-90-84.pools.spcsdns.net] has joined #openvpn
21:30 < CheBuzz_Home> I have OpenVPN running in routed configuration. I want to route traffic between two clients, 10.1.0.6 with ptp of 10.1.0.5 and 10.1.0.14 with ptp 10.1.0.13. I have setup routing on the two local networks to send all traffic through the VPN, but I don't see how to setup routing on the server to allow the two to talk. Any help?
21:31 < CheBuzz_Home> Local net 1: 192.168.2.0/24 I used route add -net 192.168.3.0/24 gw 10.1.0.5
21:31 < CheBuzz_Home> Local net 2: 192.168.3.0/24 I used route add -net 192.168.2.0/24 gw 10.1.0.13
21:34 -!- chuckf [~chuckf@ubuntu/member/chuckf] has quit [Ping timeout: 272 seconds]
21:54 < CheBuzz_Home> Nevermind, found the answer here: http://openvpn.net/index.php/open-source/documentation/howto.html#scope
21:54 <@vpnHelper> Title: HOWTO (at openvpn.net)
22:02 -!- chuckf [~chuckf@ubuntu/member/chuckf] has joined #openvpn
22:15 < krzee> also
22:15 < krzee> !c2c
22:15 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other
22:15 <@vpnHelper> clients
22:23 -!- atan [~atan@unaffiliated/atan] has left #openvpn ["null"]
22:33 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:40 < krzee> ohh the local nets
22:40 < krzee> see my routing document
22:40 < krzee> !route
22:40 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:41 < krzee> even if you already solved it, you may enjoy that read
22:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
22:56 < CheBuzz_Home> krzee: Thanks! Will definitely read over it, even though I did already solve it.
22:57 < CheBuzz_Home> What I don't understand is what the iroute command does.
22:57 < krzee> its explained there ;)
22:57 < krzee> but the cliffs notes version:
22:57 < krzee> !iroute
22:57 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
22:58 < CheBuzz_Home> Ah, so it adjusts internal routing with the openvpn process.
22:59 < krzee> exactly
22:59 < krzee> any time there is a foreign subnet behind the client which communicates over the vpn, you need iroute
22:59 < CheBuzz_Home> So technically I wouldn't even need the route command, if I didn't want the server to be able to talk to the LANs.
23:00 < krzee> correct, but youd still need iroute and push routes in order for the clients to still be able to
23:00 < krzee> and youd need client-to-client
23:00 < CheBuzz_Home> Right. That makes sense.
23:00 < krzee> thats the piece of magic that would make that work
23:01 < krzee> because with that option, the routing takes place within openvpn
23:01 < krzee> !c2c
23:01 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other
23:01 <@vpnHelper> clients
23:01 < krzee> without it, the servers routing table would come into play
23:05 -!- roue [~roue@75-134-143-252.dhcp.roch.mn.charter.com] has joined #openvpn
23:05 < roue> hola
23:05 < krzee> buenas
23:07 < krzee> if you speak english, that's the preferred language here
23:09 < roue> I'm trying to run an openvpn client on my holiday-acquired Chumby (Insignia 8" Infocast). I already have an openvpn server (2.1_rc11, packaged with Debian 5) running fine and clients connect with no problem. For the chumby I needed to build the tun.ko kernel module (which seems to load properly), and cross compiled liblzo, openssl, and openvpn 2.1.4 without serious issue. I've generated keys and can start up the client and everythin
23:09 < roue> g seems to negotiate properly, but then once the connection is established I can't ping anything from the chumby or access anything on my internal network that the vpn permits access to from other clients. The configuration is identical to my debian 5 laptop (except for new private key and cert), so I'm not sure what's going on.
23:09 < roue> When connecting the chumby reports that the initialization sequence completed, but a few minutes later I get an inactivity timeout and everything shuts down.
23:10 < roue> hola is the only Spanish I know. :)
23:10 < krzee> lol
23:11 < krzee> ill reply as i read...
23:11 < krzee> a) update your server
23:11 < krzee> what OS is a chumby?
23:11 < krzee> post logfile with verb 5 from the chumby
23:12 < krzee> i would venture to guess that its having issues adding the routes or something
23:14 < roue> the chumby runs linux (it's an arm cpu, 800mhz, 128m ram, basically a souped up digital picture frame). I can upgrade the server, but running the distro packaged version lets me be lazy. Course, lazy doesn't help if it doesn't work :) I do see routes in place after the connection starts up (and before the timeout) and they look correct. I'll try the verbose logging.
23:15 < krzee> in case chumby doesnt log with syslog (common on embedded devices with low storage)
23:15 < krzee> !logfile
23:15 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
23:16 < krzee> rc11 certainly has bugs
23:16 < krzee> it was only an rc for a reason ;)
23:17 < krzee> try to hurry
23:17 < krzee> to you have til the end of the fight before im going home
23:17 < roue> ha.
23:17 < roue> what fight?
23:17 < krzee> sitting around the office with beer watching the UFC fights
23:17 < roue> ahh.
23:17 < krzee> only place i found that got the fight, lol
23:18 < roue> who has you working on new year's day?
23:18 < roue> or, I guess you're not working ...
23:18 < krzee> lol i worked christmas
23:18 < roue> geeze.
23:18 < krzee> networks dont stop for holidays
23:18 < roue> depends on which networks :)
23:18 < krzee> ;]
23:19 < krzee> but the fatty xmas bonus takes away any complaints
23:21 < roue> ah, then you must work somewhere more serious than I do.
23:21 < krzee> plus the owner never harasses when i say "if we buy *this* i can do some serious shit with it, it will be good for us"
23:21 < krzee> hes more like "do you need 2?"
23:21 < krzee> heh
23:21 < roue> mind if I ask where you work?
23:22 < krzee> i guarantee you wouldnt have heard of it
23:23 < roue> secret military skunkworks, then, eh?
23:23 < krzee> heh
23:23 < krzee> im not even in usa
23:23 < roue> Lots of people have a military.
23:23 < krzee> ok you caught me, i run networks for the kgb ;)
23:24 < krzee> its round 4 out of 5... should be getting that logfile
23:28 < roue> the extended log file isn't showing squat different. There's a line of "WWrWrWrWrWRWrWrWrWr... and then the timeout happens just as I saw before. route shows the internal network address listed with tun0 as the Iface and my default gateway looks right.
23:28 < roue> here's the log http://pastebin.ca/2036392
23:29 < roue> the output from route is at the bottom.
23:30 < roue> network topology is (internet)<--> linux router running deb 5 openvpn server <--> netgear wireless router <--> chumby where the chumby gets its 192.168.x.x ip from the netgear.
23:31 < roue> and the internal network that the vpn normally provides access to is 10.0.1.0/24, and the vpn is 10.0.2.0/24
23:31 < krzee> the chumby cant ping ITS OWN vpn ip?
23:32 < roue> it can.
23:32 < roue> that's the 10.0.2.13
23:32 < krzee> nope
23:32 < roue> 10.0.2.14 is the server endpoint (I think)
23:32 < krzee> !/30
23:32 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
23:32 < krzee> .13 is internal to openvpn, part of the net30 topology
23:33 < roue> I've probably been doing this wrong all along.
23:34 < roue> I'm using /etc/openvpn/ccd files to configure each client manually.
23:34 < roue> mostly they say "ifconfig-push 10.0.2.2 10.0.2.3" where I thought 10.0.2.2 was the ip address that the client had assigned to tun0
23:35 < krzee> !static
23:35 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder
23:35 < krzee> i think you found your problem =]
23:36 < krzee> wow they called the fight a draw
23:36 < krzee> such BS
23:36 < krzee> maynard won that fight
23:36 < roue> so it only stopped working because I hit some magic number?
23:36 < roue> not sure I follow, yet. But I'll read the docs you outlined.
23:36 < krzee> do you have anything special setup with firewalling where certain clients get special access?
23:37 < roue> no
23:37 < krzee> if not, consider using topology subnet (assuming ALL endpoints use 2.1+)
23:37 < roue> that would dynamically assign ip addresses?
23:37 < krzee> then you get to forget about all the net30 specific crap
23:37 < krzee> you could still assign via ccd
23:37 < krzee> "example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0"
23:38 < krzee> (from above factoid)
23:38 < krzee> !topology
23:38 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
23:38 < ashes> when i use tap openvpn, and ping, work. when i use tun, there is no route. what am i doing wrong?
23:38 < krzee> net30 only exists because of some windows lamesauce that prevented them from doing it this way from the start, until they came up with a way to do it (which is outlined in the above mail post)
23:39 < krzee> ashes,
23:39 < krzee> !configs
23:39 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
23:39 < krzee> i will be online from krzie in a bit
23:39 < krzee> for now, ill bbiaf =]
23:39 < krzee> feel free to pastebin them now, show me when i get back
23:41 < roue> thanks for your help.
23:43 < ashes> http://pastebin.com/XyZNNp63
23:45 -!- seekwill [~wfong@pdpc/supporter/professional/will] has quit [Quit: Leaving]
23:46 < ashes> i haven't seen an example client config for linux. it's always windows
23:48 < CheBuzz_Home> krzee: So by default ifconfig-pool-linear will be used in later releases?
23:51 < krzee> ok i didnt leave yet... so ill answer stuff then go
23:51 < krzee> roue, np =]
23:51 < krzee> ashes,
23:51 < krzee> try commenting ifconfig-pool-persist ipp.txt when you go to tun
23:52 < krzee> OR try adding topology subnet
23:52 < krzee> regarding having not seen sample configs outside of windows
23:52 < krzee> !sample
23:52 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
23:53 < krzee> CheBuzz_Home, not quite, topology subnet is said to be on the table for future default settings... but i cant confirm that is true (i should ask that in a dev meeting sometime)
23:53 < krzee> topology subnet and ifconfig-pool-linear are similar, but different ;)
23:53 < krzee> now, bbiaf, headed home
23:54 < ashes> krzee: i commented it out, and no change
23:55 < ashes> the client/server can ping each other, until i run openvpn server with tun, then the ping has no route. stop the openvpn server and ping works again
23:55 < ashes> with tap everything is fine too
23:58 -!- ashes [~ashes@modemcable247.172-202-24.mc.videotron.ca] has quit [Read error: Connection reset by peer]
--- Day changed Sun Jan 02 2011
00:00 -!- ashes [~ashes@modemcable247.172-202-24.mc.videotron.ca] has joined #openvpn
00:07 < CheBuzz_Home> Add topology subnet, does ifconfig-pool-persist no longer have effect with that?
00:09 < ashes> i'm not even sure which device i should use, tun or tap. for the moment i want to use openvpn to authenticate wifi clients, and encrypt wifi traffic, from within my home, to secure my network from my neighbours and people in the coffee shop downstairs, using NAT. later, i want to tunnel from a remote coffee shop's wifi to my house, as a wide area default gateway, so that again my network traffic coming in an out of my laptop is encry
00:11 < ashes> within my home i think tun is the right device, because it's just routing, but from a remote location i might need a bridge
00:15 < ashes> in either case, i think my client can behave the same way. get an ip from a dhcp server, connect to the openvpn server's external ip, and get NAT from there
00:20 -!- me345 [~me345@adsl-75-15-250-79.dsl.bkfd14.sbcglobal.net] has joined #openvpn
00:25 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
00:35 < krzie> werd
00:35 < krzie> im back
01:36 -!- Andy253 [~andrew@00022a00c408.click-network.com] has joined #openvpn
01:37 < Andy253> Hello, I would like to finish setting up my VPN, such that when I access the server, I can access any resource the server can (Not bridged, but NAT), how would I go about doing this?
02:00 < CheBuzz_Home> krzie: Add topology subnet, does ifconfig-pool-persist no longer have effect with that?
02:01 < krzie> reiffert, you're right, dialog is awesome
02:01 < krzie> CheBuzz_Home, its not that... its that by default tap will give ips like .2 .3 .4 and so will tun with topology subnet
02:01 < krzie> tun by default will only be able to use .6 .10 .14 etc
02:02 < krzie> !ipp
02:02 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
02:02 < krzie> your openvpn may be suggesting bad ips
02:02 < krzie> its worth checking
02:02 < CheBuzz_Home> Ok, I moved the old file to ipp.txt.old
02:02 < CheBuzz_Home> I wonder if it might still be picking that up?
02:03 < krzie> shouldnt
02:03 < krzie> (no)
02:03 < krzie> and you stopped and started the server process after, right?
02:04 < CheBuzz_Home> Correct.
02:06 < krzie> i cant scroll up, can you paste the logs and configs (without comments) on pastebin
02:11 < ashes> when my openvpn server (10.17.103.1) starts, when comparing the output of tap and tun, using tun adds this "/sbin/ip route add 10.17.103.0/24 via 10.17.103.2". my client is "10.17.103.2". could this be why ping stops working when i use tun ?
02:13 < krzie> nope
02:13 < krzie> well
02:13 < ashes> i don't know where it's getting the "10.17.103.2" ip from, except maybe from an arp lookup
02:13 < krzie> are you using static ips?
02:13 < ashes> yes, static ips
02:13 < krzie> ok then yes
02:13 < krzie> unless you use topology subnet or change the ips
02:14 < krzie> didnt we go over that? it feels like i was just talking about that
02:15 < ashes> i think i missed some of the conversation
02:15 < ashes> topology subnet worked
02:16 < krzie> !static
02:16 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder
02:16 < krzie> !/30
02:16 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
02:17 < krzie> !topology
02:17 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
02:18 < Andy253> Would I be wanting a bridge between my WAN interface and tap0 to access any service on the WAN interface, without allocating another IP?
02:19 < krzie> huh?
02:19 < Andy253> I have one public IP assigned to a box, I need a VPN to access any resource beyond that IP
02:19 < Andy253> So, effectively, a NAT
02:20 < krzie> !redirect
02:20 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:20 < krzie> that?
02:20 < Andy253> That sounds like client-side
02:20 < krzie> you want all traffic from the client to flow through the server?
02:20 < Andy253> All the internet traffic will flow through the VPN, that part should be ready to go, but the server side is wrong
02:21 < Andy253> Yes
02:21 < krzie> that is the above redirect
02:21 < krzie> !redirect
02:21 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:21 < krzie> what OS is your server?
02:21 < Andy253> Linux
02:21 < krzie> !linnat
02:21 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info, or (#4) openvz see !openvzlinnat
02:22 < krzie> !linipforward
02:22 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
02:22 < Andy253> IP forwarding is on
02:22 < krzie> and the NAT rule...?
02:22 < Andy253> http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html <- is what I was following
02:22 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
02:22 < krzie> you dont need a bridge
02:23 < krzie> !tunortap
02:23 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over
02:23 <@vpnHelper> the vpn, or (#4) lan gaming? use tap!
02:27 < Andy253> I still can't see any traffic on tap0 from the VPN client
02:28 < krzie> you're doing it wrong
02:28 < krzie> !sample
02:28 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
02:28 < krzie> you want something like that
02:28 < krzie> with !def1
02:28 < krzie> !def1
02:28 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
02:28 < Andy253> oh right, I need to change the server line
02:28 < krzie> and the NAT rule on your server from above
02:28 < krzie> and you want tun, not tap
02:35 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
02:36 < Andy253> krzie, how about http://pastebin.com/2JxRCHd2 ?
02:36 < Andy253> The client is handled by NM, so that will be a whole long troubleshooting process
02:37 < Andy253> The server just spits ou "bad source address from client [IP], packet dropped" over and over
02:37 < Andy253> s/ou/out/
02:38 < krzie> lets take it from the top
02:39 < krzie> why are you using tcp?
02:39 < Andy253> I don't really have a reason
02:39 < krzie> !tcp
02:39 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
02:40 < krzie> you can remove:
02:40 < krzie> local 0.0.0.0
02:40 < krzie> port 1194
02:40 < krzie> tls-server
02:40 < Andy253> Ah, I wasn't thinking of TCP over TCP
02:40 < krzie> (they are redundant)
02:41 < krzie> whats in the ccd file?
02:42 < Andy253> Nothing right now
02:42 < krzie> ok
02:42 < krzie> so you are running that now?
02:42 < Andy253> Right
02:43 < krzie> can your client ping 10.8.1.1?
02:43 < Andy253> Nope
02:43 < krzie> did you try NAT on the client side? sounds like you may have
02:44 < Andy253> Well, now its timing out on connecting with UDP
02:44 < krzie> must change both configs...
02:46 < Andy253> More like iptables getting in the way :)
02:46 < Andy253> Okay, now the client is connected.
02:47 < Andy253> SENT CONTROL [andrew]: 'PUSH_REPLY,route 10.8.1.0 255.255.255.0,topology net30,ping 30,ping-restart 120,ifconfig 10.8.1.6 10.8.1.5' (status=1) 02:48 < krzie> can your client ping 10.8.1.1? 02:48 < Andy253> Nope 02:48 < krzie> can your server ping 10.8.1.6? 02:48 < Andy253> Now its back to the bad source address from client, packet dropped 02:48 < krzie> paste that error 02:49 < Andy253> MULTI: bad source address from client [172.16.1.166], packet dropped 02:49 < krzie> ahh 02:49 < krzie> and that is its LAN ip, right? 02:49 < Andy253> Yes 02:49 < Andy253> The server has no access to that subnet 02:49 < krzie> ive seen this a time or 2, never known why it happens 02:50 < krzie> for some reason your OS is sending traffic out your tun0 with src address of its eth0 IP 02:50 < krzie> i have NO idea why it is doing this, wish i did 02:50 < Andy253> Well, I guess that's NM's fault 02:50 < krzie> but there is a workaround 02:50 < krzie> first of all 02:50 < krzie> !netman 02:50 <@vpnHelper> "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list 02:50 < Andy253> Ugh 02:51 < krzie> or at least make it work without netman first 02:51 < Andy253> I was hoping not to have install more software 02:51 < krzie> more!? 
02:51 < Andy253> As every machine I need to access from has nm-openvpn ready to go
02:51 < reiffert> krzie: have a look here, it's great fun: http://mirror.netcologne.de/CCC/27C3/mp4-h264-HQ/4245-en-adventures_in_analyzing_stuxnet.mp4
02:51 < krzie> you have openvpn installed
02:52 < krzie> you dont need netman
02:52 < krzie> just run openvpn
02:52 < krzie> lol
02:52 < Andy253> True on that
02:52 < krzie> you are actually adding an extra piece of software when using netman
02:52 < Andy253> Netman was already approved though
02:52 < krzie> i dont care, im saying that while i help you dont use it
02:53 < krzie> then if you want it after, go for it
02:53 < Andy253> So what about using Netman + openvpn client?
02:53 < krzie> what?
02:53 < Andy253> Will they conflict?
02:53 < krzie> you dont need openvpn client
02:53 < Andy253> I bet they will fight over default routes
02:53 < krzie> you already have openvpn
02:54 < Andy253> -client
02:54 < Andy253> Just openvpn vs NM
02:54 < krzie> dude, forget about netman for a min
02:54 < Andy253> Well, it's what is managing the wireless card in these devices
02:54 < krzie> thats fine
02:54 < krzie> minimize it and forget about it
02:56 < krzie> reiffert, nice thanx!
02:56 < krzie> reiffert, did you go?
02:58 * krzie goes back a dir and wgets
02:59 < Andy253> Hm, apparently it doesn't want to run because it can't find the GID for group www
03:00 < Andy253> There is no group "www" either..
03:00 < krzie> oh right, you must have missed 1 part
03:00 < krzie> !sample
03:00 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
03:00 < Andy253> Oh yes.
03:00 < Andy253> Of coure
03:00 < krzie> see #2
03:00 < Andy253> Of course*
03:00 < krzie> ;]
03:00 < Andy253> -_-
03:01 < reiffert> krzie: I was working when 27c3 took place, so nah, I was just watching some lectures
03:01 < krzie> weird the index page is actually downloading as index.html
03:02 < krzie> ill scan wget page but instead i might just parse the html for all to wget
03:04 < Andy253> Now it's connected, but still unable to ping gateway
03:05 < krzie> can your client ping 10.8.1.1?
03:06 < krzie> can your server ping 10.8.1.6?
03:06 < Andy253> No, and the client thinks the gateway is 10.8.1.9 now
03:06 < Andy253> Server can't ping 10.8.1.10 either
03:06 < krzie> ok so client is 10.8.1.10
03:06 < Andy253> It changed
03:07 < krzie> add topology subnet to the server config
03:07 < krzie> it will be less confusing to you
03:07 < krzie> also be sure to adjust firewalls
03:07 < Andy253> I have two tun devices on the server now
03:07 < krzie> oh you are running openvpn 2x
03:07 < krzie> lol
03:07 < krzie> kill both and start another, but only 1
03:07 < Andy253> pgrep openvpn | wc -l returns 2, yep...
03:09 < Andy253> Nice, my init script starts 2 copies now
03:10 < Andy253> And there is a tun0 even when openvpn is not running
03:15 < krzie> your init script starts 2 copies cause you have 2 configs in the dir it scans
03:16 < Andy253> so much for my file.conf.old standard.
03:17 < krzie> mkdir old
03:17 < Andy253> Still 2 server instances though
03:18 < krzie> you saying it still starts both configs?
03:19 < Andy253> It's starting two servers from the same config file
03:20 < Andy253> One is running as root, other as nobody
03:21 < Andy253> now I have two running as root
03:21 < krzie> ifconfig
03:22 < Andy253> tap0 and tun1 exist
03:22 < krzie> how do you know its starting 2 from the same config?
03:22 < Andy253> the process command line argument has the same configuration file listed
03:23 < Andy253> http://pastebin.com/JANBeEe3
03:23 < krzie> kill them both
03:23 < krzie> for now just start openvpn with openvpn
03:24 < Essobi> sup krzzzzz
03:24 < krzie> kill -9 5181 5193
03:24 < krzie> openvpn /etc/openvpn/server.conf
03:24 < krzie> wassup Essobi!
03:24 < Essobi> krzie: happy nude year
03:24 < krzie> i hope so!
03:24 < krzie> same to you
03:24 < Essobi> hehe
03:24 < Essobi> spanks
03:25 < Andy253> Still makes two instances
03:25 < krzie> add this to the config file:
03:26 < krzie> log /etc/openvpn/openvpn.log
03:26 < Andy253> I already have a log file
03:28 < Andy253> openvpn-auth-pam.so is causing the multiple instances.
03:28 < krzie> pastebin it
03:29 < Andy253> http://pastebin.com/kL6G80xp
03:31 < krzie> whoa
03:31 < krzie> OpenVPN 2.1.0
03:31 < krzie> could be time to update ;)
03:31 < krzie> but should be fine
03:31 < Andy253> It's Ubuntu 10.04 LTS
03:32 < Andy253> It would be running gentoo, but the machine is too old to really mean much in gentoo
03:32 < Andy253> And CentOS wasn't an option because I was going to hold off until CentOS6
03:33 < krzie> ok, so connect in the client
03:33 < krzie> the 2 processes are normal
03:34 < Andy253> The client is connected.
03:34 < krzie> can they ping each other?
03:35 < krzie> have you added entries in the firewall for them to be able to?
03:36 < Andy253> That part is working now
03:36 < krzie> they can ping each other?
03:36 < Andy253> Yep
03:36 < krzie> does the server have its NAT rule?
03:37 < krzie> add this to the server config
03:37 < krzie> !def1
03:37 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
03:37 < krzie> push "redirect-gateway def1"
03:39 < Andy253> What about client side?
03:39 < krzie> what about it?
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
03:40 < Andy253> It's not using the VPN outside of the 10.8/24 gateway
03:40 < krzie> [05:37] add this to the server config
03:40 < krzie> [05:37] push "redirect-gateway def1"
03:42 < Andy253> Okay, so I had to restart the openvpn client, because apparently on auto-reconnect it does not reload settings, anyway.
03:43 < krzie> right
03:43 < Andy253> Now everything outside of 172.16.0.0/13 and 10.8.0.0/24 is dead
03:43 < krzie> your NAT is wrong, you dont have ip forwarding enabled, or your firewall is blocking it in the forward chain
03:43 < krzie> show me the NAT rule
03:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
03:44 < Andy253> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
03:44 < Andy253> eth1 = WAN
03:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
03:44 < krzie> Sun Jan 2 01:28:19 2011 us=778457 /sbin/route add -net 10.8.1.0 netmask 255.255.255.0 gw 10.8.1.2
03:44 < krzie> your log says you use 10.8.1.0/24
03:45 < Andy253> There we go
03:45 < Andy253> It's working now
03:46 < Andy253> 0.25Mb/s and correct IP
03:46 < krzie> =]
03:46 < Andy253> I need to fix my bandwidth limits
03:47 < Andy253> also, what can I do about ping-times? (keepalive)
03:47 < Andy253> I need to get my phone connected up, and I don't want to waste battery life.
03:47 < krzie> huh?
03:48 < Andy253> My phone will be connecting via VPN as well, and I don't want to waste battery life with PINGs every 10 seconds
03:49 < krzie> make your own decisions re: keepalive
03:49 < krzie> theres a trade-off between it seeing its disconnected and reconnecting vs needing to send pings
03:49 < Andy253> I'd rather set it on a per-client basis, if that is possible
03:49 < krzie> sure, but not using the keepalive setting
03:49 < Andy253> Right
03:49 < krzie> see the manual
03:49 < krzie> keepalive is just a helper
03:50 < krzie> it sets a couple settings, and pushes settings to the clients
03:50 -!- master_of_master [~master_of@p57B53150.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
03:50 < krzie> set them yourself, and dont push to clients
03:50 < krzie> !push
03:50 <@vpnHelper> "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
03:50 < Andy253> NetworkManager is now working btw.
03:50 < krzie> cool
03:50 < krzie> i needed it out of my way
03:51 < krzie> if you wanna use it now that it works, go for it ;]
03:51 < Andy253> Now I just need to run my script to deploy the changes against all my machines and I will be good to go
03:51 -!- master_of_master [~master_of@p57B53E65.dip.t-dialin.net] has joined #openvpn
03:51 < krzie> =]
03:52 < Andy253> And get my Nokia N900 ready
03:52 < krzie> that sucker has an internal wifi that can crack WEP
03:52 < Andy253> It can do just about anything
03:52 < krzie> which is badass for a phone
03:53 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:53 < Andy253> Looks like my rollout went good
03:54 < Andy253> I had openvpn setup before, but my certificates expired
03:54 < krzie> they just gotta be re-signed
03:55 < Andy253> I took the time to redo openvpn because it was on a different machine
03:56 < Andy253> I may set up per-machine certs now, I couldn't before because of the network access
03:56 < krzie> its a good idea to
04:22 -!- m4rku5 [~markus@cl-2320.ham-01.de.sixxs.net] has joined #openvpn
04:22 < m4rku5> !welcome
04:22 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:24 < m4rku5> hi, I am using ifconfig-push which the server reads from client-config-dir, on the server i can see client/...:1194 ... Learn: 172.17.2.11 -> client/...:1194 however the client does not use this ip (i.e. the tun0 interface has no IP assigned)
04:40 -!- common [~common@p5DDA4282.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
04:40 -!- CheBuzz_Home [~CheBuzz_H@72-57-90-84.pools.spcsdns.net] has quit [Ping timeout: 260 seconds]
04:41 -!- common [~common@p5DDA460C.dip0.t-ipconnect.de] has joined #openvpn
04:44 < ashes> what keeps someone from bypassing openvpn authentication, on a wifi network, and using my nat directly?
04:47 -!- CheBuzz_Home [~CheBuzz_H@99-204-6-112.pools.spcsdns.net] has joined #openvpn
04:50 -!- m4rku5 [~markus@cl-2320.ham-01.de.sixxs.net] has left #openvpn ["Leaving"]
04:51 -!- Andy253 [~andrew@00022a00c408.click-network.com] has quit [Quit: Never trust a computer you can't throw out a window. - Steve Wozniak]
04:51 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has joined #openvpn
04:54 < krzie> ashes, encryption...
04:56 < ashes> i mean, just spoof the client mac address, get an ip from dhcp, and use the NAT, without openvpn
04:57 < krzie> use what NAT
04:58 < krzie> the one on the other side of an openvpn tunnel...?
04:58 < ashes> a home setup, where openvpn, NAT, and dhcpd, are running on the same system, with a wifi network
04:58 < krzie> you are only NAT'ing the vpn network
04:59 < ashes> the vpn's ip
05:00 < krzie> the encryption stops it
05:04 < ashes> i'm not talking about my legit traffic. i mean someone using my server as a gateway, without encryption
05:05 < ashes> what is used to default deny non-authenticated connections?
05:08 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has quit [Quit: alhadi]
05:12 < ashes> the iptables rules, or firewall rules, i find for openvpn would allow anyone to use the server as a gateway, including hosts that have not authenticated with openvpn
05:12 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has joined #openvpn
05:44 < reiffert> ashes: what keeps you from changing your firewall rules, so that your server gets more secure?
06:03 < krzie> ashes, your NAT rule only NATs the vpn subnet, which your routing table says only goes over tun0
06:05 < ashes> ok
06:11 -!- michl [~mich@2001:6f8:1c60:7777:21a:4dff:fe66:600c] has joined #openvpn
06:14 -!- ashes [~ashes@modemcable247.172-202-24.mc.videotron.ca] has quit [Remote host closed the connection]
06:14 -!- ashes [~ashes@modemcable247.172-202-24.mc.videotron.ca] has joined #openvpn
06:23 -!- michl [~mich@2001:6f8:1c60:7777:21a:4dff:fe66:600c] has quit [Quit: Verlassend]
06:30 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
07:04 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Read error: Operation timed out]
07:42 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
07:45 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 240 seconds]
07:48 -!- me345 [~me345@adsl-75-15-250-79.dsl.bkfd14.sbcglobal.net] has quit [Remote host closed the connection]
07:49 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
07:49 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
07:49 -!- mode/#openvpn [+o vpnHelper] by ChanServ
07:50 -!- atan3 [~atan@unaffiliated/atan] has quit [Quit: null]
07:51 -!- CheBuzz_Home [~CheBuzz_H@99-204-6-112.pools.spcsdns.net] has quit [Ping timeout: 240 seconds]
07:51 -!- atan [~atan@unaffiliated/atan] has left #openvpn []
07:52 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
07:52 -!- mode/#openvpn [+o mattock] by ChanServ
08:03 -!- michl [~mich@2001:6f8:1c60:7777:21a:4dff:fe66:600c] has joined #openvpn
08:03 -!- michl [~mich@2001:6f8:1c60:7777:21a:4dff:fe66:600c] has left #openvpn []
08:22 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has quit [Ping timeout: 246 seconds]
08:44 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
08:46 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- Like it? Visit #hydrairc on EFNet]
09:29 -!- maxJadi [~maxJadi@mehdi.kjm.sgsnet.se] has joined #openvpn
09:39 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
09:39 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
09:39 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
09:52 -!- SOG [~SOG@n11649233137.netvigator.com] has joined #openvpn
09:54 -!- SOG [~SOG@n11649233137.netvigator.com] has quit [Client Quit]
10:20 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
11:10 -!- s7r [~s7r@66.90.75.87] has joined #openvpn
11:10 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Remote host closed the connection]
11:19 -!- ki7rw [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
11:20 -!- ki7rw is now known as n0sq
11:20 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
11:37 -!- hanasaki [~hanasaki@76.92.220.37] has joined #openvpn
11:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
11:38 < hanasaki> any way to do openvpn w/o distributing client certs?
11:38 < ecrist> you can use static keys, but it's nowhere near as secure.
11:41 -!- ki7rw [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
11:43 -!- ki7rw [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
11:43 < hyper_ch> hi ecrist
11:54 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
12:03 < hanasaki> what's a static key? hmmm maybe use pptpd instead?
12:10 < Bushmills> !howto
12:10 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:10 < Bushmills> quickstart tells
12:19 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has joined #openvpn
12:25 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
12:27 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has left #openvpn []
12:29 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
12:36 -!- UnterPerro_ [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
12:36 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Read error: Connection reset by peer]
12:36 -!- UnterPerro_ is now known as UnterPerro
12:45 -!- hanasaki [~hanasaki@76.92.220.37] has left #openvpn []
13:04 < Rienzilla> hmm
13:04 < Rienzilla> is it possible to use a certificate on a smartcard for authentication with openvpn?
13:08 < Rienzilla> hmm lmgtfy... nm :)
13:12 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
13:12 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has quit [Ping timeout: 246 seconds]
13:14 -!- s7r [~s7r@66.90.75.87] has left #openvpn []
13:19 < reiffert> Rienzilla: smartcard stuff should work with pam. there is a pam plugin for openvpn.
13:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
13:31 < Essobi> Rienzilla: I read a whitepaper on that somewhere..
13:34 -!- hacim [~micah@debian/developer/micah] has left #openvpn []
13:41 -!- UnterPerro_ [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
13:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Read error: Connection reset by peer]
13:41 -!- UnterPerro_ is now known as UnterPerro
13:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
13:47 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has quit [Changing host]
13:47 -!- secretary_linux [~bplunkert@unaffiliated/secretary-linux/x-6720546] has joined #openvpn
13:56 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has joined #openvpn
14:21 < krzie> im sure it can be done, but have never attempted it
14:22 < krzie> (jjk's book has a chapter on it)
14:32 <@vpnHelper> RSS Update - forum: Need help with config files/keys will pay
14:51 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
15:09 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
15:09 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has quit [Read error: Operation timed out]
15:14 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has joined #openvpn
15:15 -!- sia^pwnnt is now known as sia
15:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
15:20 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has quit [Quit: alhadi]
15:29 -!- Kurogane [~kuro@190.87.80.64] has joined #openvpn
15:33 -!- n0de_ [~n0de@ns301443.ovh.net] has joined #openvpn
15:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
16:12 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 265 seconds]
16:13 -!- n0de_ [~n0de@ns301443.ovh.net] has quit [Quit: n0de_]
16:31 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
16:32 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
16:35 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Quit: Leaving.]
16:36 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
16:37 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Ping timeout: 276 seconds]
16:37 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined #openvpn
16:38 -!- rkantos [robin@hp1.jaketus.net] has quit [Ping timeout: 276 seconds]
16:38 -!- ksk [ksk@im.knubz.de] has quit [Ping timeout: 276 seconds]
16:38 -!- tessier [~treed@mail.copilotco.com] has quit [Ping timeout: 276 seconds]
16:38 -!- diphthong [~diphthong@69.172.135.243] has quit [Ping timeout: 276 seconds]
16:38 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Ping timeout: 276 seconds]
16:39 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Ping timeout: 276 seconds]
16:40 -!- diphthong [~diphthong@69.172.135.243] has joined #openvpn
16:40 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 276 seconds]
16:40 -!- tessier [~treed@mail.copilotco.com] has joined #openvpn
16:40 -!- ksk [ksk@im.knubz.de] has joined #openvpn
16:44 -!- Netsplit *.net <-> *.split quits: jhelwig, jfkw, dictvm, juhovh, nb, DarthGandalf, daemon, Antarez, tjz, openvpn2009, (+2 more, use /NETSPLIT to show all of them)
16:44 -!- nb_ is now known as nb
16:44 -!- Netsplit *.net <-> *.split quits: Hamlin, Visual`
16:44 -!- Martin` is now known as Martin
16:45 -!- Martin is now known as Guest99287
16:46 -!- reiffert_ [~thomas@mail.reifferscheid.org] has joined #openvpn
16:46 -!- Netsplit over, joins: openvpn2009, jfkw, batrick, tjz
16:46 -!- 92AAB05FD [~nb@fedora/nb] has joined #openvpn
16:46 -!- Netsplit over, joins: jhelwig, juhovh, Antarez, daemon, dictvm, DarthGandalf, oc80z
16:46 -!- rkantos_ [robin@hp1.jaketus.net] has joined #openvpn
16:47 -!- Netsplit over, joins: Hamlin, Visual`
16:48 -!- maxJadi [~maxJadi@mehdi.kjm.sgsnet.se] has quit [Quit: Leaving]
16:51 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
16:52 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
16:54 -!- Netsplit *.net <-> *.split quits: lupine_85, blackpenguin, rkantos_, Hamlin, Meliorator, abeehc, Visual`, renihs
17:03 -!- abeehc_ [~bob@d207-6-195-163.bchsia.telus.net] has joined #openvpn
17:03 -!- rkantos_ [robin@hp1.jaketus.net] has joined #openvpn
17:03 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has joined #openvpn
17:03 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
17:08 -!- renihs [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined #openvpn
17:11 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
17:13 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has joined #openvpn
17:27 -!- Netsplit *.net <-> *.split quits: jhelwig, jfkw, dictvm, juhovh, reiffert_, DarthGandalf, nijotz, daemon, Antarez, 92AAB05FD, (+4 more, use /NETSPLIT to show all of them)
17:27 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:27 -!- Guest99287 is now known as Martin
17:28 -!- Martin is now known as Guest93089
17:28 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Read error: Connection reset by peer]
17:28 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:29 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
17:29 -!- Meliorator [~m@dunnington.eu] has joined #openvpn
17:29 -!- Netsplit over, joins: openvpn2009, nijotz, reiffert_, jfkw, batrick, tjz, 92AAB05FD, jhelwig, juhovh, Antarez (+4 more)
17:29 -!- UnterPerro_ [~UnterPerr@32.161.24.124] has joined #openvpn
17:32 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Ping timeout: 240 seconds]
17:32 -!- UnterPerro_ is now known as UnterPerro
17:34 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 272 seconds]
17:41 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:44 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Quit: Leaving.]
17:47 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
17:47 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
17:47 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
17:50 -!- n0de_ [~n0de@ns301443.ovh.net] has joined #openvpn
17:52 -!- 92AAB05FD is now known as nb_
18:06 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
18:14 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Quit: Leaving.]
18:17 -!- n0de_ [~n0de@ns301443.ovh.net] has quit [Quit: n0de_]
18:17 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
18:19 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
18:19 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has left #openvpn []
18:58 -!- UnterPerro_ [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
18:58 -!- UnterPerro [~UnterPerr@32.161.24.124] has quit [Read error: Connection reset by peer]
18:58 -!- UnterPerro_ is now known as UnterPerro
19:12 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 264 seconds]
19:31 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 260 seconds]
19:40 -!- sia is now known as sia^pwnnt
19:41 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
19:44 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
19:48 < krzee> hyper_ch, i got my web interface up =]
19:48 < krzee> i ended up scratching the php... it was doable in bash with cgi
19:49 < krzee> im sure if i was a php guy that would be better, but this is perfect for my needs
19:50 < dschuett> krzee: may i ask what you did? web interface for?
19:51 < krzee> internal access only interface for running accounting bash scripts
19:51 < dschuett> nice!
19:51 < krzee> so the boss can run it from his cell phone by clicking a button
19:52 < krzee> thanx
19:52 < krzee> im pretty stoked about it =]
19:52 < dschuett> it is always fun finishing a new program... i write a lot of php programs
19:52 < dschuett> php-mysql
19:53 < krzee> i had to access mssql
19:53 < krzee> that was a journey
19:53 < krzee> heh
19:53 < dschuett> haha, do you write a lot?
19:54 < krzee> but perl::sybase and freetds+unixODBC got it done
19:54 <@vpnHelper> RSS Update - forum: OpenVPN Adapter Order / DNS issues
19:54 < krzee> really i only write bash
19:54 < krzee> but i have been writing tons of bash ;]
19:54 < dschuett> bash is ALWAYS useful! - you really can't go wrong with bash
19:56 < krzee> might have to customize the loading.gif now ;)
19:56 < dschuett> of course...gotta make it pretty :D
19:57 < krzee> along those lines i need to play with outputting my page in columns, its fairly ugly as is
19:57 < krzee> but yanno... first you make it work, then you make it nice
19:57 < dschuett> yeah, the hard part is done!
19:57 < krzee> and if i never make it look nice, im still happy with the results!
19:59 -!- CheBuzz_Home [~CheBuzz_H@99-204-6-112.pools.spcsdns.net] has joined #openvpn
20:00 < dschuett> i'm sure you'll get it looking good!
20:00 < krzee> thanx
20:00 -!- n0de_ [~n0de@ns301443.ovh.net] has joined #openvpn
20:01 -!- CheBuzz_Home [~CheBuzz_H@99-204-6-112.pools.spcsdns.net] has left #openvpn []
20:19 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has left #openvpn []
20:27 -!- n0de_ [~n0de@ns301443.ovh.net] has quit [Ping timeout: 255 seconds]
20:28 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
20:28 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
20:28 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
20:33 -!- n0de_ [~n0de@ns301443.ovh.net] has joined #openvpn
20:37 -!- WinstonSmith [~true@g231241145.adsl.alicedsl.de] has joined #openvpn
20:37 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 272 seconds]
20:38 -!- WinstonSmith_ [~true@g231228010.adsl.alicedsl.de] has joined #openvpn
20:40 -!- WinstonSmith__ [~true@g231228010.adsl.alicedsl.de] has joined #openvpn
20:42 -!- WinstonSmith [~true@g231241145.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
20:43 -!- WinstonSmith_ [~true@g231228010.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
20:52 -!- albech [~thomas@119.42.78.242] has joined #openvpn
21:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
21:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:29 -!- n0de_ [~n0de@ns301443.ovh.net] has quit [Ping timeout: 255 seconds]
21:34 -!- sia^pwnnt is now known as sia
21:37 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
22:28 <@vpnHelper> RSS Update - forum: Check my config files please
22:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
22:58 -!- EvilMachine [~navid@dslb-088-077-145-003.pools.arcor-ip.net] has joined #openvpn
22:58 < EvilMachine> hello. :)
22:59 < EvilMachine> guys, is there a way to trigger a script when openvpn is *completely done*?
22:59 < EvilMachine> i mean when the initialization is complete
22:59 < EvilMachine> right now the up script gets triggered before initialization is done
23:00 < EvilMachine> t=n
23:00 < EvilMachine> which means one can't use it to trigger starting the bridge on top of it
23:01 < EvilMachine> because dhcp will fail without openvpn fully working
23:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
23:08 < EvilMachine> even --up-delay doesn't help. :/
23:11 -!- openvpn2009 [patel@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has quit [Ping timeout: 240 seconds]
23:14 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:17 -!- openvpn2009 [patel@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
23:21 -!- EvilMachine [~navid@dslb-088-077-145-003.pools.arcor-ip.net] has quit [Quit: leaving]
23:24 < krzie> !script
23:24 <@vpnHelper> "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
23:24 -!- openvpn2009 [patel@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has quit [Ping timeout: 276 seconds]
23:24 < krzie> heh, he left quick
23:25 < krzie> well if he comes back, show him --route-up cmd along with --up-delay
23:26 < krzie> but for starting a bridge i believe he wants --up
23:29 -!- openvpn2009 [patel@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
--- Day changed Mon Jan 03 2011
00:12 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
00:59 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
00:59 -!- mode/#openvpn [+o mattock] by ChanServ
01:45 -!- WinstonSmith__ [~true@g231228010.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
01:49 -!- WinstonSmith [~true@g231228010.adsl.alicedsl.de] has joined #openvpn
01:57 < krzie> reiffert_, stuxnet took this guy for a ride!
01:58 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:00 -!- dazol is now known as dazo
02:00 -!- dazo [~dazo@nat/redhat/x-zpucjklrmralavmn] has quit [Changing host]
02:00 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
02:04 -!- reiffert_ is now known as reiffert
02:04 < reiffert> krzie: it would have take me months to analyze. Their speed is impressive.
02:05 < reiffert> taken
02:09 < reiffert> krzie: what I dislike is their way of doing things. MS didnt analyze, they just were discovering things.
02:10 < reiffert> e.g. their first thought was "Of, this is a userspace hack". and then by accident they recognized two kernel drivers.
02:11 < reiffert> s,Of,Oh,
02:19 < krzie> aye
03:15 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 240 seconds]
03:17 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
03:17 < kraut> morning
03:19 -!- tjz [~pc@bb116-14-171-63.singnet.com.sg] has joined #openvpn
03:19 -!- tjz [~pc@bb116-14-171-63.singnet.com.sg] has quit [Changing host]
03:19 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
03:23 < reiffert> morning krzie
03:24 < reiffert> morning kraut
03:24 < reiffert> :)
03:24 < kraut> hi reiffert and happy new year
03:25 < reiffert> yep, happy new year
03:49 -!- master_of_master [~master_of@p57B53E65.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:51 -!- ultramage [umage@kurobara.netvor.sk] has joined #openvpn
03:51 -!- master_of_master [~master_of@p57B5775B.dip.t-dialin.net] has joined #openvpn
03:52 < ultramage> hi, I want openvpn's tap interface to have a certain ethernet address, so that a specific ipv6 address is auto-assigned to it... is this possible?
03:52 < ultramage> I defined an ifconfig action in the 'up' handler, but it seems that's too late
03:53 < dazo> ultramage: yes, create the device manually (openvpn --mktun) ... and then use ifconfig (or iproute2?) to change the MAC address
03:54 < ultramage> the interface is created automatically at startup :/
03:54 < ultramage> doing it manually every time is not an option
03:54 < dazo> you need to hack that script then
03:54 < dazo> hmmm .... have you checked out --lladdr?
03:54 < dazo> --lladdr address
03:54 < dazo> Specify the link layer address, more commonly known as the MAC
03:54 < dazo> address. Only applied to TAP devices.
03:55 < ultramage> O.o
03:55 < ultramage> o.O
03:55 < ultramage> I'm sure I scanned for 'MAC' when I was looking in the manual earlier
03:56 < ultramage> I guess google gave me the 2.0 manual which does not have this -.-
03:56 < dazo> why google when you have man? ;-)
03:57 < ultramage> reading the manual in my browser is a bit easier than reading it in a ssh console
03:57 < dazo> gah ... this gui generation ....
03:57 < dazo> :-P
03:58 < reiffert> searching in manpages: / searchterm return
03:58 < reiffert> skip spaces
03:59 < ultramage> yea, but it's not as good as a pointy clicky 1920x1080 browser
03:59 < reiffert> searching case insensitive: man -i
03:59 < ultramage> plus reading monospaced font is not good for the eyes =p
03:59 < dazo> ultramage: what is not possible to do from a command line is not worth doing ;-)
03:59 < reiffert> pointing and clicking on a 1920x1080 browser on a website without links gives you faster results?
03:59 < ultramage> ctrl+f
04:00 < reiffert> ultramage: / so saved one char
04:00 < ultramage> anyways, thanks for the config setting, works like a charm
04:00 < dazo> ultramage: try '/' when viewing a man page ... and then 'n' for next hit
04:00 < reiffert> or p(revious)
04:00 < reiffert> and man -j 5 to have more context
04:00 < ultramage> I can tell you that it's ass compared to doing it in a gui... and if I have a gui I'm not going to cripple myself for no real reason :)
04:00 < reiffert> (all the browsers that I do know cant do that)
04:01 < reiffert> alias gui=man
04:01 < ultramage> xD
04:02 < dazo> that's the difference between users and lusers ... gui makes you dumber ... really ...
04:02 < ultramage> now now
04:02 < dazo> (Just think about the 80's, where it was expected that you needed to know programming to use a computer in general)
04:02 < Bushmills> ultramage: http://docs.verhau.de/cgi-bin/dwww?type=runman&location=openvpn/8
04:02 <@vpnHelper> Title: openvpn(8) - Man pages (at docs.verhau.de)
04:02 < ultramage> yes yes
04:02 < ultramage> I just prefer the official site for official docs :p
04:03 < ultramage> and I'm used to the color scheme
04:04 < reiffert> color scheme like bold and plain text?
04:04 < ultramage> :) and the white/blue background with blue text
04:04 < reiffert> you can have that with your ssh terminal as well
04:04 < dazo> reiffert: you know the gui generation ... it's not the contents which is important, just how it looks like
04:04 < reiffert> yeah.
04:04 < Bushmills> why not let somebody read it to you
04:05 < reiffert> Bushmills: he's the guy supposed to do the reading.
04:05 < dazo> Bushmills: do you have links to audio-man pages? ;-)
04:05 < ultramage> you must have some hidden grudge
04:06 < Bushmills> reiffert: didn't say "for you" but "to you"
04:06 < reiffert> ultramage: "experience"
04:06 < Bushmills> just as a way to avoid colour scheme and font issues and such
04:07 < ultramage> my experience says a badly done ui is inferior to commandline
04:07 < ultramage> but a properly done ui dominates console
04:08 < ultramage> that is unless all you do all day is writing automated shell scripts
04:09 < Bushmills> searching a man page doesn't require writing shell scripts all day
04:09 < Bushmills> regardless whether you search using a browser or a command line
04:10 < reiffert> 10:55 < ultramage> I'm sure I scanned for 'MAC' when I was looking in the manual earlier
04:12 < reiffert> using gui's should be done when you are able to.
04:12 <@vpnHelper> RSS Update - forum: JonDo vs OpenVPN - They Claim To Be More Secure
04:32 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
04:32 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
04:32 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:37 -!- common- [~common@p5DDA4794.dip0.t-ipconnect.de] has joined #openvpn
04:38 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
04:38 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
04:40 -!- common [~common@p5DDA460C.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
04:40 -!- common- is now known as common
04:51 -!- ksk [ksk@im.knubz.de] has quit [Quit: leaving]
04:52 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
04:52 -!- ksk [ksk@im.knubz.de] has joined #openvpn
05:13 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:13 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:13 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:14 -!- maxJadi [~maxJadi@h192n3-g-kt-d1.ias.bredband.telia.com] has joined #openvpn
05:31 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 276 seconds]
05:34 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
05:41 -!- ksk [ksk@im.knubz.de] has quit [Quit: leaving]
05:49 -!- ThiefMaster [~thief@unaffiliated/thiefmaster] has joined #openvpn
05:49 < ThiefMaster> hi, is it possible to have openvpn listen on an ipv6 address?
05:51 < dazo> ThiefMaster: yes and no ... with the official releases, no ... but with the openvpn-testing 'allmerged' version (development test version) it is possible
05:52 < dazo> ThiefMaster: Complete IPv6 support is planned for OpenVPN 2.3 .... we're expecting to start beta of 2.3 in 3-4 months
05:52 < ThiefMaster> k
05:54 < dazo> ThiefMaster: we need people to test the allmerged and the beta releases ... so if you're willing to help out and report issues to us, that would be great!
05:54 < ThiefMaster> maybe later ;) i need something working right now so i'm lazy and using the version from gentoo portage
05:54 < ultramage> oh, one more random thing:
05:55 < dazo> fair enough ... the gentoo patch for IPv6 support is what's included into the -testing tree ... so that still helps out :)
05:55 < ultramage> on freebsd, when the vpn connection comes up, for some reason the default link-local route is not added for the tap interface
05:55 < dazo> ultramage: which version?
05:56 < ultramage> I'm currently working around this by a scripted ifconfig action on 'up', but it's not idea
05:56 < ultramage> *l
05:56 < ultramage> OpenVPN 2.1.3 i386-portbld-freebsd8.1 [SSL] [LZO2] built on Sep 9 2010
05:56 < dazo> ThiefMaster: https://community.openvpn.net/openvpn/wiki/TesterDocumentation ... there are links here to devel snapshots ... just in case you're curious ;-)
05:56 <@vpnHelper> Title: TesterDocumentation – OpenVPN Community (at community.openvpn.net)
05:56 < ultramage> I wasn't doing ipv6 over vpn before so I don't remember if 8.0/2.0.x was doing this before as well
05:57 < dazo> ultramage: Just to be sure I understand you correctly ... the FreeBSD build is with IPv6 support or not?
05:58 < ultramage> yes, ipv6 works :)
05:58 < dazo> ecrist: do you know which patches FreeBSD adds for IPv6 support?
05:59 < ultramage> I just restarted openvpn with the script disabled, and suddenly couldn't talk link-local ipv6 with my freebsd machine because the route didn't get added
05:59 < dazo> ultramage: My immediate thought is that this is something JJO (IPv6 transport patch writer) needs to have a look at ...
05:59 < ultramage> I have no clue what's causing this, could be some oversight during interface creation
06:00 < ultramage> I think freebsd runs a rc script when interfaces are created, I could be mistaken though
06:00 < ultramage> I have the suspicion that sometimes it works, sometimes it doesn't
06:00 < dazo> It might either be specific to FreeBSD ... or a more general issue in the implementation ... but I don't know yet, leaning towards specific FreeBSD issue ... at least if it is JJO's patch which FreeBSD uses
06:00 < ultramage> I'll let you know what happens after tomorrow's restart
06:01 * ultramage checks
06:01 < reiffert> "sometimes it works and sometimes it doesnt" reminds me of a gui os.
06:01 < dazo> ultramage: please bring this one up to the openvpn-devel mailing list ... JJO pays attention to that list
06:01 < dazo> reiffert: I didn't know FreeBSD was a gui OS :-P
06:01 < reiffert> :)
06:01 < ultramage> hm, all I see is a rc script
06:02 < ultramage> unless you're referring to an internal patch that your configure script applies during build time
06:02 < ultramage> freebsd ports do not include any source-level patches to openvpn
06:03 < ultramage> /sbin/route add -inet6 fe80::1\%tap1 -prefixlen 64 -interface tap1
06:04 < ultramage> (this is my workaround)
06:04 < dazo> ultramage: OpenVPN 2.1.3 does not support IPv6 at all, out of the box ... but JJO has written the transport patch (listen/connect to IPv6 addresses), which FreeBSD obviously must have added ... unless they added another patch doing pretty much the same
06:05 < ultramage> although I have two other virtual interfaces and their fe80:: routes get assigned fine
06:05 < dazo> so this is a compile time patch
06:05 < ultramage> dazo: I'm not referring to ipv6 transport... I'm using a tap interface so it shouldn't matter
06:06 < dazo> ultramage: well, then you need to add that yourself ... as OpenVPN knows nothing about IPv6 at all, thus it will not configure any IPv6 addresses
06:06 < ultramage> it's that after the openvpn connection is established between the two endpoints, and they start talking to each other, the link-local mechanism fails because one of the endpoints does not set a route
06:06 < ultramage> I'm not sure openvpn is even supposed to do that... I thought it is done automagically by the OS somehow
06:07 < ultramage> I'll monitor the issue for a few more days, draw some conclusions and post on the mailing list if it keeps occurring
06:07 < dazo> that's a different issue then ... that's either a bug in the FreeBSD TUN/TAP driver ... or the case that no IPv6 addresses are configured on the interface, thus no need to add link-local stuff automatically
06:07 < ultramage> fe80::%ng0/64 link#5 U ng0
06:07 < ultramage> fe80::%tun0/64 link#6 U tun0
06:08 < ultramage> these two come up just fine, so :/
06:08 < ultramage> hopefully someone will know a way to fix that, because I have no idea at all :)
06:12 -!- albech [~thomas@119.42.78.242] has quit [Quit: Ex-Chat]
06:12 -!- sia is now known as sia^pwnnt
06:18 < ecrist> dazo: not off hand, but I can look it up
06:19 < dazo> ecrist: thx ... after some more enlightening info in the discussion, I doubt any IPv6 patches are added
06:21 < reiffert> ultramage: why tun0 comes up when using tap0?
06:23 < ultramage> reiffert: tun0 is another virtual interface (sixxs.net ipv6 tunnel)
06:27 < reiffert> try again please, bringing tun0 down first.
06:27 < ThiefMaster> how do i allow vpn clients to access the physical network of the server?
06:28 < ultramage> heh, right, as if I was going to cut off my only alternative means of talking to the machine
06:28 < reiffert> ultramage: my crystal ball is broken, sorry that I didnt know.
06:28 < dazo> ThiefMaster: firewalling and routing, that's the things you need to look at
06:28 < reiffert> ThiefMaster: read this:
06:28 < reiffert> !route
06:28 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:29 < ultramage> ThiefMaster: either make the server a router on the OS level, or fudge around with openvpn to get some pseudo-equivalent of a router
06:35 -!- Kurogane [~kuro@190.87.80.64] has quit [Read error: Connection reset by peer]
06:37 -!- Netsplit *.net <-> *.split quits: krzee, lupine_85, krzie, ThiefMaster, qermit, Fiouz, nb, hyper_ch, APTX, mace, (+4 more, use /NETSPLIT to show all of them)
06:43 -!- ThiefMaster [~thief@port-92-200-112-159.dynamic.qsc.de] has joined #openvpn
06:43 -!- ThiefMaster [~thief@port-92-200-112-159.dynamic.qsc.de] has quit [Changing host]
06:43 -!- ThiefMaster [~thief@unaffiliated/thiefmaster] has joined #openvpn
06:44 < ThiefMaster> bah it really sucks.. no unprotected wireless lans in my area.. so how the fuck am i supposed to test if my vpn stuff works :x
06:44 < dazo> ThiefMaster: mobile network?
06:45 < ultramage> what do you mean 'test'? :)
06:45 < ThiefMaster> nope - expensive and i don't have umts etc anyway
06:45 < ThiefMaster> ultramage: testing if i can access machines in my LAN via vpn for example
06:45 < ultramage> ah.
06:45 < ultramage> virtual machine ?
06:46 < reiffert> send me a client cert and I will try out.
06:46 < ThiefMaster> would also have access to the lan, wouldn't it?
06:46 < ultramage> well, technically yes :S
06:46 < ThiefMaster> reiffert: nice offer, but i'd rather do that with someone i know ;)
06:46 < ultramage> give him a temporary cert :)
06:46 < reiffert> ThiefMaster: ultramage knows me.
06:48 < ultramage> ThiefMaster: actually, the VM approach will work
06:48 < ultramage> you just need to say "route through the vpn connection"
06:49 < ultramage> then it won't matter if the machine can actually get to them directly
06:49 < ThiefMaster> push "route 192.168.2.0 255.255.255.0" in the server's config (192.168.2/24 is my lan)?
06:49 < ultramage> route add 192.168.0.1/24 10.0.0.1 metric 10
06:50 < ultramage> if it's a one-time test, you can just cripple your own routing tables directly from the commandline
06:51 < ThiefMaster> k
06:51 < ultramage> or even adding a permanent route to your vpn server, then changing 0.0.0.0/0's gateway (it's how I run from here)
06:52 -!- freaky[t]_ [alpha@freakyy.de] has quit [Ping timeout: 240 seconds]
06:53 -!- Netsplit over, joins: maxJadi, lupine_85, krzie, krzee, nb, wolfric, hyper_ch, APTX, fahadsadah, qermit (+3 more)
07:01 < ThiefMaster> ultramage: won't that kill the vpn connection as i'm also using the 192.128.2.x ip to connect to the vpn server
07:01 < ultramage> that's why I said to first add a permanent route with highest priority to that one machine :)
07:01 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So
07:01 < ThiefMaster> ah
07:02 < ThiefMaster> do you know how i do that on windows? never used its route command much
07:02 < ultramage> route -p add RealIP/32 RealGateway METRIC 1
07:02 < ThiefMaster> ty
07:02 < ecrist> dazo: there are no patches added to openvpn on freebsd
07:03 < ultramage> route -p change 0.0.0.0/0 VpnGateway METRIC 300
07:03 < ecrist> that's what I thought but wanted to confirm before i started spouting off.
07:03 < dazo> ecrist: thx! That's what I began to sense
07:03 < ultramage> ThiefMaster: also, netstat -arn (or 'route print') will show you what the current rules are
07:04 < ecrist> had there been any patches, I would have gotten them cleaned up long ago.
07:04 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn
07:08 < ultramage> heh, I love new year... my CA certificate expired, taking my entire cluster test setup down with it
07:08 < reiffert> happy easter then.
07:15 * dazo never uses anything less than 10 years on certificates used for test purposes only
07:19 < ThiefMaster> ok.. using 'push "route 192.168.2.0 255.255.255.0"' pinging a machine in the lan works - at least it receives the ping. however, the responses are lost
07:20 < ThiefMaster> do i need to configure something else on the vpn server to route the responses back through the vpn?
07:21 < ThiefMaster> oh.. do i need to add routes on the machines in the LAN so they know the gateway for the vpn?
07:22 < dazo> ThiefMaster: you might need to have a reverse route too ... put that on the default gateway, or on the client itself ... so that the packet from the LAN client goes through the OpenVPN server
07:22 < ThiefMaster> on the gateway itself.. so a 10.66.66.0/24 via 192.168.2.123 route on my lan's router would do it? for all clients in it?
07:23 < dazo> yes, in most cases
07:23 < dazo> some routers do not like to route traffic back to another gateway on the same network where the traffic came from ... but that's more and more seldom this is seen
07:24 < ThiefMaster> i'm using a dd-wrt router
07:24 < dazo> should be good enough
07:24 < ThiefMaster> should 'route add -net 10.66.66.0/24 192.168.2.123 dev br0' work?
07:24 < dazo> (even though I personally wouldn't trust the dd-wrt firmware, but that's a different story)
07:24 < dazo> ThiefMaster: yeah, that looks correct
07:25 < dazo> not sure if you need 'dev br0'
07:26 < ThiefMaster> bah.. i hate those stripped utils on routers.. no error message but apparently it did not add the route
07:26 < dazo> heh ... try OpenWRT instead :-P
07:29 < ThiefMaster> ah.. route add -net 10.66.66.0/24 gw 192.168.2.123 dev br0
07:29 < ThiefMaster> forgot the 'gw'
07:32 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
07:34 -!- ksk [ksk@im.knubz.de] has joined #openvpn
07:43 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn
08:06 < ThiefMaster> i've decided to simply make all my machines vpn clients.. seems to be less trouble
08:06 < ThiefMaster> however, when i want to make my linux client both server and client the client fails when adding a route
08:06 < ThiefMaster> Jan 03 15:03:49 [openvpn] /sbin/ip route add 10.66.66.0/24 via 10.66.66.10
08:06 < ThiefMaster> Jan 03 15:03:49 [openvpn] ERROR: Linux route add command failed: external program exited with error status: 2
08:09 < ThiefMaster> oh nvm looks like i don't even need to make the server box a client, too
08:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
08:24 -!- sia^pwnnt is now known as sia
08:28 < dschuett> ThiefMaster: yeah, i was going to ask why you were making the server a client as well?
08:28 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So
08:32 -!- ultramage [umage@kurobara.netvor.sk] has left #openvpn []
08:52 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So
08:54 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
09:10 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
09:10 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
09:10 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
09:12 -!- maxJadi [~maxJadi@h192n3-g-kt-d1.ias.bredband.telia.com] has quit [Quit: Leaving]
09:13 -!- maxJadi [~maxJadi@h192n3-g-kt-d1.ias.bredband.telia.com] has joined #openvpn
09:13 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
09:23 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
09:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
09:48 <@vpnHelper> RSS Update - forum: Automatically put on alliases on tun interface
09:57 -!- WinstonSmith [~true@g231228010.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
09:59 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
10:03 < kai_office> !goal
10:03 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:05 < kai_office> I would like to understand more about the documentation here: http://man.chinaunix.net/linux/efw-admin-guide-html-chunk/efw.vpn.openvpn.html -- Not very far down the page, it has a section titled "block DHCP responses coming from tunnel". I'd like to figure out how to do this. It looks like the OpenVPN-AS software simply has a "checkbox" for this. Is that true?
10:05 <@vpnHelper> Title: OpenVPN (at man.chinaunix.net)
10:07 < kai_office> Oh, a little closer look, and they are running the Endian firewall, which uses OpenVPN as their VPN solution.
10:09 < ThiefMaster> how do i get windows7 to identify my vpn? currently it's always "unidentified network" which also means it's always classified as a "public network"
10:19 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
10:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
10:23 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
10:23 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
10:29 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
10:30 -!- ThiefMaster [~thief@unaffiliated/thiefmaster] has quit []
10:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
10:34 -!- AltWalt [~AltWalt@unaffiliated/altwalt] has joined #openvpn
10:38 < AltWalt> I would like to create a openvpn server thats hosted on linux through vmware workstation. I do not want the vpn clients to access resources outside of the vpn. Is this unrealistic?
10:41 < kai_office> AltWalt: Ya, you can limit the VPN network to only see VPN traffic. You can limit it even more, by only allowing VPN Clients to see traffic between it and the VPN server (eliminating client-to-client traffic).
10:46 < AltWalt> kai_office: thank you
10:47 -!- michl [~mich@2001:6f8:1c60:7777:21a:4dff:fe66:600c] has joined #openvpn
10:52 <@vpnHelper> RSS Update - forum: Question about what OpenVPN on a DD-WRT router can do?
11:04 -!- cron2 [~gert@openvpn/community/developer/cron2] has quit [Ping timeout: 265 seconds]
11:06 -!- sporedi [~chatzilla@mail.utmxtm.com] has joined #openvpn
11:06 -!- cron2 [~gert@kirk.greenie.muc.de] has joined #openvpn
11:09 < reiffert> kai_office: dhcp request dont make it over a layer tunnel.
11:09 < reiffert> kai_office: they do when using bridged setup (layer 2). On linux you can block them with the help of ebtables (yeah, ebtables, not iptables).
11:10 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Ping timeout: 240 seconds]
11:10 < kai_office> reiffert: never heard of ebtables. Is it a replacement firewall for iptables, or can it be supplemental?
11:11 < reiffert> It's an additional stuff you need when using bridges (layer 2).
11:12 < reiffert> see here for info http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
11:12 <@vpnHelper> Title: ebtables/iptables interaction on a Linux-based bridge (at ebtables.sourceforge.net)
11:15 < reiffert> ecrist: how can I reset my password for the bot?
11:16 < reiffert> http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png :)
11:18 -!- cron2 [~gert@kirk.greenie.muc.de] has joined #openvpn
11:19 < reiffert> cron2: any idea how to reset the password for the vpnHelper bot?
11:24 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Changing host]
11:24 -!- cron2 [~gert@openvpn/community/developer/cron2] has joined #openvpn
11:26 -!- AltWalt [~AltWalt@unaffiliated/altwalt] has quit [Quit: leaving]
11:28 < kai_office> reiffert: thanks for pointing me at ebtables. I found something that sounds exactly what I want it to be: http://lists.netfilter.org/pipermail/netfilter/2005-February/058753.html
11:28 <@vpnHelper> Title: blocking dhcp on bridge (at lists.netfilter.org)
11:29 < kai_office> I'm not sure how to make sure how to match exactly their interfaces. They seem to have a private and public interface bridged, where I have a private interface and a VPN interface bridged.
11:29 < kai_office> If I want to block outbound DHCP to the VPN, it seems like I should just set "$PUB" to my tap device (ie: tap0). Does that sound right?
11:30 < reiffert> 50:50 chance to do it right in the beginning.
11:31 < kai_office> reiffert: I don't follow you, sorry. My goal is to simply eliminate the possibility of a machine on one side of the VPN does not see DHCP at all on the other side of the VPN.
11:31 < reiffert> note that there might be an output chain for ebtables as well.
11:31 < kai_office> In either direction.
11:31 < kai_office> reiffert: good point.
11:36 < reiffert> eliminate that a machine on one side does *NOT* see DHCP at all?
11:38 < kai_office> reiffert: I have two gateways running dhcpd. One is logged in via a bridge to the other, so that both LANs appear as a large extended LAN (layer 2 is important.) I want to ensure that each LAN set gets the most "local" gateway via DHCP.
11:39 < kai_office> So each dhcpd server should only serve DHCP to their "half" of the new expanded LAN
11:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:40 < reiffert> yeah.
11:41 < reiffert> I once used that setup as well. I switched it to routed setup a while back
11:41 < kai_office> Sounds like I should be blocking FORWARD on the bridge device (br0), and INPUT on the tap device (tap0). Does that sound right?
11:41 < reiffert> Apple can handle remote bonjour registration quite well
11:41 < kai_office> reiffert: Ya, we don't care much for routed, we're only interested in the layer2 broadcasts, with the exception of DHCP :)
11:41 < reiffert> and those network neighbourhood bunnies are a minority in that case
11:42 < reiffert> kai_office: depends on if you have additional road warriors that need an address from your dhcp server.
11:42 < kai_office> I think the road warriors only need the IP they get from OpenVPN.
11:43 < kai_office> The road warriors are not as important as everybody else :) There's only going to be one or two anyway, and they could be routed, and nobody will care :)
11:46 < reiffert> I switched to exactly the opposite.
11:46 < kai_office> reiffert: lol
11:47 < reiffert> Those people who need to access computers on the other side will have to use \\ip.add.ree.ss or \\the-computer-name
11:47 < reiffert> there is *no* other reason to have bridged setup ... just those managers who doesnt understand computers.
11:47 < kai_office> reiffert: we are mostly a Linux shop, so between ssh tunnels and port forwarding, a routed VPN provides very little.
11:48 < reiffert> wheres the broadcast deal then?
11:49 < kai_office> We want UPnP devices to appear on each other's networks :)
11:49 < kai_office> Which is working great, btw.
11:49 < reiffert> use avahi then.
11:52 < kai_office> reiffert: I haven't been able to figure out how to get any UPnP client to use a routed network to reach or see the UPnP server. Will avahi need to run on the UPnP server or UPnP client?
11:53 < reiffert> it will have to run on your gateways
11:53 < reiffert> doing the announcements
11:53 < reiffert> the SSDP part.
11:54 < kai_office> interesting
11:54 < kai_office> I'll definitely look at that again. I didn't know avahi would plug that hole.
11:54 < kai_office> But, I'm one step away from having what I think I want with OpenVPN, if I can block those pesky DHCP packets.
11:55 < reiffert> e.g. the avahi running on site A will announce those services that live on site B
11:56 < kai_office> reiffert: And then with a routed network, UPnP clients at site B will be able to uni-cast to the UPnP server at site A. Is that all that's required then? Routed OpenVPN + Avahi (for SSDP) ?
11:57 < reiffert> jup
12:02 < kai_office> reiffert: cool
12:04 -!- dazo is now known as dazo_afk
12:04 < reiffert> note that is a feature in avahi, preventing forwarding loops
12:04 < reiffert> s,feature,bug,
12:04 < reiffert> so you will have to announce the services in proxy mode
12:04 < reiffert> working just fine.
12:09 < kai_office> reiffert: Ok, I'll look into that if openVPN bridging + ebtables for DHCP blocking turns into a nightmare. Right now, it looks like it'll do exactly what I want it to do.
12:09 < reiffert> I kept it like your way for over one year.
12:22 < kai_office> reiffert: so what made you change it?
12:30 -!- s7r [~s7r@66.90.75.115] has joined #openvpn
12:32 -!- Cephalon_ [~Cephalon_@eshf72.static.otenet.gr] has joined #openvpn
12:32 < Cephalon_> !welcome
12:32 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:32 < Cephalon_> !goal
12:32 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:34 < Cephalon_> hello ppl, i have a question, does anyone knows how to do openvpn bonding with two or more vpn connections ??
12:39 -!- michl [~mich@2001:6f8:1c60:7777:21a:4dff:fe66:600c] has quit [Quit: Verlassend]
12:49 <@vpnHelper> RSS Update - forum: Check my config files please || openvpn bonding
12:54 * ecrist is closing paypal account.
12:54 <@vpnHelper> RSS Update - forum: Linux client stall at Initialization Sequence Completed
13:02 -!- lkeijser [~leon@fedora/lkeijser] has joined #openvpn
13:03 < lkeijser> hi, is there a way to keep track who was connected for which period of time?
13:04 < Cephalon_> lkeijser you can enable logs on server
13:05 < lkeijser> Cephalon_: true, and i could probably do some grepping to make an entire "user X was connected for Y hours this month" but i was hoping for a more elegant method
13:06 < Cephalon_> that's the only way i know ;)
13:06 < lkeijser> like for example. if i can have openvpn trigger every time a user (dis)connects, i can log this in a database
13:06 < lkeijser> yeah i was afraid of that :)
13:06 < Cephalon_> if someone knows something different you ll be lucky ;)
13:06 < krzie> sure, you can have it trigger
13:06 < krzie> --client-connect and --client-disconnect
13:06 < krzie> !script
13:06 <@vpnHelper> "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
13:07 < lkeijser> krzie: oh nice, let's have a look, thanks
13:07 < Cephalon_> nice option krzie, i didn't know about that...thanx ;)
13:08 < krzie> np
13:09 < hyper_ch> hi krzie
13:09 < krzie> hey hyper_ch
13:09 < hyper_ch> congrats
13:09 < krzie> thanx!
13:09 < hyper_ch> been meaning to work on it but Minecraft interfered
13:09 < krzie> i ended up using bash as a cgi, works great
13:11 -!- maxJadi [~maxJadi@h192n3-g-kt-d1.ias.bredband.telia.com] has quit [Quit: Leaving]
13:16 < hyper_ch> krzie: how's your hotmail account?
13:16 < krzie> hotmail?
13:17 < reiffert> krzie: how can I reset my vpnHelper password?
13:17 < krzie> ild guess it expired around the time microsoft bought it, lol
13:17 < reiffert> my password was bought by microsof? Uh Oh!
13:17 < reiffert> ecrist: why closing paypal?
13:18 < hyper_ch> paypal is evil
13:18 < reiffert> ecrist: how can I reset my vpnHelper password?
13:18 < krzie> reiffert, i didnt even know you had a password on vpnHelper
13:19 -!- sia is now known as sia^pwnnt
13:19 < reiffert> krzie: ecrist told me that I'm supposed to have the other day
13:19 < reiffert> however.
13:19 < krzie> lemme take a look
13:19 < reiffert> !learn ebtables as http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
13:19 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:19 < reiffert> just tell him that, no need for a password then.
13:19 < reiffert> !ebtales
13:19 < reiffert> !ebtables
13:20 < reiffert> !factoids search --values ebtables
13:20 <@vpnHelper> "bridge-fw" is in bridging mode you could still have a firewall handle who'sdoing what. On linux it's ebtables and reiffert says it's working great.
13:20 < krzie> ahh you do
13:20 < krzie> never end a factoid with a link
13:20 < reiffert> whats my password, something like one two three?
13:20 < krzie> it appends , when you add another
13:21 < krzie> hold on a minute, im working on that, lol
13:21 < krzie> (ive never had to reset a password on it)
13:21 < reiffert> just teach vpnHelper.
13:21 < reiffert> that ebtables thing. you can stop searching that password stuff then
13:22 < krzie> ok, change it to not end with a link
13:22 < reiffert> !learn ebtables as http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png period
13:22 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:23 < krzie> message me a new password 13:23 < krzie> meh, that factoid sucks tho 13:23 -!- sporedi [~chatzilla@mail.utmxtm.com] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]] 13:23 < krzie> you should actually say something, lol 13:23 < reiffert> something 13:24 < reiffert> !learn ebtables To get some fascinating howtos point your browsers to http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png and be sure to read that fucking stuff. 13:24 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 13:24 < krzie> ya thats hella motivating me to making it so you can add factoids... 13:25 < reiffert> just use copy and waste 13:25 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has joined #openvpn 13:26 < reiffert> !learn ebtables To get some fascinating howtos point your browsers to http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png and bla bla bla 13:26 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 13:26 < krzie> ok, im gunna go take a shower instead 13:26 < reiffert> sigh. 13:26 < reiffert> those links are great. 13:26 < reiffert> !learn ebtables To get some fascinating howtos point your browsers to http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png annever end factoids with a link because krzie says so. 13:26 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. 
The 'whoami' command can tell you if you're identified. 13:26 < krzie> so i have to read them so i can say what they are in a semi-intelligent factoid? 13:27 -!- CharlieSu [~CharlieSu@ec2-174-129-218-86.compute-1.amazonaws.com] has joined #openvpn 13:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds] 13:28 < reiffert> !learn ebtables as Linux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 works in linux and how to use ebtables. 13:28 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 13:28 < krzie> yay 13:28 < krzie> !learn ebtables as Linux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 works in linux and how to use ebtables 13:28 <@vpnHelper> Joo got it. 13:28 < krzie> that wasnt so hard was it? 13:28 < reiffert> you skipped the last period. 13:29 < CharlieSu> I'm trying to get a openVPN server running that allows multiple nodes to connect to it. The following works for a single host (openvpn --proto tcp-server --port 80 --dev tun1 --secret ovpn.key --ifconfig 10.4.0.1 10.4.2.1) but I want to do multiple hosts like this. (openvpn --proto tcp-server --port 80 --dev tun1 --secret ovpn.key --ifconfig 10.4.0.1 10.4.2.0/24) What am I doing wrong? 13:29 < krzie> if we add a second one it will add a comma 13:29 < reiffert> !bridge-fw 13:29 <@vpnHelper> "bridge-fw" is in bridging mode you could still have a firewall handle who'sdoing what. On linux it's ebtables and reiffert says it's working great. 
13:29 < reiffert> !learn bridge-fw as see !ebtables 13:29 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 13:29 < krzie> !learn bridge-fw as [ebtables] 13:29 <@vpnHelper> Joo got it. 13:29 < reiffert> !bridge-fw 13:29 <@vpnHelper> "bridge-fw" is (#1) in bridging mode you could still have a firewall handle who'sdoing what. On linux it's ebtables and reiffert says it's working great., or (#2) "ebtables" is Linux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 works in 13:29 <@vpnHelper> linux and how to use ebtables 13:30 < krzie> meh 13:30 < reiffert> see, there is ".," 13:30 < krzie> !forget bridge-fw 1 13:30 <@vpnHelper> Joo got it. 13:30 < krzie> not any more 13:30 < reiffert> mhm there you 13:30 < reiffert> !bridge-fw 13:30 <@vpnHelper> "bridge-fw" is "ebtables" is Linux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 works in linux and how to use ebtables 13:30 < krzie> CharlieSu, you need --server 13:30 < reiffert> can I get my beer now, krzie? 13:31 < krzie> reiffert, ill never stop a man from getting his beer 13:31 < CharlieSu> krzie: ok.. i'll look at that switch.. nothing else? 13:31 < reiffert> thanks pa 13:32 < reiffert> CharlieSu: take a look at the official howto, it comes with sample configs/ 13:32 < krzie> !howto 13:32 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 13:32 < krzie> !sample 13:32 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting 13:33 < krzie> !man 13:33 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 13:34 < CharlieSu> reiffert: ok. 13:38 -!- lkeijser [~leon@fedora/lkeijser] has quit [Quit: Leaving] 13:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 13:50 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn 13:51 < ecrist> !ebtables 13:51 <@vpnHelper> "ebtables" is Linux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 works in linux and how to use ebtables 13:51 -!- Kottizen [kottizen@unaffiliated/icanhasfreenode] has joined #openvpn 13:51 < Kottizen> what is the difference between the community vpn and the other? 13:51 < ecrist> reiffert: because paypal has decided to start holding my funds for 21 days upon receipt 13:52 < reiffert> !factoids search as 13:52 <@vpnHelper> 'ask', 'winpass', 'pastebin', '2.1-winpass-script', 'easy-rsa-unix', 'broadcast-relay', 'authpass', 'paste', 'nopaste', 'password-only', 'bcast', 'AS', and 'basic' 13:52 < ecrist> for no reason what so ever. 13:52 < reiffert> !AS 13:52 <@vpnHelper> "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. 
The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations 13:52 <@vpnHelper> options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support 13:52 < ecrist> they claim I don't have enough payment receipt history, so this is a safe guard. 13:52 < reiffert> ecrist: uh. paypal sucks. 13:52 < Kottizen> I see 13:52 < ecrist> though, I've been a customer since ~2005 and haven't had a single disputed transaction, and I have a verified address, and I'm registered as a business 13:52 < Kottizen> is there any AS I can use without paying? five concurrent users 13:53 < ecrist> so, I'll use google payments or something else. 13:53 < reiffert> Kottizen: pleae use the links provided above. 13:54 < reiffert> ecrist: and does anyone accept google payments yet? 13:54 < ecrist> you can still pay with paypal as a CC processor. 13:54 < ecrist> you just have to click on the "I don't have an account" link. 13:54 < Kottizen> reiffert: yes, but that one isn't free 13:55 < ecrist> Kottizen: the coummunity/open source OpenVPN doesn't have a gui like AS does 13:55 < reiffert> Kottizen: 20:52 < Kottizen> is there any AS I can use without paying? -> No 13:55 < ecrist> but AS is built upon openvpn. 
13:55 < Kottizen> reiffert: ok thanks 13:55 < Kottizen> ecrist: thanks 13:59 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection] 14:03 -!- Cephalon [~Cephalon@ppp-94-64-44-159.home.otenet.gr] has joined #openvpn 14:17 -!- CSMan [~csman@unaffiliated/csman] has joined #openvpn 14:17 < CSMan> hi there 14:17 < CSMan> I have a problem keeping a connection alive 14:18 < dschuett> CSMan - What is your setup 14:18 < dschuett> ? 14:18 < CSMan> trying to connect from a vmware machine with NAT networking to an external VPN 14:18 < CSMan> it connects but the connection is reset after 60 seconds more or less 14:18 -!- secretary_linux [~bplunkert@unaffiliated/secretary-linux/x-6720546] has quit [Ping timeout: 276 seconds] 14:19 -!- art0rius [~art0rius@mail.botetourtva.us] has joined #openvpn 14:20 < art0rius> hello all 14:20 < CSMan> any hints? 14:21 < art0rius> !goal I have openvpn running on a server, and it's doing fine. I had set up another server configuration file, and my openvpn server starts them both, but it starts my second one twice (I have two separate PID's for the second config file). Any reason why that happens? This is on a CentOS 5.5 server using 2.1.4 14:21 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]] 14:24 -!- secretary_linux [~bplunkert@unaffiliated/secretary-linux/x-6720546] has joined #openvpn 14:25 < krzee> art0rius, is it using priv seperation? 
14:25 < krzee> ie, --user and --group 14:25 < art0rius> hmm, hang on, I'll check, I know that I have the config set up to authenticate through PAM, whereas my original server.conf file isn't using that 14:26 < art0rius> krzee, nope, the daemons aren't running with that 14:27 < krzee> ps auxwww|grep vpn 14:27 < krzee> and pastebin the server config without comments 14:28 < art0rius> actually, in my server config, I do have the service being downgraded to user nobody and group nobody after it is started, this is in both config files 14:28 < krzee> !-- 14:28 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file. 14:28 < krzee> when i asked about --user, thats what i was asking 14:28 < art0rius> sorry, that's not showing up in my ps output, but it is in both server config files 14:28 < krzee> thats why theres 2 procs, it needs root to add ifconfig and routes when each client connects 14:29 < art0rius> so should I not have the daemon downgrade set in my second config file then? since the first config file is already doing that? 14:30 < krzee> no no, its fine 14:30 < krzee> you just shouldnt worry about the extra process ;) 14:31 < art0rius> gotcha, I see nobody as the owner of one of the processes, and root as the other for the second config file, whereas the first one just has nobody running it, that makes sense 14:32 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds] 14:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm] 14:41 < secretary_linux> typically speaking, restarting the openvpn service will not interrupt service to current connections, right? 
looks like the ubuntu script at least just kills the pid listed in the pidfile and no killalls - but I need to be sure I'm not going to disconenct anyone (assuming the service does come back up ok) 14:45 < CharlieSu> Anyone setup OVPN on Ec2 before? I'm trying on a Ubuntu instance and anytime I add a bridge interface and bring it up my instance goes dark. No more network connectivity. Any ideas? This is the config I'm adding. https://gist.github.com/e9ed7188be1d1ee04f16 14:45 <@vpnHelper> Title: gist: e9ed7188be1d1ee04f16 - GitHub (at gist.github.com) 14:47 < dschuett> CharlieSu: have you tried using routed instead of bridged? 14:47 < CharlieSu> dschuett: I haven't. What are the benefits? 14:48 < dschuett> CharlieSu: follow this guide line by line and you will have a fully working vpn: http://library.linode.com/networking/openvpn/ubuntu-10.04-lucid 14:48 <@vpnHelper> Title: Deploy VPN Services with OpenVPN - Secure Communications with OpenVPN on Ubuntu 10.04 (Lucid) - Linode Library (at library.linode.com) 14:48 < Kottizen> someone who is good with pptp? 14:48 < CharlieSu> dschuett: does it care that it is ec2? 14:48 < krzee> !pptp 14:48 <@vpnHelper> "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read 14:48 <@vpnHelper> about why to not use pptp 14:49 < dschuett> CharlieSu- Shouldn't matter 14:54 < CharlieSu> krzee: is PPTP tied to bridged or routed? Can I use SSL based without a bridged network? 14:54 < krzee> pptp is unrelated to openvpn whatsoever 14:55 < krzee> !notcompat 14:55 <@vpnHelper> "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... 
openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn 14:56 -!- cron2 [~gert@openvpn/community/developer/cron2] has quit [Ping timeout: 255 seconds] 14:58 -!- cron2 [~gert@kirk.greenie.muc.de] has joined #openvpn 15:02 < Bushmills> CharlieSu: "Can I use SSL based without a bridged network?" - yes. openvpn (ssl based) can be used in a routed setup 15:02 < reiffert> Bushmills: "Cn I onw?" - yes. openvpn .. two!? 15:03 < reiffert> that sofa is too small. 15:03 < reiffert> Bushmills: "Can I one?" - yes. openvpn .. two!? 15:04 < Bushmills> first question was answered by krzee already. i assume the second question doesn't relate to the first. 15:04 < Bushmills> after all, he asked for "ssl based", not for "pptp" 15:12 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds] 15:13 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Changing host] 15:13 -!- cron2 [~gert@openvpn/community/developer/cron2] has joined #openvpn 15:15 < krzee> time for me to figure out getting openvpn onto an HTC evo running android 15:15 * krzee heads to the xda forums 15:16 < hyper_ch> krzee: I started testing a super complicated linux distro :) 15:18 -!- sia^pwnnt is now known as sia 15:21 -!- johnpatcher [~johnpatch@dslb-088-064-225-199.pools.arcor-ip.net] has joined #openvpn 15:22 < johnpatcher> Hi, I've got some issues with a bridged mode vpn. I can successfully connect to the server, but can't reach any client with a simple ping. Any clue what this could be? Do I need to push any routes in bridged mode? 15:23 -!- johnpatcher [~johnpatch@dslb-088-064-225-199.pools.arcor-ip.net] has quit [Client Quit] 15:23 -!- johnpatcher [~johnpatch@dslb-088-064-225-199.pools.arcor-ip.net] has joined #openvpn 15:26 < secretary_linux> johnpatcher: have you checked your firewalls? 
15:28 -!- dschuett [~dschuett@216.229.21.250] has left #openvpn [] 15:30 -!- johnpatcher [~johnpatch@dslb-088-064-225-199.pools.arcor-ip.net] has quit [Ping timeout: 246 seconds] 15:30 -!- johnpatcher565 [~johnpatch@dslb-088-064-225-199.pools.arcor-ip.net] has joined #openvpn 15:30 < johnpatcher565> well, i opened up udp port 1194. the openvpn server runs directly on the router. so do i have to check anything else? the connection itself can be established ... 15:32 < secretary_linux> johnpatcher565: seems you may want to make sure the clients don't have firewalls blocking data too 15:32 < johnpatcher565> nope, no firewalls on the clients 15:32 < johnpatcher565> i can't even ping the router itself with its internal ip 15:34 < secretary_linux> johnpatcher565: are you trying to ping the clients from the router or from a machine behind the router? 15:34 < krzee> hyper_ch, what distro? 15:34 < johnpatcher565> I tried to ping machines behind the router, and the router itself from my vpn client, which is, according to the gui, connected successfully 15:34 < hyper_ch> krzee: NixOS 15:35 < krzee> johnpatcher565, why are you using a bridge...? 15:35 < secretary_linux> johnpatcher565: well if you've only opened udp port 1194 on the router, your clients will won't be able to ICMP ping it. you should try pinging the addresses assigned by server to client machines, from the router machine itself 15:36 < secretary_linux> will = still 15:36 < johnpatcher565> secretary_linux: w8, I'm not that fast ;). So I should try to ping the vpn client from the router? 
15:37 < hyper_ch> krzee: it's a lot different from confy distros like debian/*buntu/fedora/suse 15:39 -!- johnpatcher [~johnpatch@dslb-088-064-225-199.pools.arcor-ip.net] has joined #openvpn 15:39 -!- johnpatcher565 [~johnpatch@dslb-088-064-225-199.pools.arcor-ip.net] has quit [Quit: http://irc2go.com/] 15:45 < johnpatcher> well, i even can't reach the client from the router with a simple ping :( 15:47 < CSMan> openvpn client in vmware w/windows to remote server anybody? 15:47 < CSMan> i keep getting sigusr1 15:50 < krzee> hyper_ch, how ya liking it 15:50 < hyper_ch> it's intersting 15:50 < krzee> johnpatcher, why are you even using a bridge 15:50 < hyper_ch> I like the part about the build from config 15:50 < hyper_ch> so that you can revert anytime to a previous built config 15:52 -!- johnpatcher [~johnpatch@dslb-088-064-225-199.pools.arcor-ip.net] has quit [Ping timeout: 260 seconds] 15:52 < krzee> cool 15:54 -!- s7r [~s7r@66.90.75.115] has left #openvpn [] 15:56 -!- CSMan [~csman@unaffiliated/csman] has left #openvpn [] 15:57 < art0rius> erg, having TLS issues 15:57 < art0rius> I've got two server configs running on the same server, and the main one works fine 15:58 < art0rius> however, my second one keeps giving me TLS-Error messages, such as "fatal tls error check_tls_errors_co restarting" 15:58 < art0rius> I'm using the same ca.crt file between both client configs, so I know my ca.crt file isn't corrupt 15:58 < art0rius> since the one client config connects and routes just fine 15:59 < hyper_ch> krzee: if you're bored, have a look at it 15:59 < krzee> hyper_ch, ild have to be pretty bored... im not much into linux 15:59 < hyper_ch> maybe it will change you 16:00 < krzee> did they make the hier closer to freebsd? do they use gentoo's emerge? 16:00 < krzee> gentoo emerge is the only linux package manager that doesnt annoy me 16:00 < reiffert> :( 16:01 < krzee> portage, whatever its called 16:01 < reiffert> it's the most annoying thing out there. 
16:02 < krzee> !? the most annoying is rpms and especially whatever that lamesauce package manager that redhat uses, followed closely by pkg_add and synaptic 16:02 < krzee> my favorite is freebsd ports followed by gentoo's simply because its an attempt to be ports ;) 16:03 < krzee> hell i prefer osX macports to that redhat nastiness (wth is that called again!?) 16:03 < reiffert> I hate macports, ports and emerge. It just never happens to *just work* when I try to compile things. 16:04 < reiffert> then I start fixing stuff and stuff and stuff, getting somewhat closer to the package I was trying to install intentionally 16:04 < reiffert> and then I utterly fail for fixing this particular package I'm after for hours. 16:04 < reiffert> I just hate it. 16:04 < krzee> dunno what you've had problems with, but ive been using it for years and very very rarely have any issue 16:05 < art0rius> here's my pastebin of my server configuration file that's giving me grief: http://pastebin.com/8PMW19Cp 16:05 < reiffert> My last macports attempt made me fix 50 packages within 3 months, gaining maintainer status for things getting faster 16:05 < art0rius> the thing that I wonder about is the duplicate-cn part, 16:06 < krzee> art0rius, pastebin both of them, and the logs from both sides of the failure 16:06 < art0rius> krzee, you want both servers or just the server and client? 16:07 < krzee> both servers 16:07 < krzee> and the client that fails 16:07 < krzee> and logs from server and client that fail 16:07 * Bushmills remembers krzee downloadng and installing 2 GiB of files to install a 500 k program :) 16:07 < reiffert> krzee: we might share thoughts about rpm, for sure. I cant even say anything bad about fbsd ports that *just work* (more often) ;) 16:08 < reiffert> Bushmills: did it "just work"? 16:08 < Bushmills> i think it took about a week 16:09 < krzee> Bushmills, yes... 
xcode 16:09 < krzee> reiffert, yep, just worked 16:09 < krzee> took awhile to download tho cause i was grabbing over a satellite connection ;) 16:10 < krzee> but i do agree that macports is far from perfect 16:10 < krzee> its freebsd ports that is my favorite 16:11 < art0rius> i just uploaded the server one a moment ago that's causing me issues, here's the client for that connection (this is the log output): www.pastebin.com/skLw95n7 16:11 < art0rius> I'll get the config up in a moment for the client 16:12 < art0rius> www.pastebin.com/mkKv52k2 is the client config 16:15 < reiffert> krzee: tried debian yet? 16:16 < art0rius> here's my log portion from the server: http://pastebin.com/F0Jj8wTG 16:17 < reiffert> http://213.251.145.96/cable/1990/07/90BAGHDAD4237.html 16:18 -!- Kottizen [kottizen@unaffiliated/icanhasfreenode] has left #openvpn [] 16:19 -!- caesay [~caesay@unvanquished/associate/sniperx] has quit [Read error: Operation timed out] 16:19 -!- caesay [~caesay@173.236.15.70] has joined #openvpn 16:19 -!- renihs [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has quit [Read error: Operation timed out] 16:20 -!- markus__ [~markus@c83-250-36-93.bredband.comhem.se] has quit [Read error: Operation timed out] 16:20 -!- caesay is now known as Guest66737 16:20 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 276 seconds] 16:20 -!- renihs [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined #openvpn 16:20 -!- markus__ [~markus@c83-250-36-93.bredband.comhem.se] has joined #openvpn 16:22 < art0rius> krzee: any thoughts? 
I've been scouring google for an answer, but it's a common issue with a lot of possible causes 16:23 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 240 seconds] 16:23 -!- common [~common@p5DDA4794.dip0.t-ipconnect.de] has quit [Read error: Operation timed out] 16:23 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn 16:23 < hyper_ch> krzee: it's better than portage 16:24 -!- common [~common@p5DDA4794.dip0.t-ipconnect.de] has joined #openvpn 16:26 < krzee> reiffert, yep, in fact i have a debian virtual machine on the laptop 16:26 < krzee> personally, i prefer gentoo over the other linii 16:27 < krzee> yay just rooted the htc evo 16:29 < krzee> art0rius, a couple of those pastebins already expired 16:29 < krzee> so i never got to see themn 16:32 < art0rius> shoot 16:32 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn 16:33 < art0rius> here's the server log again: http://pastebin.com/TUeeLQPj 16:34 < art0rius> the server config: http://pastebin.com/6eN2vuJp 16:35 -!- Cain` [~Geek@41.141.252.98] has joined #openvpn 16:35 -!- Cain` [~Geek@41.141.252.98] has quit [Changing host] 16:35 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn 16:35 < art0rius> the client-config: http://pastebin.com/VuH0N5RY 16:36 -!- ping_pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn 16:36 -!- Clete2_ [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn 16:36 -!- Bushmills1 [~l@scarydevilmonastery.net] has joined #openvpn 16:36 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Disconnected by services] 16:36 < art0rius> the client log: http://pastebin.com/nv9BxUMr 16:36 -!- Netsplit *.net <-> *.split quits: kai_office, Apachez, ping-pong, gdb```, Clete2 16:36 -!- Clete2_ is now known as Clete2 16:37 -!- Cain [~Geek@unaffiliated/cain] has quit [Read error: Operation timed out] 16:37 -!- Netsplit over, joins: kai_office 16:37 -!- Bushmills1 is now known as Bushmills 16:37 -!- Cain` is now known as Cain 16:42 -!- gdb``` 
[~user@2001:4830:2446:b5:214:4fff:fe4a:f0] has joined #openvpn 16:42 -!- Apachez [~apachez@unaffiliated/apachez] has joined #openvpn 16:49 < art0rius> krzee: I'm out, I'll take another stab at this tomorrow. 16:51 -!- art0rius [~art0rius@mail.botetourtva.us] has quit [Quit: Nothing to see here, move along] 16:57 -!- lbakalinsky [~levisbaka@99-50-83-21.lightspeed.lsanca.sbcglobal.net] has joined #openvpn 16:57 < lbakalinsky> Hi does openvpn access server have its own channel? 17:01 < krzee> no, it has a support forum 17:01 < krzee> !AS 17:01 <@vpnHelper> "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations 17:01 <@vpnHelper> options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support 17:01 < krzee> #4 17:01 < krzee> #4 17:05 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn 17:06 < lbakalinsky> openvpn_as has a support forum, where? 17:07 < lbakalinsky> I know that openVPN community has a support forum. 
17:07 < lbakalinsky> It's just that we use AS 17:07 < lbakalinsky> join /#moodle 17:08 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn 17:08 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host] 17:08 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 17:12 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So 17:15 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has joined #openvpn 17:15 -!- lbakalinsky [~levisbaka@99-50-83-21.lightspeed.lsanca.sbcglobal.net] has quit [Quit: Leaving] 17:23 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer] 17:23 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 17:24 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn 17:26 -!- Guest66737 is now known as caesay 17:26 -!- caesay [~caesay@173.236.15.70] has quit [Changing host] 17:26 -!- caesay [~caesay@unvanquished/associate/sniperx] has joined #openvpn 17:32 -!- nb [~nb@fedora/nb] has quit [Ping timeout: 272 seconds] 17:35 -!- Malard|Home [~ident@xbmc/staff/malard] has quit [Read error: Connection reset by peer] 17:35 -!- Malard [~ident@xbmc/staff/malard] has quit [Read error: Connection reset by peer] 17:36 -!- Malard [ident@xbmc/staff/malard] has joined #openvpn 17:36 -!- Malard|Home [~ident@xbmc/staff/malard] has joined #openvpn 17:37 -!- Guest93089 is now known as Martin 17:38 -!- Martin is now known as Guest47835 17:40 -!- nb [~nb@fedora/nb] has joined #openvpn 17:40 -!- Malard [ident@xbmc/staff/malard] has quit [Ping timeout: 246 seconds] 17:41 -!- Malard|Home [~ident@xbmc/staff/malard] has quit [Ping timeout: 240 seconds] 17:41 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn 17:41 -!- Malard|Home [~ident@hebe.travelrepublic.co.uk] has joined #openvpn 17:41 -!- Malard|Home [~ident@hebe.travelrepublic.co.uk] has quit [Changing host] 17:41 -!- Malard|Home 
[~ident@xbmc/staff/malard] has joined #openvpn 17:45 < wolfric> i did a openvpn something.conf. I can see it in the log files constantly retrying as it's failed. how can i cancel this? 17:46 < krzee> same way you cancel any running application in your OS 17:46 < krzee> in unix this would be the kill command... 17:46 < reiffert> mhm. 17:47 < reiffert> - or - disabling the service. 17:49 < reiffert> eg launchd on os x 17:52 -!- pyther24 [~pyther@unaffiliated/pyther] has joined #openvpn 17:52 < pyther24> Hello 17:53 < pyther24> Does anyone have any suggestions on how to easily give users certs and a config file? 17:53 -!- pyther24 is now known as pyther 17:59 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving] 18:02 -!- star314 [~star314@starnet1.sinh.us] has joined #openvpn 18:10 < Bushmills> pyther: create a temporary ssh/scp account, let them download config+certs packed into an archive. delete user account after pack has been retrieved. 18:19 < reiffert> send by email in password protected zip file 18:19 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat] 18:28 <@vpnHelper> RSS Update - forum: Question about what OpenVPN on a DD-WRT router can do? 
18:31 < pyther> Bushmills: my users aren't that smart :P 18:38 < krzee> !win_rollup 18:38 <@vpnHelper> "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn 18:39 -!- cron2 [~gert@openvpn/community/developer/cron2] has quit [Ping timeout: 240 seconds] 18:39 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving] 18:47 -!- cron2_ [~gert@kirk.greenie.muc.de] has joined #openvpn 18:51 -!- cron2_ [~gert@kirk.greenie.muc.de] has quit [Ping timeout: 240 seconds] 18:52 -!- cron2_ [~gert@kirk.greenie.muc.de] has joined #openvpn 18:56 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 19:03 -!- cron2_ [~gert@kirk.greenie.muc.de] has quit [Ping timeout: 264 seconds] 19:17 -!- cron2_ [~gert@kirk.greenie.muc.de] has joined #openvpn 19:26 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 276 seconds] 19:28 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 19:30 -!- secretary_linux [~bplunkert@unaffiliated/secretary-linux/x-6720546] has quit [Ping timeout: 255 seconds] 19:31 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn 19:31 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has quit [Changing host] 19:31 -!- secretary_linux [~bplunkert@unaffiliated/secretary-linux/x-6720546] has joined #openvpn 19:39 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Quit: Leaving.] 
19:50 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer] 19:51 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 19:51 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Client Quit] 20:02 < Bushmills> pyther: mine still manage to drag a file with mouse to local machine 20:05 -!- WinstonSmith [~true@g231228010.adsl.alicedsl.de] has joined #openvpn 20:06 < pyther> Bushmills: yah I was just trynig to make it easier for them instead of having to navigate to C:\program files\openvpn\config 20:08 < Bushmills> i forgot who once said: "make something that even an idiot can use, and only idiots will use it" 20:09 < pyther> Bushmills: well it boils down too... if I don't give them a click here and press extract thing, I'll be getting called up to help them at home :-/ 20:09 -!- WinstonSmith_ [~true@f052097036.adsl.alicedsl.de] has joined #openvpn 20:09 -!- WinstonSmith [~true@g231228010.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 20:11 < Bushmills> contrary to the experience many others had (or say they had), I found that ordinary users are actually able to learn. it also boosts their self esteem. 
20:24 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 250 seconds] 20:44 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn 21:06 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn 21:06 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host] 21:06 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 21:35 < krzee> pyther, 21:35 < krzee> !win_rollup 21:35 <@vpnHelper> "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn 21:35 < krzee> bbl 21:38 -!- WinstonSmith_ is now known as WinstonSmith 21:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn 21:48 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 276 seconds] 22:17 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has left #openvpn [] 22:21 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined #openvpn 22:30 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has quit [Ping timeout: 265 seconds] 22:53 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection] 23:10 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds] 23:19 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving] --- Day changed Tue Jan 04 2011 00:17 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 00:34 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection] 01:21 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn 01:21 -!- mode/#openvpn [+o mattock] by ChanServ 01:32 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]] 01:42 < krzie> heh openvpn on android is a PITA 02:04 -!- krzie [~k@openvpn/community/support/krzee] has quit [Read error: Connection 
reset by peer] 02:06 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn 02:08 -!- idle-boy [~idle-boy@nat/yahoo/x-ikvfubrpwgkyivuo] has joined #openvpn 02:18 < hyper_ch> krzee: I've heard you're a sed guru :) 02:21 -!- WinstonSmith [~true@f052097036.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 02:31 < krzie> wouldnt say guru, but i use it 02:31 < krzie> if i can help, i will 02:33 -!- WinstonSmith [~true@g231243252.adsl.alicedsl.de] has joined #openvpn 02:34 < krzie> grr im so close to working openvpn on android 02:34 < hyper_ch> krzie: how do you replace the first occurrence only in a file and that occurrence is even two "''" with sed? 02:35 < krzie> gimme example? 02:35 < krzie> of input and desired output 02:37 < hyper_ch> $webroot = ''; $fileroot = ''; 02:38 < hyper_ch> no, I would like to replace the webroot var with a string and then the fileroot var --> $webroot = '/var/www/some/dir'; $fileroot = '/data/home/'; 02:39 < krzie> and not every occurrence, only the one where it assigns to them 02:40 < krzie> and you dont wanna do this manually because its many files 02:40 < krzie> am i right?
02:40 < hyper_ch> Just the first occurrence of '' should be replaced 02:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 02:41 < hyper_ch> with the next sed rule I can then replace the second occurrence 02:41 < hyper_ch> don't bang your head on it 02:42 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has joined #openvpn 02:44 < krzie> ok my way is super ugly, and not the best way 02:44 -!- Netsplit *.net <-> *.split quits: openvpn2009, derekv, Antarez, chuckf, grishnav, daemon, kai_office, nb_, jhelwig, _zero_, (+20 more, use /NETSPLIT to show all of them) 02:44 -!- Netsplit *.net <-> *.split quits: Typone, Bushmills, master_of_master, Guest47835, krphop, Jarpse, Champi, idle-boy, kraut, ashes, (+7 more, use /NETSPLIT to show all of them) 02:44 < krzie> ill msg it 02:47 -!- Netsplit over, joins: freaky[t], ksk, Meliorator, oc80z, DarthGandalf, dictvm, daemon, Antarez, juhovh, jhelwig (+4 more) 02:47 -!- Netsplit over, joins: cron2_, kai_office, renihs, diphthong, grishnav, derekv, rot13, js_ 02:48 -!- Netsplit over, joins: idle-boy, Bushmills, master_of_master, kraut, belZe, ashes, pa, ScriptFanix, Champi, Jarpse (+3 more) 02:48 -!- Martin [martin@shell.ipv6.octocore.net] has joined #openvpn 02:48 -!- Netsplit over, joins: kisom, Typone, LeRrA 02:48 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds] 02:48 -!- Martin is now known as 14WAAFT4F 02:48 -!- Netsplit over, joins: common, openvpn2009, d457k, Malard|Home, sigius, chuckf 02:48 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn 02:48 -!- Netsplit over, joins: _zero_ 02:48 -!- mode/#openvpn [+o dazo] by ChanServ 02:49 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Write error: Broken pipe] 02:49 -!- dazo_ [~dazo@openvpn/community/developer/dazo] has joined #openvpn 02:49 -!- mode/#openvpn [+o dazo_] by ChanServ 02:49 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn 02:50 -!-
dazo_ is now known as dazo 02:56 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-ltqmlliavogkigsn] has left #openvpn [] 02:57 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Read error: Operation timed out] 03:02 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Read error: Connection timed out] 03:03 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn 03:03 -!- mode/#openvpn [+o dazo] by ChanServ 03:11 -!- Cephalon [~Cephalon@ppp-94-64-44-159.home.otenet.gr] has quit [Ping timeout: 240 seconds] 03:11 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn 03:11 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host] 03:11 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn 03:24 -!- Cephalon [~Cephalon@ppp-94-64-44-159.home.otenet.gr] has joined #openvpn 03:25 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 03:25 -!- 14WAAFT4F is now known as Martin 03:26 -!- Martin is now known as Guest93881 03:31 -!- Cephalon_ [~Cephalon_@eshf72.static.otenet.gr] has quit [Ping timeout: 255 seconds] 03:33 -!- Guest93881 is now known as Martin 03:33 -!- Martin is now known as Guest3082 03:36 -!- Cephalon_ [~Cephalon_@eshf72.static.otenet.gr] has joined #openvpn 03:50 -!- master_of_master [~master_of@p57B5775B.dip.t-dialin.net] has quit [Ping timeout: 260 seconds] 03:52 -!- master_of_master [~master_of@p57B5330F.dip.t-dialin.net] has joined #openvpn 04:02 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer] 04:04 <@vpnHelper> RSS Update - forum: Automatically put on alliases on tun interface || Firewall blocked https traffic 04:10 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 04:10 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn 04:10 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host] 04:10 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn 04:18 -!- 
macsppadic [~sonupunno@88.211.55.77] has joined #openvpn 04:18 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So 04:21 -!- cron2_ is now known as cron2 04:21 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Changing host] 04:21 -!- cron2 [~gert@openvpn/community/developer/cron2] has joined #openvpn 04:31 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Ping timeout: 264 seconds] 04:34 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic] 04:38 -!- common- [~common@p5DDA4786.dip0.t-ipconnect.de] has joined #openvpn 04:40 -!- common [~common@p5DDA4794.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds] 04:40 -!- common- is now known as common 05:04 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds] 05:11 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn 05:11 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host] 05:11 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn 05:18 -!- Cephalon_ [~Cephalon_@eshf72.static.otenet.gr] has quit [] 05:18 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn 05:30 -!- bauruine [~stefan@cust.static.46-14-244-193.swisscomdata.ch] has joined #openvpn 05:34 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has joined #openvpn 05:34 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has quit [Changing host] 05:34 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn 05:45 -!- takamichi [~pri@85.232.213.54] has quit [Ping timeout: 265 seconds] 05:46 -!- takamichi [~pri@194.126.175.219] has joined #openvpn 05:48 -!- krzie [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep] 06:16 -!- sporedi [~chatzilla@mail.utmxtm.com] has joined #openvpn 06:19 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 250 seconds] 06:20 -!- takamichi [~pri@85.232.213.54] has joined #openvpn 
06:45 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn 07:01 -!- sia is now known as sia^pwnnt 07:02 -!- sia^pwnnt is now known as sia 07:12 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn 07:25 -!- sporedi [~chatzilla@mail.utmxtm.com] has quit [Ping timeout: 240 seconds] 07:28 -!- art0rius [~art0rius@mail.botetourtva.us] has joined #openvpn 07:28 < art0rius> is there an openvpn users mailing list anymore that I can join? I found plenty of archives, but no info on how to subscribe to one 07:57 < ecrist> !list 07:57 < ecrist> !mailinglist 07:57 < ecrist> !maillist 07:57 < ecrist> oh, vpnHelper isn't here. 07:57 < ecrist> yes, there is a mailing list. 07:57 < ecrist> google "openvpn mailing list" 07:59 < art0rius> thanks, found it. 08:03 -!- WinstonSmith [~true@g231243252.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 08:08 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 246 seconds] 08:09 -!- tessier [~treed@mail.copilotco.com] has quit [Ping timeout: 255 seconds] 08:11 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn 08:31 -!- WinstonSmith [~true@g225027135.adsl.alicedsl.de] has joined #openvpn 08:32 -!- zmay [~zmay@89-212-225-234.dynamic.t-2.net] has joined #openvpn 08:44 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn 08:47 -!- sporedi [~chatzilla@mail.utmxtm.com] has joined #openvpn 08:47 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 240 seconds] 08:49 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn 09:03 -!- thomaschaaf [5b36fb7f@gateway/web/freenode/ip.91.54.251.127] has joined #openvpn 09:05 -!- nb [~nb@fedora/nb] has quit [Read error: Operation timed out] 09:05 -!- x-demon [xdemon@lex.io] has quit [Read error: Operation timed out] 09:07 < thomaschaaf> I'm having some trouble setting up openvpn :( I want to get this: http://dl.dropbox.com/u/5910/Jing/2011-01-03_2359.png going 09:09 < Rienzilla> if you insist on using 
the same ip range on both sides, use dev tap, and bridge the tap device with the dom0's lan interface on both dom0's 09:09 < thomaschaaf> I have a connection between the two Xen servers and can ping back and forth but just with the standard setup (10.8.0.0) I want to change the server to server 192.168.0.0 255.255.0.0 but it won't let me 09:10 < Rienzilla> if you want a routed vpn (dev tun), then do not use addresses in the same subnet 09:11 < thomaschaaf> okay so tap :) thanks 09:11 < ecrist> !tunortap 09:12 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn 09:12 -!- mode/#openvpn [+o vpnHelper] by ChanServ 09:12 < ecrist> !tunortap 09:12 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over 09:12 <@vpnHelper> the vpn, or (#4) lan gaming? use tap! 09:13 -!- nb [~nb@fedora/nb] has joined #openvpn 09:13 < Rienzilla> meh, I disagree 09:13 < thomaschaaf> I want to access the mysql from the hosted server in the office so I guess it's "gaming lan" :D 09:13 < Rienzilla> sure, tun is more efficient, but tap can be much much much more easier to set up 09:13 < Rienzilla> -more 09:14 < Rienzilla> not really 09:14 < thomaschaaf> I am open to both sides ;) 09:14 < Rienzilla> well 09:14 < thomaschaaf> I just want it to work in the end 09:14 < ecrist> thomaschaaf: you need routed, no reason for ethernet level vpn 09:14 < Rienzilla> if you use tun, you will have to use different ip ranges on both sides of the tunnel 09:15 < thomaschaaf> ecrist: routed? 09:15 < Rienzilla> routed == tun 09:15 < thomaschaaf> okay great so we have 2 saying tap and 2 saying tun?
09:15 < Rienzilla> well no 09:16 < Rienzilla> you are forgetting my if 09:16 < Rienzilla> IF you don't renumber, you cannot use tun 09:16 < Rienzilla> if you do renumber, you should use tun 09:16 < Rienzilla> the latter probably is a little more work, but more elegant and more efficient 09:17 < thomaschaaf> can I make it 192.168.3.* for the server? and have 192.168.0,1,2.* for office? 09:17 < Rienzilla> yes 09:18 < Rienzilla> (provided you use a 255.255.255.0 netmask, which you probably will) 09:18 < thomaschaaf> in the office we have 255.255.0.0 so that desktops (.0.*) can talk to servers(.1.*) 09:19 < thomaschaaf> I would want .3.* to be accessible from the desktops as well 09:19 < Rienzilla> *shiver* 09:20 < Rienzilla> if you use a routed solution, you will no longer have "one big network" 09:20 < Rienzilla> clients will send packets to the local lan directly to the lan, and packets for any other destination (including your hosted environment) to their default gateway 09:20 < ecrist> thomaschaaf: how many vpn clients are you going to have? 09:21 < Rienzilla> the default gateway will have to decide whether to send the packet out to the internet, or through the vpn 09:21 -!- x-demon [xdemon@lex.io] has joined #openvpn 09:21 < thomaschaaf> ecrist: I just want both virtual machine hosts to be connected through vpn 09:21 < zmay> same question here, i am just playing a bit with VPN, nothing serious, setting it up at home, should i use tap then?
09:21 < Rienzilla> (tbh, for a quick solution i'd recommend glueing them together with tap, reading a book about ip networking, and then adjust accordingly) 09:23 < ecrist> we tend to steer folks away from tap as it can cause serious issues if you're not careful, for example, if you're testing locally to the server 09:23 < Rienzilla> yes 09:23 < Rienzilla> it may induce all kind of evil packetloops :P 09:24 < zmay> so tun is the choice then 09:24 < Rienzilla> for most applications, tun is the best choice, yes 09:24 < thomaschaaf> so I think I need to read more about networking :( 09:24 < Rienzilla> thomaschaaf: absolutely 09:25 < thomaschaaf> Rienzilla: small startup founder and have to know everything :D what a great job it is 09:25 < Rienzilla> get some basic idea about ip routing. Then it will be fairly easy to set up 09:26 < thomaschaaf> so final work should be tun right? 09:26 < thomaschaaf> word 09:26 < thomaschaaf> or I should somehow get it to work with tun.. 09:26 < Rienzilla> how are your dom's connected to the net? 09:26 < Rienzilla> (to the public internet, I mean) 09:27 < Rienzilla> ...and are the dom0's the default gateway for the machines in the office and in the hosted environment? 09:28 < Rienzilla> If the answer to both is yes, setting up a routed openvpn is going to be fairly easy 09:28 < Rienzilla> uhm 09:28 < Rienzilla> to the latter 09:28 < Rienzilla> lol 09:29 < CharlieSu> How can I have my openVPN clients automatically handle a openVPN server restart? 
09:30 < thomaschaaf> some machines are directly connected to the internet and have two vifs (www server internal net and external net) others like mysql only have one vif which is connected to the internal net) 09:30 <@dazo> !topology 09:30 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc 09:30 <@dazo> !/30 09:30 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc 09:31 < Rienzilla> meh, then you need static routes on all those clients 09:31 <@dazo> Rienzilla: ^^ tun mode don't need to be complicated with separate /30 subnets ... use --topology subnet 09:31 <@dazo> Rienzilla: you need routes also with tap mode 09:32 < Rienzilla> the tun mode itself isn't complicated, but making sure that all machines on the net send their packets where they're supposed to go can be tricky 09:32 < Rienzilla> if you'd use 192.168/16 on both sides and let the dom0's bridge, you don't need routes 09:32 -!- bauruine [~stefan@cust.static.46-14-244-193.swisscomdata.ch] has quit [Read error: Connection reset by peer] 09:32 < sno> just spent a week trying to get a vpn client connection shared ^ :) finally working 09:32 * sno needs to learn more iptables 09:33 -!- bauruine [~stefan@cust.static.46-14-244-193.swisscomdata.ch] has joined #openvpn 09:33 <@dazo> Rienzilla: but you add a lot of overhead, sending broadcast traffic over the tunnel 09:33 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has joined #openvpn 09:33 < thomaschaaf> Rienzilla: am I not using 192.168/16 on both sides? 
09:33 <@dazo> + you get layer 2 headers in addition 09:34 <@dazo> thomaschaaf: I'm recommending tun mode as well, unless you explicitly need ethernet frames to be passed over the tunnel 09:34 < Rienzilla> dazo: I am aware of that. I'm just saying that in thomas's case it's gonna require much less effort to set up. (Which is something different from saying it's the best solution. A mercedes also takes longer to build than a crappy bicycle) 09:37 <@dazo> CharlieSu: have a look at --keepalive in the man page 09:38 < thomaschaaf> can someone recommend me something to read? 09:38 <@dazo> !route 09:39 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:39 <@dazo> thomaschaaf: ^^^ 09:39 <@dazo> and: 09:39 <@dazo> !howto 09:39 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:39 * Rienzilla generally wants to only make configuration changes on servers and routers. The thought of having to maintain static routes to some subnet via some vpn machine on all clients on both sides of the tunnel gives me severe headaches :-) 09:41 -!- _skrusty is now known as sdkrusty 09:41 -!- sdkrusty is now known as skrusty 09:41 <@dazo> Rienzilla: You do know about --push? 09:41 < Rienzilla> yes 09:42 < Rienzilla> I'm talking about the machines on the lan, that know nothing about openvpn 09:42 <@dazo> then what is this crap about static routes? you need routes no matter which solution you go for ... and --push "route " does the rest, centrally controlled from the server 09:43 <@dazo> they should just contact the default gateway ... which would know about the openvpn subnet 09:43 <@dazo> (subnets) 09:43 < Rienzilla> that's the problem 09:44 <@dazo> the only way to avoid routing tables ... is routing daemons ... 
or bridging networks, giving you the extra penalty of broadcast traffic over the VPN - which severely can impact the network performance 09:44 < Rienzilla> his machines have 2 interfaces. One public interface, and one for the office network. I'm not even sure he can control the routing on the default gateway of the machines, and I'm not even sure the vpn server is on that same network 09:45 <@dazo> in that little setup, there's no gain doing bridging then ... because you just need to have overview over less than a handful of subnets 09:45 < thomaschaaf> I'm gonna go offline for a bit.. can't think anymore :( 09:45 < thomaschaaf> thanks guys 09:46 < Rienzilla> np 09:50 < Rienzilla> There is also little harm in bridging, because the handful of clients will only generate very moderate broadcast traffic. Anyway, call me stupid, but I don't see anyone with zero experience in how routing works setting up the routes on their dsl modems and their openvpn servers in the correct way to make a vpn work properly. At least not in an hour or two. 09:50 -!- thomaschaaf [5b36fb7f@gateway/web/freenode/ip.91.54.251.127] has quit [Ping timeout: 265 seconds] 09:51 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 09:52 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So 09:52 <@dazo> Rienzilla: bridging is much more complex .... yes, it sounds darn easy ... but there are many pitfalls with bridging which are tricky to foresee for inexperienced users, hence we recommend tun mode primarily, and leave tap mode and bridging for more advanced users 09:52 < CharlieSu> dazo: thanks 09:53 <@dazo> Rienzilla: I'll say as Linus Torvalds says: "If you disagree with me, that's fine! I'll just call you stupid and ugly" ;-) 09:54 < CharlieSu> dazo: says keepalive is for server, not client.
09:54 < Rienzilla> haha :-) 09:54 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn 09:55 <@dazo> CharlieSu: it's for both ... in fact, it's a macro for --ping and --ping-restart .... so on the server, it will push --ping and --ping-restart values to the clients 09:55 < CharlieSu> dazo: gotcha.. thanks 09:55 < Rienzilla> yes, I have locked myself out of one of my networks due to XenServer discarding STP packets, resulting in a bridgeloop :) 09:55 <@dazo> CharlieSu: if used on the clients, it will just expand to --ping and --ping-restart directly 09:58 < Rienzilla> so the policy is 'advise tap to inexperienced users' for the same reason you don't let your ten your old play with a chainsaw :P 09:58 < Rienzilla> ten-year-old* 09:58 < Rienzilla> advise tun* 09:58 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Quit: No Ping reply in 180 seconds.] 09:58 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn 09:58 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host] 09:58 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn 10:00 <@dazo> Rienzilla: yeah, basically .... when they do get tun working, it's easier to understand what's happening and to take such a config up one more level is much easier ... and after all, if you do networking stuff and don't understand the basic routing practices, you shouldn't do networking and especially not VPN ... you need that knowledge to understand how things work anyway 10:00 <@dazo> no matter tun or tap ... you still need to understand routing 10:01 < Rienzilla> That's true. Unfortunately, a lot of the people who come for help here because it doesn't work lack that knowledge 10:02 <@dazo> yeah, that's true ... that's why I believe it's better to teach these guys the basics first ...
learn to walk before running 10:03 -!- takamichi [~pri@85.232.213.54] has quit [Remote host closed the connection] 10:06 < Rienzilla> haha I sometimes tend to give people duct tape to fix their cars :P 10:07 < Rienzilla> anyway 10:07 < Rienzilla> dinner time 10:07 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn 10:10 -!- takamichi [~pri@85.232.213.54] has joined #openvpn 10:14 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 10:16 < ecrist> a 10:16 -!- Irssi: #openvpn: Total of 130 nicks [3 ops, 0 halfops, 0 voices, 127 normal] 10:16 < ecrist> !factoids 10:16 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 10:16 -!- macsppadic is now known as plussppadic 10:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds] 10:21 -!- art0rius_ [~art0rius@mail.botetourtva.us] has joined #openvpn 10:24 -!- art0rius [~art0rius@mail.botetourtva.us] has quit [Ping timeout: 240 seconds] 10:27 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Ping timeout: 276 seconds] 10:27 -!- bauruine [~stefan@cust.static.46-14-244-193.swisscomdata.ch] has quit [Remote host closed the connection] 10:29 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn 10:29 -!- mode/#openvpn [+o vpnHelper] by ChanServ 10:29 <@vpnHelper> RSS Update - forum: Small issues with a working vpn tunnel 10:29 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn 10:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 10:31 -!- zmay [~zmay@89-212-225-234.dynamic.t-2.net] has quit [Remote host closed the connection] 10:47 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Ping timeout: 250 seconds] 10:47 -!- corretico [~corretico@201.201.44.82] has joined #openvpn 10:48 -!- WinstonSmith [~true@g225027135.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 10:48 -!- jfkw 
[~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn 10:49 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn 10:49 -!- mode/#openvpn [+o vpnHelper] by ChanServ 10:50 -!- WinstonSmith [~true@g231243252.adsl.alicedsl.de] has joined #openvpn 10:50 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn 10:50 < Essobi> krzie: whatup whatup 10:51 < krzie> wassup man 10:51 < Essobi> sos 10:51 < krzie> i think i have pneumonia 10:51 < Essobi> awww sheeit, keep that away from me 10:51 < Essobi> umm... like.. invest in a waterpipe? lol 10:51 < krzie> haha 10:52 < krzie> im just gunna go get a nebulizer and antibiotics 10:52 < Essobi> word 10:52 < Essobi> nebs help a lot 10:53 < Essobi> hot showers too w/o any airducts going 11:08 -!- plussppadic [~sonupunno@88.211.55.77] has quit [Quit: plussppadic] 11:13 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined #openvpn 11:13 < Essobi> krzie: hope you feel better man. 11:14 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 11:14 -!- WinstonSmith [~true@g231243252.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 11:17 -!- kai_office [~kai@asa-2.fbp.ore.fiber.net] has left #openvpn [] 11:18 < gladiatr> krzie, pneumonia, huh? rude... 11:19 < gladiatr> krzie, I just got over my first dance with gastroenteritis... 11:19 -!- cephalon_ [~Cephalon@ppp-94-64-34-132.home.otenet.gr] has joined #openvpn 11:20 < krzie> ouch 11:20 < krzie> Essobi, thx 11:21 < Essobi> gladiatr: gi shit ain't fun... (pun intended) 11:22 -!- s7r [~s7r@178.73.198.33] has joined #openvpn 11:23 -!- Cephalon [~Cephalon@ppp-94-64-44-159.home.otenet.gr] has quit [Ping timeout: 255 seconds] 11:24 < gladiatr> Essobi, lol. Indeed. Kinda gives you a little taste of the Evil that is cholera (except, of course, that gi goes away) 11:24 < Essobi> Heh.
11:24 -!- pezhore [~pezhore@cpe-67-247-84-194.rochester.res.rr.com] has joined #openvpn 11:24 < Essobi> Drink lots of fluids and keep your BAC low for a while, you'll be fine. ;) 11:25 < pezhore> Hello everyone, quick question. I can't seem to get Openvpn to work on my Ubuntu 10.10 laptop - getting a no such device (errno=19) 11:25 < gladiatr> modprobe tun 11:26 < pezhore> FATAL: Module tun not found. 11:26 < pezhore> I guess that tells me that module hasn't been compiled? maybe? 11:26 < gladiatr> odd 11:26 <@dazo> pezhore: are you running your ubuntu under some kind of virtualisation? 11:26 < gladiatr> that's a stock ubuntu install? 11:27 < gladiatr> find /lib/modules/$( uname -r ) |grep tun.ko 11:27 <@dazo> or have you compiled your own kernel? or using a non-stock kernel? 11:27 < pezhore> stock install... but sort of under virtualization 11:27 <@dazo> what kind of "sort of"? 11:27 < pezhore> It's running on my Cr48 laptop... the only way to get it on there was to first install it under a VM 11:27 < pezhore> then dd it over 11:28 < fahmad> hey everyone 11:28 < gladiatr> hi, fahmad 11:28 < gladiatr> You should still have a complete modules install, regardless. 11:29 < pezhore> gladiatr: that's what I thought... and I see a /dev/net/tun 11:30 < pezhore> hrm is there a way to re-install that module? 11:33 < gladiatr> Where did you do the initial install? 11:33 < gladiatr> Was that in a vm? 11:33 < pezhore> yes it was in Virtualbox 11:33 < gladiatr> I haven't messed with 10.10... I can't imagine they would've statically added that module... 11:34 <@dazo> pezhore: reinstall the kernel packages ... or just kernel modules, if that's a separate package 11:34 <@dazo> it's a while since I played with Ubuntu, so I don't recall 11:34 < krzie> any of you got any experience with android? 11:35 < pezhore> krzie: I do, what are you looking to do? 11:35 < pezhore> dazo: I'll give that a shot.
Thanks for your help 11:35 < gladiatr> sudo aptitude reinstall linux-image-$( uname -r) 11:35 < krzie> pezhore, i have tun loaded, am starting openvpn, but it cant find 'route' or 'ifconfig' 11:36 < krzie> and i cant make symbolic links, read-only filesystem 11:36 < pezhore> rooted device? 11:36 < krzie> yes 11:36 < pezhore> do you have adb access? 11:36 < krzie> yes 11:37 < krzie> thats how im starting it during testing 11:37 < pezhore> I would try using adb to remount the /system partition in rw, create the symbolic links, then reboot (or remount as ro) 11:37 < pezhore> that may help 11:37 < pezhore> what device out of curiosity? 11:37 < krzie> your advice is solid, matches the web, but it wont let me remount 11:37 < krzie> EVO (aka supersonic) 11:38 < pezhore> hrm 11:38 < pezhore> I've also got the evo 11:38 < pezhore> let me fire up adb 11:38 < krzie> MacBook-Pro:platform-tools krzee$ ./adb remount 11:38 < krzie> remount failed: Operation not permitted 11:39 -!- WinstonSmith [~true@g225027135.adsl.alicedsl.de] has joined #openvpn 11:41 < pezhore> yea, I think you'll need to do in adb shell something like mount -o rw,remount -t ext2 /dev/block/mtdblock4 /system 11:41 < pezhore> i'm not 100% on it being of typeext2 11:41 < pezhore> *type ext2 11:42 < pezhore> actually looks like its yaffs2 11:43 < krzie> # mount -o rw,remount -t ext2 /dev/block/mtdblock4 /system 11:43 < pezhore> word of advice... when you're working in adb shell, the first thing I do is: busybox sh 11:43 < krzie> # mkdir test 11:43 < krzie> mkdir failed for test, Read-only file system 11:43 < pezhore> oh 11:43 < pezhore> hrm 11:43 < krzie> oh sweet didnt know i had sh 11:43 < pezhore> yea gives you history and auto complete 11:43 < pezhore> :) 11:43 < pezhore> try mkdir /system/test 11:44 < pezhore> because you'll probably be in / still 11:44 < krzie> oh damn, it works!
11:44 < krzie> you rock 11:44 < pezhore> :D 11:44 < pezhore> I try 11:44 < pezhore> be sure to reboot when you're done with the symbolic links 11:44 < pezhore> having a rw system partition can be a security risk 11:45 < pezhore> rebooting will take care of that 11:45 < gladiatr> /log storage/docs/android/things_to_know_for_when_I_am_forced_onto_an_android_problem_that_will_inevitably_piss_me_off.txt 11:45 < krzie> lol 11:45 < krzie> it was so surprisingly easy to root 11:46 -!- sporedi [~chatzilla@mail.utmxtm.com] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]] 11:46 < gladiatr> nice 11:46 < pezhore> tell me about it. almost as easy as the Nook Color 11:47 < krzie> gladiatr, file this link in that text as well... http://forum.xda-developers.com/showthread.php?t=881747. 11:48 < Essobi> gladiatr: lol, nice log.. 11:48 < gladiatr> kick ass 11:48 < Essobi> gladiatr: ex co-worker of mine had a habit of expressing how he really felt in project names and commit messages. 11:48 < krzie> haha 11:49 < Essobi> gladiatr: Id_rather_stab_my_eyes_out_then_work_on_this_stupid_fing_project 11:49 < Essobi> heh 11:50 < gladiatr> hehe! At work, a pastime of mine is to express things generally spoken of in the expletive or profane using my mad english skills. It's always so much fun to watch the expression on managerial faces when they realize what is being said and at the same time, realizing that they have no basis for getting on my case for saying it. 11:50 < krzie> well in that case... 11:51 < krzie> touch HTC_EVO_is_the_dopest_phone_i_have_ever_seen.txt 11:51 -!- wunderkin [~kbockman@69-92-51-205.cpe.cableone.net] has joined #openvpn 11:52 < wunderkin> !welcome 11:52 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 11:52 < gladiatr> krzie, Yeah. I think it looks pretty impressive as well. I picked up this N900 for the low, low price of nothing around the time I was phone shopping, so my choice of android platforms was put off until I'm ready to retire it. 11:53 < wunderkin> !goal 11:53 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 11:53 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So 11:53 < krzie> gladiatr, n900 can crack wep! 11:53 < Essobi> You guys see the latest Android bug? lol 11:53 < krzie> only phone i know of that has a wifi adapter that can do passive reinjection 11:53 < gladiatr> krzie, Yeah. Sweet, little computer 11:53 < wunderkin> !route 11:53 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:53 < pezhore> hrm... seems my uname-r is't found... linux-image-2.6.32.23+drm33.10 :( 11:53 < Essobi> krzie: The one where it sens TXTs to the wrong contacts? 11:53 < Essobi> krzie: it's lol worthy 11:54 < krzie> Essobi, the n900 does that?? 11:54 < krzie> ohh 11:54 < krzie> android bug 11:54 < krzie> no didnt hear of that 11:54 < Essobi> yea.. rather humerous. 11:54 < Essobi> no less lol worthy then the iphones alarm app failing after 1-1-11. 11:55 < krzie> i was about to mention that! 11:56 < gladiatr> that's just Apple's way of letting its users know that It's All About to End--take it easy.. 
11:57 < wunderkin> heh
11:58 < krzie> but thats no worse than antennagate
11:58 < krzie> "dont hold it like that"
11:59 < Essobi> lol
11:59 < Essobi> gladiatr: That's 2012, not 2011. ;)
11:59 < Essobi> antennagate was lol worthy cause the RF engineer TOLD them it was going to happen and they ignored them.
11:59 < gladiatr> hehe
12:05 < fahmad> hey
12:05 < wunderkin> hey, sorry to interrupt, lol, but how can i config openvpn (or is this another layer?) so that i can assign floating ips behind the client and the other clients will be able to access it.. i'm already using client-to-client.. i'm using tun interface now.. guessing i would need a bridge but not sure how to configure it.. the server has a regular public ip and i want to use local ips for the vpn.. when i tried to bridge with the external i
12:05 < fahmad> i have very strange issue that openvpn is not giving me good speed however on same server i am getting 4 Mbps speed ...
12:06 < fahmad> any idea ?
12:06 < krzie> wunderkin, you saying you want to access the LAN behind a client?
12:06 -!- pezhore [~pezhore@cpe-67-247-84-194.rochester.res.rr.com] has left #openvpn []
12:06 < wunderkin> krzie: yeah, but it's not like each client is on their own separate network block.. i want to use an ip on the same network and move it between clients (for ha)
12:07 < gladiatr> fahmad, what's the upstream bandwidth on your client connection?
12:08 < fahmad> gladiatr: its 100 Mbps port
12:08 < krzie> wunderkin, i dont understand what you mean
12:08 < gladiatr> fahmad, is that the server or the client?
12:08 < fahmad> server ...
12:09 < gladiatr> fahmad, what's the upstream bandwidth on the client?
12:09 < fahmad> hold
12:09 < gladiatr> k
12:10 < wunderkin> krzie: each client will be assigned an ip on the 10.0.0.0/24 block.. but i want to manually add an ip to 1 of the clients (a floating ip) also on 10.0.0.0/24.. and i want to be able to access it on any of the clients on the vpn.. i can access all clients via their primary ip using client-to-client, but i'm guessing the only way to be able to access other ips on that server (same network) would be to bridge
12:12 < krzie> you want 1 of the clients to have a static ip?
12:12 < fahmad> 10 MB connection @ client end
12:12 < fahmad> wunderkin: use ccd with ifconfig pool
12:13 < fahmad> !ccd
12:13 <@vpnHelper> "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
12:13 < wunderkin> krzie: they all will be assigned a static fixed ip.. that part is fine
12:13 < fahmad> !ifconfig-pool
12:13 < gladiatr> fahmad, 10M on the upstream?
12:13 < fahmad> yup
12:14 < krzie> wunderkin, sorry man, i dont understand what your goal is
12:14 < gladiatr> Are you routing all your client traffic through the bridge?
12:14 < fahmad> i am not using bridge
12:15 < krzie> wunderkin, you dont need a bridge, that i know so far
12:15 < krzie> (you didnt mention needing layer2)
12:15 < gladiatr> ahh.. my vision blurred between yours and wunderkin's entries lol
12:16 < wunderkin> krzie: each client is assigned a static fixed ip, but i also want to assign an ip alias to the vpn interface.. this is a floating ip that will move to different clients, i need to be able to access the floating ip from any of the vpn clients.. they're all on the same network
12:16 < krzie> fahmad, you use udp right?
12:16 -!- dazo is now known as dazo_afk
12:16 < fahmad> krzie: yes also tcp
12:17 < krzie> tcp you can expect speed issues
12:17 < krzie> udp, test your mtu
12:17 < krzie> !mtu
12:17 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
12:17 < fahmad> ok
12:18 < krzie> wunderkin, whats the purpose of the "floating ip"
12:18 < wunderkin> krzie: for high availability.. i assign a particular ip to whatever server is holding that role at the time
12:20 < krzie> if you use topology subnet you can assign whatever ip you want manually
12:20 < krzie> if you use default topology, you cannot
12:20 < krzie> !topology
12:20 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
12:24 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
12:26 < wunderkin> krzie: thanks, i'll check out the different topology options, so if i use subnet, this isn't going to require a separate subnet per client?
12:27 -!- WinstonSmith [~true@g225027135.adsl.alicedsl.de] has quit [Read error: Connection reset by peer]
12:27 -!- WinstonSmith [~true@g225027135.adsl.alicedsl.de] has joined #openvpn
12:27 < krzie> correct
12:27 < wunderkin> oh ok.. i'll try that out.. thanks
12:28 < krzie> np
12:34 < wunderkin> with that option, now i can't even ping the static ip from the server
12:37 < krzie> static IPs are different with that option
12:37 < krzie> !static
12:37 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder
12:39 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has quit [Quit: Leaving]
12:41 -!- tacidsky [~tacidsky@vps.tacidsky.com] has joined #openvpn
12:41 < tacidsky> Where can I find the public key to verify that the openvpn source tarball from?
12:42 < tacidsky> Ah I found it, nevermind
12:42 -!- tacidsky [~tacidsky@vps.tacidsky.com] has left #openvpn ["duh"]
12:42 < wunderkin> krzie: aha, thought it looked wrong.. ok well fixed that but i still can't ping any aliased ips on the tun interface from another client
12:43 < krzie> can the server?
12:43 < wunderkin> not from the server no, i added the alias on a client though
12:43 < krzie> oh and btw, how could that possibly help with HA?
12:44 < wunderkin> its for the app side, so i know what server is master and what's a secondary
12:44 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
12:45 -!- agrajag [~agrajag^@CAcert/Assurer/agrajag] has joined #openvpn
12:47 -!- linguini [~user@c-71-193-179-58.hsd1.wa.comcast.net] has joined #openvpn
12:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:50 < wunderkin> and by server, i don't mean openvpn ;D i'm pretty sure i have to bridge for this..
12:51 < linguini> I use openvpn to connect two servers, one of which is behind a load-balancing NAT router with 2 public IP addresses. I have added 'remote wan1' and 'remote wan2' along with float to openvpn.conf. But it still seems to choke when one of the 2 IP addresses goes down. Should I expect "float" to work for me?
12:51 < linguini> I see nothing from openvpn in my log files; I just notice that the VPN doesn't work during the outage.
12:53 -!- newmember [~chatzilla@209.82.97.117] has joined #openvpn
12:54 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So
12:57 -!- WinstonSmith [~true@g225027135.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
13:00 < wunderkin> another question, i believe by default multicast is supported over openvpn? i believe it is converted to broadcast?
13:10 -!- WinstonSmith [~true@g225027135.adsl.alicedsl.de] has joined #openvpn
13:16 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
13:36 <@vpnHelper> RSS Update - forum: Small issues with a working vpn tunnel
13:48 <@vpnHelper> RSS Update - forum: OpenVPN with Small Business Server 2003
13:52 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn
13:53 < grendal_prime> hey guys i need to set up a vpn for quick and dirty work where i will have 10 people dropping in and working on a project. I dont want to have to distribute keys. I would like them to just be given a key from the server for a session. Is there a howto...or..i mean what method of deployment would that be exactly?
13:53 <@vpnHelper> RSS Update - forum: Tapinstall.exe failed to install. Help!!! OpenVPN 1.3.4
13:55 < secretary_linux> grendal_prime: from my understanding, what you want to do is impossible, and for good reason
13:59 < grendal_prime> seems odd it would be impossible.
13:59 < grendal_prime> https works like that
14:11 -!- newmember [~chatzilla@209.82.97.117] has quit [Ping timeout: 264 seconds]
14:20 < dschuett> if i want a linux server to be a client of an openvpn server where do i store the client files in linux?
14:21 -!- s7r [~s7r@178.73.198.33] has quit [Ping timeout: 241 seconds]
14:24 < wunderkin> dschuett: same directory, just make a client config, use different port
14:27 < dschuett> make client config use different port?
14:28 < dschuett> oh, no these are on separate servers
14:33 < wunderkin> oh.. that depends on your config
14:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:34 < wunderkin> if you use a package, etc.. i'm not sure where the default is when compiling by source.. should be in the install how-to
14:37 < dschuett> ok, so i just added client.conf, ca.crt, myname.crt, myname.key to /etc/openvpn/ and restarted openvpn...it says it started ok but i don't see my tun interface ??? - this is a ubuntu 10.04 client.
14:38 < wunderkin> check /var/log/messages
14:40 -!- ecrist changed the topic of #openvpn to: OpenVPN 2.1.4 Most Current || 2.2-beta5 Released 03-Dec-2010 || Your problem is your firewall, really. || Type !welcome and !goal before asking your questions. || Web Forum: http://forums.openvpn.net || Developers: #openvpn-devel
15:01 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
15:15 -!- WinstonSmith [~true@g225027135.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
15:19 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has joined #openvpn
15:20 < alhadi> hello
15:20 < alhadi> have a problem
15:20 < alhadi> using a ubuntu 10.10 and downloaded tar file for openvpn 2.1.4 and it is ./configure , make and make install and then i copied the folder to /etc/openvpn.
15:21 < alhadi> when i type openvpn /etc/openvpn/server.conf
15:21 < alhadi> gives error
15:22 -!- thomaschaaf [59b6dd52@gateway/web/freenode/ip.89.182.221.82] has joined #openvpn
15:22 < alhadi> -bash: /usr/sbin/openvpn: No such file or directory
15:22 < thomaschaaf> Hey I am looking at http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing and don't get what I should put for "server"
15:22 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
15:23 < alhadi> anyone can help
15:24 < thomaschaaf> alhadi: is that a question or an exclamation?
15:25 < alhadi> question that i am waiting for answer
15:25 < alhadi> that how can i start openvpn
15:25 < alhadi> have conf ready
15:27 -!- dschuett [~dschuett@216.229.21.250] has left #openvpn []
15:28 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Ping timeout: 240 seconds]
15:31 -!- WinstonSmith [~true@e179016111.adsl.alicedsl.de] has joined #openvpn
15:37 -!- blee_laptop [~blee@211.71.118.70.cfl.res.rr.com] has joined #openvpn
15:37 < thomaschaaf> openvpn server.conf
15:39 < blee_laptop> has anyone successfully set up a tap client in fedora 14?
15:40 < blee_laptop> My tun connection works fine, tap isnt
15:42 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So
15:43 -!- nb [~nb@fedora/nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
15:45 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn
15:46 < Essobi> blee_laptop: I'm sure someone had.
15:46 < Essobi> blee_laptop: are the devices showing up in ifconfig? Checked logfiles?
15:47 -!- cephalon_ [~Cephalon@ppp-94-64-34-132.home.otenet.gr] has quit [Quit: tin kana]
15:50 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
15:52 -!- nb [~nb@fedora/nb] has joined #openvpn
15:52 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
15:59 -!- agagag [~anton@eudaimonia.goto10.org] has left #openvpn []
16:08 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
16:12 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:12 <@vpnHelper> RSS Update - forum: Connect problem to lan gateway
16:12 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So
16:13 -!- chuckf [~chuckf@ubuntu/member/chuckf] has quit [Remote host closed the connection]
16:15 < thomaschaaf> I configured the server like this: http://pastie.org/1429564 on the client I open the connection. When I ping 192.168.1.1 on the client I don't get any response am I doing something wrong?
16:18 -!- frewsxcv [~frewsxcv@pine-green.feralhosting.com] has joined #openvpn
16:18 < krzee> what is 192.168.1.1?
16:18 -!- frewsxcv [~frewsxcv@pine-green.feralhosting.com] has left #openvpn []
16:19 < thomaschaaf> another computer which is in the 192.168.0.0 network I pushed that network so I thought it would be available?
16:19 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has quit [Ping timeout: 255 seconds]
16:22 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Ping timeout: 240 seconds]
16:23 < krzee> does openvpn run on the router for that LAN?
16:23 < thomaschaaf> the openvpn is connected to the LAN with the eth1
16:24 < krzee> is it the LAN's default gateway?
16:24 < thomaschaaf> krzee: the openvpn is connected to the LAN with the eth1
16:24 < krzee> that doesnt answer my question...
16:25 < thomaschaaf> I'm sorry I don't understand then :(
16:25 < krzee> this should help
16:25 < thomaschaaf> the client is not connected to the LAN
16:25 < krzee> !route_outside_openvpn
16:25 <@vpnHelper> "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
16:27 < krzee> the router that 192.168.1.1 uses needs to know about the VPN
16:27 < thomaschaaf> the openvpn server is not the gateway for the entire lan
16:27 < krzee> THAT was the question
16:27 < krzee> you definitely need what i said above
16:27 < thomaschaaf> 192.168.1.1 is the actual nat/dhcp etc server
16:28 < krzee> oh by the way
16:28 < krzee> something makes no sense
16:28 < krzee> you have these:
16:28 < thomaschaaf> krzee: I am wondering whether my "server" config makes send
16:28 < thomaschaaf> sense
16:28 < krzee> server 10.1.1.0 255.255.255.0
16:28 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has joined #openvpn
16:28 < krzee> AND you have
16:28 < krzee> route.1.1.0 255.255.255.0 AND an iroute for 10.1.1.0
16:29 < krzee> is 10.1.1.X the client's LAN?
16:29 < thomaschaaf> well the lan of the "client" is 10.1.1.0
16:29 < krzee> then you need to change the entry for server
16:29 < thomaschaaf> to anything else?
16:29 < krzee> make it server 10.8.0.0 255.255.255.0
16:29 < thomaschaaf> okay
16:29 < krzee> then
16:30 < krzee> your server lan's router needs 2 entries to its routing table
16:30 < krzee> 1 for 10.8.0.0/24 and 1 for 10.1.1.0/24
16:30 < krzee> to go to the LAN ip of your server
16:30 < krzee> and your client lan's router needs 2 entries as well
16:30 < krzee> 1 for 10.8.0.0/24 and 1 for 192.168.0.0/16
16:32 < thomaschaaf> krzee: hmm I am a beginner in these things :(
16:33 < krzee> then go read this
16:33 < krzee> !route
16:33 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:33 < krzee> read the whole thing well, but especially read "ROUTES TO ADD OUTSIDE OPENVPN"
16:33 < krzee> because that section outlines your problem
16:34 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn
16:34 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So
16:34 < thomaschaaf> I understand the section but don't know how to actually add routes
16:34 < krzee> what kind of routers do you use?
16:35 < krzee> (also, you're aware that your problem is unrelated to openvpn, right? ;] )
16:35 < thomaschaaf> just the normal "route" command on debian
16:35 < thomaschaaf> yes I am :(
16:35 < krzee> your routers are running debian?
16:35 < thomaschaaf> yes
16:35 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn
16:36 -!- smerz [~smerz@smerz.demon.nl] has quit [Ping timeout: 264 seconds]
16:38 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds]
16:38 -!- Cain` is now known as Cain
16:38 < thomaschaaf> I give up for the night
16:38 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Ping timeout: 240 seconds]
16:40 < alhadi> hello krzee
16:41 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
16:42 -!- thomaschaaf [59b6dd52@gateway/web/freenode/ip.89.182.221.82] has quit [Ping timeout: 265 seconds]
16:46 < krzee> hey alhadi
16:46 <@vpnHelper> RSS Update - forum: openvpn bonding
16:47 < alhadi> i am using your script :)
16:47 < alhadi> open vpn
16:47 < krzee> the confgen?
16:47 < alhadi> yes sir :)
16:47 < krzee> awesome!
16:47 < alhadi> confgen, genserver, genclient
16:47 < krzee> hows it working for you?
16:47 < alhadi> well
16:47 < alhadi> i generate them
16:47 < alhadi> but openvpn dont start
16:47 < alhadi> donno what is mistake
16:48 < krzee> did you look at your logfile?
16:48 < alhadi> actually No tbh.
16:48 < krzee> if you pastebin the logfile ill tell ya whats wrong
16:48 < krzee> !logfile
16:49 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
16:49 < alhadi> !man verb
16:49 < krzee> !man
16:49 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:51 < alhadi> i used to do the logging stuff in linux but forgot. let me recall
16:52 < alhadi> /var/log/messages
16:52 < alhadi> finally
16:52 < alhadi> brb
16:57 -!- art0rius_ [~art0rius@mail.botetourtva.us] has quit [Quit: Nothing to see here, move along]
16:58 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
17:00 < alhadi> krzee irc:~/openvpn-confgen#.. now trying to start openvpn again
17:00 < alhadi> refreshed the install too
17:03 <@vpnHelper> RSS Update - forum: Internet Routing Issue
17:05 < alhadi> irc:/etc/openvpn# /etc/init.d/openvpn start
17:05 < alhadi> Starting virtual private network daemon: server failed!
17:06 < alhadi> after generating keys
17:06 < alhadi> i dont know where it goes
17:08 < alhadi> that script did not configure the keys..
17:09 < alhadi> http://www.pastie.org/private/j9ijoruxcxq3b61uxnd1w
17:09 < alhadi> krzee if you can check please
17:21 < krzee> i will, work is getting busy so gimme a few
17:21 < krzee> ya my script doesnt do the keys yet
17:22 < krzee> after ecrist re-codes ssl-admin to take cmdline args i will build that in using ssl-admin
17:33 < alhadi> sure
17:33 < alhadi> sounds good. btw i love your script. made life easy for me :)
17:35 < alhadi> i hope it did also keys so the hassle to do it done by the script itself. let me try workaround to see if i can setup keys in anyway.
17:35 < alhadi> its ubuntu and i dont see a folder under /etc/openvpn/easy-rsa anywhere
17:36 < alhadi> it just says /etc/openvpn and 2 conf files, one server.conf and update-resolve.conf
17:42 < krzee> find / -name easy-rsa
17:46 < krzee> ahh ya your error was the keys
17:46 < krzee> !pki
17:46 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that each other were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
17:46 <@vpnHelper> specially as a server (see !servercert)
17:46 < krzee> once you find your easy-rsa with the above command
17:46 < krzee> you also wanna make:
17:46 < krzee> !dh
17:46 <@vpnHelper> "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
17:46 < krzee> and
17:46 < krzee> !hmac
17:46 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls static
17:46 <@vpnHelper> key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
17:49 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
17:56 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
17:56 <@vpnHelper> RSS Update - forum: Restricted client-client traffic
18:00 < alhadi> ok
18:01 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has quit [Ping timeout: 240 seconds]
18:04 -!- Kurogane [~kuro@190.87.80.64] has joined #openvpn
18:18 < blee_laptop> Essobi: no, im getting an error where it says it cant load the tap driver
18:18 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So
18:18 < blee_laptop> and the connection dies
18:18 < blee_laptop> sorry, totally late reply
18:19 < |Mike|> windows related blee_laptop ?
18:19 < blee_laptop> No, fedora 14
18:19 < blee_laptop> Using knetworkmanager
18:19 < blee_laptop> let me fpaste a log
18:20 < |Mike|> !ubuntu
18:20 <@vpnHelper> "ubuntu" is dont use network manager!
18:20 < blee_laptop> hmm?
18:20 < blee_laptop> tun's work fine
18:20 < blee_laptop> tap's dont
18:20 < |Mike|> your server is using tun or tap?
18:20 < |Mike|> !tunortap
18:20 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over
18:20 <@vpnHelper> the vpn, or (#4) lan gaming? use tap!
18:20 < blee_laptop> server is tap
18:21 < blee_laptop> I have a tun and a tap, tun is working great
18:21 < blee_laptop> my tap connection not so much
18:21 < |Mike|> udp versus tcp ":p
18:21 < blee_laptop> http://pastebin.ca/2038475
18:22 < blee_laptop> i think its something to do with line 20
18:22 < blee_laptop> I forgot to mention, that I have plenty of other clients connected to my tap server
18:22 < blee_laptop> but
18:22 < blee_laptop> just not me :-(
18:23 < blee_laptop> I see successful connection server side, then it just disconnects
18:23 < |Mike|> line 10 and 11 are security issues
18:23 < blee_laptop> i will fix that
18:23 < |Mike|> chmod/chown stuff
18:23 < blee_laptop> I was messing with permissions during my troubleshooting process
18:24 < |Mike|> line 20 and 21 might be the problem, but i can't see why
18:24 < |Mike|> !tell blee_laptop [logs]
18:25 < blee_laptop> okay just a minute :)
18:29 < blee_laptop> |Mike|: server: http://pastebin.ca/2038477
18:30 < krzee> [16:20] tun's work fine
18:30 < krzee> [16:20] tap's dont
18:30 < krzee> well why do you want tap anyways?
18:30 < krzee> there are some reasons to use it... but normally its not the right choice
18:30 < blee_laptop> I did not set up the tap server
18:30 < krzee> do you know why you want it?
18:30 < blee_laptop> Its bridged onto our local lan
18:30 < krzee> for lan gaming?
18:31 < blee_laptop> for a cluster of windows xp VMs
18:31 < blee_laptop> no
18:31 < blee_laptop> file sharing
18:31 < krzee> !wins
18:31 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
18:31 < blee_laptop> Hmmm? I dont have an issue with wins
18:31 < krzee> you dont need or want tap just to resolve NETBIOS
18:31 < krzee> you can resolve NETBIOS over tun with wins
18:32 < krzee> windows filesharing is layer3
18:32 < krzee> only the NETBIOS resolution is layer2, but if you use wins it is layer3
18:32 < krzee> so use wins, forget about tap, done
18:32 < blee_laptop> all name resolution is set in the routing tables anyways
18:32 < krzee> umm no
18:33 < krzee> routing tables dont have ANYTHING to do with name resolution
18:33 < krzee> maybe you meant hosts file
18:33 < blee_laptop> i think im using the wrong word
18:33 < blee_laptop> right
18:33 < blee_laptop> hosts file
18:33 < krzee> so bottom line, you dont need tap
18:33 < blee_laptop> To be honest, I do not know the reason for choosing a tap device
18:33 < blee_laptop> this system was given to me
18:34 < krzee> cool, time to do it right
18:34 < krzee> and btw you said its all in the hosts file, but i doubt that
18:34 < |Mike|> indeed, you should have read the uttered lines of vpnHelper when i hit '!tunortap'
18:34 < krzee> that would mean you had the same hosts file in every machine
18:34 < krzee> and if that is true, the 80s called and they want their config back
18:34 < |Mike|> distributed, could be
18:35 < |Mike|> but that's insane, nobody would use that since the start of teh internets :P
18:35 -!- Malard|Home [~ident@xbmc/staff/malard] has quit [Quit: —I-n-v-i-s-i-o-n— 3.2 (July '10)]
18:35 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
18:35 < |Mike|> damn, i would ban someone for such a quit message :$
18:36 < blee_laptop> krzee: we have to edit the hosts file because of quickbooks DBM
18:36 < blee_laptop> its really silly and frustrating
18:36 < blee_laptop> and cant wait till we stop using QB
18:37 < krzee> hah
18:37 < blee_laptop> but thats another headache altogether
18:37 < blee_laptop> Anyways
18:37 < krzee> i find it hard to believe that QB cant get info from a NS
18:37 < krzee> but ill choose to believe ya ;)
18:37 < blee_laptop> thanks, because its working now and i dont want to touch it again
18:37 < blee_laptop> :P
18:38 < blee_laptop> so there isnt an issue with bridging a tun onto the virtual network interfaces for our vms?
18:38 < krzee> i can make my door stay shut with duct-tape, but i dont consider it the right way ;]
18:38 < krzee> you dont need a bridge!
18:38 < blee_laptop> Hmm...
18:38 < blee_laptop> We access all the VM's via the openvpn tunnel
18:39 < krzee> you only thought you needed a bridge because of windows filesharing
18:39 < blee_laptop> by bridging the vpn onto their local virtual interfaces
18:39 < blee_laptop> sorry, wow im completely distracted
18:39 < krzee> you connect each VM separately!?
18:39 < blee_laptop> I guess thats a pretty major component to this whole thing ><
18:39 < blee_laptop> Yeah we have like 6 people who need access to quickbooks
18:39 < krzee> they are in the same lan?
18:39 < blee_laptop> no, all over the state
18:40 < krzee> oh ok
18:40 < krzee> and all they require is windows filesharing?
18:40 < blee_laptop> Windows filesharing is for the QB DBM
18:40 < blee_laptop> off mapped network drives
18:40 < krzee> oh they are mapped drives... you dont even need WINS
18:40 < krzee> lol
18:40 < blee_laptop> that is something I failed miserably at
18:40 < krzee> you can map the drive by vpn IP
18:41 < blee_laptop> anywho
18:41 < blee_laptop> So, with all that being said
18:41 < blee_laptop> yes, I still need to bridge this vpn onto the local vmnet
18:41 < krzee> in other words, you are doing way too much work
18:41 < krzee> no you dont!
18:41 < blee_laptop> :-o
18:41 < krzee> what do you think a bridge is?
18:41 < krzee> what is the purpose of a bridge?
18:42 < blee_laptop> I need to make the local lan of the vm machines
18:42 < blee_laptop> accessible from the vpn ><
18:42 < |Mike|> those lines remind me of being a newbie with openvpn :P
18:42 < krzee> [16:41] what do you think a bridge is?
18:42 < krzee> [16:41] what is the purpose of a bridge?
18:42 < blee_laptop> im a newbie, i get a pass :P
18:42 < |Mike|> fail.
18:43 < krzee> !route
18:43 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:43 < blee_laptop> it bridges 2 networks together?
18:43 < krzee> you dont need a bridge for lans
18:43 < krzee> but the internet is a bunch of networks
18:43 < krzee> my network and yours are connected
18:43 < krzee> but not bridged
18:44 < blee_laptop> Hmm, but dont we want to bridge it at layer2 not layer 3
18:44 < krzee> why would you?
18:44 < krzee> what layer2 protocol do you need...?
18:44 < Apachez> arp ?
18:44 < krzee> you said all you use is windows filesharing... that is layer3
18:44 < blee_laptop> mpls? jk
18:45 < Apachez> l2 is also nice if you have the same network on both places
18:45 < |Mike|> Apachez: not in known networks imho
18:45 < blee_laptop> I do follow you
18:45 < Apachez> no need for ip planning
18:45 < krzee> Apachez, until you collide
18:45 < krzee> its better to just do it right
18:45 < krzee> bridging is only needed when you need layer2 to go beyond the endpoints
18:45 < Apachez> you can collide in l3 as well
18:45 < blee_laptop> I always liked the idea of bridging it
18:46 < blee_laptop> but i guess routing works..
18:46 < krzee> blee_laptop, i always liked the idea of leaving my house open at night... doesnt make it the best idea
18:47 < krzee> Apachez, yes, you can, if you do it wrong
18:47 < blee_laptop> well you need more guns
18:47 < blee_laptop> brb :-o
18:47 < Apachez> theres nothing that says that L3 is the right choice
18:48 < krzee> Apachez, sure there is
18:48 < krzee> !tunortap
18:48 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over
18:48 <@vpnHelper> the vpn, or (#4) lan gaming? use tap!
18:48 < Apachez> in your fucked up world perhaps
18:48 < krzee> my bot just said it
18:48 < Apachez> but not in the rest of the world where we live
18:48 < krzee> cool, you support his bridge then
18:49 < krzee> instead of just arguing, make yourself useful
18:49 < wunderkin> yeah! help me too ;)
18:49 < wunderkin> krzee = krzie?
18:50 < krzee> yep
18:50 < wunderkin> extra krazies
18:50 < wunderkin> maybe Apachez can help me setup a bridge ;D ;D
18:50 < krzee> yep, sounds like he can
18:50 < wunderkin> i'm not sure how else i can do it
18:51 < krzee> do what? i forget what your goal was
18:52 < Apachez> I guess something with your "mum" and stuff like that
18:52 < Apachez> those horny suckers with a goal in their mind
18:52 < Apachez> and then they find out "ohh wait, I need some line encryption here"
18:52 -!- mode/#openvpn [+o krzee] by ChanServ
18:52 -!- mode/#openvpn [+b *!*apachez@*unaffiliated/apachez] by krzee
18:52 <@krzee> or that
18:52 <@krzee> bye
18:52 -!- Apachez was kicked from #openvpn by krzee [Apachez]
18:52 -!- mode/#openvpn [-o krzee] by krzee
18:54 < wunderkin> unless i add routes and stuff, sounds harder that way
18:54 < wunderkin> the floating ip guy :P
18:54 < krzee> oh right, i still havnt grasped the point of doing it that way
18:55 -!- WinstonSmith [~true@e179016111.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
18:55 < wunderkin> of what? having a floating ip?
18:56 < krzee> having a second VPN ip in the same subnet, only inside the vpn
18:59 < wunderkin> the servers are connected via vpn to secure everything and have a logical network.. h.a. uses a floating ip to assign to the current server that is available for that role.. if that goes down then something else takes it..
19:01 < krzee> ahh
19:01 < krzee> doesnt i t do some layer2 stuff to accomplish that?
19:01 < krzee> it*
19:02 < wunderkin> it uses vrrp (or carp) and multicasts.. i guess you can use unicast in some software but limited to 2 servers
19:03 < krzee> and everything in this setup is actually connected to the vpn (not a lan)?
19:03 < wunderkin> yeah.. vpn.. they are on vps around the us.. have to start out cheap ;D
19:04 < krzee> i believe you need tap
19:04 < krzee> not a bridge, but tap
19:05 < wunderkin> if i don't bridge, how can i do the floating ip? i believe it has to be turned into like a switch and use arp to see where the ip is..
19:05 < krzee> tap does arp and all that
19:05 < wunderkin> oh ok
19:05 < krzee> it just doesnt go outside the vpn
19:05 < wunderkin> that's fine..
and then i can multicast too then yeah? 19:05 < krzee> thats why i asked: and everything in this setup is actually connected to the vpn (not a lan)? 19:06 < wunderkin> yeah 19:06 < krzee> correct 19:06 < wunderkin> cool 19:07 < blee_laptop> what have I done :-o 19:07 < blee_laptop> so whose fixing my tap :) 19:08 < dschuett> blee_laptop 19:08 < dschuett> what problem are you having 19:08 < wunderkin> krzee: thanks, will check that out 19:08 < krzee> wunderkin, np 19:09 < blee_laptop> dschuett: my client connects, and then dies 19:09 < dschuett> well that sucks! haha 19:10 < blee_laptop> var/log/messages on client : http://pastebin.ca/2038475 19:10 < dschuett> briged or routed? 19:10 < blee_laptop> server end is bridged 19:12 < wunderkin> krzee: yeah cool.. i'm able to use ip aliases now at least.. will probably take a bit for me to get HA setup 19:13 < secretary_linux> is it possible to bridge on one end and route on the other? 19:13 -!- Cain [~Geek@unaffiliated/cain] has quit [Read error: Connection reset by peer] 19:15 -!- smerz [~smerz@smerz.demon.nl] has quit [Read error: Connection reset by peer] 19:17 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has left #openvpn [] 19:25 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So 19:35 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 276 seconds] 19:42 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Ping timeout: 246 seconds] 19:46 < krzie> secretary_linux, no, not possible 19:46 < krzie> wunderkin, cool =] 19:47 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn 19:53 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn 19:53 -!- mode/#openvpn [+o vpnHelper] by ChanServ 19:59 -!- linguini [~user@c-71-193-179-58.hsd1.wa.comcast.net] has quit [Quit: ERC Version 5.3 (IRC client for Emacs)] 20:03 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 255 seconds] 
20:07 < ecrist> secretary_linux: yes, it is, but not from within openvpn. both ends need to be the same, but you can add additional routing from there. 20:17 < krzie> good point, i was only thinkin of as related to openvpn 20:19 < krzie> blee_laptop, you might want to try getting it running without network manager at first, then when your openvpn setup works as you wish you can use network manager if you like 20:20 < krzie> that way your logs may be more useful 20:20 < ecrist> been having a metric crap-load of internet issues at my place lately. 20:20 < ecrist> :\ 20:20 < krzie> ill trade ya 20:20 < krzie> hehe 20:20 < blee_laptop> krzie: yeah i was gonna do it 20:20 < blee_laptop> im getting distracted with trying to flash something onto my phone :P 20:21 < krzie> ahh cool, i went through rooting / flashing / etc a htc evo last night 20:21 < krzie> that phone is amazing, i need to find the equiv phone that will accept a sim chip 20:22 < krzie> ecrist, you been checking out the CCC vids? had some great talks 20:22 < ecrist> CCC? 20:22 < krzie> im watching "recent advances in ipv6 insecurities" 20:22 < ecrist> did you omit a P? 20:23 < ecrist> CCCP 20:23 < krzie> 27C3 20:23 < ecrist> heh 20:23 < ecrist> wow, never heard of 'em 20:23 * ecrist reads 20:24 < krzie> http://mirror.netcologne.de/CCC/27C3/mp4-h264-HQ/ 20:24 <@vpnHelper> Title: Index of /CCC/27C3/mp4-h264-HQ (at mirror.netcologne.de) 20:24 < krzie> enjoy 20:24 < krzie> the vid on stuxnet was good, the one im watching is really good 20:24 * ecrist wonders if it's run by Dan Langille. 20:25 < krzie> im home with pneumonia 20:25 < krzie> the boss sent me home cause i sound like shit 20:25 < ecrist> hrm, it's a german site 20:25 < krzie> ya man, you never heard of CCC? 
20:25 < blee_laptop> krzie: I have a samsung captivate/galaxy s 20:26 < blee_laptop> that would be the closest equiv, but wait till after CES alot of new stuff coming out 20:26 < blee_laptop> tegra 2 based stuff 20:27 * ecrist loves his myTouch 4g 20:27 * ecrist hated his Galaxy S 20:27 < krzie> ya someone mentioned the mytouch 4g 20:28 < krzie> ecrist, you played with an EVO? 20:28 < ecrist> yeah, my buddy has one. too big for me, tbh 20:29 < krzie> hows it compare? 20:29 < blee_laptop> ecrist: i hate it 20:29 < blee_laptop> alot 20:29 < blee_laptop> that being said 20:29 < ecrist> krzie: I like my myTouch 20:29 < blee_laptop> alot of improvments in the past few months from rom devs 20:29 < blee_laptop> nothing from samsung, never buying anything that relies on software updates from samsung 20:30 < krzie> i wouldnt take their software updates anyways 20:30 < krzie> ill be an unlocker 20:30 < blee_laptop> Well 20:30 < krzie> <-- not in usa 20:30 < blee_laptop> they need to release the source files 20:30 < blee_laptop> so rom makers and make stuff 20:30 < blee_laptop> they havent released it yet 20:30 < blee_laptop> not for froyo at least 20:31 < ecrist> krzie: IPv6 needs to be enabled on fbsd to get RA to do anything. 20:31 < blee_laptop> Where ya from krzie? 20:32 < krzie> im from california 20:32 < krzie> (from) 20:32 < blee_laptop> where are you located krzie? :P 20:33 < krzie> caribbean 20:33 < blee_laptop> ah nice 20:35 < pyther> if I do something like " ifconfig-push 10.8.1.1 10.8.1.2 20:35 < pyther> " in a ccd file, do I need to excludes those addresses from the address pool in server.conf? 
20:38 < krzie> whats your server line look like in the server config pyther ?\ 20:39 < pyther> server 10.25.252.0 255.255.255.0 20:39 < pyther> krzie: ^^ 20:39 < krzie> then 10.8.1.1 10.8.1.2 arent in the pool anways ;] 20:40 < pyther> krzie: I was going to use 10.25.252.3 10.25.252.4 20:40 < krzie> nope 20:40 < krzie> !/30 20:40 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc 20:41 < krzie> and if you are using topology subnet or tap, you dont use ptp style ifconfig-push 20:41 < krzie> !static 20:41 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder 20:41 < krzie> .4 isnt a valid IP to push 20:42 < pyther> krzie: yah my brain is the gotter 20:42 < krzie> but once you start using the IPs, no there is no way that i know of to exclude IPs from the pool 20:42 < pyther> so 10.25.252.5 and 10.25.252.6 20:42 < pyther> ahh ok 20:42 < krzie> i just give high IPs for the static 20:42 < krzie> but heres what i assume would happen if you used .6 static 20:42 < krzie> lets say someone else connects and gets .6 20:43 < krzie> then your static guy connects 20:43 < pyther> ahh ok so I should just cut my pool size down to 128 20:43 < pyther> !topology 20:43 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc 20:43 < krzie> your server gives him .6, now its route to .6 is to the static 
client, and the first ,.6 will timeout, then reconnect and get .10 20:43 < krzie> with the timeout being defined by your keepalive setting 20:44 < pyther> yah dirty path that I'd prefer not to go down 20:44 < krzie> i just use topology subnet and give out high IPs static 20:44 < krzie> since im not going to have so many people connected at once 20:45 < krzie> hell by the time you use the whole /24 (in topology subnet) you will be having problems with openvpn not being multi-threaded 20:46 < pyther> krzie: is there any down fall to using topology subnet? 20:47 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 20:47 < krzie> there is a possible one, depending on your needs 20:47 < pyther> krzie: and that is? 20:47 < krzie> if theres a special privledge to being a certain ip (firewall or something) 20:47 < krzie> in net30 a user cannot manually override his IP 20:48 < krzie> in topology subnet he can 20:48 < pyther> ahh, but I could run ifconfig blah blah and get a new ip that would work? 20:50 < pyther> krzie: did I understand that right? 20:53 -!- nb is now known as Guest89494 20:53 -!- nb_ is now known as nb 20:53 < krzie> pyther, correct 20:53 < krzie> in topology subnet that is possible 20:53 < krzie> in net30 it is not 20:53 < pyther> hmm I wonder if I should worry about that 20:54 < pyther> I'm using eurephia which is dynamically adding enteries to the firewall when a user connects 20:54 < krzie> do certain people get certain access based on them being a certain IP? 20:55 < krzie> is eurephia giving them access or taking away access with those firewall entries 20:55 < pyther> krzie: yep pretty much 20:55 < pyther> I was going to have a static rule for one user, my self 20:55 < krzie> if it gives them access, and otherwise they would have none, thats fine, if it takes access, and otherwise they would have more, thats not 20:55 < pyther> and that would just give me ssh access 20:56 < pyther> so all I do is topology subnet? 
20:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds] 20:56 < krzie> its up to you 20:56 -!- Guest89494 [~nb@fedora/nb] has quit [Quit: ZNC - http://znc.sourceforge.net] 20:56 < pyther> krzie: I better leave it, my "big" boss is going to test it out tomorrow 20:56 < pyther> don't want an egg on my face! 20:57 < krzie> my big boss doesnt know what an IP is 20:57 < krzie> nor does he care to 20:58 < pyther> krzie: mine might know but my point is I don't want to break things :P 20:58 < krzie> [22:40] krzie: I was going to use 10.25.252.3 10.25.252.4 20:58 < krzie> that would have broken things ;) 20:59 < pyther> krzie: it late here well late enough where my brain isn't thinking 100% 20:59 < pyther> and I'm editing firewall rules, oh my! 20:59 < pyther> which leads my to my next question, anyone have a list/website that states the ports that needs to be open for samab/windows file sharing? 21:00 < krzie> !google samba ports 21:00 <@vpnHelper> Chapter 18. Securing Samba: ; [Samba] Samba Ports: ; Samba Server Security: 21:00 < pyther> Should the samba ports be the same as the windows ports? 21:01 < krzie> yes, it only exists for compatibility with windows 21:01 < krzie> they made better protocols that dont share compatibility ;] 21:02 < pyther> hehe 21:02 < krzie> the last link from vpnHelper's google has "using a firewall" with the ports listed 21:03 < pyther> yah I saw that, that should help 21:03 < pyther> krzie: you know much about iptables? 21:04 < krzie> im a freebsd guy 21:04 < blee_laptop> does freebsd not use iptables? 21:04 < pyther> krzie: well I'll ask anyways because I think this is a generic (stupid) question.... 21:06 < krzie> blee_laptop, nope, iptables is a linux thing 21:06 < pyther> In my FORWARD chain I have a rule that calls the vpn_users chain and matches ctstate NEW, any rules that get called under vpn_user don't need to check ctstate NEW, correct? 
Since it matched the first time in the FORWARD chain 21:06 < krzie> freebsd has pf ipf and ipfw 21:06 * pyther can't type 21:06 < krzie> pyther, dunno, in pf its way more straight forward 21:06 < krzie> no "chains" and whatnot 21:06 < krzie> but there is #iptables 21:07 < pyther> I guess I'll pop my head in there, and try type better :) 21:08 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 21:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 21:09 < pyther> krzie: thanks for the help, I think I might play with topology subnet when the next rc comes out 21:09 < pyther> gives me a reason to play with the server 21:09 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit] 21:13 < krzie> np 21:13 < krzie> the next rc? 21:14 < pyther> krzie: I meant beta, I'm running 2.2beta5 since it had some code integrated into that eurephia needs 21:14 < krzie> ahh cool 21:14 < pyther> I don't quite remember what it does, some type of extra authentcation/key information is sent over 21:15 < krzie> i dunno either, but im sure its cool, eurephia looks really cool =] 21:16 < pyther> Love the security aspect 21:16 < pyther> a cert is tied to a user 21:16 < pyther> so a users cert and username + password would have to be compromissed 21:17 < pyther> therefore a stolen laptop/mobile device doesn't mean access to the vpn 21:18 < krzie> well that existed prior 21:18 < krzie> but it ties things together better 21:19 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 21:19 < pyther> did it? 
I thought the username wasn't directly linked to the cert 21:19 < pyther> but my favorite part is the dynamic iptable updates 21:20 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn 21:22 < krzie> oh ok thats true 21:22 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So 21:22 < krzie> the username was not connected to the cert, but the passphrase on the key was ;] 21:22 < krzie> (which is still a good idea) 21:23 < krzie> ecrist, why does vpnHelper keep repeating himself with those pastebins? 21:25 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Disconnected by services] 21:27 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn 21:27 -!- mode/#openvpn [+o vpnHelper] by ChanServ 21:27 < krzie> heheh i guess he wont repeat anymore! ;] 21:27 < krzie> ahh nm hes baq 21:29 <@vpnHelper> RSS Update - forum: help with Static Key Mini-HOWTO 21:37 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 21:38 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Remote host closed the connection] 21:43 -!- mcordoba [~mcordoba@201.203.152.35] has joined #openvpn 21:43 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has left #openvpn [] 21:44 -!- mcordoba [~mcordoba@201.203.152.35] has left #openvpn ["Saliendo"] 21:44 -!- mcordoba [~mcordoba@201.203.152.35] has joined #openvpn 21:52 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro] 21:58 -!- pyther [~pyther@unaffiliated/pyther] has quit [Read error: Operation timed out] 21:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds] 22:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 22:21 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 22:22 -!- mcordoba [~mcordoba@201.203.152.35] has quit [Quit: Saliendo] 22:35 -!- unspin 
[~unspin@S010600900b1a7c77.vc.shawcable.net] has joined #openvpn 22:54 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn 22:54 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host] 22:54 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn 23:06 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 23:07 -!- WinstonSmith [~true@e177090098.adsl.alicedsl.de] has joined #openvpn 23:17 -!- x-demon [xdemon@lex.io] has quit [Ping timeout: 260 seconds] 23:18 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has quit [Ping timeout: 260 seconds] 23:19 -!- x-demon [xdemon@lex.io] has joined #openvpn 23:19 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has joined #openvpn 23:22 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has joined #openvpn 23:28 -!- openvpn2009 [patel@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has quit [Changing host] 23:28 -!- openvpn2009 [patel@openvpn/corp/admin/patel] has joined #openvpn 23:28 -!- openvpn2009 [patel@openvpn/corp/admin/patel] has left #openvpn [] 23:29 -!- openvpn2009 [patel@openvpn/corp/admin/patel] has joined #openvpn 23:29 -!- mode/#openvpn [+o openvpn2009] by ChanServ 23:29 -!- openvpn2009 is now known as patelx 23:42 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 23:51 * ecrist feels like the local BOFH --- Day changed Wed Jan 05 2011 00:06 -!- _zero_ [~zero@noc.toile-libre.net] has quit [Read error: Connection reset by peer] 00:06 -!- _zero_ [~zero@noc.toile-libre.net] has joined #openvpn 00:08 -!- jhelwig [~jhelwig@li229-87.members.linode.com] has quit [Ping timeout: 240 seconds] 00:09 -!- ScriptFanix [~vincent@hanaman.riquer.fr] has quit [Ping timeout: 260 seconds] 00:09 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn 00:13 < krzie> why? 
00:13 < ecrist> just do 00:15 < hyper_ch> howdy 00:15 * Bushmills hands his LART, in a nice gift wrapper, over to ecrist 00:16 < ecrist> LART? 00:16 < Bushmills> http://scarydevilmonastery.net 00:17 < ecrist> 0 00:17 < Bushmills> luser attitude readjustment tool 00:21 < ecrist> I fucking hate comcast. 00:21 * ecrist considers social media bomb. 00:26 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro] 00:28 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has quit [Ping timeout: 240 seconds] 01:03 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has quit [Quit: Ex-Chat] 01:33 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving] 01:40 -!- wunderkin [~kbockman@69-92-51-205.cpe.cableone.net] has quit [Quit: Leaving.] 02:02 -!- moses [~moses@unaffiliated/moses/x-6794817] has joined #openvpn 02:07 < moses> question 02:08 < moses> my sshd server isnt working when im behind my work proxy, so im gonna go with openvpn 02:08 < moses> is this intelligent? 02:14 -!- WinstonSmith_ [~true@g225024003.adsl.alicedsl.de] has joined #openvpn 02:15 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-ltqmlliavogkigsn] has joined #openvpn 02:15 < HoboSteaux> is there a place with all of the settings and what they do? 02:17 < hyper_ch> moses: not really... as you are at work, there are pretty good reasons why you can't use it... best to clear it up with the tech guys 02:17 < hyper_ch> HoboSteaux: the man pages? 02:17 < hyper_ch> man openvpn > openvpn.txtz 02:17 < hyper_ch> -z 02:18 -!- WinstonSmith [~true@e177090098.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 02:18 < HoboSteaux> oh hahah duh 02:18 < hyper_ch> !tell HoboSteaux [howto] 02:18 < HoboSteaux> ive been dumping webpages for a 5 hr car ride tomorrow 02:21 -!- jhelwig [~jhelwig@li229-87.members.linode.com] has joined #openvpn 02:23 < hyper_ch> why that? 
02:30 -!- WuXorT [~WuXorT@fxip-0012a.externet.hu] has joined #openvpn 02:30 < WuXorT> hello 02:31 < WuXorT> !welcome 02:31 < WuXorT> !goal 02:32 < renihs> moses, most likely your ssh server isnt going to "work" behind your work proxy neither ...:) 02:32 < renihs> your openvpn server i mean 02:32 < moses> ok 02:33 < WuXorT> can I get a little bit of information? I'm looking for a router that can do OpenVPN server 02:33 < renihs> i assume "proxy" is a firewall, and i also assume it wont allow connections behind it without modifications :) 02:33 < renihs> speak to your firewall admin :) 02:34 < HoboSteaux> WuXorT: i know dd-wrt firmware supports it 02:34 < WuXorT> without the need of firmware upgrading or tinkering 02:34 < WuXorT> ive heard there are ones that supports them built in 02:34 < hyper_ch> WuXorT: than aks Doctor Google 02:35 < HoboSteaux> if its residential, flashing is your best bet 02:35 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn 02:35 < HoboSteaux> & this is a great place to start: http://www.dd-wrt.com/wiki/index.php/Supported_Devices 02:35 < WuXorT> yeah, ive looked at this webpage 02:36 < WuXorT> my boss states he've encountered a draytek router which could do openvpn out of the box 02:36 < WuXorT> without firmware upgrade and anything 02:38 < WuXorT> google said me f u 02:39 < HoboSteaux> so if its for a business, id do a spearate ovpn server 02:39 < HoboSteaux> separations always beautiful 02:40 < WuXorT> yeah, its for business, but he doesnt want to involve a server 02:40 < WuXorT> we currently use a draytek router which supports pptp and l2tp, but now its old, and we have to change a little bit 02:41 < WuXorT> oh brb 02:41 < HoboSteaux> http://www.draytek.us/draytek-vpn-solution.html 02:43 -!- takamichi [~pri@85.232.213.54] has quit [Ping timeout: 255 seconds] 02:44 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Read error: Operation timed out] 02:44 -!- takamichi [~pri@85.232.213.54] has joined #openvpn 02:45 
-!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn 02:46 < WuXorT> well primarily looking for a cisco if available :) 02:46 < WuXorT> draytek seems to malfunction when used for years 02:46 < WuXorT> so we kinda going for a "quailtyer" solution 02:48 < WuXorT> but it looks like now we can't avoid flashing 02:50 -!- WinstonSmith_ [~true@g225024003.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 02:52 -!- WinstonSmith_ [~true@g225024003.adsl.alicedsl.de] has joined #openvpn 03:05 -!- WinstonSmith_ is now known as WinstonSmith 03:07 < WuXorT> anyway thanks for your help, goodbye :) 03:07 -!- WuXorT [~WuXorT@fxip-0012a.externet.hu] has quit [] 03:20 -!- WinstonSmith_ [~true@g225024003.adsl.alicedsl.de] has joined #openvpn 03:20 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 03:20 -!- WinstonSmith [~true@g225024003.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 03:21 -!- WinstonSmith_ is now known as WinstonSmith 03:21 -!- WinstonSmith [~true@g225024003.adsl.alicedsl.de] has quit [Client Quit] 03:21 -!- WinstonSmith [~true@g225024003.adsl.alicedsl.de] has joined #openvpn 03:32 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 240 seconds] 03:36 -!- Malard [ident@dsl78-143-214-202.in-addr.fast.co.uk] has joined #openvpn 03:36 -!- Malard [ident@dsl78-143-214-202.in-addr.fast.co.uk] has quit [Changing host] 03:36 -!- Malard [ident@xbmc/staff/malard] has joined #openvpn 03:37 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn 03:47 < renihs> heh, seriously, someone looking for a cisco box with openvpn? 
:) 03:47 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has quit [Ping timeout: 240 seconds] 03:48 < macsppadic> morning 03:48 < renihs> thats funny somehow :) 03:50 -!- master_of_master [~master_of@p57B5330F.dip.t-dialin.net] has quit [Ping timeout: 250 seconds] 03:51 -!- dazo_afk is now known as dazo 03:52 -!- master_of_master [~master_of@p57B57625.dip.t-dialin.net] has joined #openvpn 03:58 -!- kyrix [~ashley@LSt-Amand-152-32-39-189.w80-11.abo.wanadoo.fr] has joined #openvpn 04:01 -!- thomaschaaf [c1af1a44@gateway/web/freenode/ip.193.175.26.68] has joined #openvpn 04:09 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn 04:09 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host] 04:09 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn 04:11 -!- Guest3082 is now known as Martink 04:12 -!- Martink is now known as Guest8450 04:12 -!- Guest8450 is now known as Martin` 04:23 -!- WinstonSmith [~true@g225024003.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 04:24 < thomaschaaf> why is the p to p on my client "10.8.0.5"? It's ip is 10.8.0.6 and the vpn servers is 10.8.0.1 and it's p to p is 10.8.0.2 04:31 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer] 04:32 -!- WinstonSmith [~true@g225024003.adsl.alicedsl.de] has joined #openvpn 04:37 <@dazo> thomaschaaf: that's normal ... and is a p-t-p artefact ... 04:37 <@dazo> !/30 04:37 <@dazo> gah ... vpnhelper is not here 04:37 -!- gregd [~gregd@188-220-38-34.zone11.bethere.co.uk] has joined #openvpn 04:38 <@dazo> thomaschaaf: you can avoid that by adding --topology subnet to your configs 04:38 < thomaschaaf> okay 04:38 < gregd> guys, can someone explain me why the access-server cannot be accessed via any IE borwser? 
it comes up with an JS error: XMLHttpRequest is undefined 04:38 -!- common- [~common@p5DDA470C.dip0.t-ipconnect.de] has joined #openvpn 04:38 <@dazo> thomaschaaf: normally openvpn uses a /30 (255.255.255.252) subnet for each client ... hence, --topology /30 is the default 04:39 -!- common [~common@p5DDA4786.dip0.t-ipconnect.de] has quit [Read error: Operation timed out] 04:39 -!- common- is now known as common 04:39 <@dazo> gregd: I'm sorry ... we don't support AS here ... we're asked to redirect AS users to it's own user forums/support 04:39 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 04:40 < gregd> dazo: fair enough 04:45 < thomaschaaf> I have a problem with networking http://dl.getdropbox.com/u/5910/Jing/2011-01-05_1113.png is my setup now when I tracert from the virtual server host to "192.168.1.1" gets stuck on the vpn box http://pastie.org/1430651 this is the routing table on the vpn box also the route on the virtual server: http://pastie.org/1430654 would someone be able to help? I know it is mostly routing but also some openvpn.. 
and I was told to use tun 04:48 -!- WinstonSmith [~true@g225024003.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 04:50 -!- Malard [ident@xbmc/staff/malard] has quit [Read error: Connection reset by peer] 04:50 -!- Malard [ident@dsl78-143-214-202.in-addr.fast.co.uk] has joined #openvpn 04:50 -!- Malard [ident@dsl78-143-214-202.in-addr.fast.co.uk] has quit [Changing host] 04:50 -!- Malard [ident@xbmc/staff/malard] has joined #openvpn 04:52 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has joined #openvpn 04:55 -!- gregd [~gregd@188-220-38-34.zone11.bethere.co.uk] has quit [Quit: gregd] 04:59 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn 05:11 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn 05:11 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host] 05:11 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn 05:21 -!- Malard [ident@xbmc/staff/malard] has quit [Read error: Connection reset by peer] 05:21 -!- Malard [ident@xbmc/staff/malard] has joined #openvpn 05:23 -!- jhelwig [~jhelwig@li229-87.members.linode.com] has quit [Quit: jhelwig] 05:28 -!- jhelwig [~jhelwig@li229-87.members.linode.com] has joined #openvpn 05:30 <@dazo> thomaschaaf: make sure you have enabled ip_forwarding ... and double check your iptables setup and your routing tables 05:30 <@dazo> ahh ... routing tables are here 05:31 <@dazo> both your openvpn boxes needs ip_forwarding ... and I suspect it might be iptables being the issue here 05:32 < thomaschaaf> dazo: iptables were empty 05:32 < thomaschaaf> I'm now trying to do it with tap :( 05:34 <@dazo> thomaschaaf: this is not a tap issue 05:35 <@dazo> thomaschaaf: check out with tcpdump on the openvpn client and server ... 
and then see where the traffic goes or do not go 05:35 <@dazo> tcpdump -n -i , is a good starter 05:35 < thomaschaaf> k :) 05:36 <@dazo> thomaschaaf: what you are most probably hitting now, is something which would bite you even in tap mode 05:37 -!- WinstonSmith [~true@g225024003.adsl.alicedsl.de] has joined #openvpn 05:39 < thomaschaaf> back to the tun config :D 05:45 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has joined #openvpn 06:00 < thomaschaaf> dazo: it's not really telling me anything except that it never gets a echo reply 06:14 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has quit [Read error: Connection reset by peer] 06:14 < thomaschaaf> if someone could help me to the point where I can ping the other machines in the LAN I'd buy them a pizza :/ 06:14 < Bushmills> those machines probably don't like pizzas 06:15 < thomaschaaf> the question is whether you do ;) 06:15 < Bushmills> i tend to think of myself in the first person 06:17 < Bushmills> i s'ppose you'd need to read and apply ... 06:17 < Bushmills> !route 06:17 -!- kyrix [~ashley@LSt-Amand-152-32-39-189.w80-11.abo.wanadoo.fr] has quit [Ping timeout: 246 seconds] 06:18 < Bushmills> you may want to do it once vpnhelper is online again 06:19 < thomaschaaf> I have read that :/ 06:19 < thomaschaaf> thats the sad thing 06:20 < thomaschaaf> is there somekind of tracing tool other than traceroute which tells me where my packets are going? they seem to go to the vpn server and not move 06:20 < thomaschaaf> and I don't understand why 06:20 < Bushmills> mtr 06:21 < Bushmills> routing or firewall 06:21 -!- pyther24 [~pyther@unaffiliated/pyther] has joined #openvpn 06:21 < thomaschaaf> I am pretty sure it's routing 06:21 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 250 seconds] 06:21 < Bushmills> s/ or firewall// 06:21 -!- d457k [~heiko@vpn.astaro.de] has quit [Read error: Connection reset by peer] 06:22 < thomaschaaf> does mtr work with command line? or does it need x? 
06:22 < Bushmills> X not needed
06:22 -!- d457k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn
06:22 < Bushmills> though it can be called in operation modes which require curses
06:23 < Bushmills> another good way to look at where your packets are going is with netstat -rn or route -n
06:24 < thomaschaaf> http://dl.getdropbox.com/u/5910/Jing/2011-01-05_1324.png
06:24 < thomaschaaf> um yea
06:24 < thomaschaaf> great so they go to ???
06:25 < thomaschaaf> Bushmills: my routing table looks like this http://pastie.org/1430893
06:25 <@dazo> thomaschaaf: if you use tcpdump on the client and server ... you will see where the packet goes ... check both the internal LAN and the tun device, to see if it goes in/out on the correct devices
06:25 < thomaschaaf> dazo: they just arrive at the tun0
06:26 < thomaschaaf> and never go anywhere from there
06:26 <@dazo> thomaschaaf: on which box?
06:26 < thomaschaaf> but I think the routing looks correct
06:26 < thomaschaaf> vpn
06:26 <@dazo> client or server?
06:26 < thomaschaaf> it goes from client to server to nowhere
06:26 < Bushmills> "just arrive at the tun0" "never go anywhere from there" ... ip forwarding
06:26 <@dazo> thomaschaaf: that's your "vpn box"?
06:27 < thomaschaaf> is turned on
06:27 < thomaschaaf> vpn box = server
06:27 < thomaschaaf> http://dl.dropbox.com/u/5910/Jing/2011-01-05_1113.png
06:27 < thomaschaaf> that's the setup
06:28 < Bushmills> "is turned on" - how do you know?
06:28 <@dazo> the vpn box ... that's a Xen based VM guest?
06:28 < thomaschaaf> cat /proc/sys/net/ipv4/ip_forward
06:28 < thomaschaaf> dazo: yea on the other system
06:28 <@dazo> "the other system"? That confuses me
06:29 < thomaschaaf> so there is office and hosted
06:29 <@dazo> yeah, and the vpnbox is in the "Xen Office" block? So that's a Xen VM?
06:29 < thomaschaaf> yes
06:31 < thomaschaaf> dazo: so the ping does go vpn client -> vpn server -> ???
06:31 <@dazo> goodie ... then it can be something with the Xen setup ... I don't know much about Xen and tun devices, but I do know you sometimes need some extra tweaks there .... but if you see the traffic *on* the vpnbox's tun device and not on the eth device *on* the vpnbox (that means, inside the VM) ... then it's first something inside that VM which needs to be solved
06:31 < thomaschaaf> and vpn client <-> vpn server is possible
06:31 <@dazo> where is the VPN client in this setup?
06:32 < thomaschaaf> hosted is client
06:32 <@dazo> okay, so if that client can ping the VPN server's IP address on the tun device, that's a first good test
06:33 <@dazo> the second is to ping, from the vpn client, the VPN server's eth interface ... if that's not doable ... you'll have to have some firewalls blocking somewhere, or a route issue
06:33 < thomaschaaf> works
06:34 < thomaschaaf> from the vpn client I can ping "192.168.1.52"
06:34 <@dazo> goodie! Can you ping something behind the VPN eth0 interface? your router, f.ex?
06:34 < thomaschaaf> nope
06:35 <@dazo> if you then do tcpdump on the eth interface on your vpnbox (server) ... what do you see?
06:35 < Bushmills> 192.168.1.x? there's no interface in that subnet in http://dl.dropbox.com/u/5910/Jing/2011-01-05_1113.png
06:35 < Bushmills> oh yes, there is. nm
06:36 <@dazo> :)
06:36 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn
06:36 < thomaschaaf> dazo: nothing other than ssh
06:40 < thomaschaaf> on 192.168.1.1 I did a tcpdump too
06:40 < thomaschaaf> 13:40:29.555895 IP 192.168.1.1 > 192.168.1.1: ICMP echo request, id 30060, seq 28, length 64
06:41 <@dazo> uhm ... that's a "ping to self"
06:41 <@dazo> that looks odd
06:41 < thomaschaaf> that's why nothing ever came back..
06:41 < thomaschaaf> now I just need to get that working
06:42 < thomaschaaf> :(
06:42 <@dazo> do you have some NAT rules which trick you on that box?
06:42 <@dazo> or somewhere else?
06:42 < thomaschaaf> it's the router
06:42 <@dazo> if you do the ping from the VPN client ... you should see the IP address of the VPN client ... either its LAN IP or VPN IP
06:43 < thomaschaaf> yea I don't know why it's doing that :(
06:43 < Bushmills> when you followed !route, !clientlan or !serverlan, did you apply what !clientlan said, or did you look at !serverlan?
06:44 <@dazo> ecrist: where have you hidden vpnHelper now?
06:44 -!- Kurogane [~kuro@190.87.80.64] has quit [Read error: Connection reset by peer]
06:46 < thomaschaaf> but it looks correct in the routing table or not?
06:47 <@dazo> http://pastie.org/1430651 .... which box is this again?
06:48 < thomaschaaf> dazo: openvpn server
06:48 < thomaschaaf> (office)
06:49 <@dazo> okay ... it might be you need to have a look at your Xen dom0 to see what happens there as well, on the bridge and interfaces you have there
06:50 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn
06:54 -!- d303k [~heiko@vpn.astaro.de] has joined #openvpn
06:54 -!- d457k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Ping timeout: 260 seconds]
06:55 < thomaschaaf> dazo: I think the openvpn server (office) is sending the package wrong.. although I don't understand how it sends it without going through eth1 on it (tcpdump -n -i eth1) gives nothing
06:56 < thomaschaaf> did tcpdump -vv -n -i eth1 | grep ICMP
06:56 -!- eKKiM [~eKKiM@ks311098.kimsufi.com] has joined #openvpn
06:56 < thomaschaaf> 12:56:20.631907 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.1.1 > 192.168.1.1: ICMP echo request, id 36716, seq 1, length 64
06:57 < reiffert> please add -e to tcpdump
06:57 < eKKiM> Hi, can i force an application to not use OpenVPN if openvpn is active?
06:57 < reiffert> eKKiM: same questions would be: how to tell an application what routing table to choose
06:57 < eKKiM> ok
06:58 < reiffert> eKKiM: but as routing tables are done by the operating system ..
06:58 < eKKiM> how to tell an application what routing table to choose?
06:58 < thomaschaaf> reiffert: 12:57:58.179907 00:16:3e:56:ab:64 > 00:16:3e:1c:fa:97, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.1.1 > 192.168.1.1: ICMP echo request, id 36972, seq 1, length 64
06:58 < eKKiM> i'm using ubuntu..
06:58 < reiffert> thomaschaaf: so what do we have here, two different MAC addresses. To whom do they belong?
06:58 <@dazo> eKKiM: it's all defined by the routing tables
06:58 < reiffert> eKKiM: means: no way.
06:58 < eKKiM> problem is the following..
06:58 < eKKiM> i tunnel openvpn over ssh
06:59 < eKKiM> in windows it works great
06:59 < eKKiM> but in linux if i connect to openvpn it kills my ssh connection thus openvpn fails to connect.
07:00 < reiffert> dazo: something completely different: Will openvpn clients get possibilities to ignore options that the server pushes (but just some of them)?
07:00 < thomaschaaf> 00:16:3e:56:ab:64 openvpn server(office) (192.168.1.52) and 00:16:3e:1c:fa:97 is the router (192.168.1.1)
07:01 < reiffert> thomaschaaf: why is the openvpn server thinking that 192.168.1.1 belongs to itself?
07:01 < thomaschaaf> where would such info be stored?
07:01 < thomaschaaf> ifconfig doesn't say that ;)
07:01 < reiffert> thomaschaaf: somewhere around /etc and /var/log for additional helpful places.
07:02 <@dazo> also check the arp tables, maybe?
07:02 < thomaschaaf> I'll grep -i "192.168.1.1" /etc then?
07:02 < reiffert> grep -rli 192.168.1.1 /etc/*
07:02 <@dazo> -R not -r, iirc
07:02 < thomaschaaf> http://pastie.org/1430981
07:02 < reiffert> dazo: -r
07:03 <@dazo> ahh, -r was not available earlier ... -R, -r and --recursive are the same now
07:03 < reiffert> thomaschaaf: add -H to grep options
07:03 < reiffert> thomaschaaf: and we really can't rely on what the host thinks is a valid arp table. It just doesn't help here.
07:04 < eKKiM> Can i use static routing to my SSH Server to not disconnect ssh on openvpn connect?
07:04 < reiffert> thomaschaaf: my wild guess is, that you fucked up openvpn config, so that openvpn thinks that it is 192.168.1.1.
07:04 < reiffert> eKKiM: see here:
07:04 < reiffert> !redirect
07:05 < reiffert> !def1
07:05 < eKKiM> !redirect
07:05 < thomaschaaf> there is nothing in /etc..
07:05 < reiffert> doh, vpnhelper is gone.
07:05 < eKKiM> =(
07:06 < reiffert> thomaschaaf: from the openvpn server, paste online this: server config, route when openvpn is not started, ifconfig when openvpn is not started, route and ifconfig when openvpn runs.
07:06 < thomaschaaf> reiffert: okay
07:07 < reiffert> thomaschaaf: additionally paste the *same* from an openvpn client. before openvpn connection gets established and after.
07:07 < reiffert> client.conf as well
07:07 < eKKiM> reiffert can i find the same info as vpnhelper somewhere on the web?
07:07 < reiffert> eKKiM: the openvpn manpage. see option def1 for --redirect-gateway option
07:08 < reiffert> 14:00 < thomaschaaf> 00:16:3e:56:ab:64 openvpn server(office) (192.168.1.52) and 00:16:3e:1c:fa:97 is the router (192.168.1.1)
07:08 < reiffert> thomaschaaf: be sure to add the routing table of your router as well. as far as you get it.
07:09 < thomaschaaf> k
07:09 < reiffert> 00:16:3e:1c:fa:97 is the router (192.168.1.1)
07:09 < reiffert> this one
07:12 < ecrist> dazo: my home internet connection sucks the past week or two
07:12 < ecrist> I am using IRC from a server at work. :)
07:12 < reiffert> ecrist: could you fire up vpnhelper please
07:12 < ecrist> no, I can't
07:12 < ecrist> my home connection is down still
07:13 < reiffert> The last thing I remember is, that you managed something that it automatically restarts if down
07:13 < ecrist> comCRAP should be here in about an hour
07:13 < reiffert> So it isn't running on krzie's server anymore?
07:13 < ecrist> yeah, and my home connection is down.
07:13 < ecrist> it is, krzee's server is in my basement.
07:13 < reiffert> ah.
07:13 < reiffert> :)
07:16 < thomaschaaf> reiffert: http://pastie.org/1430997 client will follow
07:19 < reiffert> so far this looks ok to me. I remember some bug where openvpn was not working correctly on subnet masks different from /24 ...
07:19 < reiffert> dazo: any ideas on hardcoded /24 masks in openvpn?
07:19 < reiffert> maybe it's me mixing stuff up in my brain
07:20 < thomaschaaf> http://pastie.org/1431006
07:20 < reiffert> thomaschaaf: please plase ifconfig from your router as well
07:20 < reiffert> s,plase,paste,
07:21 < thomaschaaf> reiffert: http://pastie.org/1431009
07:21 < eKKiM> route option fixed it
07:21 < eKKiM> tyvm
07:21 -!- eKKiM [~eKKiM@ks311098.kimsufi.com] has quit []
07:22 < reiffert> thomaschaaf: please paste complete firewall from openvpn server, especially the nat table.
07:22 < thomaschaaf> iptables -L ?
07:22 < reiffert> iptables -t nat -L -v -n
07:22 < reiffert> iptables -t filter -L FORWARD -v -n
07:23 < thomaschaaf> http://pastie.org/1431018
07:23 < reiffert> both
07:23 < thomaschaaf> other is empty
07:23 < reiffert> thos have a look at your last post
07:23 < reiffert> s,thos,so,
07:23 < reiffert> anything that comes up in your mind?
07:23 < reiffert> send all your money to my paypal account.
07:24 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 240 seconds]
07:24 < reiffert> :p
07:24 < thomaschaaf> :D
07:24 < thomaschaaf> no :(
07:24 < thomaschaaf> what does that mean?
07:24 < reiffert> no as in nothing in your brain?
07:24 < reiffert> see line 6 here: http://pastie.org/1431018
07:24 < thomaschaaf> how do I fix it?
07:24 < reiffert> let's see for the iptables manpage
07:25 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
07:25 < reiffert> http://pastie.org/1431028
07:26 < reiffert> thomaschaaf: you fucked up the source address in your Source NAT.
07:26 < reiffert> thomaschaaf: it should be ...oooOO 192.168.1.WHATHERE?
07:27 < thomaschaaf> reiffert: I don't understand what I should do now? flush?
07:27 < thomaschaaf> or should I replace it?
07:27 < reiffert> zero points to thomaschaaf.
07:27 < reiffert> yeah, replace that rule with a correct one.
07:27 < reiffert> but first:
07:28 < reiffert> please answer me, what do you think that line does?
07:28 < thomaschaaf> it sends everything to 192.168.1.1
07:28 < reiffert> wrong.
07:28 < thomaschaaf> it rewrites the to parameter to 192.168.1.1 for everything?
07:29 < reiffert> It replaces the source address (same knows as NAT or MASQUERADING)
07:29 < reiffert> s,knows,known,
07:29 < reiffert> thomaschaaf: so listen, here's the deal:
07:30 < reiffert> either replace that line by --to-source 192.168.1.52 or step away from masquerading and use pure routing instead.
07:30 < reiffert> pure routing has the benefit that other hosts in your lan can talk to services that run on the openvpn client.
07:31 < thomaschaaf> I want that
07:31 < reiffert> but it requires that you a) remove the masquerading stuff on the openvpn server and b) tell your router 192.168.1.1 to send packets with destination 10.8.0.0/24 to 192.168.1.52. route add -net 10.8.0.0/24 gateway 192.168.1.52
07:31 <@dazo> reiffert: shouldn't be anything like that hardcoded, afaik
07:32 < Rienzilla> i use openvpn with /29s
07:32 < reiffert> thomaschaaf: "I want that" is routing or masquerading?
07:32 < Rienzilla> works fine
07:32 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn
07:32 < thomaschaaf> Routing as far as I can tell
07:32 < reiffert> Rienzilla: I once tried with /22 and it failed for some reason I don't remember.
07:33 -!- luneff [~yury@84.51.195.188] has joined #openvpn
07:33 < reiffert> thomaschaaf: great. So after you've done all the changes paste: route routing table, openvpn server iptables nat table.
07:33 < thomaschaaf> reiffert: http://dl.dropbox.com/u/5910/Jing/2011-01-05_1113.png this is what I am trying to accomplish
07:33 < Rienzilla> i have not tried masks larger than 24, but i can't imagine why that wouldn't work
07:33 < reiffert> Rienzilla: for one obvious reason: hardcoded netmasks at some place.
07:33 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
07:34 -!- mode/#openvpn [+o vpnHelper] by ChanServ
07:34 < reiffert> !google 3+3
07:34 <@vpnHelper> 3OH!3 on Myspace Music - Free Streaming MP3s, Pictures & Music ...: ; Chelsea 3-3 Aston Villa - Premierleague.com: ; Chelsea 3-3 Aston Villa | Premier League match report | Football ...:
07:34 < reiffert> hrmn, 3+3 should be 6.
07:34 < Rienzilla> i think our uni has an openvpn which you route a /16 through
07:34 < reiffert> thomaschaaf: s,route routing table,routing table of router,
07:34 <@dazo> Rienzilla: OpenVPN supports bigger subnets than /24 ... I think the hard coded limit is /16
07:35 < thomaschaaf> reiffert: I don't quite understand how that stuff got there :/
07:35 < reiffert> thomaschaaf: pardon?
07:35 < thomaschaaf> reiffert: to be honest I am confused what to do :(
07:35 < ecrist> reiffert: it seems there is a bug in some python library which is why vpnHelper stops reconnecting on its own.
07:35 < reiffert> thomaschaaf: nevermind, just do those two little changes, they are:
07:35 < Rienzilla> (why is there a hardcoded limit?
07:36 < reiffert> thomaschaaf: ssh openvpn-server iptables -t nat -D POSTROUTING 1
07:36 < reiffert> thomaschaaf: ssh router route add -net 10.8.0.0/24 gw 192.168.1.52
07:36 < thomaschaaf> done
07:36 < ecrist> http://pastebin.ca/2038759
07:36 <@dazo> Rienzilla: to avoid making people do silly things ... and who needs to route a bigger net than /16 through a VPN? then you're doing something very odd
07:37 < thomaschaaf> reiffert:
07:37 < thomaschaaf> http://pastie.org/1431053
07:37 < reiffert> thomaschaaf: so, does it work now
07:37 < reiffert> ?
07:37 < thomaschaaf> I think it does
07:37 < reiffert> now back to sending all your money to my paypal account
07:37 <@dazo> ecrist: that pastebin indicates a bug in supybot ... lacking typecasting of a string to int, probably
07:38 <@dazo> sorry, int to string, I mean
07:38 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:38 < thomaschaaf> so I am buying 2 people pizza if they like..
07:38 <@vpnHelper> RSS Update - forum: Connect problem to lan gateway
07:38 < thomaschaaf> of the guys that helps
07:39 < thomaschaaf> helped
07:39 < reiffert> pizza sounds like a great idea.
07:45 < krzie> mmmm
07:45 < krzie> ppizza
07:51 < gladiatr> indeed
07:55 -!- thomaschaaf [c1af1a44@gateway/web/freenode/ip.193.175.26.68] has quit [Ping timeout: 265 seconds]
07:57 -!- thomaschaaf [c1af1a44@gateway/web/freenode/ip.193.175.26.68] has joined #openvpn
08:01 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
08:01 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
08:03 -!- jfk_ [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
08:04 -!- Malard [ident@xbmc/staff/malard] has quit [Read error: Connection reset by peer]
08:04 -!- Malard [ident@dsl78-143-214-202.in-addr.fast.co.uk] has joined #openvpn
08:04 -!- Malard [ident@dsl78-143-214-202.in-addr.fast.co.uk] has quit [Changing host]
08:04 -!- Malard [ident@xbmc/staff/malard] has joined #openvpn
08:08 < reiffert> thomaschaaf: does it *still* work?
08:09 < thomaschaaf> reiffert: most things work but some don't work as expected
08:09 < thomaschaaf> e.g. I can't ping a machine 192.168.1.10 from the vpn client
08:10 < reiffert> should work.
08:10 < reiffert> check that the route to 10.8 exists on your router.
08:10 < thomaschaaf> it does, I can ping the router e.g. 192.168.1.1
08:10 < reiffert> paste ifconfig, route, iptables etc from 192.168.1.10 host
08:11 < thomaschaaf> it's a windows workstation
08:11 < reiffert> shutdown the firewall on that machin
08:11 < reiffert> e
08:11 < thomaschaaf> the thing is I can ping from the vpn server
08:11 < reiffert> shutdown the firewall on that machine
08:12 < thomaschaaf> hmm okay
08:13 < thomaschaaf> works now, I feel stupid :/
08:13 < reiffert> "for free" :)
08:15 < gladiatr> lol
08:15 < thomaschaaf> reiffert: this might be asking a bit much but I also wanted to be able to ping/ssh into the machines too
08:15 < thomaschaaf> and I am unable to ping 10.1.1.1 or 10.8.0.6
08:15 < reiffert> thomaschaaf: from where to where?
08:16 < thomaschaaf> e.g. from router to openvpn client
08:16 < reiffert> you should be able to ping ..
08:16 < reiffert> start some tcpdumps to see where the packets go.
08:20 < thomaschaaf> the last place I can see them is on the router 15:18:34.897835 IP 192.168.1.10 > 10.8.0.6: ICMP echo request, id 1, seq 42, length 40
08:20 < reiffert> paste routing table of router.
08:20 < thomaschaaf> reiffert: http://pastie.org/1431134
08:21 < reiffert> It's the firewall running on that router.
08:22 < reiffert> something else comes to mind.
08:22 < reiffert> the router sends an "ICMP REDIRECT" message to 192.168.1.10 telling it to talk to 192.168.1.52 directly. so fire up tcpdump on 192.168.1.52 as well
08:22 < thomaschaaf> it does not arrive there
08:23 < reiffert> paste 192.168.1.1's firewall then
08:23 < reiffert> iptables -L -v -n && iptables -t nat -L -v -n
08:24 < thomaschaaf> reiffert: http://pastie.org/1431146
08:24 < thomaschaaf> I haven't looked at it myself yet :(
08:25 < thomaschaaf> 107 11950 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
08:25 < thomaschaaf> that's it huh?
08:25 < reiffert> Just some line. Can't tell, no contect.
08:25 < reiffert> context
08:27 < thomaschaaf> reiffert: http://pastie.org/1431146 line 17
08:27 < thomaschaaf> last of Chain FORWARD (policy DROP 0 packets, 0 bytes)
08:29 < reiffert> start with:
08:29 < reiffert> iptables -I FORWARD -i eth1 -j ACCEPT
08:29 < reiffert> iptables -I FORWARD -o eth1 -j ACCEPT
08:30 < thomaschaaf> reiffert: yey
08:30 < reiffert> what I really dislike is the -t nat POSTROUTING rule .. ! -o lo -j MASQUERADE might cause some trouble here.
08:30 < reiffert> yey?
08:30 < thomaschaaf> ping goes through
08:30 < reiffert> ok, here is the evil and very difficult part:
08:32 < reiffert> starting the ssh connection. You have to open a terminal somehow and enter those characters: ess ess aitch username @ host
08:32 < reiffert> finding the "@" sign is one of the hardest.
08:32 < thomaschaaf> what does that do?
08:33 < reiffert> open a secure shell session on "host"
08:33 < reiffert> basically that is what you were trying to do.
08:33 < reiffert> 15:15 < thomaschaaf> reiffert: this might be asking a bit much but I also wanted to be able to ping/ssh into the machines too
08:33 < thomaschaaf> ph :D
08:34 < reiffert> welcome to layer 3.
08:35 < thomaschaaf> reiffert: thank you so much :)
08:35 < reiffert> thanks for the pizza
08:36 < thomaschaaf> reiffert: everything works now as I wanted except one last part, I'll try to get that to work on my own *fingers crossed*: on the xen I have the tun0 and dummy0 device, I want to "route" those so that the xen clients are able to ping the router 192.168.1.1 too :P
08:36 < thomaschaaf> reiffert: I don't know if you saw what I was trying to create: http://dl.dropbox.com/u/5910/Jing/2011-01-05_1113.png
08:41 < thomaschaaf> reiffert: I could give up already :'(
08:41 < thomaschaaf> woops wrong language
08:42 * reiffert hides behind Bushmills
08:42 < thomaschaaf> okay okay I understand :( sorry go eat your pizza :P
08:43 < thomaschaaf> btw what did you get?
08:43 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:44 < reiffert> I'm fixing some problems on OX right now with a customer getting on my nerves and a remote management application driving me nuts
08:44 < reiffert> that's what I get right now.
08:47 -!- blee_laptop [~blee@211.71.118.70.cfl.res.rr.com] has quit [Remote host closed the connection]
08:49 < thomaschaaf> why is there no command such as becomefriends tun0 dummy0 :(
08:51 -!- Malard [ident@xbmc/staff/malard] has quit [Read error: Connection reset by peer]
08:51 -!- Malard [ident@dsl78-143-214-202.in-addr.fast.co.uk] has joined #openvpn
08:51 -!- Malard [ident@dsl78-143-214-202.in-addr.fast.co.uk] has quit [Changing host]
08:51 -!- Malard [ident@xbmc/staff/malard] has joined #openvpn
09:00 < Bushmills> pizza?
09:01 < ecrist> indeed.
09:02 < ecrist> thomaschaaf: OS X doesn't have a bridge interface.
09:02 < ecrist> :\
09:02 < reiffert> ecrist: apple stopped the bridge part in 2001 and removed it finally
09:03 < ecrist> yeah, really fucking retarded, if you ask me.
09:03 < reiffert> ecrist: so even if you try to compile a custom kernel with network bridging, you have to modernize the code itself for over 10 years.
09:03 < reiffert> and I tried.
09:04 < ecrist> Dear Apple, can we haz bridge interface? kthxbai
09:04 < reiffert> the code itself is still in the sources, but ifdef'ed out by preprocessor macros
09:05 < ecrist> http://icanhascheezburger.files.wordpress.com/2007/07/128287207305861615bridgecatsez1.jpg
09:06 < Bushmills> but didn't he saz he was back to routing config, no more bridge
09:06 < Bushmills> say
09:06 < ecrist> I'm just talking in general.
09:06 < ecrist> it's been a beef of mine for quite a while that OS X doesn't have a bridge interface
09:12 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
09:12 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
09:12 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
09:14 < gladiatr> hey, ecrist, was it really fucking retarded that apple removed the os x bridge interface?
09:14 < gladiatr> hehe
09:21 < ecrist> it was, indeed.
09:25 < Bushmills> another reason to endorse routed configs
09:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:30 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
09:30 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
09:30 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
09:43 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined #openvpn
09:48 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
09:48 <@vpnHelper> RSS Update - forum: Restricted client-client traffic
09:56 -!- daguz1 [~leo@208.1.63.50] has joined #openvpn
10:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:07 -!- macsppadic [~sonupunno@88.211.55.77] has left #openvpn []
10:07 -!- dazo is now known as dazo_afk
10:14 -!- wunderkin [~kbockman@69-92-51-205.cpe.cableone.net] has joined #openvpn
10:25 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
10:36 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So
10:37 < ecrist> friggin vpnhelper
11:06 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So
11:18 < reiffert> 17:37 < ecrist> friggin vpnhelper
11:19 * gladiatr drowns vpnhelper in a bucket of fat
11:19 < alhadi> hello
11:24 < gladiatr> hi alhadi
11:24 < alhadi> having weird problem
11:24 < Essobi> alhadi: stop picking at it, it's infected.
11:25 < alhadi> hehe
11:26 < alhadi> actually service fails, dunno why, saw log it says --MARK--
11:26 < Essobi> ...
11:26 -!- Malard|Home [ident@dsl78-143-214-202.in-addr.fast.co.uk] has joined #openvpn
11:26 -!- Malard|Home [ident@dsl78-143-214-202.in-addr.fast.co.uk] has quit [Changing host]
11:26 -!- Malard|Home [ident@xbmc/staff/malard] has joined #openvpn
11:26 < Essobi> MARK is just a standard watermarking log.. that's your syslogger generating, has nothing to do with openVPN.
11:27 < alhadi> ok..
11:27 < alhadi> i started using linux like last week. so learning every bit of it
11:27 < Essobi> Yurp..
11:27 < alhadi> But openvpn is a little complicated to me
11:27 < Essobi> Google is your friend.
11:27 < alhadi> but thanks to krzee's script
11:27 < alhadi> it helped me make the conf files
11:27 < Essobi> You've got years and years of reading to catch up on.
11:27 < alhadi> but service won't start
11:27 < alhadi> yep
11:28 < Essobi> Not that it's entirely relevant still
11:28 < Essobi> but
11:28 < gladiatr> Be nice to the fetuses, Essobi. Their skin is still very delicate.
11:29 < Essobi> lol
11:29 < Essobi> alhadi: http://www.textfiles.com/hacking/UNIX/unix001.txt
11:29 < Essobi> alhadi: Some Old school unix
11:29 <@vpnHelper> RSS Update - forum: openvpn bonding || Restricted client-client traffic
11:29 -!- Malard [ident@xbmc/staff/malard] has quit [Ping timeout: 240 seconds]
11:29 < Essobi> 1986 bishes
11:30 < Essobi> I wrecked so much shit back in the day after reading that.. lol
11:30 < gladiatr> g-files ... oh yeah
11:31 < gladiatr> essobi, ever spend much time on the old x.25 nets?
11:31 < Essobi> gladiatr: x25 pads? Fo sho.
11:31 < Essobi> Tymnet, and TelEnet too.
11:31 < gladiatr> good freakin' times
11:31 < Essobi> lol
11:32 < Essobi> Yea, I was in the scene when graybox was what all the 'cool kids' were doing.
11:32 < gladiatr> don't complain too heartily about windows until you've danced with tops20
11:32 < Essobi> It was so lame.
11:33 < Essobi> AT&T conference calls, wrecking COCOTS, and blastin nickletones at the bell phones.
11:33 < gladiatr> I still have the red box I built
11:33 < gladiatr> heh
11:33 < Essobi> Nice.
11:33 < gladiatr> it still worked in my home town til about 10 years ago
11:34 < Essobi> I trashed mine once all the physical detects went in here.. I live near a pretty big metro so we got all the tech backwash.
11:34 < Essobi> The COCOTS were crap though all the way up through high school.
11:34 < gladiatr> Yeah. They replaced the step-by-step switch in the old village in 1992
11:34 < gladiatr> (yes. they actually skipped xbar there)
11:35 < Essobi> drop a tollfree vm, and pound out till it hangs up and it'd drop you right into an unguarded dialtone
11:35 < gladiatr> hehehe
11:35 < Essobi> no shiz? supposedly there's a LEC indiana still running xbar
11:35 < Essobi> in indiana..
11:36 < Essobi> Too bad all his ingress trunks are tone guarded.. Blue boxing was just a hair before my time, but damnit, it would've been fun.
11:36 < gladiatr> I can't imagine so. The FCC mandated ESS upgrades from coast-to-coast either in the late 80's or early 90's--accompanied all of the federal money that went into t-com upgrades
11:36 < gladiatr> I hear you
11:36 < alhadi> Essobi http://www.pastie.org/private/uu2i4frxcibooj9r75kifq
11:36 < Essobi> they're an ilec.
11:36 < alhadi> cannot generate the key in ubuntu
11:36 < alhadi> pki says no file found
11:36 < alhadi> ./build no file found
11:36 < alhadi> :(
11:37 < Essobi> They're independently run, and the population of the town is under 100 people, so I've heard.
11:37 < gladiatr> alhadi, everything is in /etc/openvpn, correct?
11:37 < alhadi> gladiatr only 2 files
11:37 < gladiatr> damn. That's awesome
11:37 < Essobi> gladiatr: Perhaps it's just the shangri-la of phreaks but.. *SHRUG*
11:37 < alhadi> one is server.conf and the other is update.resolve.conf
11:37 < gladiatr> hehehehe!
11:38 < alhadi> 2 files :(
11:38 < alhadi> can't even generate a key
11:38 * alhadi is stuck
11:38 < Essobi> gladiatr: I wound up working for a LEC for 8 years... Phones lost all their fun for me after that.
11:38 < Essobi> alhadi: Are you running it as root?
11:38 < alhadi> yes
11:38 < alhadi> running as root
11:39 < gladiatr> openssl dhparam -out /etc/openvpn/dh1024.pem 1024
11:39 < Essobi> Wed Jan 5 17:35:30 2011 us=837960 Cannot open dh2048.pem for DH parameters: err
11:39 < Essobi> Yea.. keys are missing.
11:39 < alhadi> yes
11:39 < alhadi> once this is done server will start
11:39 < thomaschaaf> reiffert: That pizza was worth every penny thank you :-*
11:39 <@vpnHelper> RSS Update - forum: openvpn bonding
11:39 <@vpnHelper> RSS Update - pastebin: Miscellany || lorddoskias || harry_ || harry_ || Mine || Something || Anonymous || Mine || Untitled || Miscellany || So
11:40 < gladiatr> essobi, Yeah. I hear you. Same thing kinda happened with tech in general, for me. Now ahm jus anotha old, soul-sucked bastard hehe
11:41 < gladiatr> alhadi, well you also have no certificates. Man... go here. Read. Re-read. Absorb. Ponder. Play. Implement. Then come ask questions? :) http://openvpn.net/index.php/open-source/documentation.html
11:41 <@vpnHelper> Title: Documentation (at openvpn.net)
11:42 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
11:42 -!- Malard [ident@xbmc/staff/malard] has joined #openvpn
11:45 -!- Malard|Home [ident@xbmc/staff/malard] has quit [Ping timeout: 246 seconds]
11:56 <@vpnHelper> RSS Update - forum: Connect problem to lan gateway
11:57 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.]
11:58 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
11:58 -!- mode/#openvpn [+o vpnHelper] by ChanServ
11:58 * ecrist removes pastebin rss feed
11:59 -!- michl [~mich@2001:6f8:1c60:7777:21a:4dff:fe66:600c] has joined #openvpn
12:01 < gladiatr> dear god...
12:08 < wunderkin> thank you lol
12:10 <@vpnHelper> RSS Update - forum: openvpn bonding
12:19 -!- CharlesB [8e161032@gateway/web/freenode/ip.142.22.16.50] has joined #openvpn
12:20 < CharlesB> Right so... I have WindowsXP SP2 Pro here behind "dick-admin secured network" that blocks connections to anything other than port 80, and everything has to go through the local HTTP proxy. What do?
12:21 < CharlesB> My home box has Linux with SSHD running on port 80 right now. How would I go about setting up a VPN instead, and tunneling all my programs through it so I'd have normal program usage?
12:21 < CharlesB> !welcome
12:21 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:21 < CharlesB> Oh, I see.
12:21 < CharlesB> !goal
12:21 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:22 < CharlesB> My goal is to be able to use regular internet applications such as "Mumble" and "TeamSpeak" , Skype, etcetera, behind "dick-admin secured network"
12:24 < CharlesB> !redirect
12:24 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:24 < CharlesB> sigh.. seems confusing :/ 12:24 < ecrist> now a days, it's easier to just tether to your cell phone. ;) 12:25 < CharlesB> :( 12:25 < CharlesB> I can't 12:26 < CharlesB> ALL network connections are blocked, signals like wifi and the rest are blocked by the same dick-admin 12:26 < gladiatr> you work for the doe or something? 12:27 < gladiatr> or perhaps an involuntary guest of a psychiatric healthcare facility? :D 12:30 < ecrist> hehe 12:30 < ecrist> what about DNS, CharlesB ? 12:30 < ecrist> is UDP port 53 filtered? 12:31 < CharlesB> Lol... 12:31 < CharlesB> ecrist, I can only connect to external IPs on port 80 and SOMETIMES 443. 12:31 < CharlesB> That's it. 12:31 -!- thomaschaaf [c1af1a44@gateway/web/freenode/ip.193.175.26.68] has quit [Quit: Page closed] 12:34 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn 12:35 < ecrist> have you tried UDP ports? 12:36 < CharlesB> Yes, I've tried UDP. 12:36 < CharlesB> Basically, I opened all ports on my home box, and ran a portscanner here on it (tcp and udp), nothing got through except TCP port 80 :( 12:37 < ecrist> how did you 'open all ports on your home box' 12:38 < CharlesB> Lol, py script that listens on all ports for something, then dumps each to a file. 12:40 < gladiatr> CharlesB, you're no fun. You were supposed to say something along the lines of "sysctl -w net.inet.fly_open=1" 12:43 < CharlesB> lol... 
Windows host with linux VMs :/ 12:51 -!- maxJadi [~maxJadi@h192n3-g-kt-d1.ias.bredband.telia.com] has joined #openvpn 12:51 -!- maxJadi [~maxJadi@h192n3-g-kt-d1.ias.bredband.telia.com] has quit [Changing host] 12:51 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn 12:54 -!- CharlesB [8e161032@gateway/web/freenode/ip.142.22.16.50] has left #openvpn [] 12:59 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving] 12:59 <@vpnHelper> RSS Update - forum: openvpn bonding 13:06 <@vpnHelper> RSS Update - forum: 3g works router adsl don´t 13:18 -!- michl [~mich@2001:6f8:1c60:7777:21a:4dff:fe66:600c] has quit [Quit: Verlassend] 13:39 < gladiatr> SCIENCE! 13:58 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Ping timeout: 240 seconds] 14:01 < Essobi> lol 14:01 < Essobi> sysctl -w net.inet.youre_screwed_if_you_enable=0 14:06 -!- Malard [ident@xbmc/staff/malard] has quit [Ping timeout: 255 seconds] 14:14 < gladiatr> exactly! 14:23 * ecrist imagines ~2000 instances of netcat running. 14:23 -!- pyther24 [~pyther@unaffiliated/pyther] has quit [Quit: leaving] 14:24 <@vpnHelper> RSS Update - forum: Restricted client-client traffic 14:28 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Remote host closed the connection] 14:29 -!- maxJadi [~maxJadi@mehdi.kjm.sgsnet.se] has joined #openvpn 14:29 -!- maxJadi [~maxJadi@mehdi.kjm.sgsnet.se] has quit [Changing host] 14:29 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn 14:33 -!- vtanwyl [~vtanwyl@h-68-167-193-94.mclnva23.static.covad.net] has joined #openvpn 14:36 -!- vtanwyl is now known as toma 14:39 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection] 14:45 -!- toma [~vtanwyl@h-68-167-193-94.mclnva23.static.covad.net] has quit [Quit: using sirc version 2.211+KSIRC/1.3.12] 14:52 -!- sia is now known as sia^pwnnt 14:59 -!- sia^pwnnt is now known as sia 15:02 < alhadi> http://www.pastie.org/private/zqymkbvk6cvjecyixmnfaw 15:02 < alhadi> unable to connect 15:02 < alhadi> TLS error 
15:02 < alhadi> i have been configuring for 11 hours 15:02 < alhadi> Help 15:03 < alhadi> krzee u here? 15:03 < alhadi> i have the log now 15:05 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has quit [Quit: Leaving] 15:09 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has quit [Quit: alhadi] 15:10 < Essobi> aww he logged. 15:10 < Essobi> if he shows up again, tell'm krzie is sick and down for the count atm 15:29 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn 15:33 -!- dschuett [~dschuett@216.229.21.250] has left #openvpn [] 15:45 -!- ss0 [~Adium@5.sub-75-222-8.myvzw.com] has joined #openvpn 15:47 < ss0> I have an openvpn server, that I can connect to but I can't even ping the private Ip of the server. It was working previously but we upgraded some switches internally and went with a new ip addressing scheme. Could anyone help me understand what i screwed up? 15:48 < ss0> It seems to be pushing routes properly… 15:50 < Bushmills> ss0: what did your initial trouble shooting yield, besides "can't ping"? 15:51 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has joined #openvpn 15:51 * Bushmills diagnoses sharply: "if you can't ping, then the problem is that there i something wrong" 15:51 < Bushmills> is 15:53 < ss0> Bushmills: well i can't contact other hosts also connected to the server. from the logs it shows the routes being pushed. so I am assuming it has to be an issue with how things are routed on the server. 15:53 < Bushmills> from that follows: if there is something wrong, best remedy is often to fix it. 15:53 < ss0> Bushmills: I originally set this up in bridged mode, several months ago and used it off and on with no problems. I guess I don't know what to do next to get the information needed to narrow down the problem. 15:53 -!- luneff [~yury@84.51.205.26] has joined #openvpn 15:54 < Bushmills> do a bit of trouble shooting. like, use tcpdump, tshark, mtr, traceroute. 
15:54 < Bushmills> netcat can also be helpful 15:55 < ss0> Bushmills: well I see zero traffic on the tap0 interface with tcpdump 15:56 < Bushmills> there must be a reason for that 15:57 < ss0> If I had any idea what that reason was I would not be asking for help in irc no offense. The routing tables look like they should work, I can see it grab an ip from the server in the logs with no problem. It must be a routing issue but I don't know what kind. 15:58 < Bushmills> well, i know that you can't ping "something" and that you don't see traffic on tap0. that's not quite enough to say "your problem is on line 15 of your config file /xxx/yyy/zzz 15:58 < Bushmills> " 15:58 < ss0> ip forwarding is set to one, the firewall is stopped. ugh. I guess I could just slap pfsense on the box and be done with it. 15:59 < Bushmills> apart from that, i am of no help with bridged configs 15:59 < ss0> Bushmills: well I appreciate you trying anyway. 15:59 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has quit [Quit: alhadi] 16:01 -!- s7r [~s7r@95.154.230.202] has joined #openvpn 16:04 -!- ss0 [~Adium@5.sub-75-222-8.myvzw.com] has quit [Ping timeout: 240 seconds] 16:06 -!- ss0 [~Adium@131.sub-75-222-121.myvzw.com] has joined #openvpn 16:14 -!- ss0 [~Adium@131.sub-75-222-121.myvzw.com] has left #openvpn [] 16:24 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Quit: Leaving] 16:29 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 265 seconds] 16:36 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 16:38 -!- WinstonSmith [~true@g225024003.adsl.alicedsl.de] has quit [Quit: Ex-Chat] 16:42 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving] 16:47 <@vpnHelper> RSS Update - forum: Restricted client-client traffic 16:50 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving] 16:52 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 16:59 <@vpnHelper> RSS Update - forum: Route: Waiting for TUN/TAP interface to 
come up... 17:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 265 seconds] 17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn 17:10 -!- bitterman [~yury@84.51.205.26] has joined #openvpn 17:13 -!- luneff [~yury@84.51.205.26] has quit [Ping timeout: 240 seconds] 17:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 17:33 -!- bitterman [~yury@84.51.205.26] has quit [Read error: Connection reset by peer] 17:34 -!- bitterman [~yury@84.51.205.26] has joined #openvpn 17:49 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 17:53 -!- bitterman [~yury@84.51.205.26] has quit [Read error: Connection reset by peer] 17:54 -!- bitterman [~yury@84.51.205.26] has joined #openvpn 17:58 -!- darth_bitterman [~yury@84.51.205.26] has joined #openvpn 18:00 -!- bitterman [~yury@84.51.205.26] has quit [Ping timeout: 250 seconds] 18:04 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat] 18:06 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Read error: Operation timed out] 18:07 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn 18:09 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Ping timeout: 240 seconds] 18:10 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn 18:15 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn 18:15 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host] 18:15 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 18:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 18:28 -!- darth_bitterman [~yury@84.51.205.26] has quit [Read error: Connection reset by peer] 18:29 -!- darth_bitterman [~yury@84.51.205.26] has joined #openvpn 18:37 -!- UnterPerro 
[~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 18:57 <@vpnHelper> RSS Update - forum: Comms keeps stopping - ping fails 19:09 <@vpnHelper> RSS Update - forum: Comms keeps stopping - ping fails 19:14 < |Mike|> lol 19:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds] 19:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 19:35 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 19:41 -!- dangerdave [~dangerdav@c-76-28-192-192.hsd1.wa.comcast.net] has joined #openvpn 19:42 < dangerdave> Okay, how long does build-dh 2048-bit typically take you on, say, a Core i5? Minutes? Hours? Days? I'm several hours into it... 19:42 < dangerdave> !welcome 19:42 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 19:42 < dangerdave> !goal 19:43 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 19:45 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 19:56 -!- dangerdave [~dangerdav@c-76-28-192-192.hsd1.wa.comcast.net] has quit [Quit: dangerdave] 20:04 < wunderkin> hours? 
hmm 20:04 < |Mike|> y 20:20 -!- darth_bitterman [~yury@84.51.205.26] has quit [Read error: Connection reset by peer] 20:20 -!- darth_bitterman [~yury@84.51.205.26] has joined #openvpn 20:45 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 20:45 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn 20:45 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host] 20:45 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 20:51 <@vpnHelper> RSS Update - forum: Converting from OpenSwan? 20:52 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 264 seconds] 20:58 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 20:59 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 264 seconds] 21:15 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has joined #openvpn 21:15 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has quit [Changing host] 21:15 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn 21:33 -!- s7r [~s7r@95.154.230.202] has left #openvpn [] 21:34 -!- bitterman [~yury@84.51.205.26] has joined #openvpn 21:37 -!- darth_bitterman [~yury@84.51.205.26] has quit [Ping timeout: 240 seconds] 21:37 -!- bitterman [~yury@84.51.205.26] has quit [Client Quit] 21:38 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 255 seconds] 22:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn 22:22 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection] 22:24 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has joined #openvpn 22:25 -!- corretico [~corretico@201.201.44.82] has joined #openvpn 22:25 < grendal_prime> hey i need openvpn to send an email when a specific client connects. 22:34 < grendal_prime> wow 22:34 < grendal_prime> ecrist, i have comcast..i love it. 22:37 < grendal_prime> is anyone here? 
22:48 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection] 22:48 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn 23:01 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer] 23:01 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn 23:01 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host] 23:01 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 23:02 -!- gdb``` [~user@2001:4830:2446:b5:214:4fff:fe4a:f0] has quit [Read error: Operation timed out] 23:05 < ashes> grendal_prime: i suggest scanning logs with a shell script in cron, and email if a grep matches the ip or host you want 23:05 -!- gdb``` [~user@dr-wily.ipv6.mit.edu] has joined #openvpn 23:11 -!- moses [~moses@unaffiliated/moses/x-6794817] has quit [Ping timeout: 240 seconds] 23:11 -!- moses [~moses@unaffiliated/moses/x-6794817] has joined #openvpn 23:15 < grendal_prime> needs to be a little quicker than that..but i found something thanks for the idea. 
23:15 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has quit [Quit: Ex-Chat] 23:27 -!- jfk_ [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving] --- Day changed Thu Jan 06 2011 00:12 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds] 00:26 -!- WinstonSmith [~true@dslb-088-073-092-170.pools.arcor-ip.net] has joined #openvpn 00:33 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds] 00:38 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Ping timeout: 272 seconds] 01:52 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has joined #openvpn 01:56 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 02:03 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn 02:03 -!- mode/#openvpn [+o mattock] by ChanServ 02:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn 02:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer] 02:42 -!- wunderkin [~kbockman@69-92-51-205.cpe.cableone.net] has quit [Quit: Leaving.] 
02:43 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 265 seconds] 02:57 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn 02:59 -!- sia is now known as sia^pwnnt 03:13 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn 03:15 -!- macsppadic is now known as Directorsppadic 03:16 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has quit [Ping timeout: 260 seconds] 03:17 -!- dazo_afk is now known as dazo 03:18 -!- kyrix [~ashley@LSt-Amand-152-32-39-189.w80-11.abo.wanadoo.fr] has joined #openvpn 03:30 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has joined #openvpn 03:41 -!- luneff [~yury@84.51.205.26] has joined #openvpn 03:43 -!- WinstonSmith [~true@dslb-088-073-092-170.pools.arcor-ip.net] has quit [Ping timeout: 265 seconds] 03:43 -!- WinstonSmith_ [~true@g225025106.adsl.alicedsl.de] has joined #openvpn 03:50 -!- master_of_master [~master_of@p57B57625.dip.t-dialin.net] has quit [Ping timeout: 265 seconds] 03:52 -!- master_of_master [~master_of@p57B5386B.dip.t-dialin.net] has joined #openvpn 04:04 -!- sia^pwnnt is now known as sia 04:22 -!- WinstonSmith_ [~true@g225025106.adsl.alicedsl.de] has quit [Read error: Connection reset by peer] 04:27 < hyper_ch> krzee: http://xs-sniper.com/blog/2011/01/04/bypassing-flash%E2%80%99s-local-with-filesystem-sandbox/ 04:27 <@vpnHelper> Title: Billy (BK) Rios » Bypassing Flash’s local-with-filesystem Sandbox (at xs-sniper.com) 04:34 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn 04:34 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host] 04:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn 04:35 -!- WinstonSmith_ [~true@e179002106.adsl.alicedsl.de] has joined #openvpn 04:36 -!- WinstonSmith_ is now known as WinstonSmith 04:39 -!- common- [~common@p5DDA489C.dip0.t-ipconnect.de] has joined #openvpn 04:42 -!- common [~common@p5DDA470C.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds] 04:42 -!- common- is now known as common 04:44 -!- silverraindog 
[~angus@host86-185-35-153.range86-185.btcentralplus.com] has joined #openvpn 04:44 < silverraindog> good day 04:45 < silverraindog> quick question, if i give a static ip in the ccd client file to a client, would the server honour that and not dish out the ip to any other machine ? 04:49 <@dazo> silverraindog: yes, unless your pool is full and that static IP address is not in use when a new connection comes. Then this might be used for that client 04:50 <@dazo> you can avoid this by giving static IP addresses outside the pool-range 04:51 -!- krzie [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds] 04:51 < silverraindog> dazo: thank you! 04:52 <@dazo> you're welcome 05:01 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn 05:09 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has joined #openvpn 05:09 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has quit [Changing host] 05:09 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn 05:12 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn 05:52 -!- twister004_ [~chatzilla@59.90.34.167] has joined #openvpn 05:54 -!- twister004 [~chatzilla@59.90.34.167] has quit [Ping timeout: 240 seconds] 05:54 -!- twister004_ is now known as twister004 06:07 <@vpnHelper> RSS Update - forum: server and client 06:08 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Remote host closed the connection] 06:10 -!- SOG [~SOG@solution1.hsia.citycenter.com] has joined #openvpn 06:14 -!- SOG [~SOG@solution1.hsia.citycenter.com] has quit [Client Quit] 06:14 -!- SOG [~SOG@solution1.hsia.citycenter.com] has joined #openvpn 06:14 -!- SOG [~SOG@solution1.hsia.citycenter.com] has quit [Client Quit] 06:14 -!- SOG [~SOG@solution1.hsia.citycenter.com] has joined #openvpn 06:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection] 06:21 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn 06:21 -!- mant1s 
[~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host] 06:21 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 06:22 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer] 06:22 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn 06:22 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 06:26 -!- luneff [~yury@84.51.205.26] has quit [Read error: Connection reset by peer] 06:27 -!- luneff [~yury@84.51.205.26] has joined #openvpn 06:47 -!- alhadi [~thunderst@92.99.235.168] has joined #openvpn 06:50 -!- kyrix [~ashley@LSt-Amand-152-32-39-189.w80-11.abo.wanadoo.fr] has quit [Read error: Connection reset by peer] 06:55 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn 07:01 <@vpnHelper> RSS Update - forum: Problem with client-connect script 07:02 -!- alhadi [~thunderst@92.99.235.168] has quit [Quit: alhadi] 07:03 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn 07:12 -!- minto_ [~chatzilla@91.142.198.67] has joined #openvpn 07:13 < minto_> !welcome 07:13 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 07:13 < minto_> !howto 07:13 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 07:13 < minto_> hello 07:14 < minto_> can someone help me with establishing a vpn, i have problems 07:14 < minto_> i did generate keys 07:14 < minto_> i did config files 07:14 < minto_> and when i try to run the server i get a dh1024.pem error 07:18 < minto_> anyone ? 
07:19 < minto_> http://paste.pocoo.org/show/k2S9c5ii6bABIAqR47So/ 07:21 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: rebooting] 07:21 <@dazo> minto_: What does line 5 in your pastebin say? 07:22 < minto_> i know 07:22 < minto_> but that directory existys 07:22 < minto_> exists* 07:22 <@dazo> dh1024.pem is supposed to be a file ... and OpenVPN is never wrong in its error messages 07:23 < minto_> anyway i dont have such file in keys 07:23 <@dazo> it wants to read that file, as you've told it to do so ... and when it can't find it, it can't read it, it will exit 07:23 < minto_> i have only 3 keysa as in config one 07:23 <@dazo> Then, clean up your config file according to what !logs says ... and you might see your mistake 07:24 < minto_> ah no wai i see it 07:24 < minto_> so why he dont want to read it 07:24 <@dazo> either, don't load the dh1024.pem file .... or generate one ... it's all described in the !howto and in the !man pages 07:24 <@dazo> !logs 07:24 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin 07:24 <@dazo> if you don't want to read it, you don't want to understand it ... and nobody here wants to help you 07:25 < minto_> this is so complicated 07:25 < minto_> !pb 07:25 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel. 07:25 <@dazo> It is, if you don't read ... search for dh1024.pem in your config file ... and read what your own config file says in the lines above 07:26 < minto_> im reading it right now 07:26 <@dazo> then you will figure out how to get one step further 07:28 < minto_> so this dh dh1024.pem i must make to something like that dh /etc/openvpn/keys/dh1024.pem? 07:29 -!- sia is now known as sia^pwnnt 07:29 <@dazo> I haven't read your complete config file ... 
but more likely /etc/openvpn ... it all depends on where your distribution starts OpenVPN from. Or you can give the 'dh' option a full path to the file 07:30 < minto_> i did yea this one is done now i get another one 07:30 < minto_> sigh 07:31 < minto_> now i get cannot load private key but path to file is correct 07:32 < minto_> hmmm 07:32 < minto_> now this is something strange 07:32 < minto_> i need private key but it somehow didnt generate it 07:33 < minto_> i have only ca 07:33 < krzie> you're talking here when you should be following this: 07:33 < krzie> !pki 07:33 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed 07:33 <@vpnHelper> specially as a server (see !servercert) 07:33 <@dazo> then you need to re-read the documentation ... it states clearly that you first create CA keys and certificate, then you create server key and certificates, and then client keys and certificates 07:35 < minto_> well i did so 07:35 < minto_> yet i dont have it 07:36 < minto_> i did it by openvpn how-to 07:36 <@dazo> Neither PKI, OpenVPN nor OpenSSL does magic ... if you have skipped one step, it's not going to appear by itself 07:36 <@dazo> really! 
07:36 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 07:39 < minto_> ok this one is solved too 07:39 < minto_> now i have 07:40 < minto_> Socket bind failed on local address [AF_INET]XXX.XXX.XXX.XXX:1194: Cannot assign requested address 07:40 < minto_> by the way that http://openvpn.pastebin.ca/ gives me 500 error 07:40 < Rienzilla> hmm 07:41 < Rienzilla> if I push redirect-gateway def1, how does openvpn make sure traffic to the tunnel endpoint is not routed into the tunnel? 07:42 < krzie> Rienzilla, redirect-gateway adds a route to vpn server over pre-existing gateway 07:43 < Rienzilla> hmm. It's not there 07:43 < Rienzilla> is it possible that that route gets removed by refreshing a dhcp lease? 07:44 < krzie> it is 07:44 < Rienzilla> hmm 07:44 < krzie> theres a bypass dhcp flag as well 07:44 < minto_> are there some additional command to conf files when using vmware ? 07:45 < krzie> minto_, no, you need to do as !pki says 07:45 < minto_> !pki 07:45 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was 07:45 <@vpnHelper> signed specially as a server (see !servercert) 07:45 < krzie> and the bind error was you running openvpn 2 times 07:46 < minto_> !servercert 07:46 <@vpnHelper> "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm 07:46 < krzie> thats too advanced for you, ignore that 07:46 < krzie> make it like in !pki 07:46 < minto_> i see ... 
07:46 < minto_> well anyway keys are set up properly now i just get this socket error now 07:47 < krzie> because you already have openvpn running 07:47 < krzie> (as i said bove) 07:47 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn 07:47 < krzie> *above 07:47 < krzie> gladiatr! 07:47 < minto_> hmmm kk 07:47 < gladiatr> wheee! good morning! 07:47 < krzie> g'mornin 07:49 < Rienzilla> hmm that must be the issue 07:50 < Rienzilla> my clients drop after ~ their dhcp lease time, and when I look they have a route to 0.0.0.0/1 and 128.0.0.0/1, but none to the tunnel endpoint 07:50 < gladiatr> rude clients. beat them for their rudeness... 07:51 < Rienzilla> I have beat them several times 07:51 < Rienzilla> with a stick 07:52 * gladiatr prefers chickens... 07:52 < gladiatr> heh. ok. coffee... brain normalization in progress... please continue with business... 07:54 -!- minto_ [~chatzilla@91.142.198.67] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]] 07:56 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- Nine out of ten l33t h4x0rz prefer it] 07:56 < krzie> Rienzilla, and when they connect you see that they do have the route to the vpn endpoint? 07:57 < Rienzilla> I haven't checked yet, but they must have, because they work 07:57 <@vpnHelper> RSS Update - forum: SOLVED Windows Server 2008 - incorect address in TAP conn... 
07:58 < krzie> well you run the server, should be easy to connect a client 08:01 < Rienzilla> yes, but these clients are in a shitty location :) 08:01 < Rienzilla> (in a bus, and it rains), but hold on, i'll give it a try 08:01 < krzie> but i mean, im sure the server isnt at your house, just connect in 08:01 < |Mike|> :-) 08:06 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn 08:16 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection] 08:33 -!- minto [~chatzilla@ryd002.multi-play.net.pl] has joined #openvpn 08:33 < minto> hello again 08:33 < minto> i still have a problem i just can't get it working 08:33 < minto> !welcome 08:33 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 08:33 < minto> !goal 08:33 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 08:34 < minto> i still get socket is bound 08:34 < minto> but i cant use other ip address than 192.168.0.x cause its a virtual machine 08:34 < minto> and i dont have openvpn running before as i did stop it and start again 08:35 < gladiatr> on your server? 
08:35 < minto> http://paste.pocoo.org/raw/NCHUUl2KQI46TkfYnzAY/ 08:36 < minto> yes 08:36 < krzie> i told you your problem 3 times 08:36 < minto> you told me that it was already running 08:36 < minto> so i did stop daemon and start it again 08:37 < minto> sorry im quite noobish in linux 08:37 < gladiatr> killall -9 openvpn 08:37 < minto> ah thnx it worked :D 08:38 < minto> ^^ 08:38 < gladiatr> always always always check your process table. Init scripts are just that: scripts. They make certain assumptions. When those assumptions aren't necessarily so, the scripts will fail and sometimes give you faulty feedback 08:38 < minto> ill remember that :0 08:38 * krzie bets he doesnt know how to check his process table 08:39 * gladiatr cackles 08:39 < gladiatr> man ps 08:39 < minto> that i did know |^|^ 08:39 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has quit [Read error: Operation timed out] 08:40 < minto> wth 0_0 08:41 < minto> can client autoconnect to vpn on default settings ? 08:42 < gladiatr> default... settings... I do not see... 08:42 < minto> the one from the example config 08:43 < minto> oh nvm ill figure it out somehow :) 08:43 < gladiatr> go get 'em, tiger 08:46 -!- takamichi [~pri@85.232.213.54] has quit [Ping timeout: 255 seconds] 08:49 <@vpnHelper> RSS Update - forum: Problem with client-connect script 08:51 -!- takamichi [~pri@85.232.213.54] has joined #openvpn 08:54 -!- minto [~chatzilla@ryd002.multi-play.net.pl] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]] 09:03 < krzie> i honestly wasnt trying to be condescending 09:03 < krzie> i really think he didnt know how to find the process list 09:04 < krzie> im not even saying anything bad about that, i just dont know why people try to run openvpn when they dunno their os 09:05 < gladiatr> Dunno. I thought it was funny. :) 09:05 < gladiatr> their os... or basic ipv4 networking 09:06 < gladiatr> Don't get me wrong. 
I think it's cool that people are interested in securing their links and whatnot, but... yeeeeaaah 09:06 < krzie> yep 09:06 < gladiatr> back in a few. Must reboot... 09:06 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has quit [Quit: Leaving] 09:07 -!- kmbcz [~androirc@32.165.181.138] has joined #openvpn 09:10 < kmbcz> I want to set up a site to site vpn from a data center to an office, and make a range of ips from the data center available for the computers at the office to set as static ips. What's the best way to accomplish this? 09:11 <@dazo> !ccd 09:11 <@vpnHelper> "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 09:11 < krzie> you also want 09:11 < krzie> !topology 09:11 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc 09:12 < krzie> then you need 2 ips to waste, 1 for the server part of the vpn, 1 for its broadcast 09:12 * dazo wonders if we should propose --topology subnet as the default for OpenVPN 2.3 .... 
09:12 < krzie> you get a +1 from me 09:12 < kmbcz> Yeah it will just be a /28 I need to use 09:13 < krzie> kmbcz, then you assign the IPs directly from --server 09:13 -!- abeehc_ [~bob@d207-6-195-163.bchsia.telus.net] has quit [Remote host closed the connection] 09:13 < krzie> as dazo said, you assign static IPs with --ccd 09:13 < krzie> !static 09:13 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder 09:14 < kmbcz> Is there some way I can avoid playing with ips in openvpn and just bridge a nic on the server to a nic on the gateway virtually? 09:15 < kmbcz> That would be infinitely easier 09:15 < krzie> yes, but it will a) be less secure and b) i cant help with it 09:15 < kmbcz> Security isn't a big deal 09:16 * krzie baffles 09:16 < krzie> ok, gimme root then! 09:16 < kmbcz> Lol 09:16 -!- moses [~moses@unaffiliated/moses/x-6794817] has quit [Read error: Connection reset by peer] 09:16 < krzie> ill try to stay within your bandwidth constraints ;) 09:17 < kmbcz> I just need to assign those ips at this location, that's my only requirement 09:19 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn 09:19 < krzie> gladiatr, you missed the quote of the day 09:20 < krzie> gone only 13min and you missed it 09:20 < gladiatr> damn 09:20 < gladiatr> do tell 09:20 < krzie> [11:15] Security isn't a big deal 09:21 < kmbcz> Lmao 09:21 < gladiatr> and... where do I find... this... J. S. Sebastian... 09:21 < gladiatr> wow 09:21 < gladiatr> did this individual log off after typing these characters? 09:22 < krzie> nope, hes right here lh[is]ao 09:23 < gladiatr> well, yes indeed. there he is. 09:23 < kmbcz> It's not in this situation, though. 
Nothing unsecured will by flying over my vpn 09:24 < kmbcz> Not that there is any secure data 09:24 <@dazo> sounds like security through obscurity for me, though 09:24 < krzie> hes going to bridge his external interface at his colo 09:24 <@vpnHelper> RSS Update - forum: OpenVPN to filter DHCP requests in bridge mode 09:25 < gladiatr> well, yeah... in the whole disconnected, powered-off and locked in a room buried under the rubble of the world trade center context... 09:25 < krzie> kmbcz, bridges arent insecure, but its meant to be bridged to an *internal* interface 09:25 < kmbcz> Ah, I see 09:26 < kmbcz> Might you be able to point me in the right direction, at least? 09:26 < krzie> i did 09:26 < krzie> the *right* direction is !topology !static and using inet routable ips in --server 09:26 < krzie> ;] 09:27 < krzie> if you mean the right direction for bridging, that would be !bridge 09:27 < krzie> but thats not the *right* direction ;] 09:31 < kmbcz> Hah alright 09:31 < kmbcz> That's the simple direction though, no? 09:32 < kmbcz> For somebody with limited Openvpn experience? 09:32 < krzie> nope 09:32 < krzie> bridging is more difficult imo 09:32 < krzie> actually the routed method is quite simple... you arent even connecting in LANs 09:33 < krzie> plus your redirect setup wouldnt even need NAT 09:33 < kmbcz> Ahh. I still have to bridge on the gateway though, no? 09:34 < krzie> in fact i believe youd be done already if you spent the last 20 minutes working on it instead of talking about bridging 09:34 < krzie> and to the last question, no 09:34 -!- SOG [~SOG@solution1.hsia.citycenter.com] has quit [Quit: I will be back!] 09:34 < kmbcz> Hmm. Okay. Both servers still require two nics? 
Time to go shopping 09:35 < krzie> nope 09:35 < krzie> no extra nics needed 09:35 < krzie> just virtual adapters, called tun 09:38 < kmbcz> So on the client end I just plug it the single nic into the same switch as the incoming internet and set the client machines gateway to the gateway vpn machine? 09:39 < krzie> you change nothing 09:39 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn 09:39 < krzie> server is already on the net, as is the client 09:39 < krzie> you dont change any of that 09:39 < krzie> you just create a virtual connection (aka vpn) over the existing connection 09:40 < krzie> !vpn 09:40 <@vpnHelper> "vpn" is http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is 09:44 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn 09:46 < kmbcz> The client machines need to be assignable through their native interface though, not through additional software 09:46 * gladiatr thinks, "I believe it when you say you want to create visually stunning CGI films like Tron. I just think a better place to start would be... oh... a crudely rendered teacup spinning on a plate..." 09:46 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection] 09:46 < kmbcz> So how do they run through the gateway machine if I don't change any if that? 09:51 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn 09:53 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 260 seconds] 09:53 <@vpnHelper> RSS Update - forum: OpenVPN routing issues? 10:00 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 10:07 -!- roue [~roue@75-134-143-252.dhcp.roch.mn.charter.com] has quit [Remote host closed the connection] 10:19 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn 10:23 <@vpnHelper> RSS Update - forum: Converting from FreeSwan? 
10:40 <@vpnHelper> RSS Update - forum: Converting from FreeSwan? 10:40 < krzie> [11:46] The client machines need to be assignable through their native interface though, not through additional software 10:41 < krzie> then openvpn is not an option 10:41 < krzie> !notcompat 10:41 <@vpnHelper> "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn 10:41 < krzie> see #2 10:42 < kmbcz> That was the point of having the gateway machine, no? 10:42 < kmbcz> So I could natively assign the ips through that machine 10:42 < krzie> you said no additional software 10:42 < krzie> you will need openvpn 10:43 < Bushmills> then the gateway is vpn client, not the machines which you call clients 10:43 < krzie> which happens to be additional software (not their native interface) 10:43 < kmbcz> Right 10:43 < Bushmills> gateway - as client - needs extra software: openvpn 10:43 < kmbcz> Yes, and the 10:44 < krzie> Bushmills, hes not using lans behind clients, the gateway is his server 10:44 -!- luneff [~yury@84.51.205.26] has quit [Read error: Connection reset by peer] 10:44 < krzie> he wants to use internet routable IPs whih currently belong to his server, for his clients 10:44 -!- luneff [~yury@84.51.205.26] has joined #openvpn 10:45 < kmbcz> Right, and they should be assignable to any machine in that lan 10:45 < krzie> wait wait 10:45 < krzie> "in that lan" 10:45 < kmbcz> Office is lan 10:45 < krzie> thats the first you mentioned a lan 10:46 -!- luneff [~yury@84.51.205.26] has quit [Read error: Connection reset by peer] 10:46 < krzie> ok looks like Bushmills was right 10:46 < krzie> he understood something which i did not 10:46 < Bushmills> lucky guess 10:48 -!- Directorsppadic [~sonupunno@88.211.55.77] has left #openvpn [] 10:48 -!- Directorsppadic [~sonupunno@88.211.55.77] has joined #openvpn 10:48 -!- wunderkin 
[~kbockman@69-92-51-205.cpe.cableone.net] has joined #openvpn 10:48 -!- wunderkin [~kbockman@69-92-51-205.cpe.cableone.net] has left #openvpn [] 10:49 < krzie> ok well i have never tested this, but i think it should work... 10:50 < krzie> same setup i mentioned earlier 10:50 < krzie> the vpn client will take the first IP in the pool 10:50 < krzie> then it needs to run a dhcp server for its LAN, and give out the other IPs in the pool 10:50 < krzie> those lan machines must route through it as their default gateway 10:50 < kmbcz> Right. I can run it static though, right? 10:51 < kmbcz> Without adhcp? 10:51 < krzie> sure, just dont use the dhcp server 10:51 < krzie> but they MUST know the vpn client as their default gateway 10:51 < kmbcz> Yes, okay. And do I need the lan on a second nic? 10:52 < kmbcz> Or same is fine? 10:52 < krzie> you are losing the LAN ips all together 10:52 < kmbcz> Right 10:52 < krzie> so what are you talking about? 10:53 * gladiatr whispers, "Pie" 10:53 < kmbcz> So the internet and vpn are on the same switch, the machines that use the ips just set the gateway machine as the gateway, right? 10:55 < krzie> your vpn client will be their router 10:55 < kmbcz> Gotcha. And is this just a pretty standard site to site vpn? 10:55 < krzie> if it also connects to a different router, and must have some other ip and be on some other network in order to communicate with its router, then it needs a second nic for that 10:55 <@vpnHelper> RSS Update - forum: OpenVPN to filter DHCP requests in bridge mode 10:56 < kmbcz> Gotcha 10:56 < kmbcz> And the remote machine doesn't need one, right? 
10:57 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn 10:58 < krzie> nope 10:58 < kmbcz> By remote I mean server 10:58 < kmbcz> Awesome 10:58 < krzie> its not being a router for a lan 10:58 < krzie> you dont need the 2nd nic because of the vpn, you need it because your vpn client needs to act as a router for its lan now 10:59 < krzie> before, you said clients, which led me to believe that only vpn clients needed IPs from the server 10:59 < krzie> in which case you wouldnt need another nic anywhere 10:59 -!- int_0x80_ [~int0x80@int0x80.big-daddy.fr] has joined #openvpn 10:59 < int_0x80_> hello 10:59 < int_0x80_> some french here ? 11:00 < krzie> nope 11:01 <@vpnHelper> RSS Update - forum: OpenVPN routing issues? 11:01 < int_0x80_> do you know some french irc channels where it speaking about openvpn ? 11:02 -!- mathias [~mathias@p5B095E45.dip.t-dialin.net] has joined #openvpn 11:02 < krzie> nope, but there is a european forum online 11:02 -!- mathias is now known as Guest35397 11:02 < kmbcz> :-) thank you for all your help 11:03 < krzie> i dont think they do french tho 11:03 < Guest35397> hi, I would like to configure 3 openvpn server instances on a single machine with "topology subnet" and the _same_ subnet. Basically I want everybody no matter how he connected to be in the same OpenVPN subnet. Is that possible? I am asking because breaking something would lock me out ;) 11:03 <@dazo> I think the European forum does English and German, but not French 11:04 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection] 11:04 < gladiatr> Guest35397, I can't imagine how that would work 11:06 < gladiatr> why 3 instances? 11:06 < gladiatr> or why the same subnet? 11:07 <@dazo> Guest35397: I believe it can be done - in theory, by having each openvpn instance with different IP addresses (or IP less openvpn servers) providing IP addresses from separate pools ... 
and then you bridge all the tap adapters on the server into one device ... and use routing based on that interface 11:07 <@dazo> but I share gladiatr questions ... why why? 11:08 < gladiatr> Right, but then you wouldn't be using the topology subnet option which is for a routed connection, yes? 11:09 <@dazo> gladiatr: tap is more or less topology subnet 11:09 < gladiatr> lol. Ok. There is that. 11:10 < gladiatr> I was thinking more of the specific configuration directive rather than the concept. 11:11 * krzie chimes in as the third "why!?" 11:11 < krzie> planning on having like 600 clients and need to spread across multiple cores? 11:13 <@dazo> that explains multiple processes ... but not why on the same subnet 11:13 <@vpnHelper> RSS Update - forum: Problem with client-connect script 11:16 < krzie> if my prior explanation rings true, that part would just be a lack of understanding of routing 11:16 < krzie> (which is super common) 11:17 <@dazo> agreed 11:18 < Guest35397> gladiatr: I have three instances because one is a split tunnel over UDP, another full tunnel over UDP and another full tunnel over TCP port 443 to bypass most proxy servers 11:18 < Guest35397> thx for the hints, I will think about it 11:18 < gladiatr> cool. 11:18 <@dazo> Guest35397: but why do they need to be on separate subnets? 
11:18 <@dazo> on *same* subnet, I mean 11:19 < Guest35397> so that I dont have to push around so many routes 11:19 < Guest35397> that was my idea :D 11:19 < gladiatr> You might want to consider going with a bridged environment then 11:19 < gladiatr> the layer 2 traffic is a pita, but then everything is a trade-off :) 11:19 < Guest35397> hmm yeah - I tried to avoid layer 2 tunneling ;) 11:19 < gladiatr> me too 11:20 < gladiatr> if at all possible 11:20 <@dazo> that's not possible when you start with bridging 11:20 -!- Directorsppadic [~sonupunno@88.211.55.77] has quit [Quit: Directorsppadic] 11:20 <@dazo> bridging requires TAP 11:21 < gladiatr> You could also pick your client networks (for your 3 connections) out of a larger subnet. You'd still need entries on the server, but then you would still only need a single route for other parts of your network 11:24 < Guest35397> gladiatr : true - good old supernetting :D 11:24 <@vpnHelper> RSS Update - forum: OpenVPN routing issues? 11:24 < gladiatr> :D 11:25 < gladiatr> You have no idea (ok, you might) how many times I shot myself in that particular fashion by laying out address space w/out contemplating route propagation :P 11:27 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]] 11:28 < Guest35397> :D 11:29 -!- Guest35397 [~mathias@p5B095E45.dip.t-dialin.net] has quit [Quit: leaving] 11:38 -!- pyther24 [~pyther@unaffiliated/pyther] has joined #openvpn 11:42 < gladiatr> food... 
11:49 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Ping timeout: 276 seconds] 11:54 <@vpnHelper> RSS Update - forum: Problem with client-connect script 11:59 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 12:07 -!- zero_d [~zero@nl.gigabit.perfect-privacy.com] has joined #openvpn 12:07 -!- krzie [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds] 12:08 -!- maxJadi [~maxJadi@h192n3-g-kt-d1.ias.bredband.telia.com] has joined #openvpn 12:08 -!- maxJadi [~maxJadi@h192n3-g-kt-d1.ias.bredband.telia.com] has quit [Changing host] 12:08 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn 12:09 < zero_d> want log into my vpn, got this error: http://nopaste.me/paste/4d2605272dd9f.html 12:09 < zero_d> whats wrong? 12:10 <@vpnHelper> RSS Update - forum: Converting from FreeSwan? 12:13 -!- s7r [~s7r@213.229.87.31] has joined #openvpn 12:14 -!- zero_d [~zero@nl.gigabit.perfect-privacy.com] has quit [Remote host closed the connection] 12:15 -!- zero_d [~zero@nl.gigabit.perfect-privacy.com] has joined #openvpn 12:22 <@vpnHelper> RSS Update - forum: Problem with client-connect script 12:22 -!- kmbcz [~androirc@32.165.181.138] has quit [Ping timeout: 255 seconds] 12:29 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 12:30 -!- sia^pwnnt is now known as sia 12:47 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer] 12:48 -!- zero_d [~zero@nl.gigabit.perfect-privacy.com] has quit [Remote host closed the connection] 12:49 -!- zero_d [~zero@nl.gigabit.perfect-privacy.com] has joined #openvpn 12:55 -!- luneff [~yury@84.51.205.26] has joined #openvpn 12:55 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 13:04 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection] 13:07 -!- luneff [~yury@84.51.205.26] has quit [Read error: Connection reset by peer] 13:08 -!- luneff 
[~yury@84.51.205.26] has joined #openvpn 13:11 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 13:13 -!- luneff [~yury@84.51.205.26] has quit [Quit: Leaving] 13:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn 13:26 <@vpnHelper> RSS Update - forum: Problem with client-connect script 13:29 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection] 13:32 <@vpnHelper> RSS Update - forum: Problem with client-connect script 13:34 -!- Malard [~ident@hebe.travelrepublic.co.uk] has joined #openvpn 13:34 -!- Malard [~ident@hebe.travelrepublic.co.uk] has quit [Changing host] 13:34 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn 13:37 <@vpnHelper> RSS Update - forum: Converting from FreeSwan? 13:40 -!- zero_d [~zero@nl.gigabit.perfect-privacy.com] has quit [Remote host closed the connection] 13:41 -!- zero_d [~zero@213.163.65.50] has joined #openvpn 13:42 -!- daemon [~daemon@serial.daemonrage.net] has quit [Excess Flood] 13:43 -!- daemon [~daemon@serial.daemonrage.net] has joined #openvpn 13:45 -!- dazo is now known as dazo_afk 13:45 -!- corretico [~corretico@201.201.44.82] has joined #openvpn 13:48 <@vpnHelper> RSS Update - forum: Route: Waiting for TUN/TAP interface to come up... || OpenVPN routing issues? || Problem with client-connect script 13:54 -!- zero_d [~zero@213.163.65.50] has quit [Remote host closed the connection] 13:54 <@vpnHelper> RSS Update - forum: 3g works router adsl don´t 13:55 -!- zero_d [~zero@nl.gigabit.perfect-privacy.com] has joined #openvpn 13:59 <@vpnHelper> RSS Update - forum: OpenVPN routing issues? 13:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer] 14:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 14:05 <@vpnHelper> RSS Update - forum: OpenVPN routing issues? 
14:05 -!- daemon is now known as jsEvalBot 14:05 -!- jsEvalBot is now known as daemon 14:10 <@vpnHelper> RSS Update - forum: Problem with client-connect script || OpenVPN routing issues? 14:24 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn 14:24 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host] 14:24 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 14:27 <@vpnHelper> RSS Update - forum: OpenVPN routing issues? 14:30 -!- pyther24 [~pyther@unaffiliated/pyther] has quit [Quit: leaving] 14:36 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 255 seconds] 14:38 -!- kim0 [~kim0@ubuntu/member/kim0] has joined #openvpn 14:38 < kim0> Hi folks 14:38 -!- Malard [ident@dsl78-143-214-202.in-addr.fast.co.uk] has joined #openvpn 14:38 -!- Malard [ident@dsl78-143-214-202.in-addr.fast.co.uk] has quit [Changing host] 14:38 -!- Malard [ident@xbmc/staff/malard] has joined #openvpn 14:39 < kim0> I've been running an openvpn setup for 2 years now, been awesome 14:39 < kim0> today, things are suddenly too slow (ping takes 6000ms) 14:39 < kim0> how can I locate the bottleneck please ? 14:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm] 14:57 -!- sia is now known as sia^pwnnt 15:01 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn 15:01 < Bushmills> kim0: mtr. 15:01 < grendal_prime> is it possible to get the macaddress of a connected tap ? 15:03 < grendal_prime> so basically a windows machine connects via a tap device, i need to look at the (and yes i know its randomly generated) mac address of the tap on the client machine. 15:06 < kim0> Bushmills: thnx, just tried it, but I am testing the 2 vpn end points. 
Thus mtr result is a single line saying avg latency = 6000ms with loss=7% 15:06 < Bushmills> mtr public server address instead 15:07 < Bushmills> that'll show all hops between client and server 15:07 < kim0> ah damn :) 15:13 < kim0> Bushmills: mtr is showing a level3 router in san jose is dropping 96% of packets 15:13 < Bushmills> repeat mtr the opposite direction, just to make sure. 15:13 < kim0> Bushmills: however mtr uses icmp right ? I understand ISP differentiate against that 15:14 < Bushmills> but not commonly by introducing a multi-second lag 15:15 < Bushmills> in addition, your observation is consistent with the lag experienced with your openvpn connection 15:16 < Bushmills> with -u, you can use mtr with udp datagrams instead of icmp 15:17 < int_0x80_> some french people here please ? 15:18 < kim0> Bushmills: thanks for being so helpful! Can I ask you to take a quick look over the results (I can pastebin them) ? 15:20 < Bushmills> if i'm called "helpful", i must have done something wrong :P 15:20 < kim0> hehe :) nah not really 15:20 < kim0> lol 15:22 < Bushmills> i suppose, looking at the result will only let me conclude that there's an overloaded level3 router between your server and client 15:22 < kim0> Bushmills: Yeah .. I mean if you can confirm that's the reason (most likely) 15:23 < kim0> then it would be helpful indeed 15:23 < kim0> Bushmills: for example .. in the first trace .. I'm not sure why lines 18 and 19 show high loss as well 15:23 < Bushmills> doesn't it look as there's a routing loop in it? 15:24 < kim0> Bushmills: how can you see that 15:24 < kim0> Bushmills: these are 2 traces .. US2EG then EG2US 15:24 < Bushmills> there's a router which seems to appear several times, as different hop in the route 15:25 < Bushmills> ae-84-84.csw3.SanJose1.Level3.net 15:26 < kim0> Bushmills: yeah that's weird 15:27 < kim0> Bushmills: Any explanations for the loss on linse 18,19 ? 
15:27 < Bushmills> anyway, looks like there's fairly little you can do besides waiting it out 15:28 < kim0> I'm not even sure how mtr can determine where the loss happened ? a loss is a loss .. the packet disappeared somewhere right! 15:28 < kim0> I know about ttl and returning an icmp message .. but a loss is different huh 15:30 -!- Malard|Home [ident@dsl78-143-214-202.in-addr.fast.co.uk] has joined #openvpn 15:30 -!- Malard|Home [ident@dsl78-143-214-202.in-addr.fast.co.uk] has quit [Changing host] 15:30 -!- Malard|Home [ident@xbmc/staff/malard] has joined #openvpn 15:31 < kim0> Bushmills: weird huh 15:32 < Bushmills> it can, as all hops are pinged one by one 15:33 -!- Malard [ident@xbmc/staff/malard] has quit [Ping timeout: 265 seconds] 15:33 < kim0> Bushmills: but if hop3 is the one dropping packets .. and it pings hop4 and a packet is dropped .. how can it know if it were hop3 or hop4 that dropped it 15:33 < Bushmills> i think it subtracts accumulated time from all previous hops from the one currently measured 15:34 < Bushmills> by knowing that hop2 isn't lossy yet, and the effects of hop 3 show in hop 4, and can therefore be extrapolated on hop4 measurements 15:35 < Bushmills> after all, it measured hop3 before it measured hop4 15:35 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn 15:36 < kim0> but that sounds horribly inaccurate 15:36 < kim0> IMO once hop3 drops 95% packets like in my case .. 
the rest of the route becomes dark 15:37 -!- Malard [~ident@hebe.travelrepublic.co.uk] has joined #openvpn 15:37 -!- Malard [~ident@hebe.travelrepublic.co.uk] has quit [Changing host] 15:37 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn 15:37 < Bushmills> which is why i suggested to mtr the opposite direction too 15:38 < kim0> I wish one could manually choose the route to avoid the faulty router 15:38 < kim0> lots of good things were killed in the name of security hehe 15:38 < Bushmills> you could - if those routers were yours 15:39 -!- s7r [~s7r@213.229.87.31] has left #openvpn [] 15:40 < kim0> hehe 15:40 < kim0> Bushmills: Thanks man, really appreciate the help 15:40 -!- Malard|Home [ident@xbmc/staff/malard] has quit [Ping timeout: 250 seconds] 15:45 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- s0 d4Mn l33t |t'z 5c4rY!] 15:50 < grendal_prime> tap mac address? is that possible? 15:50 < grendal_prime> from the server? 15:51 -!- luneff [~yury@84.51.205.26] has joined #openvpn 15:54 -!- hexa [~hexa@modemcable102.60-82-70.mc.videotron.ca] has joined #openvpn 15:55 < hexa> hi, is it possible to set the tun ip something else then 172.16.0.1 for example... since I already have a gateway on .1.. ? 15:55 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn 15:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds] 15:56 < hexa> can I set server 172.16.0.10 netmask ? 15:59 < Bushmills> hexa: do you overlap ethernet- and openvpn subnet addresses? 15:59 < hexa> Bushmills, ethernet and openvpn subnet?? 16:00 < Bushmills> how can you have a gateway on 172.16.0.1 if it's not the openvpn server? 16:00 < hexa> Bushmills, well it is but it's ip is set on a carp device.. if I get ifconfig: ioctl (SIOCAIFADDR): File exists 16:01 < Bushmills> or, better, why is your openvpn subnet 172.16.0.0 when you have a gateway on 172.16.0.1? 
16:02 < hexa> Bushmills, you mean I need to run openvpn in another subnet then my internal lan.. 16:02 < hexa> makes sense 16:02 < Bushmills> right 16:02 < hexa> hehe thx :) 16:02 < grendal_prime> ya...otherwise you want to use a bridge 16:02 < hexa> yeah got it :) doh 16:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 16:13 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Ping timeout: 260 seconds] 16:22 -!- Malard [~ident@xbmc/staff/malard] has quit [Read error: Connection reset by peer] 16:22 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn 16:23 -!- luneff [~yury@84.51.205.26] has quit [Read error: Connection reset by peer] 16:23 -!- luneff [~yury@84.51.205.26] has joined #openvpn 16:28 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn 16:29 -!- zero_d [~zero@nl.gigabit.perfect-privacy.com] has quit [Remote host closed the connection] 16:33 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 260 seconds] 16:35 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 16:37 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Client Quit] 16:46 -!- hexa [~hexa@modemcable102.60-82-70.mc.videotron.ca] has left #openvpn ["Leaving"] 16:55 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn 16:55 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Excess Flood] 16:55 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn 16:57 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn 16:58 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection] 17:04 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 264 seconds] 17:07 -!- WinstonSmith_ [~true@g231217167.adsl.alicedsl.de] has joined #openvpn 17:07 -!- WinstonSmith [~true@e179002106.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 17:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 17:13 -!- WinstonSmith_ [~true@g231217167.adsl.alicedsl.de] has quit [Ping timeout: 240 
seconds] 17:24 -!- WinstonSmith_ [~true@f052099193.adsl.alicedsl.de] has joined #openvpn 17:30 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat] 17:33 -!- luneff [~yury@84.51.205.26] has quit [Quit: Leaving] 17:34 -!- davneg [~lunix@otherreality.net] has quit [Read error: Connection reset by peer] 17:51 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 17:56 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro] 18:24 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn 18:24 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host] 18:24 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 18:27 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 18:39 < pyther> Hi 18:39 < pyther> If I push routes that already exit on the local system what will happen? Well they simply not go into affect? 18:40 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn 18:40 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host] 18:40 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 18:42 < Bushmills> they'll exist twice, ad the first will be used. though whether they're duplicated may depend on operating system. 18:47 < pyther> Bushmills: the first being the local, I would assume it would have a lower metric? 18:48 < Bushmills> i assume that the routes are identical, therefore also same metric 18:49 < pyther> well one would push out to my remote network and the other would push out to the local network, no? 18:50 < Bushmills> i don't know the routes zou're pushing. 18:50 < Bushmills> you're . 18:51 < pyther> say I push 10.250.1.10/255 and there is the local lan is 10.250.1.0/24 18:52 < Bushmills> then you'd have two conflicting routes. one will have precedence. 18:53 < pyther> Bushmills: ok, which one? 
I would assume that the local router would probably have a lower metric taking precedence, correct? 18:53 < Bushmills> may depend on OS. the last rule added having precedence makes most sense 18:54 < pyther> hmm, do you know about windows? 18:55 < Bushmills> when i google for windows, i might know what that is 18:55 < Bushmills> a graphical shell for msdos, iirc 18:56 < pyther> o_o 18:56 < pyther> Hmm on vista the remote route has a metric of 30 and the local route has a metric of 286 18:57 < Bushmills> metric should be of no relevance unless you're using a routing protocol for dynamic routing 18:57 < pyther> no, I thought a metric was used to determine the best route to go with 18:58 < pyther> ? 18:58 < Bushmills> that's how routing protocols can be told which of the overlapping/conflicting routes is more preferable 18:58 < krzie> its most specific route wins 18:59 < krzie> and in windows, if they are = the metric does get used 18:59 < pyther> so the windows uses the most specific route? What if the two routes are the same 18:59 < pyther> ahh ok 19:08 -!- sia^pwnnt is now known as sia 19:40 <@vpnHelper> RSS Update - forum: android-openvpn-settings 20:00 < krzie> grr i wanna answer that one, but cant 20:05 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 246 seconds] 20:05 -!- WinstonSmith_ [~true@f052099193.adsl.alicedsl.de] has quit [Quit: Ex-Chat] 20:09 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 240 seconds] 20:12 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 20:16 <@vpnHelper> RSS Update - forum: Private network config 20:32 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 20:33 -!- Bebop2Steady [~Bebop2Ste@124-168-169-88.dyn.iinet.net.au] has joined #openvpn 20:34 <@vpnHelper> RSS Update - forum: android-openvpn-settings || Double VPN || 2 Hop VPN || VPN-over-VPN 20:37 < Bebop2Steady> Good morning/evening to all. 
If any adventurous soul can help out -- I started a new thread at the forum ( link above ^ ) with a question of how to effectively implement 2-hop or double-vpn. I'm stuck for now, on step one, which is teh basic understanding of teh concept. 20:39 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 20:43 < HoboSteaux> hey im trying to do speed/resource testing using different encryptions etc. whats a suuper simple setup for this? 20:46 <@vpnHelper> RSS Update - forum: Double VPN || 2 Hop VPN || VPN-over-VPN 20:49 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 20:52 <@vpnHelper> RSS Update - forum: Double VPN || 2 Hop VPN || VPN-over-VPN 20:56 -!- roe [~roe___@unaffiliated/roe] has joined #openvpn 20:56 < roe> !welcome 20:56 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 20:57 < roe> !goal 20:57 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 20:58 <@vpnHelper> RSS Update - forum: Route: Waiting for TUN/TAP interface to come up... || Double VPN || 2 Hop VPN || VPN-over-VPN 21:16 -!- p3rror [~mezgani@41.140.30.16] has joined #openvpn 21:19 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-ltqmlliavogkigsn] has left #openvpn [] 21:34 <@vpnHelper> RSS Update - forum: Route: Waiting for TUN/TAP interface to come up... 
21:46 <@vpnHelper> RSS Update - forum: Private network config || Double VPN || 2 Hop VPN || VPN-over-VPN 21:52 <@vpnHelper> RSS Update - forum: Route: Waiting for TUN/TAP interface to come up... 22:02 -!- p3rror [~mezgani@41.140.30.16] has quit [Ping timeout: 240 seconds] 22:04 <@vpnHelper> RSS Update - forum: Double VPN || 2 Hop VPN || VPN-over-VPN 22:14 -!- p3rror [~mezgani@41.140.34.211] has joined #openvpn 22:19 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds] 22:20 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 22:24 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 240 seconds] 23:33 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat] 23:40 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving] --- Day changed Fri Jan 07 2011 00:01 -!- Bebop2Steady [~Bebop2Ste@124-168-169-88.dyn.iinet.net.au] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/] 00:31 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Quit: Leaving] 01:15 -!- gdb``` [~user@dr-wily.ipv6.mit.edu] has quit [Read error: Operation timed out] 01:15 -!- WinstonSmith [~true@g230121201.adsl.alicedsl.de] has joined #openvpn 01:19 -!- WinstonSmith [~true@g230121201.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 01:36 -!- WinstonSmith [~true@f052096061.adsl.alicedsl.de] has joined #openvpn 01:42 -!- dazo_afk is now known as dazo 01:59 -!- Satpol [~satpol@unaffiliated/satpol] has joined #openvpn 02:06 -!- p3rror [~mezgani@41.140.34.211] has quit [Ping timeout: 240 seconds] 02:19 -!- p3rror [~mezgani@41.140.47.113] has joined #openvpn 02:42 -!- p3rror [~mezgani@41.140.47.113] has quit [Ping timeout: 240 seconds] 02:43 -!- kyrix [~ashley@LSt-Amand-152-32-39-189.w80-11.abo.wanadoo.fr] has joined #openvpn 02:44 -!- skrusty [~skrusty@83.166.176.39] has quit [Read error: Operation timed out] 02:47 -!- dazo is now known as dazo_afk 02:54 -!- 
p3rror [~mezgani@41.140.40.137] has joined #openvpn 02:59 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn 03:00 -!- dazo_afk is now known as dazo 03:11 -!- alhadi [~thunderst@178.33.209.33] has joined #openvpn 03:11 < alhadi> http://www.pastie.org/private/gjr1n42h3pjiadtsog2fw 03:11 < alhadi> why is the TLS key verifying itself? 03:12 < alhadi> i connected 11:55 AM and then 12:55 PM after 60 minutes it rechecks it, and under client1.ovpn i added regneg = 0 03:12 < alhadi> reneg-sec 0 03:12 < alhadi> in fact i added that, should it mean it wont give that again? 03:12 < alhadi> but still it gives me 03:15 < krzie> do you know why it renegs? 03:16 < alhadi> no 03:16 < alhadi> could you tell me 03:16 < krzie> you get a new key every hour 03:16 < krzie> it is part of what is called forward security 03:16 < alhadi> i see 03:16 < krzie> if i somehow am able to decrypt your traffic, i can only get the hour's worth 03:16 < alhadi> so reneg-sec 0 is okay under client1.ovpn? 03:16 < krzie> so lets say you get a year's worth of my traffic saved 03:17 < krzie> then you get my cert / key 03:17 < alhadi> oh 03:17 < krzie> you can still only decrypt my CURRENT traffic 03:17 < krzie> cause the key is being changed every reneg 03:17 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 03:17 < alhadi> sounds good 03:17 < krzie> this is an important advantage of certs over static key 03:17 < krzie> you dont wanna remove the reneg 03:17 < krzie> dont mess with it ;] 03:17 < alhadi> sure 03:17 < alhadi> actually 03:18 < alhadi> i put it reneg-sec 0 03:18 < krzie> remove that line 03:18 < alhadi> it was not there as default 03:18 < krzie> it wasnt there, and shouldnt be there 03:18 < alhadi> ok 03:18 < krzie> luckily it did nothing cause your server controls that ;) 03:18 < alhadi> hehe 03:18 < alhadi> can i show you my server.conf? 03:19 < krzie> if you wanna... is something wrong? 
03:19 < alhadi> well just to confirm if my settings are alright or i am in trouble 03:19 < krzie> ok 03:19 < alhadi> you are good security guys but a noob like me can make us vulnerable 03:19 < alhadi> one moment 03:20 < krzie> you said you used my confgen tho, should be fine 03:20 < krzie> (as long as you didnt do things like try to remove reneg, lol) 03:21 < alhadi> krzie should i pm you the pastie? 03:21 < alhadi> or here fine? 03:21 < krzie> nah heres fine 03:21 < alhadi> http://www.pastie.org/private/z22slvyjjetdxozbyz2hrq 03:21 < alhadi> client1.conf ^^ 03:22 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn 03:22 < alhadi> http://www.pastie.org/private/rfgdxdnzofrybjvjmgc90g 03:22 < alhadi> openvpn.conf ^^ 03:23 < krzie> why DES-EDE3-CBC ? 03:23 < alhadi> triple des 03:23 < alhadi> 192 bit 03:23 < alhadi> should go for default then? 03:24 < krzie> In general Triple DES with three independent keys (keying option 1) has a key length of 168 bits (three 56-bit DES keys), but due to the meet-in-the-middle attack the effective security it provides is only 112 bits. Keying option 2 reduces the key size to 112 bits. However, this option is susceptible to certain chosen-plaintext or known-plaintext attacks[13][14] and thus it is designated by NIST to have only 80 bits of security.[7] 03:24 < juhovh> DES is pretty oldschool :) 03:25 < alhadi> oh 03:25 < hyper_ch> all play and no work makes hyper_ch a jolly boy :) 03:25 < krzie> haha nice hyper_ch 03:25 < alhadi> should have known that before 03:25 < hyper_ch> howdy krzie 03:25 < alhadi> thats why i pasted here so you professional ppl can help a noob 03:25 < alhadi> :) 03:25 -!- cron2 [~gert@openvpn/community/developer/cron2] has quit [Ping timeout: 276 seconds] 03:25 < krzie> but dude 03:26 < krzie> why change things without learning about them? 03:26 < hyper_ch> krzie: people like to toy around with things... 
even if they don't understand them :) 03:26 < krzie> i mean so far you killed your encryption level and removed forward security 03:26 < krzie> pls tell me when i look at server i wont see client-cert-not-required 03:26 < alhadi> :( 03:27 -!- cron2 [~gert@kirk.greenie.muc.de] has joined #openvpn 03:27 < alhadi> krzie i am just gonna use default openvpn.gen only 03:27 < alhadi> brb 03:27 < alhadi> made by krzee 03:27 < alhadi> :) 03:27 < krzie> the default cipher is blowfish 03:27 < alhadi> ok noted :) 03:28 < krzie> blowfish is widely trusted 03:28 * hyper_ch still thinks that blowfish sounds like a very dirrty word :) 03:29 < krzie> haha 03:30 < krzie> however it looks like the author of blowfish recommends twofish over it 03:30 < krzie> (same author) 03:36 -!- alhadi [~thunderst@178.33.209.33] has quit [Ping timeout: 240 seconds] 03:38 < hyper_ch> any difference? 03:38 < krzie> yep, wikipedia them 03:40 < hyper_ch> use kompare to see the diffs? 03:48 -!- takamichi [~pri@85.232.213.54] has quit [Ping timeout: 246 seconds] 03:50 -!- master_of_master [~master_of@p57B5386B.dip.t-dialin.net] has quit [Ping timeout: 265 seconds] 03:51 -!- master_of_master [~master_of@p57B54F79.dip.t-dialin.net] has joined #openvpn 03:54 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer] 03:57 -!- takamichi [~pri@85.232.213.54] has joined #openvpn 04:02 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 04:12 -!- SOG [~SOG@solution1.hsia.citycenter.com] has joined #openvpn 04:18 -!- mrle0 [~fin@82.132.243.47] has joined #openvpn 04:19 -!- alhadi [~thunderst@92.99.235.168] has joined #openvpn 04:19 < alhadi> Hello 04:19 < alhadi> krzie http://www.pastie.org/private/nb0ophw8bro35d4p9k301q 04:19 < alhadi> openvpn.conf 04:19 < alhadi> generated by the krzee script 04:20 < alhadi> http://www.pastie.org/private/itkd2ebi1hmruawqgzlvg 04:20 < alhadi> client1.conf 04:20 < alhadi> .ovpn* 04:23 < alhadi> looks good? 
04:26 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn 04:26 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host] 04:26 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn 04:34 -!- alhadi [~thunderst@92.99.235.168] has quit [Ping timeout: 250 seconds] 04:34 -!- alhadi [~thunderst@178.33.209.33] has joined #openvpn 04:38 -!- alhadi2 [~thunderst@178.33.209.33] has joined #openvpn 04:38 < alhadi2> hi 04:38 -!- alhadi2 [~thunderst@178.33.209.33] has quit [Client Quit] 04:38 -!- alhadi2 [~thunderst@178.33.209.33] has joined #openvpn 04:39 -!- alhadi [~thunderst@178.33.209.33] has quit [Disconnected by services] 04:39 -!- alhadi2 is now known as alhadi 04:39 -!- alhadi [~thunderst@178.33.209.33] has quit [Changing host] 04:39 -!- alhadi [~thunderst@unaffiliated/alhadi] has joined #openvpn 04:39 -!- common- [~common@p5DDA4728.dip0.t-ipconnect.de] has joined #openvpn 04:41 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Read error: Operation timed out] 04:41 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn 04:43 -!- common [~common@p5DDA489C.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds] 04:43 -!- common- is now known as common 04:49 <@vpnHelper> RSS Update - forum: Route: Waiting for TUN/TAP interface to come up... 
04:50 -!- alhadi [~thunderst@unaffiliated/alhadi] has quit [Quit: alhadi] 04:50 -!- dazo is now known as dazo_afk 04:59 -!- alhadi [~thunderst@178.33.209.33] has joined #openvpn 05:02 -!- mrle0 [~fin@82.132.243.47] has quit [Remote host closed the connection] 05:03 -!- mrle0 [~fin@82.132.243.41] has joined #openvpn 05:04 -!- dazo_afk is now known as dazo 05:05 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn 05:07 -!- WinstonSmith [~true@f052096061.adsl.alicedsl.de] has quit [Quit: Ex-Chat] 05:08 -!- mrle0 [~fin@82.132.243.41] has quit [Quit: Leaving] 05:12 -!- alhadi [~thunderst@178.33.209.33] has quit [Read error: Connection reset by peer] 05:12 -!- alhadi [~thunderst@178.33.209.33] has joined #openvpn 05:16 -!- alhadi [~thunderst@178.33.209.33] has quit [Read error: Connection reset by peer] 05:17 -!- alhadi [~thunderst@178.33.209.33] has joined #openvpn 05:20 -!- WinstonSmith [~true@g230121201.adsl.alicedsl.de] has joined #openvpn 05:25 -!- maxJadi [~maxJadi@h192n3-g-kt-d1.ias.bredband.telia.com] has joined #openvpn 05:25 -!- maxJadi [~maxJadi@h192n3-g-kt-d1.ias.bredband.telia.com] has quit [Changing host] 05:25 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn 05:29 -!- WinstonSmith [~true@g230121201.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 05:37 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 250 seconds] 05:41 <@vpnHelper> RSS Update - forum: how to create certificates for "--remote-cert-tls" 05:46 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has joined #openvpn 05:49 -!- WinstonSmith [~true@e179004000.adsl.alicedsl.de] has joined #openvpn 05:49 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn 05:51 -!- dazo is now known as dazo_afk 05:56 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has joined #openvpn 05:56 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has quit [Changing host] 05:56 -!- pyther [~pyther@unaffiliated/pyther] 
has joined #openvpn 06:05 -!- dazo_afk is now known as dazo 06:12 <@vpnHelper> RSS Update - forum: no access to net behind working vpn 06:16 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn 06:20 -!- SOG [~SOG@solution1.hsia.citycenter.com] has quit [Ping timeout: 240 seconds] 06:23 -!- p3rror [~mezgani@41.140.40.137] has quit [Ping timeout: 240 seconds] 06:36 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Changing host] 06:36 -!- cron2 [~gert@openvpn/community/developer/cron2] has joined #openvpn 06:39 -!- dazo is now known as dazo_mtg 06:44 -!- s7r [~s7r@89.238.173.233] has joined #openvpn 06:51 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 260 seconds] 06:59 -!- WinstonSmith [~true@e179004000.adsl.alicedsl.de] has quit [Remote host closed the connection] 07:01 -!- sporedi [~chatzilla@mail.utmxtm.com] has joined #openvpn 07:02 -!- WinstonSmith [~true@g230121201.adsl.alicedsl.de] has joined #openvpn 07:04 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn 07:05 -!- elenril [~wiskas@2002:c155:9a2e:1:d43e:64ff:fe5d:2429] has joined #openvpn 07:05 -!- sporedi [~chatzilla@mail.utmxtm.com] has quit [Read error: Connection reset by peer] 07:06 < elenril> hello 07:06 < elenril> does openvpn have a dhcp client built-in or it calls an external program? 07:06 -!- sporedi [~chatzilla@mail.utmxtm.com] has joined #openvpn 07:07 -!- sporedi [~chatzilla@mail.utmxtm.com] has quit [Client Quit] 07:07 < elenril> (i'm trying to get dhcpv6 working automagically over the tunnel) 07:10 -!- WinstonSmith [~true@g230121201.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 07:14 < Bushmills> neither. 
though server assigns ip addresses, static or dynamic, to clients 07:19 < elenril> ah 07:21 < elenril> anyways, that only seems to be implemented for ipv4 07:21 < elenril> i wonder what would be the best way to call a dhcp client on startup 07:23 < hyper_ch> s/r/d 07:29 -!- WinstonSmith [~true@e179004000.adsl.alicedsl.de] has joined #openvpn 07:46 -!- p3rror [~mezgani@41.140.177.92] has joined #openvpn 08:03 -!- raomin [~romain@86.66.22.240] has quit [Ping timeout: 240 seconds] 08:10 < venom00ut> hello, when using UDP to connect to a vpn server, does OpenVPN make some additional check of the packet integrity? 08:10 < gladiatr> elenril, I think the only way to accomplish what you're asking would be to bridge your client(s) rather than routing them. 08:11 < ecrist> venom00ut: no 08:11 -!- kyrix [~ashley@LSt-Amand-152-32-39-189.w80-11.abo.wanadoo.fr] has quit [Quit: Leaving] 08:11 < ecrist> if it's corrupt, openvpn cannot decrypt it 08:12 < venom00ut> ecrist, thanks 08:12 -!- Satpol [~satpol@unaffiliated/satpol] has quit [Quit: Leaving] 08:17 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out] 08:17 -!- raomin [~romain@86.66.22.250] has joined #openvpn 08:20 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn 08:32 -!- huli [~ericlee@220.181.143.94] has joined #openvpn 08:34 < huli> hi, how to set up the OpenVPN server in bridge mode? 08:37 < huli> There's only one nic in the OpenVPN server. 08:39 < gladiatr> huli, in that case, you wouldn't actually bridge the tap device with a physical device. Just treat tap as your stand-alone "internally facing" network card. 08:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection] 08:40 -!- raomin [~romain@86.66.22.250] has quit [Remote host closed the connection] 08:41 < huli> gladiatr: I see. so is there anything that needs to be set up on the client side? 08:41 < gladiatr> huli, what do you mean, exactly? 
08:42 < huli> gladiatr: I mean, if the client uses Linux as well, does the client need to set up something special? 08:43 < gladiatr> huli, are you just wanting to join the one linux system to the bridge or will it be acting as a gateway for additional systems? 08:44 < gladiatr> huli, I take it you will be tunneling all of your traffic? 08:44 < huli> gladiatr: Okay, a client is an external machine, and if I set up my OpenVPN server in bridge mode, does the client need to set up something when he/she wants to have access to my OpenVPN server? 08:46 < gladiatr> Not really. Just specify tap rather than tun as your dev type 08:48 < huli> gladiatr: understand. I need to enable packet forwarding in the OpenVPN server, so do I need to set up another gateway? 08:48 < gladiatr> huli, for... 08:48 < gladiatr> huli, do you mean a route? 08:48 < huli> gladiatr: yes 08:49 < huli> gladiatr: My OpenVPN is in 192.168.10.x and I think tap0 is also in this range. 08:49 < gladiatr> huli, if you want to route all client connections over the VPN, you'll need to do two things: 08:49 < huli> yes? 08:50 < gladiatr> huli, 1: configure your client system with a static host route to your openvpn server 08:50 < gladiatr> huli, and... (checking the docs...) 08:51 < huli> gladiatr: if the client is on the Internet, it's all the same, right? 08:53 < gladiatr> huli, nevermind what i typed above. You'll want to use the "redirect-gateway def1" directive in your server.conf 08:53 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer] 08:53 < gladiatr> huli, I'm not understanding your question. 08:54 < huli> gladiatr: sorry. Actually I can ping my OpenVPN in my home well. 
08:54 < huli> So I think that should be okay 08:55 < gladiatr> if you're happy, I'm happy :) 08:55 < huli> thanks gladiatr 08:55 < gladiatr> no problem 08:59 -!- SOG [~SOG@n11649233199.netvigator.com] has joined #openvpn 09:01 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 09:10 <@vpnHelper> RSS Update - forum: OpenVPN routing issues? 09:16 < alhadi> krzie :) 09:16 <@vpnHelper> RSS Update - forum: Route: Waiting for TUN/TAP interface to come up... 09:16 < alhadi> the openvpn works fine , every hour key rehashing 09:16 < alhadi> it will give me new key every hour 09:16 < alhadi> :D 09:16 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Quit: Leaving] 09:17 -!- luneff [~yury@84.51.195.188] has joined #openvpn 09:28 -!- SOG_ [~SOG@solution1.hsia.citycenter.com] has joined #openvpn 09:28 <@vpnHelper> RSS Update - forum: Two clients got the same IP 09:29 -!- SOG_ [~SOG@solution1.hsia.citycenter.com] has quit [Client Quit] 09:29 -!- dazo_mtg is now known as dazo 09:33 -!- SOG [~SOG@n11649233199.netvigator.com] has quit [Ping timeout: 264 seconds] 09:34 <@vpnHelper> RSS Update - forum: Two clients got the same IP || OpenVPN routing issues? 09:38 -!- cron2 [~gert@openvpn/community/developer/cron2] has quit [Ping timeout: 255 seconds] 09:40 <@vpnHelper> RSS Update - forum: Two clients got the same IP 09:46 -!- cron2 [~gert@kirk.greenie.muc.de] has joined #openvpn 09:46 <@vpnHelper> RSS Update - forum: Two clients got the same IP 09:47 -!- Ben___ [560ca404@gateway/web/freenode/ip.86.12.164.4] has joined #openvpn 09:47 < Ben___> hello? 09:48 -!- Ben___ is now known as Guest10151 09:48 < alhadi> hi 09:49 < Guest10151> can you give me a bit of help? 09:49 < alhadi> explain your problem 09:49 < Guest10151> I've got an OpenVPN server setup 09:49 < alhadi> ok 09:49 < Guest10151> just trying to setup authentication 09:49 < alhadi> alright what error? 
09:50 < Guest10151> we've got an Active Directory environment 09:50 < Guest10151> just trying to integrate it 09:50 < Guest10151> need some basic pointers... 09:50 < Guest10151> sorry, a bit vague, I know 09:51 < Guest10151> we use LDAP authentication for our virtual learning environment 09:52 < Guest10151> so, I figured we'd use that 09:52 < Guest10151> just not sure how to drag the users across 09:53 < gladiatr> Is your openvpn server process running on windows? 09:54 < Guest10151> no, ubuntu 09:54 < gladiatr> excellent. You might want to check this out, then: http://code.google.com/p/openvpn-auth-ldap/ 09:54 <@vpnHelper> Title: openvpn-auth-ldap - Project Hosting on Google Code (at code.google.com) 09:55 < gladiatr> ^^ such a helpful lil bot ^^ 09:55 < Guest10151> heh 09:55 < Guest10151> thanks, I'll take a look 10:10 <@vpnHelper> RSS Update - forum: Two clients got the same IP || no access to net behind working vpn 10:16 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has quit [Read error: Operation timed out] 10:16 <@vpnHelper> RSS Update - forum: [newbie/2.0.9] Checking that OpenVPN is OK? 10:17 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn 10:22 <@vpnHelper> RSS Update - forum: how to create certificates for "--remote-cert-tls" 10:31 -!- dazo is now known as dazo_afk 10:32 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving] 10:33 -!- Malard [~ident@xbmc/staff/malard] has quit [Read error: Connection reset by peer] 10:33 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]] 10:33 <@vpnHelper> RSS Update - forum: [newbie/2.0.9] Checking that OpenVPN is OK? 
10:34 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn 10:36 -!- Guest10151 [560ca404@gateway/web/freenode/ip.86.12.164.4] has quit [Quit: Page closed] 10:38 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn 10:38 < iceberg> !welcome 10:38 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 10:39 < iceberg> !goal 10:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 10:39 <@vpnHelper> RSS Update - forum: OpenVPN routing issues? || Two clients got the same IP 10:39 < iceberg> !route 10:39 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:40 -!- huli [~ericlee@220.181.143.94] has quit [Quit: Leaving.] 10:40 < iceberg> !redirect 10:40 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
10:42 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 255 seconds] 10:43 -!- Malard [ident@xbmc/staff/malard] has joined #openvpn 10:44 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 10:44 -!- Malard|Home [~ident@hebe.travelrepublic.co.uk] has joined #openvpn 10:44 -!- Malard|Home [~ident@hebe.travelrepublic.co.uk] has quit [Changing host] 10:44 -!- Malard|Home [~ident@xbmc/staff/malard] has joined #openvpn 10:44 <@vpnHelper> RSS Update - forum: TLS Error: Unroutable control packet received*IP* (si=3 op=P 10:48 -!- Malard [ident@xbmc/staff/malard] has quit [Ping timeout: 264 seconds] 10:52 -!- iceberg_ [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn 10:52 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Read error: Connection reset by peer] 10:52 -!- iceberg_ is now known as iceberg 10:53 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.] 10:55 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn 10:55 -!- mode/#openvpn [+o vpnHelper] by ChanServ 10:57 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Client Quit] 11:03 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn 11:03 -!- mode/#openvpn [+o vpnHelper] by ChanServ 11:13 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn 11:13 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 272 seconds] 11:13 < fahmad> hello 11:13 < fahmad> Bushmills: arround ? 
11:15 <@vpnHelper> RSS Update - forum: TLS Error: Unroutable control packet received*IP* (si=3 op=P 11:18 -!- Malard [ident@dsl78-143-214-202.in-addr.fast.co.uk] has joined #openvpn 11:18 -!- Malard [ident@dsl78-143-214-202.in-addr.fast.co.uk] has quit [Changing host] 11:18 -!- Malard [ident@xbmc/staff/malard] has joined #openvpn 11:19 -!- sigius [~sigius@93.125.185.45] has joined #openvpn 11:20 -!- Malard|Home [~ident@xbmc/staff/malard] has quit [Ping timeout: 255 seconds] 11:20 <@vpnHelper> RSS Update - forum: Two clients got the same IP 11:22 -!- Malard [ident@xbmc/staff/malard] has quit [Read error: Connection reset by peer] 11:22 -!- Malard [~ident@dsl78-143-214-202.in-addr.fast.co.uk] has joined #openvpn 11:22 -!- Malard [~ident@dsl78-143-214-202.in-addr.fast.co.uk] has quit [Changing host] 11:22 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn 11:24 -!- Malard|Home [~ident@xbmc/staff/malard] has joined #openvpn 11:27 <@vpnHelper> RSS Update - forum: OpenVPN routing issues? 11:27 -!- roe [~roe___@unaffiliated/roe] has left #openvpn ["Leaving"] 11:28 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 276 seconds] 11:29 < krzie> bmmcwhirt you here? 11:32 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection] 11:34 < iceberg> yes 11:34 -!- iceberg is now known as bmmcwhirt 11:35 < bmmcwhirt> forgot my efnet nick was on there 11:36 < krzie> werd 11:36 < krzie> ok so whats your goal? 11:37 < krzie> and as for the .5 thing 11:37 < krzie> !/30 11:37 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc 11:38 < bmmcwhirt> connect sever 5-10 remote machines to my local network as well as have their internet traffic routed through the vpn. 
11:38 < bmmcwhirt> s/sever/several 11:38 < krzie> ok so 11:38 < krzie> share the server lan with all clients 11:38 < krzie> AND 11:39 < krzie> !redirect 11:39 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 11:39 < krzie> is that right? 11:39 < bmmcwhirt> correct, I was leaving the redirect part out of my config till I had the first problem solved 11:40 < krzie> dont worry about the .5 thing 11:40 < krzie> its normal 11:40 < krzie> !serverlan 11:40 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation 11:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 11:41 < krzie> you mentioned gateway_enable="YES" 11:41 < bmmcwhirt> correct 11:41 < krzie> that enables ip forwarding 11:41 < krzie> so thats good 11:41 < krzie> pastebin server config with no comments 11:42 < krzie> although its prolly right, since you read my routing writeup 11:42 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn 11:44 < bmmcwhirt> http://pastebin.ca/2040416 11:49 -!- sigius [~sigius@93.125.185.45] has quit [Read error: Connection reset by peer] 11:51 < krzie> lost this 11:51 < krzie> err 11:51 < krzie> lose this: 11:51 < krzie> route 10.8.0.0 255.255.255.0 11:52 < bmmcwhirt> ok, I added that when traffic wasn't moving across the tunnel 11:52 < krzie> see --server in the manual 11:52 < krzie> you saying your client couldnt ping 10.8.0.1? 
11:53 < bmmcwhirt> correct, thats why I manually set a route to it 11:53 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection] 11:53 < bmmcwhirt> I thought it was because of the .5 .6 stuff 11:54 < krzie> but if you look at --server 11:54 < bmmcwhirt> but you said I was mistaken about that, however when I manually made a route I was able to ping it 11:54 < krzie> you'll see you already had that route set ;] 11:55 < bmmcwhirt> just to be clear remove both the route and push lines for 10.8.0.0 correct? 11:55 < krzie> well that depends 11:55 < krzie> 1sec 11:56 < krzie> you want clients to be able to communicate with eachother? 11:56 < bmmcwhirt> no 11:56 < krzie> yes, remove that line too 11:56 < bmmcwhirt> just to talk to private lan 11:56 < bmmcwhirt> ok 11:57 < krzie> 10.2.2.0/24 is the lan behind the server? 11:57 < bmmcwhirt> correct 11:57 < krzie> let me better explain what the route directive does ;] 11:57 < krzie> you have route 10.2.2.0 255.255.255.0 11:57 < krzie> this tells your vpn server process to add a route to that subnet, which says that to reach that subnet it must communicate over the VPN 11:58 < krzie> thats why you DO push the route 11:58 < krzie> !push 11:58 <@vpnHelper> "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 11:58 < krzie> when the clients run the pushed route, its what you want 11:58 < krzie> when your server runs it, it is not 11:58 < bmmcwhirt> ok 11:58 < krzie> remove route 10.2.2.0 255.255.255.0 from your server 11:59 < krzie> now... ipp.txt... 11:59 < krzie> !ipp 11:59 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. 
They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 11:59 < krzie> i almost always recommend to remove that line 11:59 < krzie> if you want static ips, give static ips 11:59 < bmmcwhirt> I think that line is just left over from the sample config anyway 12:02 < krzie> so ya... looks good 12:02 < bmmcwhirt> I havent reconnected to the vpn yet as when I do it will drop my irc connection. Now I had read that each machine on 10.2.2.0 that I want to talk to also needs to know where to send packets for 10.8.0.0 right? so I have on them 'route add 10.8.0.0/24 10.2.2.50' with 10.2.2.50 being the vpn server, or is that not necessary? 12:02 < Essobi> krzie: sup 12:02 < krzie> you could choose to drop privs and stuff, but may as well wait until its working 12:03 < krzie> bmmcwhirt, wanna gimme a client config first then? 12:03 < krzie> just in case 12:03 < krzie> bmmcwhirt, that IS necessary, unless you can add the route to their default gateway 12:03 < krzie> !route_outside_ovpn 12:03 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan 12:04 < bmmcwhirt> ok, I will add that later to the cisco, right now I just put it in the rc.conf of that one machine 12:04 < krzie> cool 12:04 < krzie> err you cant add routes exactly like that in rc.conf 12:04 < krzie> but ill assume you know how 12:06 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn 12:06 < alhadi> hey krzie :) 12:06 < krzie> hey =] 12:06 -!- p3rror [~mezgani@41.140.177.92] has quit [Ping timeout: 246 seconds] 12:06 < alhadi> your conf helped me a lot. 
now VPN no problem
12:06 < krzie> =]
12:06 < alhadi> got a good VPS for less price will install your script and bingo done :)
12:07 < alhadi> france VPS and netherland VPS
12:07 < krzie> glad it helped, i dont get much feedback from that script
12:07 < alhadi> ah ok
12:07 < alhadi> well you have one feedback from me :)
12:07 < alhadi> lucky to find that landing on the net..
12:08 < bmmcwhirt> ok here was the client conf you asked for before I restart the vpn http://pastebin.ca/2040434
12:09 < krzie> alhadi, ya where DID you find that anyways?
12:09 < krzie> bmmcwhirt, simple enough... although you should prolly enable server cert verification
12:10 < bmmcwhirt> is there a ! for docs on that?
12:10 < alhadi> ubuntu forums
12:11 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
12:11 < krzie> whoa cool
12:11 < krzie> bmmcwhirt, kinda
12:11 < krzie> !servercert
12:11 <@vpnHelper> "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
12:12 < krzie> !mitm
12:12 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
12:12 < krzie> odds are you already used easy-rsa build-key-server
12:12 < bmmcwhirt> yes
12:12 < krzie> which means all you need to do is add
12:12 < krzie> ns-cert-type server
12:12 < krzie> to client config
12:12 < alhadi> ^^
12:12 < bmmcwhirt> simple enough
12:12 < alhadi> i did exactly the same
12:12 < alhadi> :P
12:12 < krzie> =]
12:13 < alhadi> thanks to the ppl here
12:13 < alhadi> especially krzee
12:13 < alhadi> and krzie
12:13 < krzie> alhadi, thats cool it was in the ubuntu forums, i didnt know anyone posted about it
12:13 < bmmcwhirt> ok, going to try this, I shall return.
12:13 < krzie> i am krzee too =]
12:13 < alhadi> hehe :D
12:14 < krzie> alhadi, you have that link handy?
12:14 < alhadi> actually i am too sure if it was ubuntu forums but i just found in a site dont actually remember. my random guess went to ubuntu forums
12:14 < alhadi> sec
12:15 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn
12:15 -!- bmmcwhirt [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Read error: Connection reset by peer]
12:15 < krzie> one day hopefully hyper_ch will finish the html confgen
12:15 -!- iceberg is now known as bmmcwhirt
12:17 < alhadi> http://forums.openvpn.net/topic4683.html
12:17 <@vpnHelper> Title: OpenVPN Support Forum openvpn-confgen : Cert / Config management (at forums.openvpn.net)
12:17 < alhadi> sorry it was openvpn
12:17 < alhadi> not ubuntu
12:17 < alhadi> my random guess was totally wrong
12:17 < krzie> awww post was made by me
12:17 < alhadi> and i will post that in ubuntu with tutorial :)
12:17 < alhadi> your script
12:18 < krzie> ;]
12:18 < alhadi> i hope that this script will make ppl like me easy to make conf and generate keys as well
12:19 < alhadi> generating keys is easy now for me :P
12:19 < krzie> it will be nice when it actually makes the configs
12:19 < alhadi> just have to do source ./vars , ./vars then ./clean-all
12:19 < alhadi> yep
12:19 < bmmcwhirt> krzie: works! now I should be able to add in the redirect line and restart server and client and that should go smoothly?
12:19 < krzie> if ecrist doesnt rewrite ssl-admin soon i think im going to re-write easy-rsa to fit into my script
12:19 < krzie> bmmcwhirt, no
12:20 < alhadi> sounds like a plan :)
12:20 < bmmcwhirt> ok
12:20 < krzie> i really like ssl-admin, so i prefer to wait for that
12:20 < alhadi> sure
12:20 < krzie> bmmcwhirt, see this:
12:20 -!- p3rror [~mezgani@41.140.156.223] has joined #openvpn
12:20 < krzie> !redirect
12:20 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:20 < alhadi> i dont know much about ssl-admin
12:20 < krzie> !ssl-admin
12:20 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
12:21 < alhadi> oh freebsd
12:21 < alhadi> unix based
12:21 < krzie> (!redirect @ bmmcwhirt and !ssladmin @ alhadi )
12:21 < ecrist> gah
12:21 < alhadi> thanks :)
12:21 < alhadi> should give freebsd a try now
12:21 < alhadi> lol
12:21 < ecrist> krzie: i will unfriend you if you do that. :P
12:22 < ecrist> krzie: do me a favor, put a ticket in on my trac and mention what options you want and give examples of how you expect it to work. I'll actually fix it in the next week or two
12:22 < bmmcwhirt> krzie: forwarding is already enabled on the FBSD server, what is nat used for as FBSD by default doesnt use NAT for gateway. Only to do port to port redirection and that requires a kernel rebuild and is almost never done on FBSD
12:22 < krzie> oh cool
12:23 < krzie> bmmcwhirt, your vpn subnet is not inet routable
12:23 < alhadi> !def1
12:23 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
12:23 < krzie> you must NAT it
12:23 < alhadi> oh
12:23 < krzie> ecrist, awesome, will do
12:23 < alhadi> !nscert
12:24 < bmmcwhirt> ok, so Im not doing internet gateway today as a kernel rebuild is going to take 6hrs :)
12:24 -!- seraphim [~euro@host-091-097-036-227.ewe-ip-backbone.de] has joined #openvpn
12:24 < bmmcwhirt> thats something to let run over the weekend
12:24 < alhadi> bmmcwhirt good luck
12:24 < krzie> 6 hours!?!?
12:24 < alhadi> should take less
12:24 < seraphim> hi
12:24 < krzie> you on a pentium 1?
12:24 < alhadi> 6 hours is too much
12:24 < bmmcwhirt> it's all on a ESXi VM so it's not fast
12:24 < alhadi> hello seraphim
12:25 < seraphim> got a problem using openvpn server on debian lenny + openvpn on win xp
12:25 < bmmcwhirt> this is a test bed so it's a 400Mhz VM with 256M ram
12:25 < krzie> seraphim, were you on efnet like 10 yrs ago? if so we have a friend in common
12:25 < seraphim> nope krzie
12:25 < krzie> ahh ok
12:26 < bmmcwhirt> krzie: I very much appreciate your help, here is a virtual pitcher of high quality high gravity beer
12:27 < krzie> bmmcwhirt, thanx, anything besides virtual would interfere with the antibiotics
12:28 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Changing host]
12:28 -!- cron2 [~gert@openvpn/community/developer/cron2] has joined #openvpn
12:28 < alhadi> lol
12:28 < bmmcwhirt> doh, antibiotics suck, at least for me they make all my food taste metallic
12:29 < krzie> seraphim,
12:29 < krzie> !goal
12:29 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
12:30 < seraphim> http://pastebin.com/1AYn1T7e <-- this is the log from the client with verbose 5
12:30 < seraphim> and are replaced by me
12:30 < seraphim> I can't connect to the vpn server
12:32 < seraphim> i created every cert and keyfile following the instructions at http://openvpn.net/index.php/open-source/documentation/howto.html#pki
12:32 <@vpnHelper> Title: HOWTO (at openvpn.net)
12:35 < seraphim> can anyone help me with that?
12:37 < bmmcwhirt> one other thing, when I first started my openVPN voyage I was looking for a book that I could use to get started, however they all seemed like they were from 5 years ago or more which is pretty out of date for software. Is there anything current in publish that anyone would recommend, especially if it's available as an ebook so I don't have to carry a big book or have internet access to read it.
12:37 < krzie> seraphim,
12:38 < krzie> !certverify
12:38 <@vpnHelper> "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt
12:38 < krzie> bmmcwhirt, there is one coming soon
12:39 < bmmcwhirt> krzie: excellent, do you know the title/author so I can put a notice on it on amazon?
12:39 <@vpnHelper> RSS Update - forum: TLS Error: Unroutable control packet received*IP* (si=3 op=P || Restricted client-client traffic || OpenVPN to filter DHCP requests in bridge mode
12:39 < krzie> the openvpn cookbook by jan just kuster
12:39 < krzie> last name mis-spelt
12:39 < bmmcwhirt> thank you
12:39 < krzie> Jan Just Keijser
12:40 < krzie> one of the best openvpn experts
12:40 < krzie> very highly respected in the community
12:40 < bmmcwhirt> excellent, Packt has it up in raw format where I can just buy it now and get the new chapters as they come out! So great I love that option.
12:41 < seraphim> hmm got it, forgot to rehash the config with the new ca.crt
12:41 < seraphim> but
12:41 < seraphim> i'm connected but nothing more, i don't get an IP
12:41 < krzie> new log to post then...
12:41 < krzie> in fact...
12:41 < krzie> !configs
12:41 < seraphim> k wait...
12:41 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
12:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:46 < seraphim> http://pastebin.com/Zkz3uGCp
12:48 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn
12:51 < seraphim> any idea?
12:52 < alhadi> seraphim
12:52 < alhadi> comment this 74.remote-cert-tls server
12:52 < alhadi> and try?
12:53 < alhadi> 37.;push "redirect-gateway" need uncomment
12:56 < seraphim> hmm
12:57 < krzie> brb, talking to my mom re: my pneumonia
12:57 < alhadi> ok
12:57 < seraphim> http://pastebin.com/GgwjKq1S
12:57 < seraphim> new log
12:57 < seraphim> but still not working
12:57 < seraphim> afk for a few minutes
12:57 < seraphim> brb
12:58 < krzie> Fri Jan 07 19:44:08 2011 us=578000 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
12:58 < krzie> ???
12:58 < krzie> howd you make your certs?
12:59 < seraphim> re
12:59 < seraphim> easy-rsa
13:00 < krzie> ok, weird, i never seen that message
13:00 < seraphim> following http://openvpn.net/index.php/open-source/documentation/howto.html#pki
13:00 <@vpnHelper> Title: HOWTO (at openvpn.net)
13:00 < krzie> you make your CA with that too?
13:00 < seraphim> yeah
13:00 < seraphim> using the howto
13:04 -!- s7r [~s7r@89.238.173.233] has quit [Ping timeout: 265 seconds]
13:04 -!- Malard|Home is now known as Malard
13:08 < seraphim> brb in a few minutes
13:09 -!- WinstonSmith [~true@e179004000.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
13:11 < alhadi> seraphim http://forums.openvpn.net/topic4683.html try this. after creating certs/key , i did this and it allowed me at least to have a working openvpn server :)
13:11 <@vpnHelper> Title: OpenVPN Support Forum openvpn-confgen : Cert / Config management (at forums.openvpn.net)
13:11 < hyper_ch> hi vpnHelper
13:12 -!- mihpares [~euro@host-091-097-036-227.ewe-ip-backbone.de] has joined #openvpn
13:12 < mihpares> re
13:12 < mihpares> <--seraphim
13:12 -!- seraphim [~euro@host-091-097-036-227.ewe-ip-backbone.de] has quit [Ping timeout: 276 seconds]
13:13 < krzie> mihpares, your end goal is JUST a client - server connection?
13:13 < krzie> if so
13:13 < krzie> !sample
13:13 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
13:15 < mihpares> it is
13:15 < mihpares> may a second or third client in the future
13:15 < krzie> then go ahead and use my sample configs (of course changing file names/paths)
13:15 < krzie> thats good for multiple clients
13:16 < mihpares> your sample configs? you mean the one mentioned by vpnHelper?
13:16 < krzie> youd need more for redirecting inet traffic over the vpn, or sharing the LAN over the vpn
13:16 < krzie> !sample
13:16 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
13:16 < krzie> those ^
13:16 < mihpares> ^^ ok
13:16 < mihpares> i'll try them
13:17 < alhadi> wow
13:17 < alhadi> nice
13:19 -!- Guest2911 [~mathias@p5B096973.dip.t-dialin.net] has joined #openvpn
13:20 <@vpnHelper> RSS Update - forum: Two clients got the same IP
13:20 < mihpares> hmm i've got no ta.key file oO
13:20 < krzie> !hmac
13:20 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls static
13:21 <@vpnHelper> key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
13:21 < krzie> #2
13:21 < Guest2911> hi, I have an openvpn server in multi-client mode and a machine that connects to it. This machine is the default gateway of another network. I would like to be able to reach this "client subnet" from the VPN network. Is there anything in openvpn that might cause problems? I have the setup almost working but the VPN Server cannot ping into the client subnet. So can it be openvpn that is preventing this kind of access?
13:21 < mihpares> ok
13:21 < krzie> !clientlan
13:21 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a
13:21 <@vpnHelper> better explanation
13:22 < krzie> you said its the router for the lan, so you can skip !route_outside_openvpn
13:22 < Guest2911> krzie: yes
13:22 < mihpares> hmm
13:23 < mihpares> Starting virtual private network daemon: server failed!
13:23 < krzie> start it via commandline
13:23 < krzie> not via your OS scripts
13:23 < krzie> openvpn /path/to/config
13:24 < mihpares> hmm wait i think i've got it...
13:25 <@vpnHelper> RSS Update - forum: [solved] Two clients got the same IP
13:25 < mihpares> Fri Jan 7 20:28:20 2011 us=327010 failed to find GID for group vpn
13:25 < mihpares> Fri Jan 7 20:28:20 2011 us=327042 Exiting
13:26 < mihpares> now it's this error message
13:26 < mihpares> first try i got one path wrong
13:26 < mihpares> now this
13:26 < hyper_ch> krzie: you have a furball, right?
13:27 < krzie> nope, only 1 pussy at my house, and i have to take it out to parties and stuff ;]
13:27 * gladiatr chuckles
13:27 < morbidwar> hello, could someone explain me how or what do i need to do to activate the "push route"? do i need to set up a route in the router if the vpnd is not running on the routers hardware?
13:27 < krzie> mihpares, go ahead and remove the user / group lines from the config
13:28 < hyper_ch> krzie: four-legged pussies are much easier and cheaper to maintain :)
13:28 < gladiatr> morbidwar, yes.
13:28 < gladiatr> hyper_ch, it depends on whether or not they still have their claws.
13:28 < mihpares> Fri Jan 7 20:31:11 2011 us=824456 IFCONFIG POOL: base=10.8.1.4 size=62
13:28 < mihpares> Fri Jan 7 20:31:11 2011 us=824488 Initialization Sequence Completed
13:28 < morbidwar> gladiatr: thanks
13:28 < mihpares> now it's stuck :P
13:28 < gladiatr> np
13:29 < hyper_ch> gladiatr: they have their claws... but they would never ever use them on me... except in rar
13:29 < mihpares> Fri Jan 7 20:31:37 2011 us=484111 SIGINT[hard,] received, process exiting
13:29 < mihpares> ^^
13:29 < hyper_ch> rare cases when they suddenly get excited
13:29 < hyper_ch> or scared
13:29 < hyper_ch> like a couple of days ago due to fireworks
13:29 < mihpares> k daemon is up now
13:29 < mihpares> now the client...
13:30 < mihpares> do i need the ta.key at my local client, too?
13:30 < mihpares> it's win xp
13:30 < mihpares> not linux
13:30 < gladiatr> hyper_ch, oh, I was thinking of the furniture and such (regarding expense of their keeping)
13:31 < hyper_ch> furniture is there to be used and not to look pretty
13:31 <@vpnHelper> RSS Update - forum: TLS Error: Unroutable control packet received*IP* (si=3 op=P
13:31 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
13:31 < gladiatr> mihpares, yes. ta.key needs to be on all of you client machines.
13:31 < mihpares> k
13:32 < gladiatr> hyper_ch, Yeah, but I have (had?) a pretty comfy chair that, over the last several years, has come to look more like a pile of hay
13:32 < gladiatr> s/you/your
13:32 < hyper_ch> gladiatr: time to get a new one :)
13:33 < mihpares> k connection successful but still no IP address assigned to the adapter...
13:33 < gladiatr> hyper_ch, hehehe
13:34 < mihpares> http://pastebin.com/yzPeBxmU
13:34 < mihpares> client log
13:35 < gladiatr> mihpares, patience, grasshopper. What your client log shows there is that your client isn't done connecting
13:35 < mihpares> I'm waiting for about 3 minutes...
13:35 < gladiatr> oh...
13:36 < gladiatr> and line 315 is as far as it got?
13:36 < mihpares> yep
13:37 < mihpares> brb, supper time
13:39 < Guest2911> hi, using iroute openvpn says "option 'iroute' cannot be used in this context" - why?
13:40 < gladiatr> Guest2911, it can only be used in a per-client configuration context
13:41 -!- bmmcwhirt [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Quit: bmmcwhirt]
13:41 < gladiatr> because if you want to use iroute and you have the same logical network existing on the other side of more than one client, you've got other problems.
13:41 < gladiatr> (of the network architecture variety)
13:42 < gladiatr> !iroute
13:42 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
13:43 * gladiatr pats vpnHelper
13:44 < hyper_ch> vpnHelper is a really smart person
13:45 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 250 seconds]
13:46 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
13:48 -!- Guest2911 [~mathias@p5B096973.dip.t-dialin.net] has quit [Quit: leaving]
13:51 < mihpares> re
13:52 -!- Malard|Home [~ident@xbmc/staff/malard] has joined #openvpn
13:52 < mihpares> still no IP address assigned to the adapter
13:55 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 255 seconds]
13:57 < morbidwar> gladiatr: could you give me a hint where to look on push route? i've setup a route on the router (the vpnd is not running on the routers hardware), i enabled the ip_forward on the vpn machine, do i need to use masquerade on the vpn to be able to reach the lan's ip?
13:57 <@vpnHelper> RSS Update - forum: LAN to LAN issues
13:58 < mihpares> btw krzie sorry for that may profane question, but is there a way connecting to the openvpn server via cisco vpn client?
14:00 -!- mathias__ [~mathias@p5B096973.dip.t-dialin.net] has joined #openvpn
14:01 < mihpares> hmm
14:01 < mihpares> found something at the log
14:01 < mihpares> http://pastebin.com/JWy9ur7i
14:03 <@vpnHelper> RSS Update - forum: how to create certificates for "--remote-cert-tls"
14:04 < krzie> mihpares,
14:04 < krzie> !notcompat
14:04 <@vpnHelper> "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
14:04 < mathias__> hi, when a client connects I would like to automatically establish a route in the server's routing table to a subnet behind that client - in the ccd file, I created an entry "route 10.0.0.0 255.255.255.0 remote_host" but openvpn said "option 'route' cannot be used in this context" - is there another way?
14:05 < mihpares> ok
14:05 < mihpares> and the tls timeout
14:05 < mihpares> ?
14:07 < krzie> im not sure, havnt been paying attention, dealing with my pneumonia right now
14:07 < mihpares> [21:01:11] http://pastebin.com/JWy9ur7i
14:07 < mihpares> ou
14:07 < mihpares> not good
14:07 < mihpares> get well soon ^^
14:07 < krzie> if not other errors, then its firewall or wrong port/ip/proto
14:08 < krzie> likely other errors above tho
14:08 < mihpares> hmm lets kill the fw...
14:09 < mihpares> nope fw was off, the same error...
14:09 < mihpares> are any port forwards needed on client side?
14:09 < mihpares> may i forgot one
14:09 < mihpares> ...
14:15 < mathias__> hi, when a client connects I would like to automatically establish a route in the server's routing table to a subnet behind that client - in the ccd file, I created an entry "route 10.0.0.0 255.255.255.0 remote_host" but openvpn said "option 'route' cannot be used in this context" - is there another way?
14:16 -!- alhadi [~thunderst@178.33.209.33] has quit [Ping timeout: 240 seconds]
14:23 < reiffert> mathias__: hi. see here:
14:23 < reiffert> !route
14:23 < reiffert> !man
14:23 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:23 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
14:24 -!- alhadi [~thunderst@92.99.235.168] has joined #openvpn
14:28 -!- mathias__ [~mathias@p5B096973.dip.t-dialin.net] has quit [Quit: leaving]
14:33 -!- p3rror [~mezgani@41.140.156.223] has quit [Read error: Connection reset by peer]
14:35 < gladiatr> morbidwar, if your openvpn server is not the remote network's internet gateway, you need to add a static route on the internet gateway stating something along the lines of: route add -net vpn_client_network/mask gw internal_IP_of_vpn_server
14:35 -!- elenril [~wiskas@2002:c155:9a2e:1:d43e:64ff:fe5d:2429] has left #openvpn []
14:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
14:36 -!- dollabill [~mike@199.44.8.98] has joined #openvpn
14:37 < morbidwar> gladiatr: and it's possible to route thru the vpn a public ip?
14:37 < gladiatr> morbidwar, to do that you would need to also add a nat rule on your internet gateway for your vpn client subnet
14:38 < gladiatr> morbidwar, but yes--at that point, you could route your vpn client traffic through your server-side internet gateway
14:41 < gladiatr> morbidwar, or, more specifically, you would route your traffic through the openvpn server which would, in turn, route your connection through the internet gateway
14:44 < morbidwar> i think i'm missing something
14:46 < morbidwar> i'm not able to forward the traffic from the vpn client to the lan
14:46 < gladiatr> is there a route to your LAN subnet on your client?
14:46 < alhadi> hello
14:46 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Quit: leaving]
14:47 < alhadi> http://www.pastie.org/private/gybjkzj9omw5wkabnng48a
14:47 < alhadi> what could be the problem?
14:47 -!- p3rror [~mezgani@41.140.174.108] has joined #openvpn
14:47 -!- dollabill [~mike@199.44.8.98] has quit []
14:47 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
14:48 < gladiatr> alhadi, it looks like you're trying to start openvpn as an unprivileged user.
14:53 < morbidwar> gladiatr: http://pastebin.com/nejzef6c
14:55 < reiffert> morbidwar: openvpn uses an interface. so whatever can be done to interfaces on your operating system, can also be done to openvpn. In particular routing is as easy as it is when you do it without openvpn.
14:55 < gladiatr> wow. those routing tables kinda make my eyes hurt
14:56 < reiffert> morbidwar: instead of routing you can have masquerading and such thing, whatever your operating system offers you.
14:57 < morbidwar> reiffert: i will try to masquerade
14:57 < gladiatr> Yeah. You may as well nat the vpn client network from the openvpn server
14:57 < reiffert> Masquerading comes with disadvantages, e.g. you have to port forward things in order to access services.
14:59 < krzie> and disadvantages
15:00 < reiffert> ?
15:00 < krzie> e.g. no accountability
15:00 < krzie> better to correctly setup routing
15:01 < krzie> morbidwar, read this
15:01 < krzie> !route
15:01 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:02 < krzie> yes, the nat-hack has its use, but it surely should not be the first choice
15:02 < gladiatr> Yeah, but it's late and it's Friday and everyone should know not to buy a russian car that was made on Friday or a bottle of vodka that was made on a Monday :D
15:03 < krzie> or a car made from russia, or a bottle of vodka made in usa
15:03 < krzie> or for that matter, beer from usa
15:03 < reiffert> :)
15:03 < reiffert> (and not from France)
15:03 < gladiatr> hahaha
15:04 < krzie> grey goose is arguably the best vodka out here
15:04 < krzie> (note, i did say "out here")
15:04 < hyper_ch> Stolichnaya
15:04 < krzie> ya i prefer stoli
15:05 < hyper_ch> there is "beer from usa"?
15:05 < krzie> and lucky for me its "the cheap vodka" out here
15:05 < krzie> well, there is piss-water they call beer
15:05 < hyper_ch> §:)
15:05 < krzie> i thought it was beer before i started traveling
15:06 < hyper_ch> now you were spoiled
15:06 < gladiatr> reminds me of a joke an ex-gf (Scottish lass) told me: what is the similarity between american beer and having sex in a canoe?
15:07 < krzie> lol, whats that
15:07 < gladiatr> it's like f'ing close to water
15:07 < hyper_ch> lol
15:08 < gladiatr> I admire my associates that can still tolerate PBR and the Beast... such inexpensive habits.
15:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
15:17 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
15:20 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has quit [Quit: Leaving]
15:21 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 276 seconds]
15:23 <@vpnHelper> RSS Update - forum: Random problem with roadwarriors on windows machines
15:24 < morbidwar> krzie: thanks but i already do that
15:24 -!- mihpares [~euro@host-091-097-036-227.ewe-ip-backbone.de] has left #openvpn []
15:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:34 < alhadi> Sat Jan 08 01:33:00 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
15:34 < alhadi> what does this mean?
15:48 <@vpnHelper> RSS Update - forum: Random problem with roadwarriors on windows machines
16:01 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
16:01 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
16:01 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:07 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Remote host closed the connection]
16:18 <@vpnHelper> RSS Update - forum: Incorrect Login
16:33 < alhadi> hello
16:33 < alhadi> i am connected to the openvpn but there is no internet
16:33 < alhadi> !paste
16:33 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
16:35 < Bushmills> !redirect
16:35 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:36 < alhadi> !ipforward
16:36 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
16:36 < alhadi> !linipforard
16:36 < alhadi> !linipforward
16:36 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
16:37 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn
16:37 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
16:38 < alhadi> !nat
16:38 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
16:40 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds]
16:40 -!- Cain` is now known as Cain
16:50 < alhadi> !linnat
16:50 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info, or (#4) openvz see !openvzlinnat
17:00 < alhadi> anyone here can help me?
17:00 -!- iceberg [~iceberg@cpe-24-166-7-47.indy.res.rr.com] has joined #openvpn
17:01 < Bushmills> http://scarydevilmonastery.net/masq
17:06 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
17:08 < alhadi> hmm
17:08 < alhadi> shall i paste my openvpn.conf and client conf?
17:10 < Bushmills> no. say what your problem is. if it is related to "internet over vpn", vpn config won't help a lot - that's config of operating system on server
17:11 < alhadi> yes internet over vpn
17:12 < Bushmills> anything else, or just that?
17:14 < krzie> alhadi, if you wanted that, why didnt you say so when running my config?
17:14 < krzie> err
17:14 < krzie> config-generator
17:15 < alhadi> actually these conf were setup according to my VPS provider
17:15 < alhadi> its another openvpn server
17:15 < alhadi> i got 2 openvpn server
17:15 < alhadi> 1 working fine. other not
17:15 < krzie> erm
17:15 < krzie> you run the server or not?
17:15 < alhadi> not me
17:15 < Bushmills> you can't set up nat on a server which you don't control
17:15 < krzie> ya, this isnt yours to config
17:16 < krzie> run their config, if it doesnt work you need to talk to them
17:16 < alhadi> i am talking
17:16 < alhadi> taking too much time spending
17:16 < krzie> well you're wasting your time here with that
17:16 < Bushmills> try redirect-gateway in client config
17:17 < krzie> we cant really help you if you dont control the server
17:17 < krzie> ya you could try that ^
17:18 < alhadi> no luck
17:21 < krzie> you need support from whoever runs the server
17:21 < krzie> unless you have an error in your logs you can post...
17:24 -!- s7r [~s7r@89.238.173.233] has joined #openvpn
17:26 < alhadi> http://www.pastie.org/private/atnpnrnrjrvetmobwlisxw
17:27 -!- shiz0 [~shiz0@HSI-KBW-109-192-060-032.hsi6.kabel-badenwuerttemberg.de] has joined #openvpn
17:27 <@vpnHelper> RSS Update - forum: Double VPN || 2 Hop VPN || VPN-over-VPN
17:28 < shiz0> !route
17:28 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:28 < shiz0> !clientlan
17:29 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a
17:29 <@vpnHelper> better explanation
17:29 < alhadi> http://www.pastie.org/private/4k6ow4bjffze6vmijqkhg
17:29 < Bushmills> alhadi: is that the client log when connecting to your provider vpn server?
17:29 < alhadi> my openvpn.conf
17:29 < shiz0> !serverlan
17:29 < alhadi> its the server log
17:30 < alhadi> status that my client is connecting from
17:30 < Bushmills> your server is the config which works?
17:30 < alhadi> http://www.pastie.org/private/nzofasjwlfggtntsc4nl5a
17:30 < alhadi> client config ^^
17:31 < alhadi> the VPS provider had a configed openvpn for its VPS users
17:31 < alhadi> i am using them
17:31 < shiz0> !serverlan
17:31 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
17:32 < krzie> alhadi, i thought you said you didnt run the server
17:32 < Bushmills> yeah, that's a bit confusing
17:32 < alhadi> i dont run the server but these status logs are coming from the FTP
17:32 < alhadi> sorry
17:32 < krzie> you just pastebin'ed a fucked up server conf
17:33 < alhadi> thats stored in my VPS. accessed them from a SSH
17:33 < krzie> but if its not yours, a) howd you get it and b) why would i care to tell you the problems with it
17:33 < alhadi> i copied pasted
17:33 < alhadi> becuz i paid them VPS.
17:33 < krzie> lol
17:33 < krzie> so you DO run the server
17:33 < krzie> you just didnt configure it
17:33 < alhadi> yes i have axx for the server
17:34 < alhadi> yes the VPS configure for me
17:34 < alhadi> not me
17:34 < krzie> if you were to make changes, would they be accepted?
17:34 < alhadi> if i make changes then there is error on both sides
17:34 < krzie> lol
17:34 < alhadi> they first of all dont allow iptables and NAT
17:34 < alhadi> :(
17:35 < alhadi> root@irc:~# ping -I tun16 yahoo.com
17:35 < alhadi> PING yahoo.com (69.147.125.65) from 188.95.51.233 tun16: 56(84) bytes of data
17:36 < alhadi> cannot even ping yahoo from tun16 interface
17:36 < shiz0> !howto
17:36 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:36 < krzie> alhadi, you need support from them, as i said awhile ago
17:36 < alhadi> ok
18:02 <@vpnHelper> RSS Update - forum: Route: Waiting for TUN/TAP interface to come up...
18:14 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:32 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 250 seconds]
18:33 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
18:42 -!- s7r [~s7r@89.238.173.233] has left #openvpn []
19:12 -!- shiz0_ [~shiz0@HSI-KBW-109-192-060-032.hsi6.kabel-badenwuerttemberg.de] has joined #openvpn
19:12 -!- shiz0 [~shiz0@HSI-KBW-109-192-060-032.hsi6.kabel-badenwuerttemberg.de] has quit [Read error: Connection reset by peer]
19:18 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Read error: Operation timed out]
19:18 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
19:38 <@vpnHelper> RSS Update - forum: Random problem with roadwarriors on windows machines
20:09 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 240 seconds]
20:27 -!- patelx [patel@openvpn/corp/admin/patel] has quit [Ping timeout: 250 seconds]
20:31 -!- patelx [patel@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
20:49 -!- alhadi [~thunderst@92.99.235.168] has quit [Quit: alhadi]
20:51 -!- patelx [patel@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has quit [Changing host]
20:51 -!- patelx [patel@openvpn/corp/admin/patel] has joined #openvpn
21:30 -!- iceberg [~iceberg@cpe-24-166-7-47.indy.res.rr.com] has quit [Ping timeout: 240 seconds]
22:15 -!- huli [~ericlee@220.181.143.94] has joined #openvpn
22:31 -!- tessier [~treed@kernel-panic/copilotco] has joined #openvpn
23:07 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 250 seconds]
--- Day changed Sat Jan 08 2011
00:21 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
00:21 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
00:21 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
00:54 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 264 seconds]
01:03 <@vpnHelper> RSS Update - forum: Your Web Design, Website Development, Domain, Web Hosting
01:15 <@vpnHelper> RSS Update - forum: TLS Blocked by provider, need to modify source code...
01:21 <@vpnHelper> RSS Update - forum: TLS Blocked by provider, need to modify source code... || TLS Error: TLS key negotiation failed
01:27 <@vpnHelper> RSS Update - forum: submitting bug reports || logout - dead link || Incorrect Login
01:31 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
01:33 -!- Bebop2Steady [~Bebop2Ste@124-168-169-88.dyn.iinet.net.au] has joined #openvpn
01:33 < krzie> !static
01:33 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder
01:34 < Bebop2Steady> krzee i got a prob with fully conceiving iroute + ccd + route are you around for help at the mo'?
01:34 < krzie> did you read my routing doc?
01:35 < Bebop2Steady> yes.. I am reading it now..
01:35 < Bebop2Steady> ( and have read it a few times )
01:35 < krzie> so whats the problem
01:35 < Bebop2Steady> ITS RE: https://forums.openvpn.net/topic7483.html
01:35 <@vpnHelper> Title: OpenVPN Support Forum Double VPN || 2 Hop VPN || VPN-over-VPN : Server Administration (at forums.openvpn.net)
01:35 < krzie> ohhh
01:35 < krzie> heh
01:35 < krzie> vpnchains
01:36 < Bebop2Steady> yepz : ]
01:36 < Bebop2Steady> i can ping from mid chain to end..
but not from start cain to end 01:36 < krzie> your drawing is more accurate now 01:36 < krzie> looks like you do have a decent idea of where your problem is tho 01:36 < krzie> (based on your question) 01:37 < krzie> i bet you have MULTI errors in your logs 01:37 < Bebop2Steady> I've been trial'n'erroing.. not dug thru the logs yet. guess should have. 01:38 < krzie> lol 01:38 < krzie> umm yes 01:38 < Bebop2Steady> can i refer to the last pic i put.. n ask a question about iroute ? 01:38 < krzie> should have a term for each involved scrolling logs 01:38 < krzie> tail -F 01:38 < Bebop2Steady> ahh, so real time monmieoring of logs ? 01:38 < krzie> if your question is in regards to understanding what iroute is, yes 01:39 < krzie> real time is easier than anything else, isnt it? 01:39 < Bebop2Steady> defo 01:39 < krzie> when i figured this out i had that AND a tcpdump for each machine 01:40 < Bebop2Steady> and a 2nd computer screen to watch all the windows would be great 01:40 < krzie> apple is nice like that ;) 01:40 < krzie> pop back into expose and watch things flow 01:41 < Bebop2Steady> client-config-dir /etc/openvpn/ccd/server2 01:41 < Bebop2Steady> route 10.11.0.0 255.255.255.0 01:42 < krzie> see now we're getting more specific :-p 01:42 < Bebop2Steady> and then in the file ccd/server2 i have 01:42 < Bebop2Steady> 10.11.0.0 255.255.255.0 01:42 < Bebop2Steady> oops route 10.11.0.0 255.255.255.0 01:43 < krzie> i wont be offering that level of support on vpnchains 01:43 < Bebop2Steady> ahh ok i'll go back to a generalization 01:44 < Bebop2Steady> is the ccd file with the iroute command in it, supposed to be on the server or client (i have it on server) ? 01:44 < krzie> what is a ccd entry? 01:44 < krzie> !ccd 01:44 <@vpnHelper> "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 01:45 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn 01:45 < Bebop2Steady> ok, its what I thought.. got confused on anotehr sitde off google.. 01:45 < krzie> that EXACT line you just read is from my routing page 01:45 < krzie> go read it more 01:46 < krzie> you cant read ity like you're trying to solve a problem 01:47 < krzie> read it to understand 01:47 < krzie> i wrote that doc after getting my first vpnchains setup running 01:49 < Bebop2Steady> ok i will read it again and again if need be. another questio? for my setup in the last pic.. how many instances of openvpn would require the ccd/iroute? from my understanding, only 1st server on the 2nd physical machine.... 01:50 < krzie> how many servers will have clients with foreign subnets behind it? 01:50 < krzie> start trying to dig the concepts out of my doc, not the details for your setup 01:50 < Bebop2Steady> just the 1.. 01:51 < krzie> is your irc handle a ninja turtle reference? 01:51 < Bebop2Steady> yeah sorta :] 01:53 < Bebop2Steady> 80s style.. 01:54 < Bebop2Steady> I better start by setting up the real time log monitoring. and then re-look at the guide you so kindly posted. 01:55 < Bebop2Steady> thank once again for helpin' me with some mprobs 01:55 < krzie> and if at any time you dont know where packets stop, tcpdump on tun devices 01:55 < krzie> you're welcome 01:56 < Bebop2Steady> thank you.. 
01:56 -!- Bebop2Steady [~Bebop2Ste@124-168-169-88.dyn.iinet.net.au] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/] 01:56 < krzie> hes not close, but i gave him some pretty good hints 02:01 <@vpnHelper> RSS Update - forum: Firewall blocked https traffic || [n00b] No traffic on tun0 over LAN 02:24 < reiffert> moin 02:28 -!- WinstonSmith [~true@e179006086.adsl.alicedsl.de] has joined #openvpn 02:31 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn 02:31 < djgerm> hi all 02:32 < djgerm> i am curious, i remember reading a few years back about using tcp being an issue with openvpn 02:32 < djgerm> something about retransmissions 02:33 < djgerm> is this still a problem? 02:33 < krzie> !tcp 02:33 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) 02:33 < krzie> its not openvpn 02:33 < krzie> its the nature of tcp and what happens when you do tcp over tcp 02:37 < reiffert> djgerm: "something about retransmission" is a too vague description in order to answer your question. 02:37 < djgerm> the helper bots links answer them just fine. I might have more questions once I complete this reading. 02:38 < djgerm> (why don't these links come up under googling openvpn tcp in tcp?! hehe ) 02:38 < reiffert> djgerm: I have a different opinion, but hey, the user is always right :) 02:39 < djgerm> different opinion from the idea that tcp in tcp is bad? do tell! 02:39 < djgerm> i want to believe! 02:40 < djgerm> well perhaps my question should be reasked as "What are the pros and cons of configuring openvpn for tcp? What are the Pros and cons of udp?" 
02:41 < krzie> djgerm, the link is in the openvpn manual under --proto tcp 02:42 < krzie> reiffert, you have a different opinion than http://sites.inka.de/~bigred/devel/tcp-tcp.html ? 02:42 <@vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de) 02:43 < djgerm> well it is a 10 year old link… some things change. granted not many changes to TCP over the years =) 02:48 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn 02:48 -!- mode/#openvpn [+o mattock] by ChanServ 02:51 < reiffert> krzie: I have a different opinion on "an issue", "some years back", "with openvpn" and "something about retransmissions" 02:52 < reiffert> I more like djgermn 2nd question :) 02:52 -!- WinstonSmith [~true@e179006086.adsl.alicedsl.de] has quit [Quit: Ex-Chat] 02:53 < djgerm> so good. the consensus is still tcp in tcp should most likely be avoided in all but a handful of cases. 02:54 < djgerm> with openvpn at least =) 02:54 < krzie> ahh gotchya 03:14 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn 03:42 -!- mathiassss__ [~mathias@p5B09511F.dip.t-dialin.net] has joined #openvpn 03:42 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 03:44 < mathiassss__> hi, I had a lot of trouble during the last days with openvpn and routing to a client-side network. Finally, I found that I needed the iroute option in addition to a routing table entry. Why is this iroute necessary? I dont see why a simple routing table entry should not be enough!? 03:44 < reiffert> mathiassss__: see here (once again) 03:44 < reiffert> !route 03:44 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 03:44 < reiffert> !man 03:44 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
03:46 < mathiassss__> reiffert: "It tells openvpn which client owns which network." I know this already. My question as: Is there a reason why openvpn does not simple get this information from the routing table but maintains its own routing information? 03:48 < reiffert> you seem to ignore my proposal. live with it then. 03:50 -!- master_of_master [~master_of@p57B54F79.dip.t-dialin.net] has quit [Ping timeout: 265 seconds] 03:50 -!- s7r [~s7r@95.154.230.251] has joined #openvpn 03:51 < mathiassss__> reiffert: okay I will read it again ... 03:51 -!- master_of_master [~master_of@p57B55D9F.dip.t-dialin.net] has joined #openvpn 03:51 < reiffert> be sure to jut pick those parts you already know. 03:52 < mathiassss__> haha 03:54 < mathiassss__> "skips the push for the client" is this the part you mean? I just didnt read attentively enough 03:54 < reiffert> "are we in school?" 03:54 < reiffert> No 03:55 -!- mathiassss__ [~mathias@p5B09511F.dip.t-dialin.net] has quit [Quit: leaving] 04:01 -!- stony [~ol@2a01:198:6f7::dead:beef:0] has joined #openvpn 04:01 < stony> h 04:01 < stony> i 04:01 < stony> i'm looking for an solution to encrypt layer2 traffic that is passing an fibre connected link 04:01 < stony> but i don't want to setup ip addresses outside the "tunnel" to pass the encrypted packages 04:02 < reiffert> openvpn can do that. 04:02 < stony> so that i'm only encrypt the original packages that should pass the fibre link - that's it 04:02 < stony> reiffert: yeah l2-vpn is not the problem for openvpn 04:02 < reiffert> great, glad to help you. 04:02 < stony> reiffert: but using it without ip on the outside to forward the encrypted packets - this is where i'm stuck 04:03 < reiffert> got the vpn interface attached to your bridge? 
04:03 < stony> reiffert: you get me wrong 04:03 < stony> reiffert: the l2 vpn setup is working (did that 200 times or so) 04:03 < stony> reiffert: i want to use openvpn encrypting a real layer2 link without using ip addresses on this link *OUTSIDE* the tunnel 04:04 < stony> reiffert: the connection between the openvpn instances should be without ip 04:04 < reiffert> great. so let's think about how packets will travel through your kernel and what makes them appear on one or another interface. 04:05 < stony> reiffert: you still get me wrong - no offence - but i'll explain it a bit more in detail: 04:06 < reiffert> No harm on my side, I'm answering to your pieces.. 04:06 < stony> network <-> 1 gbit/s ethernet connection (part of bridge) <- bsd system with bridge -> 1 gbit/s fibre connection (part of bridge) <- fibre -> 1gig fibre (part of bridge) <- bsd system with bridge -> gbits copper connection <-> network 04:07 < stony> reiffert: now i want to encrypt the fibre part without using ip addresses on the path itself 04:07 < stony> reiffert: more like "encrypt everything that passes fibre device independend of protocol, size, whatever ... 04:09 < reiffert> I wonder what keeps you from doing so. 04:09 < stony> what i could do is: copper <-> bsd bridge <-> tap <-> openvpn <-> ip on fibre connection <-> fibre <-> ip of other endpoint <-> ip on fibre <-> fibre nic <-> openvpn <-> tap <-> bsd bridge <-> ethernet nic 04:09 < stony> but this will produce a lot ip overhead i don't want 04:10 < stony> the communication between the openvpn daemons should be on l2 instead on l3 04:10 < reiffert> the tap devices dont carry an ip address, right? 04:10 < stony> reiffert: the tap device is *inside* the tunnel 04:10 < stony> reiffert: i'm talking about the *outside* 04:11 < stony> the communication between the openvpn daemons is the outside, the traffic they carry via the tap devices is the inside 04:11 < reiffert> ok, lets make an example. 
04:11 < stony> i want to use: remote ma:ca:dd:re:ss:00 04:11 < stony> insteead of remote 1.2.3.4 04:11 < reiffert> network <-> BSD BSD <-> network right? 04:11 < stony> reiffert: yes 04:12 < reiffert> let's think about this setup without openvpn and see about layer 3 here. 04:12 < reiffert> both BSD boxes share one subnet? 04:12 < stony> reiffert: you still don't get it 04:13 < reiffert> let's *THINK* just to have a closer look. to make an example. then come closer to your solution. 04:13 < stony> reiffert: network <-> bsd <-> fibre without any ip here, communication only via layer 2 (mac addresses) to provide ip overhead <-> bsd box <-> network 04:13 < stony> s/provide/avoid/ 04:13 < reiffert> ok, question at this point: 04:14 < reiffert> on the left BSD box, what makes an incoming packet travel to the right BSD box, please explain. 04:15 < stony> packet -> eth nic -> left box -> tap device -> openvpn daemon -> fibre nic -> fibre -> fibre nic -> openvpn daemon -> tap device -> copper nic -> network 04:15 < stony> i left out the bridges but as we do layer2 *INSIDE* the tunnel i have to use bridges 04:15 < reiffert> If I may reask... 04:16 < reiffert> the incoming packet on the eth nic, left BSD will be an ip packet, right? 04:16 < stony> reiffert: no 04:16 < reiffert> ah. 04:16 < stony> reiffert: listen: 04:16 < reiffert> sorry for all this but it's hard for me to strip layer 3 out of my brain. 04:16 < stony> reiffert: to connect to openvpn daemons you need either tcp or udp (preferred) and two ip addresses to forward the packets between the daemons - right ? 04:17 < stony> s/to/two 04:17 < reiffert> stony: thats how communication between services work after the OSI layer. 04:17 < reiffert> s,.,description., 04:17 < stony> reiffert: right, but i could also use mac addresses instead of ip addresses, can't i ? 04:18 < reiffert> stony: no, when asking the OSI layer description, you can not. 04:18 < stony> e.g. 
iSCSI uses ip addresses to forward the packets to the servers, but hyperscsi uses layer2 packets and mac addresses for that 04:18 < stony> so they avoid ip overhead 04:18 < stony> and that's exactly what i want 04:19 < stony> when you have a 10km fibre link that carries layer 2 packets then it would be nice to use mac addresses for addressing the endpoints instead of putting the 3rd layer around the encrypted packets 04:19 < reiffert> stony: I think that you will have to patch the openvpn source code then and use whatever it takes instead of bind() listen() and accept(). 04:19 < reiffert> stony: let me read some manpages, brb. 04:19 < stony> reiffert: k 04:20 < stony> i wonder if i can strip the layer3 of the packets on the local host and then forward the packet only in the layer2 container and add layer3 on the other side again 04:20 < stony> hm 04:20 < reiffert> ah, on linux it's man 7 socket, leading to man 7 packet 04:21 < reiffert> packet, AF_PACKET - packet interface on device level. 04:22 < stony> reiffert: hmm, but patching openvpn for that I don't know if i want todo that because of stability 04:22 < reiffert> stony: we should discuss this with dazo_afk. 04:22 < stony> hm ok 04:23 < stony> i need something like ipsec for layer 2 :) 04:24 < reiffert> stony: I think that if you still want encryption you will need to patch any VPN software, as VPN software's intention is to provide layer 3, right? 04:24 < stony> reiffert: there are switches that can do this trick ootb, but they're really expensive 04:25 < stony> and they are only protecting the traffic by password and not by cert 04:26 < stony> (or at least doing auth not by cert) 04:26 < reiffert> you can follow me with man 7 packet? 04:27 < stony> reiffert: sorry, was on the phone 04:27 < stony> just a sec 04:28 < stony> on bsd it would be PF_LINK 04:28 < stony> hmm, or PF_ATM 04:28 < stony> openvpn doing atm encryption would be awesome :D 04:29 < reiffert> it's man 7 pf_link on BSD? 
04:29 < reiffert> (trying to get something on google) 04:30 < stony> best would be something like cat tap0 | openssl enc > /dev/mac/ma:ca:dd:re:ss:00 ;) 04:30 < stony> reiffert: no it's just man socket 04:30 < reiffert> http://www.freebsd.org/cgi/man.cgi?query=socket&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&format=html 04:30 <@vpnHelper> Title: socket (at www.freebsd.org) 04:31 < stony> yeah 04:31 < stony> there is a PF_LINK (Link Layer Interface) 04:31 < reiffert> had a look at the openvpn source yet? 04:31 < stony> reiffert: no, why? 04:32 < krzie> lol 04:32 < krzie> cause you need to write a patch if you want that 04:32 < reiffert> right after the discussion with dazy. 04:32 < krzie> which is why reiffert looked in the manpage to give you a hint at what to patch 04:32 < reiffert> dazo 04:32 < reiffert> stony: did you check http://www.freebsd.org/cgi/man.cgi?query=mac&sektion=3&apropos=0&manpath=FreeBSD+8.1-RELEASE here? 04:32 <@vpnHelper> Title: mac(3) (at www.freebsd.org) 04:33 < stony> reiffert: yeah but that's not about the mac address or ll2 04:34 < stony> it's a different kind of access control like selinux 04:34 < reiffert> stony: I know, but what came up in mind is: have a layer2 link (with whatever software) and encrypt the communication with a user process. 04:34 < stony> reiffert: yeah, that's what my openssl example should do :D 04:35 < reiffert> mac_get_peer() for that case. 04:35 < reiffert> btw, man 7 packet: http://linuxmanpages.com/man7/packet.7.php 04:35 <@vpnHelper> Title: PACKET (at linuxmanpages.com) 04:36 < stony> reiffert: yes, but to get an endpoint of a socket i need layer 3 don't i ? 04:36 < reiffert> you dont. 
04:37 < stony> the good part is that i don't need any arp-routes outside the tunnel on the fibre - i can just encrypt the packages, pass em to the line and at the other end i decrypt the packages again 04:37 < stony> i can even encrypt the mac addresses without getting into problems 04:37 < stony> so i only need to get openssl somewhere in between there 04:37 < reiffert> right now openvpn uses PF_INET, just change that to PF_PACKET 04:38 < stony> and i could do that by passing the data to openssl in userspace 04:38 < reiffert> "just" :) 04:38 < reiffert> VLN encryption came up to mind. anything there? 04:38 < stony> reiffert: yeah the little things in life cause the biggest problems ;) 04:38 < reiffert> s,VLN,VLAN, 04:39 < stony> reiffert: not really 04:39 < stony> (there) 04:40 < stony> bsd network interfaces are a bit more scriptable, i'll check the possibility to pass the packets to openssl in userland and then just forward em via the line 04:40 < stony> on the other hand, i can just use openvpn with overhead and be happy 04:41 < stony> but then i'll use ip addresses like 1.1.1.1 and 2.2.2.2 because then the packets aren't so big like when i use 192.168.100.100 and 192.168.200.200 because the numbers are lower 04:41 < stony> SCNR ;) 04:42 <@vpnHelper> RSS Update - forum: TLS Blocked by provider, need to modify source code... 04:43 < reiffert> stony: those numbers are slower and this gains you packet length were exactly? SCNR 04:43 < reiffert> s,slower,lower, 04:44 -!- common [~common@p5DDA4728.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds] 04:44 < stony> reiffert: yes ;) 04:44 < reiffert> So for Cisco it's called MACSec 04:44 < stony> yeah 04:44 < reiffert> And TrustSec 04:45 -!- common [~common@p5DDA41E4.dip0.t-ipconnect.de] has joined #openvpn 04:45 < stony> there are intel nics that do the trick ootb 04:45 < reiffert> MACSec seems to produce more overhead than TrustSec, where TrustSec can only be used on direct links which is what you want. 
04:46 < reiffert> "ootb"? 04:46 < stony> reiffert: yeah - all i want is to encrypt the lines i don't have the possibility to protect them 04:46 < stony> reiffert: Out Of The Box 04:47 < stony> btw how does the openvpn daemon scale on smp boxes? only using one core or is it using more cores when there are more connections ? 04:48 < reiffert> 3.0 will be using multiple threads IIRC. 04:48 < reiffert> 3.0 is just a roadmap atm. 04:48 < stony> ok so it is better to get less cores and more mht 04:48 < stony> mhz 04:49 < krzie> you can also run an instance of openvpn on each core 04:49 < reiffert> http://www.v3.co.uk/vnunet/news/2191381/israeli-firm-boosts-ethernet 04:49 <@vpnHelper> Title: Israeli firm boosts Ethernet encryption - V3.co.uk - formerly vnunet.com (at www.v3.co.uk) 04:49 < stony> can is use tcp/udp on top of layer2 without ip ? 04:50 < stony> never thought of that, but could be possible, couldn't it? 04:50 < krzie> tcp/udp is IP 04:50 < krzie> s/is/is part of/ 04:50 < stony> hm ok 04:51 < stony> reiffert: thanks for the link - but i prefer to use open source for real encryption :) 04:51 < reiffert> What about L2TP? 04:52 < stony> reiffert: same as openvpn with l2 tunnel 04:52 < stony> reiffert: it uses l3 to transport the packets 04:52 < reiffert> oh right. 04:52 < reiffert> sorry. 
04:53 < stony> you know, i'll setup an infrastructure where everything exists three times: one time onside - two times offside in the data centers 04:53 < stony> and it will be connected by gbit/s fibre links 04:54 < stony> so i need to encrypt the data to avoid access anywhere on the public site where the data passes 04:54 < stony> s/onside/onsite 04:54 < stony> s/onsite/on-site 04:54 < stony> damn 04:55 < stony> so best to use is open/freebsd with openvpn 04:55 < stony> then we even have the fbi backdoor ;) 04:55 < reiffert> just buy those cisco switches you were talking about couple of minutes ago 04:55 < stony> in case we lock ourselfs out ;) 04:55 < stony> naa, cisco is a company that does security by obscurity 04:55 < stony> and i don't like that 04:55 < reiffert> ah, those openbsd ipsec stuff around couple of weeks ago.. 04:56 < krzie> if you want the fbi backdoor you need ipsec 04:56 < reiffert> well then sed -e 's,PF_INET,PF_PACKET,g' openvpn/* 04:56 < krzie> aww you beat me to it 04:57 < stony> *g* 04:57 < reiffert> then hardcode the layer 2 address of the receiver ... done. 04:57 < reiffert> dont mess around with parsing config files. 04:57 < stony> yeah but the data is not encrypted 04:58 < reiffert> ? 04:58 < stony> reiffert: you've been talking about setting the mac address of the other endpoint manually in the arp cache? 04:59 < krzie> often a good idea... layer2 cant be trusted 04:59 < reiffert> stony: I'm still talking about patching openvpn 04:59 < stony> krzie: yeah 04:59 < reiffert> 11:56 < reiffert> well then sed -e 's,PF_INET,PF_PACKET,g' openvpn/* 04:59 < reiffert> 11:57 < reiffert> then hardcode the layer 2 address of the receiver ... done. 
05:00 < stony> reiffert: ah, i won't patch openvpn - I rely on openvpn's mature and stable code and don't want to mutilate it by my silly patches 05:00 < krzie> then you cant do it using openvpn 05:00 < reiffert> dazo_afk: please read up, it's about patching openvpn for that it can be used for layer 2 encryption (cisco sells this stuff atm) 05:00 < stony> if there is no other solution i'll use openvpn and put up with the overhead 05:01 < reiffert> dazo_afk: under the term MACSec and TrustSec 05:01 < reiffert> stony: buying cisco hardware - alternative. 05:01 < stony> reiffert: no - bsd and openvpn :) 05:02 < reiffert> http://www.youtube.com/watch?v=IUWDYU4KE4s 05:02 <@vpnHelper> Title: YouTube - Extreme - Strutter (Kiss Cover) (at www.youtube.com) 05:02 < stony> i need something i can rely on and that i trust 05:02 < reiffert> stony: trust the cisco technician :) 05:02 < stony> cisco gets people off the stage with the help of the police and a lawyer when they want to show some bugs in ios on a conference ... 05:03 < stony> that's not the way it should work 05:03 < reiffert> http://www.node99.org/papers/l2auth.pdf 05:03 < krzie> stony, when that person is under NDA with cisco...? 05:04 < stony> krzie: you don't know the story, do you ? 05:04 < krzie> maybe i know a different one' 05:04 < stony> krzie: the guy that was working at a company that had a partner status with cisco - he discovered security bugs in the router os and send cisco the infos with the mark that he will share this info with the world on a congress half a year later 05:05 < reiffert> stony: it says something about EAP and 802.1X 05:05 < hyper_ch> good morning reiffert 05:05 < hyper_ch> hi krzie 05:05 < stony> reiffert: i'm using eap as well, but that's just for authentication and not encryption 05:05 < krzie> stony, and was he under NDA because of his job...? 05:05 < stony> krzie: nda? 
05:05 < krzie> hey hyper_ch 05:05 < hyper_ch> kde 4.6 rc2 looks a lot sweeter already :) 05:05 < krzie> non disclosure agreement 05:05 < reiffert> stony: and how should someone sniff fibre then? 05:05 < stony> krzie: no 05:05 < krzie> a contract that says "i will wtfu" 05:05 < krzie> "i will stfu" * 05:06 < krzie> if that no is correct then the lawyers had nothing to stand on 05:06 < krzie> stony, got links to info...? 05:06 < stony> reiffert: the switch port is "dead" when you plug in your computer, then the system uses 802.1x to authenticate itself against the radius server in the back - then the radius server says "it's ok, i know this machine, put it on vlan 30" 05:06 < stony> reiffert: link up, system logged on, but *NOT* encrypted 05:06 < stony> reiffert: 802.1x is what you know as wpa enterprise on wifi 05:07 < reiffert> stony: sure and how to sniff a fbire connection? 05:07 < stony> reiffert: just put a bridge in the middle 05:07 < krzie> "just" 05:07 < krzie> heh 05:08 < reiffert> stony: by doing that the link gets down, right? 05:08 < stony> krzie: that's no problem - cut the cables, splice them to new pigtails and then put your switch with port monitoring in the middle 05:08 < djgerm> its not impossible. 05:08 < krzie> is cutting into fibre that easy? 05:08 < krzie> right, not impossible 05:08 < stony> reiffert: yes, but as the fibre goes only to the switch centre and then it is carried via the phone companies atm network, you can monitor the packets there as well 05:08 < krzie> also not "just" 05:09 < stony> krzie: splicing 12 fibre cables to the pigtails takes about 15 minutes 05:09 < stony> krzie: only splicing 2 cables 2 minutes 05:09 < reiffert> stony: then you are fucked anyways. 05:10 < stony> reiffert: that's why i want to encrypt the traffic :D 05:10 < reiffert> stony: you cant use layer 2 encryption on multiple fibre switches belonging to multiple layer 3 nets. 
05:10 < djgerm> the NSA has a great security policy: assume everything is already compromised.
05:10 < reiffert> whereas you don't keep every single one.
05:10 < stony> reiffert: i'm not doing that
05:10 < reiffert> stony: oh right, just that direct line at yours.
05:11 < reiffert> why not care about the weakest point first?
05:11 < reiffert> and why increase security other than at the weakest point?
05:11 < hyper_ch> reiffert: to feel better
05:12 < stony> reiffert: i do that
05:12 < stony> reiffert: but all i need is a way to encrypt data passing the "not under my control"-points
05:12 < stony> and those are always connections between buildings
05:13 < reiffert> Ah, Strutter got written by Kiss. I knew I knew it.
05:14 < reiffert> stony: right. encrypting all "not under my control" parts and optimizing those who share one subnet, so can talk via L2.
05:14 < stony> reiffert: yes
05:14 < reiffert> or whatever technology enables them.
05:16 < stony> wtf - i can't find even one link to the obscurity thing cisco did
05:16 < stony> it's just wiped off the net
05:16 < reiffert> :)
05:19 < stony> hehehe wikipedia: http://en.wikipedia.org/wiki/Michael_Lynn
05:19 <@vpnHelper> Title: Michael Lynn - Wikipedia, the free encyclopedia (at en.wikipedia.org)
05:19 < stony> that's the guy
05:21 < stony> http://news.bbc.co.uk/2/hi/technology/4724791.stm
05:21 <@vpnHelper> Title: BBC NEWS | Technology | Cisco acts to silence researcher (at news.bbc.co.uk)
05:21 < stony> the funny thing is: cisco has updates for the systems and said that they haven't been done by the owners of the systems
05:22 < stony> but they forgot to tell that you need an expensive contract to get the new releases
05:22 < stony> and that those updates are not free
05:22 < stony> i guess if the judge would have known that he wouldn't have signed any papers
05:24 < krzie> ya that was a good talk
05:24 < krzie> single ping ownage
05:24 < krzie> s/ping/packet/
05:30 < reiffert> bl
05:30 < reiffert> bbl
05:30 < reiffert> nice talking
05:33 -!- EnginAy [~engin@78.179.187.85] has joined #openvpn
05:34 < EnginAy> !welcome
05:34 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:34 < EnginAy> my internet is restricted by ISP but I have a dedicated box in a local datacenter which runs ubuntu and is not restricted. Is openvpn for me?
05:35 < reiffert> !def1
05:35 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
05:36 < reiffert> EnginAy: meaning: yes. see !howto
05:36 < reiffert> done.
05:40 < EnginAy> !hosto
05:40 < EnginAy> haha
05:40 < EnginAy> !howto
05:40 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:40 < EnginAy> not a great start
05:40 < stony> mahahahahahaha, sorry, but i have to post that: http://www.bildschirmarbeiter.com/video/profis_am_bau/
05:40 <@vpnHelper> Title: Profis am Bau! - Video auf bildschirmarbeiter.com (at www.bildschirmarbeiter.com)
05:44 < EnginAy> http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
05:44 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
05:45 -!- Bebop2Steady [~Bebop2Ste@124-168-169-88.dyn.iinet.net.au] has joined #openvpn
05:45 < EnginAy> does not mention where the config file is, which sure is not in /etc/openvpn on a default ubuntu installation
05:46 < Bebop2Steady> Which config file..
05:48 < Bebop2Steady> krzee you about? Stopping by to say thx for your write-up on chains. I got mine working finally, or close enough for today.
05:50 -!- alhadi [~thunderst@92.99.235.168] has joined #openvpn
05:51 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Quit: Leaving.]
06:00 -!- Bebop2Steady [~Bebop2Ste@124-168-169-88.dyn.iinet.net.au] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/]
06:02 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn
06:23 -!- alhadi [~thunderst@92.99.235.168] has quit [Ping timeout: 240 seconds]
06:30 -!- alhadi [~thunderst@94.59.248.20] has joined #openvpn
06:31 -!- tessier [~treed@kernel-panic/copilotco] has quit [Ping timeout: 255 seconds]
06:36 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Remote host closed the connection]
06:42 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
07:14 -!- Shathak [proxyuser@p2044-ipbf207oomichi.oita.ocn.ne.jp] has joined #openvpn
07:24 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
07:24 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
07:24 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
07:32 -!- EnginAy [~engin@78.179.187.85] has quit [Ping timeout: 276 seconds]
07:34 -!- nb [~nb@fedora/nb] has quit [Ping timeout: 240 seconds]
07:50 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
07:57 < stony> using ll2 addresses can't be implemented as a module, can it?
08:06 -!- huli [~ericlee@220.181.143.94] has quit [Ping timeout: 240 seconds]
08:10 -!- tessier [~treed@mail.copilotco.com] has joined #openvpn
08:26 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
08:26 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
08:26 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
08:29 <@vpnHelper> RSS Update - forum: Help sharing printers in openvpn and windows xp
08:37 -!- p3rror [~mezgani@41.140.174.108] has quit [Ping timeout: 240 seconds]
08:48 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 272 seconds]
08:48 -!- takamichi [~pri@85.232.213.54] has quit [Ping timeout: 272 seconds]
08:49 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
08:59 -!- TripMine [~TripMine@unaffiliated/tripmine] has joined #openvpn
09:02 < TripMine> Hello, I've been able to establish a connection from the openvpn server to the client and was able to ping from the client to the gateway with responses. I cannot however communicate with any open ports on the server.
09:03 < TripMine> The server is on a VM and 1194 is forwarded through
09:03 < TripMine> no firewall is started on the VM.
09:04 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
09:04 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
09:04 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
09:06 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Read error: Operation timed out]
09:11 <@vpnHelper> RSS Update - forum: To change port
09:13 -!- alhadi [~thunderst@94.59.248.20] has quit [Ping timeout: 240 seconds]
09:22 -!- sia is now known as sia^pwnnt
09:23 -!- sia^pwnnt is now known as sia
09:35 <@vpnHelper> RSS Update - forum: Internet speed after the openvpn connection
09:40 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 240 seconds]
09:41 -!- takamichi [~pri@85.232.213.54] has joined #openvpn
09:42 -!- WinstonSmith [~true@brln-4d0ce2d9.pool.mediaWays.net] has joined #openvpn
09:43 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has joined #openvpn
09:43 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has quit [Changing host]
09:43 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
09:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
09:58 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
10:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
10:38 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
10:39 -!- EnginAy [~engin@78.179.187.85] has joined #openvpn
10:39 -!- Peer^ [~ttt@ks355877.kimsufi.com] has joined #openvpn
10:39 < Peer^> !welcome
10:39 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:40 < Peer^> !goal
10:40 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:51 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
10:52 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
11:05 -!- sia is now known as sia^pwnnt
11:08 -!- WinstonSmith [~true@brln-4d0ce2d9.pool.mediaWays.net] has quit [Quit: Ex-Chat]
11:09 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
11:09 < fahmad> hello
11:10 < fahmad> !goal
11:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:15 < fahmad> i have a question
11:16 < fahmad> when i start openvpn using the init script it starts three openvpn processes and when any of these processes goes down openvpn does not accept new connections
11:19 -!- Shathak [proxyuser@p2044-ipbf207oomichi.oita.ocn.ne.jp] has quit [Remote host closed the connection]
11:25 -!- shiz0_ [~shiz0@HSI-KBW-109-192-060-032.hsi6.kabel-badenwuerttemberg.de] has quit [Read error: Connection reset by peer]
11:26 < fahmad> anyone?
11:26 -!- Xen^ [~linux@vpn.server4sale.com] has joined #openvpn
11:30 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 255 seconds]
11:32 -!- Xen^ is now known as fahmad
11:32 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
11:32 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
11:35 < fahmad> anyone?
11:35 < fahmad> when i start openvpn using the init script it starts three openvpn processes and when any of these processes goes down openvpn does not accept new connections
11:35 < fahmad> can someone tell me why this is happening
11:35 < fahmad> ?
11:35 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
11:39 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Ping timeout: 272 seconds]
11:41 -!- int_0x80_ [~int0x80@int0x80.big-daddy.fr] has quit [Remote host closed the connection]
11:41 -!- us3r [~aaron@CPE000d88382326-CM0012256eb04c.cpe.net.cable.rogers.com] has joined #openvpn
11:43 < us3r> Hey all
11:43 -!- us3r is now known as n1xus3r
11:44 < n1xus3r> I have the strangest thing happening to me
11:44 < Bushmills> fahmad: because you're running linux, possibly debian or ubuntu, and the init script starts one instance for each .conf file found in /etc/openvpn
11:44 < Bushmills> ergo, you have 3 *.conf files in /etc/openvpn
11:45 < n1xus3r> I have created an openVPN connection between vyatta and windows 7. When I remote desktop into Windows 2008 server it's very slow and lags.... When I rdp into a windows xp box it runs fine... Anyone have any idea what this could be?
11:47 < n1xus3r> I've run iperf tests on both the boxes and the speed was sufficient to run rdp smoothly.. But for some reason server 2008 would run rdp laggy and xp would run it fine
11:50 < fahmad> Bushmills: i am running centos
11:50 < fahmad> Bushmills: you know when it goes down it will not be working ...
11:50 < n1xus3r> !welcome
11:50 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:51 < Bushmills> maybe because those multiple configs are not made to run at the same time, and conflict with each other
11:52 < Bushmills> when one goes down, a route may be removed which messes your system up
11:52 < fahmad> Bushmills: i am using only one config
11:52 < Bushmills> just rename all the configs which you don't want to start, and start only with the one you mean to run
11:52 < fahmad> and i am using the Radius Plugin for Radius Authentication by Ralf
11:53 < n1xus3r> Could it be because I'm using the beta rls of openvpn on windows 7 for why only server 2008 rdp lags?
11:53 < Bushmills> "when i start openvpn using init script it starts three openvpn processes" - that's a sign that you're *not* "i am using only one config"
11:53 < fahmad> Bushmills: it's the only config which i have in /etc/openvpn, it is server.conf
11:54 < Bushmills> then fix your init script
11:56 < fahmad> this init script was provided by the openvpn source :)
11:57 < n1xus3r> It's like I'm a ghost in here
11:58 < Bushmills> n1xus3r: that's the problem with unpopular operating system choices
11:58 -!- Xen^ [~linux@vpn.server4sale.com] has joined #openvpn
11:58 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Disconnected by services]
11:58 -!- Xen^ is now known as fahmad
11:58 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
11:58 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
11:58 < fahmad> back
11:58 < n1xus3r> Windows? Don't a lot of ppl use that for the "road warrior" configuration
11:59 < Bushmills> did all those lots of ppl reply to you?
12:00 < n1xus3r> Well it's just an assumption
12:00 < n1xus3r> But it's so weird I can rdp fine into an xp box
12:00 < Bushmills> !windows
12:00 <@vpnHelper> "windows" is (#1) pcs are like air conditioners, they work fine unless you open windows, or (#2) http://secure-computing.net/files/windows.jpg, or (#3) also, http://secure-computing.net/files/windows_2.jpg
12:01 < n1xus3r> I can see this is not a big windows community damn..
12:01 < n1xus3r> Anywhere else I can get resources for this.. tried google
12:03 < n1xus3r> Or maybe there are some ppl in this chan who are more apt with windows configs... Such a weird issue.
12:03 < fahmad> Bushmills: how can i get the openvpn init script fixed as this has been given by openvpn
12:04 < Bushmills> fahmad: determine why it starts three openvpn instances
12:05 < fahmad> no idea why
12:05 < fahmad> but it's starting ...
12:05 < n1xus3r> what distro r u using?
12:05 < Bushmills> i also have no idea why. but you're sitting behind the machine where 3 instances are started, i am not.
12:06 < fahmad> n1xus3r: centos
12:06 < fahmad> Bushmills: humm
12:06 < fahmad> lemme check it on a test machine
12:06 < fahmad> brb sec
12:06 < n1xus3r> try another possibly
12:06 -!- int_0x80_ [~int0x80@int0x80.big-daddy.fr] has joined #openvpn
12:10 < fahmad> even when i run this command it runs three processes: /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn --config server.conf
12:12 < fahmad> i think it's due to radiusplugin
12:18 -!- EnginA [~engin@78.179.187.85] has joined #openvpn
12:21 -!- EnginAy [~engin@78.179.187.85] has quit [Ping timeout: 276 seconds]
12:33 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
12:44 -!- TripMine [~TripMine@unaffiliated/tripmine] has quit [Ping timeout: 250 seconds]
12:52 <@vpnHelper> RSS Update - forum: no access to net behind working vpn
12:56 -!- silverraindog [~angus@host86-185-35-153.range86-185.btcentralplus.com] has quit [Read error: Connection reset by peer]
12:57 -!- silverraindog [~angus@host86-185-35-153.range86-185.btcentralplus.com] has joined #openvpn
13:05 -!- p3rror [~mezgani@41.248.105.214] has joined #openvpn
13:11 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 240 seconds]
13:13 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn
13:18 -!- p3rror [~mezgani@41.248.105.214] has quit [Ping timeout: 260 seconds]
13:25 -!- wolfric [~wolfric@pdpc/supporter/student/wolfric] has quit [Remote host closed the connection]
13:25 -!- Netsplit *.net <-> *.split quits: tessier, d303k, nijotz, ksk, Rienzilla
13:26 -!- Netsplit over, joins: d303k, tessier, Rienzilla, ksk, nijotz
13:36 -!- n1xus3r [~aaron@CPE000d88382326-CM0012256eb04c.cpe.net.cable.rogers.com] has quit [Quit: n1xus3r]
13:40 <@vpnHelper> RSS Update - forum: [newbie/2.0.9] Checking that OpenVPN is OK?
13:41 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
13:47 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
14:04 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
14:08 -!- Sky[xx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
14:10 < stony> reiffert: hey, just for the discussion this morning - it can be done via the netgraph system on freebsd
14:11 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
14:28 <@vpnHelper> RSS Update - forum: Double VPN || 2 Hop VPN || VPN-over-VPN
14:30 -!- Engin [~engin@78.179.187.85] has joined #openvpn
14:31 -!- EnginA [~engin@78.179.187.85] has quit [Ping timeout: 276 seconds]
14:31 -!- alhadi [~thunderst@188.95.51.165] has joined #openvpn
14:33 -!- Bebop2Steady [~chatzilla@122.151.78.126] has joined #openvpn
14:50 -!- Malard|Home is now known as Malard
14:56 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
15:11 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined #openvpn
15:11 -!- p3rror [~mezgani@41.140.35.62] has joined #openvpn
15:19 -!- p3rror [~mezgani@41.140.35.62] has quit [Ping timeout: 240 seconds]
15:20 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has quit [Remote host closed the connection]
15:20 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has joined #openvpn
15:29 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has left #openvpn []
15:31 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- s0 d4Mn l33t |t'z 5c4rY!]
15:34 -!- p3rror [~mezgani@41.140.47.190] has joined #openvpn
15:37 -!- p3rror [~mezgani@41.140.47.190] has quit [Read error: Connection reset by peer]
15:39 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
15:39 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
15:39 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
15:58 -!- tessier [~treed@mail.copilotco.com] has quit [Ping timeout: 240 seconds]
16:12 -!- tessier [~treed@mail.copilotco.com] has joined #openvpn
16:13 -!- Engin [~engin@78.179.187.85] has quit [Ping timeout: 276 seconds]
16:38 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn
16:40 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds]
16:40 -!- Cain` is now known as Cain
16:43 -!- p3rror [~mezgani@41.140.43.176] has joined #openvpn
17:00 -!- Bushmill1 [~root@178-26-21-130-dynip.superkabel.de] has joined #openvpn
17:04 -!- Iron_Chef [~alloy@tropyx.com] has joined #openvpn
17:04 < Iron_Chef> Hi, I'm trying, and having no luck, sending syslog messages over openvpn - any ideas?
17:04 -!- fredrika [~fredrika@c83-251-120-7.bredband.comhem.se] has joined #openvpn
17:05 < fredrika> Hi Guys. Got any tip on a good guide for setting up an openvpn server on ubuntu server?
17:05 < krzie> forget that it is ubuntu
17:05 < krzie> that doesn't matter
17:05 < krzie> !howto
17:05 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:06 < krzie> Iron_Chef, make sure syslogd is listening on the ovpn ip as well
17:06 < Iron_Chef> I'm sure the vpn is working well, ssh, www etc all connect, just syslog messages get lost
17:06 < Iron_Chef> krzie: ah
17:07 < fredrika> krzie, I'll have a look. Thanks.
17:08 < krzie> oh and fredrika
17:08 < krzie> !ubuntu
17:08 <@vpnHelper> "ubuntu" is dont use network manager!
17:08 < krzie> at least while testing
17:08 < krzie> you can use it once your vpn works right if you wanna
17:10 < Iron_Chef> ok, was not openvpn at all. thanks anyway!
17:11 < krzie> fixed it?
17:11 < krzie> Iron_Chef, maybe 40% of questions here aren't openvpn ;)
17:12 < krzie> if not more...
17:12 -!- KamelSnus [~carl@c80-216-40-208.bredband.comhem.se] has joined #openvpn
17:12 < krzie> normally firewalls / routing
17:12 < KamelSnus> Hi all!
17:12 < fredrika> krzie, wouldn't dream of it. I use it from a shell all the time at work. It just seems really complicated to set up at home. I mean, I already have a bridge set up, but it keeps refusing to start the daemon..
17:12 < krzie> oh god
17:12 < krzie> fredrika, you are using a bridge because of some web walkthrough, aren't you...
17:13 < krzie> pls tell me why you want a bridged setup
17:13 < KamelSnus> My VPN-client (192.168.2.0/24) can't seem to get access to my LAN (192.168.1.0/24). I've done everything I can think of, I push the route in the config, I've set up the router to route the traffic to the vpn-server and... well I'm all out of ideas. Any directions would be very much appreciated...
17:14 < fredrika> krzie, I am. Sounds like I'm off the mark?
17:14 < krzie> fredrika,
17:14 < krzie> !tunortap
17:14 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over
17:14 <@vpnHelper> the vpn, or (#4) lan gaming? use tap!
17:14 < krzie> KamelSnus, lan behind server or client?
17:14 < KamelSnus> krzie: behind the server
17:15 < krzie> is the vpn server the router for its LAN?
17:15 < KamelSnus> Nope
17:15 < krzie> !route_outside_openvpn
17:15 <@vpnHelper> "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
17:15 < KamelSnus> I've added a route to the gateway for that LAN though
17:15 < krzie> !serverlan
17:15 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
17:16 < KamelSnus> !ipforward
17:16 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
17:16 < KamelSnus> :)
17:16 < fredrika> krzie, Well, does not the tun way need me to set up a new subnet? I really want the connected computer on the same local subnet as all my other stuff @ home
17:16 < KamelSnus> !linipforward
17:16 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
17:16 < krzie> fredrika, why do you think you want them on the same subnet?
17:17 < krzie> fredrika, 99% of people who say that don't understand routing... the remaining 1% run something weird that requires it
17:17 < fredrika> krzie, 'cause I do not know how to set up the routing.. ;)
17:17 < krzie> ;)
17:17 < krzie> !route
17:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:17 < KamelSnus> krzie: Hmm I seem to have done all that :&
17:18 < krzie> KamelSnus, i see you are using the most common subnet ever
17:18 < krzie> is your client also on the lan 192.168.1.X ?
17:18 < fredrika> krzie, perhaps that does it. I'll give it a shot. Thanks!
17:18 < krzie> fredrika, yw
17:18 < KamelSnus> krzie: haha yea I know
17:18 < krzie> fredrika, ALSO
17:18 < krzie> !confgen
17:19 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
17:19 < KamelSnus> krzie: client as in openvpn-client?
17:19 < KamelSnus> krzie: if so then no. the client isn't NAT:ed
17:19 < krzie> KamelSnus, your server's lan is 192.168.1.x, your vpn is 192.168.2.x, what LAN is the client on?
17:19 < krzie> ok, it has no lan
17:19 < krzie> gotcha
17:20 < KamelSnus> nope exactly
17:20 < krzie> !configs
17:20 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
17:20 < KamelSnus> Bot-master :D
17:20 < krzie> !bot
17:20 <@vpnHelper> "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
17:20 < krzie> =]
17:21 < krzie> although...
17:21 < krzie> !forget bot
17:21 <@vpnHelper> Joo got it.
17:21 < KamelSnus> http://pastebin.com/Xn8Jgqg2
17:21 < krzie> !learn bot as I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
17:21 <@vpnHelper> Joo got it.
17:22 < krzie> oh god
17:22 < krzie> and why are YOU bridging...
17:22 < KamelSnus> I like bridges :/
17:22 < KamelSnus> They make my life more interesting! :)
17:22 < krzie> what layer2 protocol do you need over your vpn?
17:23 < KamelSnus> http and ftp basically
17:23 < krzie> those are layer3
17:23 < KamelSnus> and ssh
17:23 < krzie> change server-bridge to server 192.168.2.0 255.255.255.0
17:23 < krzie> dev tap to dev tun
17:23 < krzie> unbridge your interfaces
17:24 < krzie> remove this line
17:24 < krzie> ifconfig-pool-persist ipp.txt
17:24 < KamelSnus> Ah sorry just ethernet then
17:24 < krzie> ethernet is layer2
17:24 < krzie> you just need IP
17:24 < krzie> aka layer3
17:24 < krzie> aka tun
17:24 < krzie> do what i said above, make the client match by changing it to dev tun
17:25 < KamelSnus> aye aye skipper! One minute :)
17:28 -!- int_0x80_ [~int0x80@int0x80.big-daddy.fr] has quit [Ping timeout: 240 seconds]
17:29 < KamelSnus> brb then
17:31 -!- fredrika [~fredrika@c83-251-120-7.bredband.comhem.se] has quit [Ping timeout: 276 seconds]
17:33 -!- KamelSnus [~carl@c80-216-40-208.bredband.comhem.se] has quit [Quit: Lost terminal]
17:34 -!- KamelSnus [~carl@c80-216-40-208.bredband.comhem.se] has joined #openvpn
17:34 < KamelSnus> Nope nothing :(
17:37 < KamelSnus> Can't see what i'm doing wrong... :/
17:37 < KamelSnus> Obviously I'm ding something wrong though
17:37 < KamelSnus> *doing
17:38 < krzie> paste BOTH configs now
17:38 < KamelSnus> Client and server?
17:39 < krzie> is there another that could be counted in "both" ?
17:42 < KamelSnus> http://pastebin.com/SerdAazu
17:43 -!- fredrika [~fredrika@c83-251-120-7.bredband.comhem.se] has joined #openvpn
17:43 < KamelSnus> The gateway for 192.168.1/24 has a route that points 192.168.2/24 to 192.168.1.200 (Which is the OpenVPN server)
17:44 -!- int_0x80_ [~int0x80@int0x80.big-daddy.fr] has joined #openvpn
17:45 < krzie> can the client ping 192.168.2.1?
17:46 < krzie> also, your client has --float
17:46 < krzie> you may have that backwards
17:46 < krzie> your CLIENT might change its ip, not your server, right?
17:46 < KamelSnus> yea
17:46 < krzie> ya it's backwards
17:47 < KamelSnus> So I should thus rip float out of it I presume
17:47 < krzie> --float
17:47 < krzie> Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic add
17:47 < krzie> ress such as a dial-in user or DHCP client.
17:47 < krzie> yes, remove float
17:47 < Iron_Chef> openvpnas is telling me I'm using 10 users, but only lists 5 - is this normal?
17:47 < krzie> and since server doesn't have --remote, it already has --float so you don't need it there
17:48 < krzie> Iron_Chef,
17:48 < krzie> !AS
17:48 <@vpnHelper> "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
17:48 <@vpnHelper> supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
17:48 < krzie> see #4
17:48 < krzie> we don't support AS here
17:48 < KamelSnus> You're a trooper mate. Thanks a lot for spending your time on me! Please give me a minute to start irssi inside a screen
17:48 -!- KamelSnus [~carl@c80-216-40-208.bredband.comhem.se] has quit [Quit: leaving]
17:48 < Iron_Chef> ah ok
17:49 -!- KamelSnus [~root@c80-216-40-208.bredband.comhem.se] has joined #openvpn
17:49 < KamelSnus> There we are
17:49 -!- p3rror [~mezgani@41.140.43.176] has quit [Ping timeout: 276 seconds]
17:49 < KamelSnus> Let me try to ping 192.168.2.1
17:53 < krzie> dude
17:53 < krzie> do NOT irc as root
17:53 < krzie> EVER
17:54 < Iron_Chef> KamelSnus: yeah, really, root and irc are a huge hole
17:54 < krzie> disconnect immediately and join from a user account, trust me
17:59 < KamelSnus> Whups! Totally forgot I was su on this box!
17:59 < KamelSnus> Good catch!
17:59 < KamelSnus> Thanks
17:59 < KamelSnus> brb
17:59 -!- KamelSnus [~root@c80-216-40-208.bredband.comhem.se] has quit [Quit: leaving]
18:00 -!- KamelSnus [~upload@c80-216-40-208.bredband.comhem.se] has joined #openvpn
18:00 < KamelSnus> There we are
18:00 < KamelSnus> Anyways.... nope I can't ping 192.168.2.1
18:00 < krzie> cool, pastebin some logs
18:01 < KamelSnus> Where does openvpn log btw?
18:02 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 240 seconds]
18:02 < krzie> !logfilew
18:02 < krzie> !logfile
18:02 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
18:08 < KamelSnus> some syslog; http://pastebin.com/ZuZFxU4X
18:18 < krzie> ahh
18:18 < krzie> your client configs don't have comp-lzo
18:18 < krzie> but your server does
18:18 -!- nb [~nb@fedora/nb] has joined #openvpn
18:18 < krzie> LOL that it happens to point at 42 and 69
18:19 < krzie> the 2 answers to life and everything
18:19 < krzie> (and universe)
18:20 -!- KamelSnus [~upload@c80-216-40-208.bredband.comhem.se] has quit [Remote host closed the connection]
18:20 < krzie> http://www.youtube.com/watch?v=aboZctrHfK8
18:20 <@vpnHelper> Title: YouTube - the answer to life, universe and everything (at www.youtube.com)
18:22 -!- N0b0dy [debian-tor@gateway/tor-sasl/n0b0dy] has joined #openvpn
18:29 -!- KamelSnus [~carl@c80-216-40-208.bredband.comhem.se] has joined #openvpn
18:30 < KamelSnus> Hi again
18:34 < KamelSnus> Did you get anything from those logs?
18:34 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 250 seconds]
18:35 < krzie> [20:18] your client configs don't have comp-lzo
18:35 < krzie> [20:18] but your server does
18:36 < KamelSnus> Oh?
18:36 < KamelSnus> Would that cause it?
18:36 < krzie> yes
18:37 < KamelSnus> just add "open-lzo" to the client-conf then I presume?
18:37 < krzie> you really feel the need to ask that?
18:37 < KamelSnus> I seem to get everything wrong today so... :/
18:37 < N0b0dy> type sudo dd if=/dev/urandom of=/dev/sda into the console
18:37 < N0b0dy> to fix the problem.
18:42 < KamelSnus> Oh!
18:43 < KamelSnus> krzie: Thank you SO much for your time! You cracked the nut
18:43 < krzie> yw
18:43 < KamelSnus> *happy happy* :)
18:44 < KamelSnus> Now I'm off to bed! I wish you a lovely evening!
18:44 < krzie> nite
18:44 -!- KamelSnus [~carl@c80-216-40-208.bredband.comhem.se] has quit [Quit: yaay]
18:44 < krzie> hah
18:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
18:46 < N0b0dy> Cain, you from efnet?
18:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:52 -!- Mushbills [~l@178-26-21-130-dynip.superkabel.de] has joined #openvpn
18:52 -!- fredrika [~fredrika@c83-251-120-7.bredband.comhem.se] has quit [Quit: Leaving]
18:55 -!- Mushbills [~l@178-26-21-130-dynip.superkabel.de] has left #openvpn []
18:55 -!- Mushbills [~l@178-26-21-130-dynip.superkabel.de] has joined #openvpn
18:59 < Iron_Chef> what does this mean:
18:59 < Iron_Chef> Options error: Unrecognized option or missing parameter(s) in client.conf:109: (2.0.9)
18:59 < Iron_Chef> i've set up 6 machines the same, this one alone gives this error
19:00 < krzie> didn't you say you run AS?
19:01 < Iron_Chef> krzie: not on the clients
19:02 < Mushbills> 2.0.9 is kind of old
19:02 < krzie> a) if you're really running 2.0.9 go update, b) you prolly don't have the ca entry in the config
19:05 < Iron_Chef> ah, this server has a dodgy repo, will try with rpmforge
19:16 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds]
19:35 -!- Sky[xx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
19:36 -!- Bushmill1 [~root@178-26-21-130-dynip.superkabel.de] has quit [Quit: Download Gaim: http://gaim.sourceforge.net/]
19:37 < N0b0dy> sky[xx] runs vsftpd 2.0.5
19:37 < N0b0dy> and transmission on port 9091
19:37 < N0b0dy> SECURITY EXPERT
19:38 < N0b0dy> should i rm the kid
19:41 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Quit: Leaving.]
19:47 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn
19:53 -!- N0b0dy [debian-tor@gateway/tor-sasl/n0b0dy] has quit [Quit: leaving]
20:04 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
20:07 -!- s7r [~s7r@95.154.230.251] has left #openvpn []
20:07 -!- p3rror [~mezgani@41.140.43.5] has joined #openvpn
20:30 < reiffert> morning
20:30 < reiffert> Iron_Chef: 2.0.9 sounds like very ancient and broken software.
20:33 -!- nb [~nb@fedora/nb] has quit [Ping timeout: 272 seconds]
20:54 -!- nb [~nb@fedora/nb] has joined #openvpn
21:00 < Bebop2Steady> general question about chains if krzee/anyone is around..
21:07 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 260 seconds]
21:13 -!- Mushbills [~l@178-26-21-130-dynip.superkabel.de] has quit [Quit: Changing server]
21:15 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:19 < krzie> !ask
21:19 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
21:19 < Bebop2Steady> Oh excellent thank you : ]
21:19 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
21:19 < Bebop2Steady> re: this vpn chain I have been working on, with a VPN over the inner chain..
21:20 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Ping timeout: 240 seconds]
21:20 < Bebop2Steady> I am finding it necessary to run the openVPN client twice for the end-ser
21:20 < Bebop2Steady> I am curious if there's a way to only need it once
21:20 < Bebop2Steady> https://forums.openvpn.net/topic7483.html
21:20 <@vpnHelper> Title: OpenVPN Support Forum Double VPN || 2 Hop VPN || VPN-over-VPN : Server Administration (at forums.openvpn.net)
21:21 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
21:22 < Bebop2Steady> end user i mean...
21:22 < reiffert> "Balls to the wall" - Accept comes to mind
21:22 < Bebop2Steady> the person who wants to utilize the secure chain..
21:23 < reiffert> http://www.youtube.com/watch?v=TMplgrlXo80
21:23 <@vpnHelper> Title: YouTube - accept - balls to the wall - new singer Mark Tornillo (at www.youtube.com)
21:23 < reiffert> "They're gonna break their chains"
21:24 < reiffert> Bebop2Steady: please explain those "chains". Never heard of any regarding network terms.
21:24 < krzie> oh those chains
21:24 < krzie> lol
21:24 < reiffert> krzie: what is doing there?
21:25 < krzie> hes talking about vpnchains
21:25 < reiffert> meaning?
21:25 < krzie> thats what i called it in my writeup here:
21:25 < krzie> !vpnchains
21:25 < krzie> erm
21:25 < reiffert> glad vpnHelper doesnt respond on that.
21:25 < krzie> http://secure-computing.net/wiki/index.php/OpenVPN/VpnChains
21:25 <@vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at secure-computing.net)
21:26 < reiffert> I call it routing.
21:26 < reiffert> Hey lets rename everything.
21:26 < krzie> erm
21:26 -!- reiffert is now known as krzee_
21:26 < krzie> you didnt read it
21:26 < krzee_> no, I was looking at a single picture.
21:26 -!- krzee_ is now known as reiffert
21:26 < krzie> i talk to server a, and it exits client b, while inside a vpn that client a and server b cant sniff
21:27 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
21:27 < krzie> although i can choose for it to exit any machine through a small setting change on my client machine
21:28 < reiffert> I dont see a benefit.
21:28 < krzie> then dont do it
21:28 < reiffert> Maybe someone should explain the benefit to me.
21:28 < krzie> aka, line 2 of the link you just didnt read
21:28 < krzie> You may not see a practical purpose to doing this, and if that is the case: dont do it =]
21:29 < Bebop2Steady> Agreed. mostly interested in the "how to" rather than "why to" for the moment
21:29 < reiffert> Right, I started at "I connect to SERVER-A"
21:30 -!- Engin [~engin@78.179.187.85] has joined #openvpn
21:31 < reiffert> doing something stupid for the purpose of doing something stupid? erm.
21:31 < krzie> if you dont see why, then you dont need it
21:31 < krzie> i didnt document it much more because i didnt want to get into any of that
21:32 < reiffert> ah, catching innocent users with pretty stupid stuff - that makes sense!
21:32 < reiffert> I like the idea.
21:36 < krzie> we could say it helps in offering plausible deniability
21:45 -!- p3rror [~mezgani@41.140.43.5] has quit [Read error: Connection reset by peer]
21:51 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 255 seconds]
22:00 -!- p3rror [~mezgani@41.140.98.116] has joined #openvpn
22:02 -!- stony [~ol@2a01:198:6f7::dead:beef:0] has quit [Read error: Network is unreachable]
22:02 -!- stony [~ol@2a01:198:6f7::dead:beef:0] has joined #openvpn
22:03 -!- stony is now known as Guest77827
22:04 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
22:13 -!- p3rror [~mezgani@41.140.98.116] has quit [Ping timeout: 255 seconds]
23:00 -!- pyther [~pyther@unaffiliated/pyther] has quit [Quit: Lost terminal]
23:14 -!- Engin [~engin@78.179.187.85] has quit [Read error: Connection reset by peer]
23:14 -!- Engin [~engin@78.179.187.85] has joined #openvpn
23:19 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Ping timeout: 264 seconds]
23:31 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
23:31 -!- mode/#openvpn [+o vpnHelper] by ChanServ
23:58 -!- mick_laptop [~mick@clamwin/admin/mickhome] has joined #openvpn
23:59 < mick_laptop> anyone know if it is possible to connect two remote locations in a way that if the connection on one goes down that the other side will not be hosed?
--- Day changed Sun Jan 09 2011
00:00 < mick_laptop> I was thinking: [router w/ openvpn @ site A] <----- {intarwebs} ------> [router w/ openvpn @ site B]
00:00 < krzie> why would the other side be hosed?
00:11 < mick_laptop> internet goes down
00:11 < mick_laptop> i'd still like people to be able to connect remotely to the other side
00:17 < krzie> without access to the internet!?
00:29 -!- Engin [~engin@78.179.187.85] has quit [Ping timeout: 276 seconds]
00:32 < djgerm> this situation sounds enigmatic.
00:36 < mick_laptop> krzie: i mean if a site goes down then users (who have internet access elsewhere) can just connect to the other vpn server
00:36 < krzie> sure, just use 2 remote entries
00:38 -!- Bebop2Steady [~chatzilla@122.151.78.126] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
00:38 < mick_laptop> ok so to have the vpn connected though
00:38 < mick_laptop> so if you connect to one - you have access to the other
00:40 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
00:51 < Iron_Chef> when i run an openvpn client on a webserver, it stops serving http correctly and ssh for that matter
00:51 < Iron_Chef> definitely stopping openvpn solves this problem
00:52 < Iron_Chef> i just want to use openvpn to shoot log files off site - what setting am i misplacing?
00:52 < krzie> your client is set to redirect-gateway isnt it
00:53 < Iron_Chef> ah
00:53 < krzie> and why dont you just syslog offsite
00:53 < krzie> oh wait you were trying that earlier... must have given up
00:54 < Iron_Chef> syslog is working fine over the vpn now
00:54 < Iron_Chef> all other servers are happy, just web server now
00:54 < Iron_Chef> i want to put it through the vpn to not have to pay for an IP just for a logger basically
01:00 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:03 < Iron_Chef> where do I tell it not to listen on the vpm ip?
01:05 < |Mike|> what's vpm?
01:07 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
01:07 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Ping timeout: 264 seconds]
01:11 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
01:29 < Iron_Chef> a typo |Mike|
01:37 < krzie> Iron_Chef, pls restate your question in a better way, i have no idea what you want
01:52 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
01:52 -!- mode/#openvpn [+o vpnHelper] by ChanServ
02:05 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Ping timeout: 260 seconds]
02:09 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
02:09 -!- mode/#openvpn [+o vpnHelper] by ChanServ
02:12 < Iron_Chef> krzie: why does the webserver stop serving web when openvpn connects?
02:16 < Iron_Chef> !welcome
02:16 < Iron_Chef> !goal
02:20 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Ping timeout: 250 seconds]
02:34 < alhadi> hi
02:34 < alhadi> krzie :) , the VPS support guys sorted a problem with a firewall.
02:34 < alhadi> said to be the cisco ASA device that was not allowing dev tun16 to ping and redirect
02:34 < alhadi> now i am connected to VPN and it works :)
02:35 < krzie> [02:52] your client is set to redirect-gateway isnt it
02:35 < krzie> you never answered
02:35 < krzie> @ Iron_Chef
02:35 < krzie> alhadi, cool =]
02:35 < alhadi> :d ty
02:36 < alhadi> i am registering in openvpn forum now
02:36 < alhadi> brb
02:46 < Iron_Chef> krzie: I didn't see that setting anywhere
02:48 < krzie> Iron_Chef, pastebin client and server configs
02:54 < Iron_Chef> i'd rather not, if you can't answer that's ok.
02:55 < krzie> lol
02:55 < krzie> you're talking about your AS setup arent you
03:35 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn
03:39 -!- WinstonSmith [~true@g231242069.adsl.alicedsl.de] has joined #openvpn
03:48 -!- WinstonSmith [~true@g231242069.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
03:51 -!- master_of_master [~master_of@p57B55D9F.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
03:52 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
03:52 -!- master_of_master [~master_of@p57B52F1C.dip.t-dialin.net] has joined #openvpn
04:01 -!- WinstonSmith [~true@f052101074.adsl.alicedsl.de] has joined #openvpn
04:09 -!- Bebop2Steady [~Bebop2Ste@124-149-37-222.dyn.iinet.net.au] has joined #openvpn
04:23 < Bebop2Steady> Socks server inside VPN. Interesting idea. I wonder of the potential applications, if any...
04:24 < krzie> !routebyapp
04:24 < krzie> !factoids search route
04:24 < krzie> grr vpnhelper is down
04:24 < krzie> 1min
04:24 < Bebop2Steady> dang
04:25 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
04:25 -!- mode/#openvpn [+o vpnHelper] by ChanServ
04:25 < krzie> !routebyapp
04:25 <@vpnHelper> "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
04:26 < Bebop2Steady> ahh thats getting pretty crazy / mind screwy
04:27 < Bebop2Steady> so you get in the VPN.. and then route some apps selectively even deeper into the VPN ?
04:27 < krzie> i allow certain apps to bypass the vpn
04:27 < krzie> others go through it
04:28 < krzie> ie: 2 web browsers, 1 goes over local isp other over vpn
04:28 < krzie> default is the vpn one
04:28 < krzie> torrents bypass the vpn
04:28 < krzie> default is to go over the vpn
04:29 < krzie> byproduct of not allowing lan machines to communicate with me, unless i add a rule for them to bypass the vpn
04:29 < krzie> (which i prefer)
04:29 < krzie> my responses go over the vpn, which has no route to the lan
04:32 < Bebop2Steady> I'm with ya up until byproduct... but dont try n explain.. I still gotta get my hands dirty some more with openvpn experiments.
04:38 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
04:40 -!- common- [~common@p5DDA4406.dip0.t-ipconnect.de] has joined #openvpn
04:43 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Ping timeout: 240 seconds]
04:43 -!- common [~common@p5DDA41E4.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
04:43 -!- common- is now known as common
04:48 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
04:49 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn
04:54 -!- Cain [~Geek@unaffiliated/cain] has quit [Read error: Connection reset by peer]
05:10 -!- Netsplit *.net <-> *.split quits: d303k, rkantos_, Hamlin, nijotz, ksk, takamichi
05:11 -!- Netsplit over, joins: takamichi, rkantos_, Hamlin
05:12 -!- Netsplit over, joins: d303k, ksk, nijotz
05:12 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Excess Flood]
05:12 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn
05:22 -!- int_0x80_ [~int0x80@int0x80.big-daddy.fr] has quit [Ping timeout: 276 seconds]
05:36 -!- int_0x80_ [~int0x80@int0x80.big-daddy.fr] has joined #openvpn
05:36 -!- raidzx [~Andrew@2002:adc0:e0ad::adc0:e0ad] has joined #openvpn
05:39 -!- raidzxx [~Andrew@seance.openvpn.org] has quit [Ping timeout: 265 seconds]
05:40 -!- Bebop2Steady [~Bebop2Ste@124-149-37-222.dyn.iinet.net.au] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/]
06:11 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn
06:14 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn
06:19 -!- Stava [~Stava@h-86-192.A197.priv.bahnhof.se] has joined #openvpn
06:19 < Stava> Do I need to open any ports to use OpenVPN? (client) I'm currently unable to open any port :(
06:30 < reiffert> outbound udp/1194
06:30 < reiffert> inbound (server side) udo/1194
06:30 < reiffert> udo=udp
06:31 -!- int_0x80___ [~int0x80@int0x80.big-daddy.fr] has joined #openvpn
06:33 -!- int_0x80_ [~int0x80@int0x80.big-daddy.fr] has quit [Ping timeout: 276 seconds]
06:39 -!- int_0x80___ is now known as int_0x80_
06:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 250 seconds]
06:48 -!- WinstonSmith [~true@f052101074.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
06:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
07:00 -!- int_0x80_ [~int0x80@int0x80.big-daddy.fr] has left #openvpn ["Quitte"]
07:02 -!- WinstonSmith [~true@g231217029.adsl.alicedsl.de] has joined #openvpn
07:36 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Read error: Operation timed out]
07:41 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn
07:41 -!- Guest77827 is now known as stony
07:56 -!- deever [~deever@static.172.68.46.78.clients.your-server.de] has joined #openvpn
07:56 < deever> hi
07:57 < deever> after TLS succeeds, my client sends infinite PUSH_REQUESTs to the server:
07:57 < deever> Sun Jan 9 14:50:31 2011 SENT CONTROL [VPN]: 'PUSH_REQUEST' (status=1)
07:58 < deever> which on the server looks like:
07:58 < deever> Sun Jan 9 15:50:48 2011 PUSH: Received control message: 'PUSH_REQUEST'
08:00 < deever> how can i make the connection come to completion?
08:07 -!- fredrika [~fredrika@c83-251-120-7.bredband.comhem.se] has joined #openvpn
08:08 < fredrika> Hi guys. I'm trying to set up an openvpn server, with no luck. The daemon starts ok at the server, but when I try to connect from the client it gets stuck at "UDPv4 link remote: [AF_INET]". Does anyone know what happens at this "stage"?
08:12 -!- alhadi [~thunderst@188.95.51.165] has quit [Quit: alhadi]
08:13 < deever> fredrika: does it work with TCP?
08:14 < fredrika> I have not tried. Was recommended to use UDP for security reasons.
08:15 < fredrika> deever, I'll have a go right away
08:19 < fredrika> deever, it does not. But I get another error. http://pastebin.com/Cw7TcrPm
08:26 < deever> xxx is a valid ip address in real? ;)
08:27 < deever> @fredrika
08:28 < deever> fredrika: and you can ssh between client and server?
08:28 < fredrika> deever, yes
08:28 < fredrika> deever, the firewall is not the issue
08:29 < fredrika> deever, i tried to flush iptables and connect over lan without any luck
08:29 < deever> you could try to tunnel over ssh for make tat ....
08:29 < deever> ..ah, ok
08:30 < fredrika> seems really strange.
08:31 < deever> try explicitly binding the server (to an address)
08:32 < fredrika> how do i do that?
08:33 < fredrika> Im running on port 12054. It is set up in both server and client config, but could this still perhaps be the issue?
08:33 < deever> "local 12.34.56.78"
08:33 < fredrika> Or can I choose port freely?
08:33 < fredrika> deever, aa sorry
08:33 < deever> with the ip you want to bind to
08:34 < deever> you better take the standard port (1194)
08:37 < fredrika> changed to port 1194, set the explicit bind. exactly the same message as before (pastebin)
08:39 < deever> fredrika: very strange...mb you paste the configs too?
08:40 < fredrika> sure
08:40 < fredrika> hold on
08:42 < fredrika> deever, http://pastebin.com/B46cECux
08:44 < fredrika> btw, "home" is set up in my host file to be 10.39.7.5
08:50 < deever> try omitting this tls-auth stuff
08:56 -!- sia^pwnnt is now known as sia
08:58 < fredrika> deever, Ok. Now it complains about the certificates. I'll just try to create new ones.
08:58 < fredrika> thanks for the help!
08:59 < deever> fredrika: mb you try out first with PSK..;)
08:59 < fredrika> deever, sounds like a plan..
09:00 < deever> x509 is a different hassle than vpn...;)
09:00 < deever> plan?
09:02 < fredrika> deever, like something worth checking out....
09:10 < deever> ah, ok! ;)
09:11 < deever> can someone here tell me how i prevent the client from sending PUSH_REQUESTs and just continuing setting up the connection?
09:12 < deever> server: http://pastebin.com/E9bMiQQM client: http://pastebin.com/SWxzJbLZ
09:29 -!- s7r [~s7r@83.170.111.154] has joined #openvpn
09:35 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
09:42 -!- alhadi [~thunderst@188.95.51.165] has joined #openvpn
09:43 -!- WinstonSmith [~true@g231217029.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
09:43 -!- agrajag [~agrajag^@CAcert/Assurer/agrajag] has quit [Quit: ZNC - http://znc.sourceforge.net]
09:45 -!- WinstonSmith [~true@g231217029.adsl.alicedsl.de] has joined #openvpn
09:47 -!- alhadi [~thunderst@188.95.51.165] has quit [Client Quit]
09:47 -!- fredrika [~fredrika@c83-251-120-7.bredband.comhem.se] has quit [Ping timeout: 272 seconds]
09:49 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Remote host closed the connection]
09:52 -!- WinstonSmith [~true@g231217029.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
09:52 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
09:52 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
09:52 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
09:58 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
09:59 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
10:06 -!- WinstonSmith [~true@g231242069.adsl.alicedsl.de] has joined #openvpn
10:24 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 276 seconds]
10:32 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Remote host closed the connection]
10:38 -!- takamichi [~pri@85.232.213.54] has quit [Ping timeout: 246 seconds]
10:39 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
10:39 -!- sia [115kluu@owned.ninjasinpyjamas.biz] has quit [Disconnected by services]
10:42 -!- sia_ [~115kluu@owned.ninjasinpyjamas.biz] has joined #openvpn
10:50 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
10:51 < deever> anyone here using openvpn as a L2 vpn? (with a bridge so the vpn uses the same IP subnet as the LAN)
10:53 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
10:53 < stony> deever: yes
10:53 < stony> deever: but for ipx things, same ips as in the local lan can be used via layer3
10:54 < deever> stony: ipx? you mean that old l3 protocol? ;)
10:55 < stony> deever: yeah ipx/spx/netbeui
10:55 < deever> lol...cool
10:56 < deever> stony: are you running openbsd on the server?
10:56 < stony> deever: on which server ?
10:56 < deever> on the openvpn server
10:56 -!- WinstonSmith [~true@g231242069.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
10:57 < stony> deever: no, but i know how to config brouting on free/openBSD as well
11:00 < deever> stony: does something look wrong in there for you? http://pastebin.com/qzzRu0qg
11:00 < stony> deever: when you tell me what you try to do - maybe
11:00 < stony> deever: you need a tap device if you want to bridge
11:00 < stony> tun is layer3
11:00 < deever> the tunnel itself works, but i can't even ping the router over the vpn
11:00 < deever> not on openbsd
11:01 < stony> deever: the firewall settings are adjusted so that the packets can flow towards the bridge ?
11:01 < deever> there you have to config 'dev tun0; dev-type tap'
11:02 < stony> deever: and assign the ip address to the bridge and not one of its interfaces: ifconfig em1 delete; ifconfig bridge0 192.168.168.1/24
11:03 < stony> deever: and then check if the mac address of the client that tries to ping is in the arp cache
11:03 < stony> and if the mac of the system you try to ping is in the clients arp cache
11:03 < stony> if the arp cache is filled, then it's only a layer3 firewall problem
11:03 < deever> # ifconfig bridge0 192.168.168.1/24
11:03 < deever> ifconfig: SIOCAIFADDR: Inappropriate ioctl for device
11:03 < stony> is it up ?
11:03 < deever> good idea with the arp cache
11:05 < deever> the bridge? yes
11:05 < stony> check if the bridge is up or add an "up" at the end: ifconfig bridge0 192.168.168.1/24 up
11:06 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 246 seconds]
11:06 -!- takamichi [~pri@85.232.213.54] has joined #openvpn
11:06 < deever> i get the same error with ifconfig bridge0 192.168.168.1/24 up
11:06 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn
11:07 < stony> deever: anything in the logs ?
11:07 < stony> deever: you deleted the ip from the ethernet interface before ?
11:09 -!- WinstonSmith [~true@f052101074.adsl.alicedsl.de] has joined #openvpn
11:11 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
11:14 < deever> stony: it also happens after a reboot...hmmm
11:14 < stony> deever: i'm "only" running freebsd but it works as it should
11:16 -!- jambooda1 [~cog@pool-98-109-218-165.nwrknj.fios.verizon.net] has joined #openvpn
11:16 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Ping timeout: 240 seconds]
11:19 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has left #openvpn []
11:27 -!- megabraker [c500bab3@gateway/web/freenode/ip.197.0.186.179] has joined #openvpn
11:27 < megabraker> hi guys
11:28 < megabraker> my country has many problems with liberty of expression, please can anyone help me to connect to a vpn server? am really broke and if anyone will help me i will be so grateful
11:40 -!- megabraker [c500bab3@gateway/web/freenode/ip.197.0.186.179] has quit [Quit: Page closed]
11:49 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
11:50 -!- jambooda1 [~cog@pool-98-109-218-165.nwrknj.fios.verizon.net] has quit [Ping timeout: 240 seconds]
12:02 -!- thomaschaaf [59b74c9c@gateway/web/freenode/ip.89.183.76.156] has joined #openvpn
12:02 < thomaschaaf> !route
12:02 < thomaschaaf> where is VPNhelper?
12:03 -!- luneff [~yury@84.51.205.26] has joined #openvpn
12:07 < hyper_ch> thomaschaaf: it got scared of you
12:07 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
12:09 -!- luneff [~yury@84.51.205.26] has quit [Read error: Connection reset by peer]
12:09 -!- luneff [~yury@84.51.205.26] has joined #openvpn
12:30 -!- zakx [zakx@gentoo/contributor/zakx] has joined #openvpn
12:30 < zakx> hi, does anyone know if it's intentional that only one client can connect to the management interface at once?
12:31 < zakx> and, more important, how to get rid of this limitation
12:35 < stony> zakx: afaik it's only made for one client
12:35 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Quit: No Ping reply in 180 seconds.]
12:35 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
12:36 < thomaschaaf> anyone know whether there is an irc for poptop? I need openvpn and poptop to work together :/ #pptp seems dead on this irc server
12:36 < stony> thomaschaaf: openvpn cant handle pptp (iirc)
12:37 < zakx> meh, that seems to be somewhat unfortunate, especially because there's no server-based timeout either. so any open connection sitting at ENTER PASSWORD: could practically block all other processes relying on the interface
12:37 < stony> zakx: yeah, and this interface should only be accessible by a specific user on a specific ip (localhost preferred)
12:38 < stony> zakx: but you can run openvpn as an inetd "client" and give each connection its own daemon with its own interface
12:38 < thomaschaaf> stony: they are not supposed to talk to each other directly, just need some routing help with pptp :/ because I need to send a route out to the client which it needs to add on connect
12:38 < stony> thomaschaaf: on the openvpn or on the pptp side ?
12:38 < thomaschaaf> pptp :( else it would be easy
12:39 < stony> thomaschaaf: on pptp pppd is used and you can offer the client additional routes through pppd and its config protocols
12:41 * stony gets something to eat
12:41 < stony> brb
12:42 -!- pcfreak30 [~derrick@cpe-098-027-009-128.triad.res.rr.com] has joined #openvpn
12:43 < pcfreak30> Hello. i am trying to run "openvpn --config client.ovpn" on ubuntu. my login is correct but it seems to error on DHCP. http://pastie.org/private/adjuu0lv8merjaz1zlzunw
12:50 -!- luneff [~yury@84.51.205.26] has quit [Read error: Connection reset by peer]
12:50 < stony> re
12:50 -!- luneff [~yury@84.51.205.26] has joined #openvpn
12:53 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
12:54 < pcfreak30> ?
12:56 -!- WinstonSmith [~true@f052101074.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
12:57 < stony> pcfreak30: is it a l2 or l3 connection ?
12:57 < pcfreak30> i dont follow
12:58 < pcfreak30> im on openvpn 2.1
12:58 < stony> tap or tun ?
12:58 < pcfreak30> i just realized and i saw a bug change log. its ubuntu 10.10
12:58 < stony> post your config please
12:58 < pcfreak30> h/o
12:59 < pcfreak30> http://pastie.org/private/vveavtezioqxitu5crwyfa
13:00 < pcfreak30> thats the part thats between all keys
13:00 < stony> but that's the client's config
13:00 < stony> i need the server side, because the push thingies come from the server
13:00 < pcfreak30> i dont follow
13:00 < pcfreak30> um i dont have that
13:00 < pcfreak30> i bought a service, i didn't run 1?
13:01 < pcfreak30> sh3lls.net
13:02 < stony> set the ping-timeout higher
13:03 < stony> ping-restart 100
13:03 < stony> they're sending ping-restart to your box but i guess it's too slow
13:03 -!- thomaschaaf [59b74c9c@gateway/web/freenode/ip.89.183.76.156] has quit [Quit: Page closed]
13:04 < stony> if you set it to 100 and it's still not working, check if you still can reach the openvpn server by ping
13:04 < pcfreak30> what number should i set it
13:04 < stony> ping-restart 100
13:04 < pcfreak30> and what bout the dhcp errors
13:04 < pcfreak30> what bout the dhcp errors
13:04 < pcfreak30> Sun Jan 9 13:30:42 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.1.0)
13:04 < pcfreak30> Sun Jan 9 13:30:42 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.1.0)
13:04 < pcfreak30> Sun Jan 9 13:30:42 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.1.0)
13:04 < pcfreak30> Sun Jan 9 13:30:42 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:18: register-dns (2.1.0)
13:04 < stony> the vpn connection is restarted because of a ping timeout
13:05 < stony> that's your problem
13:05 < stony> so either the ping-request is too low ooooor - they're breaking your route to the vpn daemon
13:05 < pcfreak30> well i had to add that
13:06 < pcfreak30> as that setting didnt even exist
13:06 < pcfreak30> ping-restart*
13:06 < pcfreak30> testing
13:07 < pcfreak30> nope
13:07 < pcfreak30> still the same
13:08 < stony> can you paste the latest log again ?
13:08 < pcfreak30> should i install the 2.2beta5?
13:08 < stony> pcfreak30: no
13:08 < pcfreak30> think it mentioned the exact error
13:10 < pcfreak30> http://pastie.org/private/vpjz5okkwphwx9tp2gaq
13:10 < stony> pcfreak30: everything was fine ...
13:11 < stony> you hit ctrl+c
13:12 < pcfreak30> no
13:12 < pcfreak30> my connection info didnt change when running
13:12 < pcfreak30> b4
13:12 < pcfreak30> and i get im not allowed to ping out
13:12 < pcfreak30> ping google.comderrick@dhammer:~$ ping google.com
13:12 < pcfreak30> PING google.com (74.125.67.99) 56(84) bytes of data.
13:12 < pcfreak30> ping: sendmsg: Operation not permitted
13:13 < stony> Sun Jan 9 14:07:14 2011 Initialization Sequence Completed
13:13 < stony> ^CSun Jan 9 14:07:39 2011 event_wait : Interrupted system call (code=4)
13:13 < stony> Sun Jan 9 14:07:39 2011 SIGTERM received, sending exit notification to peer
13:13 < stony> hm, i wonder what that ^C does on the 2nd line, and the SIGTERM ...
13:13 < pcfreak30> yes i know
13:13 < pcfreak30> i ctrl+c
13:13 < stony> yeah, you have to configure your firewall
13:13 < pcfreak30> b/c i couldnt ping out
13:13 < pcfreak30> for what ports
13:13 < stony> pcfreak30: i really want to help you, but if you lie to me, and i have to prove you wrong, then i won't help you anymore ...
13:14 < pcfreak30> um
13:14 < pcfreak30> please tell me why i would be lying
13:14 < pcfreak30> thats just stupid in the first place
13:14 < stony> pcfreak30: i don't like metadiscussion either
13:14 < stony> pcfreak30: connect, and try to ping the host you try to reach through the vpn
13:15 < pcfreak30> i bought a service. downloaded the config. installed openvpn. followed instructions on openvpn.net and trying to get in
13:15 < stony> pcfreak30: yeah, but your firewall is blocking outgoing icmp
13:15 < stony> pcfreak30: you have to open your firewall to be able to ping
13:15 < stony> pcfreak30: are you running linux ?
13:15 < pcfreak30> ping what host
13:16 < pcfreak30> and what ports do i need to allow?
13:16 < stony> icmp doesn't have ports
13:16 < pcfreak30> yes. ubuntu 10.04
13:16 < pcfreak30> i have firestarter
13:16 < pcfreak30> gui
13:17 < stony> all you need is: for i in INPUT FORWARD OUTPUT; do iptables -I $i 1 -p icmp -j ACCEPT; done
13:17 < stony> ppl blocking icmp are just stupid
13:17 < stony> i don't know where they have this crap from
13:17 < pcfreak30> and here i feel like a pc noob. kinda ironic being on that end
13:18 < stony> pcfreak30: just allow icmp incoming, outgoing and forwarded for all hosts
13:19 < pcfreak30> mk i ran that bash loop as root
13:19 < stony> pcfreak30: the Internet Control Message Protocol delivers the error reason why a connection is not working
13:19 < pcfreak30> any other shell scripts
13:19 < stony> (at least most of the time)
13:19 < stony> no, try to ping again
13:19 < pcfreak30> up any ports i do need to open on firestarter?
13:20 < stony> pcfreak30: again: icmp doesn't have ports
13:20 < pcfreak30> i know, just didnt know if i needed anything related to openvpn itself
13:21 < stony> pcfreak30: and what do you want to open in prodigy's song ?
13:21 < stony> connect and try to ping
13:23 < pcfreak30> 4 packets transmitted, 4 received, 0% packet loss, time 15282ms
13:23 < pcfreak30> dam
13:23 < pcfreak30> 4 packets transmitted, 4 received, 0% packet loss, time 15282ms
13:23 < stony> surprise!
13:23 < pcfreak30> it pings out but highly slow
13:24 < stony> yeah, that's because of the other endpoint
13:24 < pcfreak30> not sure if my network info should change in network-manager and wont connect to google. just hope the service didnt rip me off
13:25 < pcfreak30> now
13:25 < stony> just test and see
13:25 < pcfreak30> is there any way i can get this going via network-manager gui
13:25 < stony> maybe you have to check the nameservers
13:25 < stony> don't know
13:25 < pcfreak30> as ive tried to rip the key sets to their own files, but doesnt seem to go.
13:26 < stony> i have no clue, as i'm not running linux
13:26 < pcfreak30> i run linux for a reason though some times i feel things would go smoother in windows
13:27 < stony> pcfreak30: i'm running linux on servers, but not on desktop
13:27 < stony> pcfreak30: if you want a system without testing get windows or mac os x
13:27 < pcfreak30> so why exactly is it that i can ping but i cant connect to the web.
13:28 < stony> pcfreak30: you have to open the connection to the outer world via the vpn interface
13:28 < pcfreak30> is it a config prob or i got ripped off?
13:28 < pcfreak30> please explain?
13:28 < stony> if you have tun0 something like iptables -A OUTPUT -s 0/0 -d 0/0 -p tcp --dest-port 80 -m state --state NEW -j ACCEPT should do
13:28 < pcfreak30> sry for acting like a noob. just never used vpn b4
13:28 < stony> and you need iptables -I INPUT 1 -m state --state related,established -j ACCEPT
13:29 < pcfreak30> so in simple terms without iptables cmds, is there any ports i can open gui wise to do the same
13:30 < stony> pcfreak30: sure, dest port 80
13:30 -!- luneff [~yury@84.51.205.26] has quit [Read error: Connection reset by peer]
13:30 -!- luneff [~yury@84.51.205.26] has joined #openvpn
13:30 < pcfreak30> im not a noob like most. just dont think sometimes and pretty new to doing this. just wish my router supported vpn
13:31 < pcfreak30> i still cant find a cheap model to flash dd-wrt onto. i have wrt54gs but only 2 mb flash :(
13:31 < stony> yeah it's ok, please don't start crying
13:31 < pcfreak30> lol funny. i just rly would like to be able to get my xbox in the vpn. just a pain...
13:32 < pcfreak30> ill try to do this. will report back
13:32 < stony> pcfreak30: you need to know how layer2, layer3, routing, bridging and so on works, then you can do that
13:32 < pcfreak30> meh i know networking, just not deep enough i guess
13:32 < stony> it's not about the software you use, it's about understanding the technology behind the software
13:32 < pcfreak30> pcfreak30: and what do you want to open in prodigy's song ? <-=- whats that supposed to mean?
13:33 < stony> pcfreak30: ah just a typo
13:33 < pcfreak30> and i know
13:34 < Bushmills> pcfreak30: try ping -n your_host
13:34 < pcfreak30> stupid question. my host
13:34 < pcfreak30> u mean the vpn server?
13:35 < Bushmills> ping -n the_system_you_are_pinging_which_pings_slowly
13:35 < pcfreak30> btw to allow port 80 on the vpn. i need to open inbound or outbound
13:35 < pcfreak30> oh host as in target.lol. mk
13:35 < stony> pcfreak30: you need to open dest port 80 outbound
13:36 < pcfreak30> interesting. gui is set by permissive, so everything is open, nothing black listed
13:36 < pcfreak30> on outbound
13:37 < deever> stony: it works now! :)
13:37 < stony> deever: :)
13:37 -!- luneff [~yury@84.51.205.26] has quit [Ping timeout: 240 seconds]
13:37 < stony> deever: error?
13:38 < pcfreak30> well i mean i never opened port 80. i mean based on the config on firestarter gui its blacklist by default and nothing is blacklisted
13:38 < Bushmills> pcfreak30: for "can ping server but not internet", look at:
13:38 < Bushmills> !redirect
13:38 < Bushmills> hm. look at it once the bot is back
13:39 < deever> what i didn't know until now: on obsd you don't assign ip addresses to bridges, but configure the same network twice (on each member iface) and then bridge them together! :)
13:39 < Bushmills> in the meantime, read in manual about --redirect-gateway
13:39 < pcfreak30> Bushmills, you talking to me?
13:39 < stony> deever: wtf!?
13:40 < stony> Bushmills: it's just its firewall that is not allowing anything out ...
13:40 < stony> Bushmills: everything else is working
13:40 < Bushmills> pcfreak30: that's why i started with "pcfreak:"
13:40 < pcfreak30> hmm, didnt see that
13:40 < pcfreak30> lol
13:40 < pcfreak30> nvm,
13:41 < pcfreak30> so all in all to summarize. seems dhcp gives errors on connecting. i can ping extremely slow but i can not access the net due to fwl prob...
13:42 < Bushmills> so disable firewall for testing
13:47 -!- pcfreak30 [~derrick@cpe-098-027-009-128.triad.res.rr.com] has quit [Disconnected by services]
13:47 -!- pcfreak30 [~derrick@64.32.15.130] has joined #openvpn
13:47 < pcfreak30> ...
13:47 < pcfreak30> im in
13:47 < pcfreak30> fwl was screwing everything
13:48 < pcfreak30> had to reconnect though new ip
13:52 < deever> stony: ?
13:53 -!- p3rror [~mezgani@41.248.186.227] has joined #openvpn
13:54 < stony> deever: hm?
14:03 -!- pcfreak30 [~derrick@64.32.15.130] has quit [Ping timeout: 260 seconds]
14:08 < deever> stony: wtf what?
14:11 < stony> deever: eh?
14:13 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
14:13 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
14:13 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
14:18 -!- pcfreak30 [~derrick@cpe-098-027-009-128.triad.res.rr.com] has joined #openvpn
14:28 < stony> do i hit the e-mail-in-dn-problem again?
14:29 -!- star314 [~star314@starnet1.sinh.us] has joined #openvpn
14:30 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Quit: Leaving.]
14:32 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
14:32 < stony> i do
14:32 < stony> *gna*
14:49 -!- p3rror [~mezgani@41.248.186.227] has quit [Ping timeout: 265 seconds]
14:51 -!- stony [~ol@2a01:198:6f7::dead:beef:0] has quit [Ping timeout: 272 seconds]
14:55 -!- stony [~ol@2a01:198:6f7::dead:beef:0] has joined #openvpn
15:12 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
15:16 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
15:17 -!- jambooda1 [~cog@108.sub-174-252-10.myvzw.com] has joined #openvpn
15:18 -!- p3rror [~mezgani@41.140.38.61] has joined #openvpn
15:19 -!- Stava [~Stava@h-86-192.A197.priv.bahnhof.se] has quit [Read error: Connection reset by peer]
15:21 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Ping timeout: 276 seconds]
15:25 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
15:27 -!- jambooda1 [~cog@108.sub-174-252-10.myvzw.com] has quit [Remote host closed the connection]
15:28 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
15:40 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn
15:48 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Ping timeout: 240 seconds]
15:48 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
15:49 -!- p3rror [~mezgani@41.140.38.61] has quit [Ping timeout: 276 seconds]
15:52 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Remote host closed the connection]
15:54 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
15:57 -!- sia_ is now known as sia^pwnnt
16:12 -!- djgerm [~Your_Moms@c-67-169-142-196.hsd1.ca.comcast.net] has joined #openvpn
16:16 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Remote host closed the connection]
16:17 -!- p3rror [~mezgani@41.140.159.175] has joined #openvpn
16:22 -!- pcfreak30 [~derrick@cpe-098-027-009-128.triad.res.rr.com] has quit [Read error: Operation timed out]
16:22 -!- pcfreak30 [~derrick@cpe-098-027-009-128.triad.res.rr.com] has joined #openvpn
16:26 -!- jonkri [~jonkri@pontarius/jon] has joined #openvpn
16:26 < jonkri> !welcome
16:26 < jonkri> !goal
16:27 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
16:27 < jonkri> does openvpn support using openvpn using the control panel etc (without using a console or the openvpn gui package or whatever)?
16:35 < Bushmills> many use a text editor to edit the config files
16:35 < Bushmills> after that, it is just turning on and off. no gui needed for that
16:36 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Remote host closed the connection]
16:48 < jonkri> i don't know if that's acceptable for me from a usability and/or software dependency perspective
16:48 < jonkri> thanks Bushmills
16:49 -!- mant1s [~mant1s@cpe-76-179-27-79.maine.res.rr.com] has joined #openvpn
16:49 -!- mant1s [~mant1s@cpe-76-179-27-79.maine.res.rr.com] has quit [Changing host]
16:49 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:52 < Bushmills> jonkri: tendency seems to be that windows users prefer a toolbar applet for turning on and off openvpn, possibly because it is more clumsy there to run a connect script
16:53 < Bushmills> otoh, most users i know let the system run openvpn during boot, and keep it running all the time
16:53 < Bushmills> therefore no user interface needed
17:18 < jonkri> ok, maybe that is the way to go then
17:19 < jonkri> are there no open source vpn servers that work with windows vpn configuration?
17:27 -!- s7r [~s7r@83.170.111.154] has left #openvpn []
17:29 -!- ashes [~ashes@modemcable247.172-202-24.mc.videotron.ca] has quit [Remote host closed the connection]
17:29 -!- common [~common@p5DDA4406.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
17:29 -!- ashes [~ashes@modemcable247.172-202-24.mc.videotron.ca] has joined #openvpn
17:32 -!- js_ [~js@213.180.83.163] has quit [Ping timeout: 276 seconds]
17:33 -!- js_ [~js@213.180.83.163] has joined #openvpn
17:34 -!- pcfreak30 [~derrick@cpe-098-027-009-128.triad.res.rr.com] has quit [Ping timeout: 276 seconds]
17:37 -!- common [~common@p5DDA4406.dip0.t-ipconnect.de] has joined #openvpn
17:38 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 250 seconds]
17:44 -!- pcfreak30 [~derrick@cpe-098-027-009-128.triad.res.rr.com] has joined #openvpn
17:45 < krzie> jonkri, sure there are, but you wont get support for them here
17:45 < krzie> !pptp
17:46 < krzie> wtf!
17:47 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
17:47 -!- mode/#openvpn [+o vpnHelper] by ChanServ
17:47 < krzie> !version
17:47 <@vpnHelper> The current (running) version of this Supybot is 0.83.4.1. The newest version available online is 0.83.4.1.
17:47 < krzie> grr
17:48 < krzie> jonkri,
17:48 < krzie> !pptp
17:48 <@vpnHelper> "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read about
17:48 <@vpnHelper> why to not use pptp
17:48 < krzie> thats the ms protocol
17:51 -!- WinstonSmith [~true@g231241009.adsl.alicedsl.de] has joined #openvpn
17:51 < jonkri> ah, thanks
17:53 < jonkri> will use openvpn then :) just curious - are there any commercial products working with this default windows vpn configs? (are they using pptp?)
18:03 < Bushmills> yes. windows.
18:04 < jonkri> ok, thanks
18:04 < jonkri> good night people!
18:04 -!- jonkri [~jonkri@pontarius/jon] has quit [Quit: Leaving]
18:04 < Bushmills> though the term "working" would need clarification
18:05 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Remote host closed the connection]
18:13 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
18:17 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 250 seconds]
18:48 -!- britt [~britt@h53.56.141.67.static.ip.windstream.net] has joined #openvpn
18:49 < britt> good evening. I am trying to configure OpenVPN with a bridged network interface (layer 2) and tried to test this in OSX. I read this only works successfully in Windows. Is this still a true fact?
18:53 < |Mike|> try reading the topic and follow the steps
18:53 < britt> !welcome
18:53 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:55 < Bushmills> britt: i heard that OSX doesn't support bridges. linux otoh does.
18:55 < britt> Bushmills: thank you. That's actually a very helpful response.
18:56 < Bushmills> !tunortap
18:56 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
18:56 <@vpnHelper> over the vpn, or (#4) lan gaming? use tap!
18:56 < britt> The only reason I would need Layer2 is for Windows SMB packets and NetBios stuff. I want to allow users on the VPN to access their shared drives
18:57 < britt> hah
18:57 < Bushmills> then #2 would apply
18:57 < britt> !wins
18:57 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
18:58 < britt> Bushmills: excellent. Already doing that on my Samba instance. Thanks for your help. |Mike| thanks for telling me to check the topic
18:59 < |Mike|> yw
19:03 -!- britt is now known as heyyyy
19:03 -!- heyyyy is now known as bd1308
19:04 -!- p3rror [~mezgani@41.140.159.175] has quit [Ping timeout: 255 seconds]
19:05 * bd1308 <3|Mike|
19:05 < |Mike|> err?
19:05 < |Mike|> rtfm or die :-)
19:05 < |Mike|> (c) 2011
19:07 < bd1308> |Mike|: how concise mike. so many thoughts in so few words. congrats on the copyright
19:07 < |Mike|> now you have to pay me.
19:08 < bd1308> |Mike|: I only have a money order for $5000 from nigeria. can you provide change
19:09 < |Mike|> mossad can handle *
19:09 < bd1308> excellent
19:10 < |Mike|> smartiepants, nice to know you. I have to inform you that you're ignored for now 2011/01/10 02:10:40
19:11 < bd1308> excellent
19:11 < |Mike|> CET.
19:12 < bd1308> Bushmills: thanks for being helpful man. I appreciate it. Nice to know there's some good people still on IRC. I've already got the config in samba setup, so i'll give that a try. It didnt appear OSX would do bridges so i'll try the other way. Thanks.
19:13 < Bushmills> np
19:15 -!- Bebop2Steady [~Bebop2Ste@124-149-37-222.dyn.iinet.net.au] has joined #openvpn
19:16 -!- WinstonSmith [~true@g231241009.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
19:21 -!- pcfreak30 [~derrick@cpe-098-027-009-128.triad.res.rr.com] has quit [Read error: Operation timed out]
19:22 -!- pcfreak30 [~derrick@64.32.15.130] has joined #openvpn
19:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
19:24 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 265 seconds]
19:29 -!- WinstonSmith [~true@f052101172.adsl.alicedsl.de] has joined #openvpn
19:31 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:37 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
19:45 -!- pcfreak30 [~derrick@64.32.15.130] has quit [Quit: Leaving]
19:50 -!- jambooda1 [~cog@pool-98-109-218-165.nwrknj.fios.verizon.net] has joined #openvpn
19:51 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
19:54 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Ping timeout: 240 seconds]
20:02 -!- p3rror [~mezgani@41.140.97.34] has joined #openvpn
20:08 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
20:10 -!- jambooda1 [~cog@pool-98-109-218-165.nwrknj.fios.verizon.net] has quit [Ping timeout: 240 seconds]
20:26 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:32 -!- Bushmills [~l@scarydevilmonastery.net] has left #openvpn []
20:44 -!- Bushmills [~l@scarydevilmonastery.net] has joined #openvpn
20:46 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
20:46 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
20:46 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
20:54 < derekv> I doubt this is news to anyone, but it seems like I can run openvpn from the command line as an unprivileged user in windows, the only thing that snags is adding the route
20:55 < derekv> Thats a heck of a thing if its the only hang up
20:57 -!- p3rror [~mezgani@41.140.97.34] has quit [Ping timeout: 240 seconds]
21:00 < derekv> one can push routes over dhcp
21:01 < derekv> windows should accept it since that is how its receiving the ip address
21:10 -!- p3rror [~mezgani@41.140.29.16] has joined #openvpn
21:15 < derekv> ahh... "When OpenVPN is running as a service, it will make a "best-effort" to remain always connected. That means that whenever it senses that it can reach the server, it will try to connect, and when the server is not reachable or the internet connection is down, it will go into a wait state." (-Yonen.. a long time ago)
21:16 < derekv> So the only thing you're losing out on is a bit of manual control and a nifty status tray icon
21:16 < derekv> And those things should eventually be fixed.
21:17 < derekv> If I understand correctly.
21:30 < derekv> and the ability to put very strong protections on the keyfile I guess
21:32 <@vpnHelper> RSS Update - forum: [newbie/2.0.9] Checking that OpenVPN is OK?
21:38 <@vpnHelper> RSS Update - forum: Help sharing printers in openvpn and windows xp || To change port
21:46 < Bebop2Steady> For openvpn service sellers (selling access to openvpn servers for web browsing etc), what would be the best method for authenticating users?
21:47 < Bebop2Steady> by 'best' I mean easiest to automate
21:50 < Bebop2Steady> eurephia.net looks good for an automated system, but the manual says its for TAP only.
21:53 < krzie> derekv, the ability to put ANY protections on the keyfile, other than filesystem permissions
21:55 < derekv> krzee, Yea I put filesystem permissions in the group of "not very strong protections"
21:56 < derekv> krzie
22:17 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:21 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Read error: Connection reset by peer]
22:21 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:25 < Bebop2Steady> auth-user-pass-verify + client-cert-not-required + username-as-common-name looks to be the easiest to automate with scripts i guess.
22:33 < krzie> aka
22:33 < krzie> !authpass
22:33 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
22:42 -!- alhadi [~thunderst@188.95.51.165] has joined #openvpn
22:46 < Bebop2Steady> User/pass is highly *not* recommended why? I am guessing the idea is that a cert is harder to steal?
22:50 < krzie> will you be auditing against brute forcing?
22:50 < krzie> basically, when you ONLY use passwords, your entire vpn is as secure as your password
22:50 < krzie> but for what you were talking about, maybe thats ok to you
22:51 < krzie> personally, none of my setups will be only password
22:51 < krzie> i use 4096bit rsa certs, with passphrases on the keys
22:55 < Bebop2Steady> I will be auditing against brute forcing, and then blocking with iptables..
22:58 -!- WinstonSmith [~true@f052101172.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
22:59 < Bebop2Steady> Automation is the killer for me. I'm not proficient enough with linux to script up an automated system for managing users + certs for a VPN chain (where they need to be auth'd by two separate servers).
23:03 < Bebop2Steady> by 'they' i mean end-users...
23:05 < Bebop2Steady> Actually.. with vpnchains it would be interesting to just disable auth altogether once the end-users are inside the first VPN/LAN
23:05 < Bebop2Steady> Then just manage certs for the entry server, that would be manageable.
23:15 < derekv> From reading the docs, it says here that the probability of finding yourself in a universe compatible with your existence is 1...
23:16 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:17 < Bebop2Steady> Unless you never find yourself.
23:17 -!- bd1308 [~britt@h53.56.141.67.static.ip.windstream.net] has quit [Quit: leaving]
23:19 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
23:22 < Bebop2Steady> also, quote: "If you go back 10 generations (250 years) the chance of you being born at all is at most 1 divided by 6 x 10100" .. so I dare say, your chances of finding yourself in a universe compatible with your existence has to be equal or less than 1 divided by 6 x 10100
23:23 < Bebop2Steady> 6 x 10 exp 100
23:23 < Bebop2Steady> aka 1 in 60000000000000000000000000000000000 00000000000000000000000000 000000000000000000000000000000000000
23:27 < Bebop2Steady> so, the probability of *finding yourself* in a compatible universe cannot be 1, since *finding yourself* first requires *existing*
23:28 < djgerm> !multidimensional_philosophy
23:28 < djgerm> hmmm no entry...
23:29 -!- djgerm [~Your_Moms@c-67-169-142-196.hsd1.ca.comcast.net] has quit [Quit: Leaving.]
23:49 -!- alhadi [~thunderst@188.95.51.165] has quit [Read error: Connection reset by peer]
23:50 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
--- Day changed Mon Jan 10 2011
00:07 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
00:08 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
00:09 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
00:34 -!- sht [sht@2607:f0d0:2001:8b:20c:29ff:fe08:9753] has joined #openvpn
00:36 -!- Xen^ [~linux@vpn.server4sale.com] has joined #openvpn
00:37 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 260 seconds]
00:38 -!- Bebop2Steady [~Bebop2Ste@124-149-37-222.dyn.iinet.net.au] has quit [Ping timeout: 248 seconds]
00:54 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn
01:08 -!- takamichi [~pri@85.232.213.54] has quit [Ping timeout: 264 seconds]
01:11 -!- takamichi [Takamichi@85.232.213.54] has joined #openvpn
01:25 -!- dazo_afk is now known as dazo
01:27 <@vpnHelper> RSS Update - forum: how to add a kernel's route on the openvpn server?
01:28 -!- fipu_ [c341fe04@gateway/web/freenode/ip.195.65.254.4] has joined #openvpn
01:28 < fipu_> Hi guys
01:29 < fipu_> I use openvpn access server
01:29 < fipu_> how can I set the VPN-Server IP (in the VPN)?
01:29 < fipu_> I use 10.1.1.0/24 and want the server to get 10.1.1.1 so that the server is reachable by the clients
01:30 < fipu_> actually if I make a traceroute to 10.1.1.1 from a Client in the VPN (10.1.1.100) then the first hop is 5.5.0.1 (VPN-Server?)
01:54 < kraut> morning
01:54 < fipu_> morning kraut
01:54 < fipu_> do you know your way around the access server?
01:54 < kraut> access server?
01:54 < kraut> i only know my way around the "community" server
01:55 < hyper_ch> !english
01:55 < kraut> apart from that, please use english.
01:55 < kraut> hyper_ch: calm down
01:55 < fipu_> :P
01:55 < hyper_ch> too bad there's no factoid
01:56 < fipu_> mh, so can someone help me with my problem?
01:56 < hyper_ch> kraut: did you see me shout?
01:56 < fipu_> and got another problem now
01:56 < kraut> fipu_: if you don't tell me what your problem is, i can't help you.
01:56 < fipu_> I disabled "Should clients be allowed to access network services on the VPN gateway IP address?" but I can still ping the VPN-Server
01:56 < kraut> gui?!
01:56 < fipu_> let us check this one first please :)
01:57 < fipu_> that's the bigger problem
01:59 -!- albech [~thomas@119.42.78.59] has joined #openvpn
02:00 < fipu_> kraut: ?
02:00 < kraut> are you talking about any gui?
02:01 < fipu_> What do you mean with any gui?
02:01 < kraut> graphical user interface
02:01 < fipu_> I know
02:01 < fipu_> Client is a windows xp sys
02:02 < fipu_> otherwise I don't know what you mean with gui
02:02 < fipu_> openvpn access server webUI
02:02 < fipu_> :)
02:02 < fipu_> If you mean that
02:02 < kraut> where did you enable this option? within the configuration file or with a gui?
02:02 < kraut> webui!?
02:03 < fipu_> yes?
02:03 < fipu_> not good?
02:03 < kraut> hmm, i have no idea about this access server
02:03 < fipu_> ok...
02:03 < fipu_> someone else?
02:03 < hyper_ch> any reason why you use access server?
02:04 -!- zamba [marius@flage.org] has joined #openvpn
02:04 < kraut> fipu_: normally with the community server (i hate this naming) you need just the option "client-to-client"
02:04 < fipu_> I know
02:04 < fipu_> I used the "non gui" server before
02:05 < fipu_> hyper_ch: yes, Client management
02:05 < fipu_> and see connected user
02:05 < fipu_> easy revoke certificates etc.
02:06 < krzie> !AS
02:06 <@vpnHelper> "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
02:06 <@vpnHelper> supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
02:06 < krzie> #4
02:06 < krzie> we dont support AS here
02:12 < hyper_ch> good morning krzie
02:12 < krzie> morning
02:13 < krzie> playin with my cgi's
02:13 < hyper_ch> that sounds rather dirty ;)
02:13 < krzie> ;]
02:15 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:16 * dazo things cgi's is so 1990.....
02:17 <@dazo> s/ings/inks/
02:24 < krzie> sure, but perfect for this
02:25 < krzie> i never needed them in the 90's
02:25 < krzie> ;]
02:40 -!- zakx [zakx@gentoo/contributor/zakx] has left #openvpn []
02:55 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
03:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
03:14 -!- Malard [~ident@xbmc/staff/malard] has quit [Read error: Connection reset by peer]
03:15 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn
03:16 -!- mrle0 [~fin@82.132.243.47] has joined #openvpn
03:16 -!- Malard|Home [~ident@hebe.travelrepublic.co.uk] has joined #openvpn
03:16 -!- Malard|Home [~ident@hebe.travelrepublic.co.uk] has quit [Changing host]
03:16 -!- Malard|Home [~ident@xbmc/staff/malard] has joined #openvpn
03:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
03:18 -!- nb [~nb@fedora/nb] has quit [Read error: Operation timed out]
03:20 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 240 seconds]
03:22 -!- nb [~nb@fedora/nb] has joined #openvpn
03:29 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
03:31 -!- mrle0 [~fin@82.132.243.47] has quit [Quit: Leaving]
03:41 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn
03:48 -!- master_of_master [~master_of@p57B52F1C.dip.t-dialin.net] has quit [Read error: Operation timed out]
03:52 -!- master_of_master [~master_of@p57B56916.dip.t-dialin.net] has joined #openvpn
03:53 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
03:56 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
04:02 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
04:08 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
04:21 -!- noisebleed [~quassel@piggy.inescn.pt] has joined #openvpn
04:21 -!- noisebleed [~quassel@piggy.inescn.pt] has quit [Changing host]
04:21 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:41 -!- common- [~common@p5DDA4467.dip0.t-ipconnect.de] has joined #openvpn
04:44 -!- common [~common@p5DDA4406.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
04:44 -!- common- is now known as common
05:01 <@vpnHelper> RSS Update - forum: Can somebody help me with OPENVPN Please?
05:06 -!- Bebop2Steady [~Bebop2Ste@124.169.156.37] has joined #openvpn
05:11 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Quit: leaving]
05:26 -!- s7r [~s7r@178.16.22.27] has joined #openvpn
05:36 -!- s7r [~s7r@178.16.22.27] has quit [Ping timeout: 240 seconds]
05:37 -!- WinstonSmith [~true@e177089065.adsl.alicedsl.de] has joined #openvpn
05:37 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Ping timeout: 260 seconds]
05:38 -!- s7r [~s7r@212.117.186.78] has joined #openvpn
05:46 -!- Xen^ [~linux@vpn.server4sale.com] has quit []
05:50 -!- fipu_ [c341fe04@gateway/web/freenode/ip.195.65.254.4] has quit [Ping timeout: 265 seconds]
05:54 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn
05:56 -!- Cain [~Geek@unaffiliated/cain] has quit [Read error: Operation timed out]
05:56 -!- Cain` is now known as Cain
06:10 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
06:10 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
06:10 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:15 < Bebop2Steady> Good bash script around for generating client certs, with 1 argument passed (common name/username)?
06:20 < kraut> easy-rsa?
06:23 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
06:23 < Bebop2Steady> oh yea.. i mean easy rsa
06:27 < Bebop2Steady> I could have been more clear... specifically I mean adding new clients later. so if/when i randomly need to add a client, I dont have to go looking up tutorials and guides and risk stuffing something up.
06:30 < Bebop2Steady> !auth
06:30 < Bebop2Steady> !welcome
06:30 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:35 < Bebop2Steady> 'build-key' looks like the main one I should be doing per new client
06:38 <@dazo> Bebop2Steady: that sounds correct to me .... or build-key-pass if you want to password protect the key ... or build-key-pkcs12 if you want a certificate/key bundle (one file containing CA cert, client cert and client key)
06:39 < Bebop2Steady> thx.. I have been following a wiki.. and i think the prob is that i keep doing too many steps for new clients
06:39 <@dazo> Bebop2Steady: which wiki?
06:40 < Bebop2Steady> http://library.linode.com/networking/openvpn/debian-5-lenny
06:40 <@vpnHelper> Title: Deploy VPN Services with OpenVPN - Secure Communications with OpenVPN on Debian 5 (Lenny) - Linode Library (at library.linode.com)
06:40 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
06:40 <@dazo> you basically need to do the . ./vars thing and then ./build-key{,-pass,-pkcs12} ... and then copy the needed files to the new client, and that's it
06:41 < Bebop2Steady> ahh so the . ./vars is required for every new client?
06:41 <@dazo> not every new client ... but each time you close your shell
06:41 <@dazo> . ./vars prepares several environment variables for you
06:42 * dazo finds that a completely silly way of doing it ... but I might not see the complete picture
06:42 <@dazo> (however, my opinion is about the easy-rsa implementation, and nothing else)
06:42 < Bebop2Steady> and for each new client i generate, .. how many files are new?
06:43 < Bebop2Steady> I guess these 2:
06:43 < Bebop2Steady> client1.crt
06:43 < Bebop2Steady> client1.key
06:43 <@dazo> client.key and client.crt (their names will change, according to the "client name" you provide)
06:43 <@dazo> so you need client.{key,crt} and ca.crt to be sent to the client
06:43 <@dazo> if you use the -pkcs12 ... you only get a client.p12 file instead
06:43 < Bebop2Steady> and ca should always be the same..
06:43 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has joined #openvpn
06:43 <@dazo> yes
06:44 < Bebop2Steady> and the .conf or .ovpn can stay same too....
06:44 <@dazo> CA is always the same ... that is the certificate of the instance signing the key ... and the clients use ca.crt to validate the server
06:44 <@dazo> you'll need to adapt the conf file to match the name of the client keys/cert files ... everything else stays the same
06:45 <@dazo> (re: CA ... the ca.crt is also used on the server side, to validate the client certificates .... and the complete easy-rsa directory does not need to stay on the openvpn server at all, in fact it is recommended to not have it on the openvpn server)
06:46 < Bebop2Steady> well that is an interesting point..
06:46 < Bebop2Steady> the rsa tools sometimes say "commit?" and database updated
06:47 <@dazo> yeah, it means updating the CA files in the easy-rsa dir (or wherever you set the CA path in ./vars)
06:47 < Bebop2Steady> what is this database? and does it mean I cant use a separate location/node/hardware to take care of generating certs and ca stuff ?
06:47 <@dazo> it's in fact that directory which should be super-duper secret ... and can be completely offline when you don't need to sign new keys
06:48 < Bebop2Steady> ahh the db is a dir
06:48 <@dazo> the database is basically a register over all keys that CA have signed
06:49 <@dazo> and since easy-rsa also creates keys, signing requests and certificates and stores them ... it is highly recommended to have them on a completely different box
06:49 < Bebop2Steady> i prefer to have them on a dif box..
06:49 < Bebop2Steady> can they be generated/created on the different box, and then scp'd to the vpn server ?
06:49 <@dazo> and if you lose the ca.key (or it gets stolen) ... you can't trust your CA any more ... as others can then create new client certificates
06:50 <@dazo> Bebop2Steady: yes, you can create all on a different box ... and the server only needs server.key, server.crt and ca.crt ... nothing more
06:50 < Bebop2Steady> oh thats great :]
06:50 <@dazo> (well, dh.pem might come in addition)
06:50 < Bebop2Steady> i can stop making a mess of all these files on my vpn
06:50 <@dazo> that's the core principle of PKI ... the trusted third party, which client and server trust
06:51 -!- alhadi [~thunderst@188.95.51.165] has joined #openvpn
06:52 < Bebop2Steady> thank you for this much valued information / insight. I can get to work on some tidy up.. full restart actually.
06:52 <@dazo> :)
06:52 <@dazo> Bebop2Steady: you're welcome!
06:53 < alhadi> hello
06:53 < Bebop2Steady> :] thx
06:53 <@dazo> !welcome
06:53 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:53 <@dazo> alhadi: ^^^
06:54 < alhadi> i see
06:54 < alhadi> :)
06:54 < alhadi> !logs
06:54 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
06:54 < alhadi> one moment i'll set verb to 5
06:55 < alhadi> !pb
06:55 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
06:56 -!- mrle0 [~fin@85.69.2.81.in-addr.arpa] has joined #openvpn
07:06 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 240 seconds]
07:09 -!- mrle0 [~fin@85.69.2.81.in-addr.arpa] has quit [Read error: Operation timed out]
07:11 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn
07:12 -!- mrle0 [~fin@85.69.2.81.in-addr.arpa] has joined #openvpn
07:12 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
07:16 -!- Stylles [bd0b38eb@gateway/web/freenode/ip.189.11.56.235] has joined #openvpn
07:16 < Stylles> Hi
07:18 -!- macsppadic is now known as Directorsppadic
07:33 -!- Stylles [bd0b38eb@gateway/web/freenode/ip.189.11.56.235] has quit [Ping timeout: 265 seconds]
07:40 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:40 -!- gladiatr [~gladiatr@madeline.boneyard.lawrence.ks.us] has joined #openvpn
07:47 -!- mrle0 [~fin@85.69.2.81.in-addr.arpa] has quit [Quit: Leaving]
07:55 -!- dollabill [~mike@199.44.8.98] has joined #openvpn
07:59 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has quit [Quit: Leaving]
07:59 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has joined #openvpn
08:04 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn
08:04 -!- iceberg is now known as bmmcwhirt
08:05 -!- bmmcwhirt [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Client Quit]
08:05 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn
08:05 -!- iceberg is now known as bmmcwhirt
08:30 -!- theDoc [~Link@bb219-74-102-217.singnet.com.sg] has joined #openvpn
08:31 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 240 seconds]
08:37 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
08:46 < peper> hello
08:47 < peper> I have followed http://openvpn.net/index.php/open-source/documentation/howto.html#pki
08:47 <@vpnHelper> Title: HOWTO (at openvpn.net)
08:47 < peper> and the tunnel seems to be set up correctly
08:48 < peper> but when I ping I see in the interface stats the packets are sent
08:48 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn
08:48 < peper> but no replies are coming back
08:48 < peper> any common pitfalls?
08:48 -!- bmmcwhirt [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Read error: Connection reset by peer]
08:51 -!- theDoc [~Link@bb219-74-102-217.singnet.com.sg] has quit [Quit: Lost terminal]
08:52 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:54 < dschuett> peper: what OS are you running the server on?
08:56 < peper> dschuett: linux
08:56 -!- rjd_ [~rjd@212.112.31.11] has joined #openvpn
08:56 < peper> dschuett: i see the pings on both the client and server interfaces
08:56 < peper> but no responses sent back
08:58 < dschuett> pastebin your server and client configs
08:58 <@dazo> peper: sounds like routing is wrong ... on the server, check with tcpdump on your internal lan interface and your tun/tap device ... to see where the packets go
08:58 < peper> dazo: i checked tcpdump -i any and I can only see the ICMP echo
08:58 < peper> no replies
08:59 < peper> I currently use one box for client and server for testing
08:59 <@dazo> peper: is your openvpn server also the default gateway for your LAN?
08:59 < peper> no
09:00 < peper> http://paste.pocoo.org/show/318297/
09:00 <@dazo> peper: that might be the reason ... try to either set the route to your VPN subnet on the client you're trying to reach, or on the default gateway ... so that your VPN subnet goes via the LAN interface of your openvpn server
09:00 < peper> client and server conf, ifconfig and route output
09:01 <@dazo> peper: and if that's not working ... check firewalls
09:02 <@dazo> peper: when you say tcpdump -i any and I can only see the ICMP echo ... I presume you see ICMP echo going out on your LAN interface on your openvpn server
09:02 < dschuett> peper: yes you will more than likely have to set a route since you are not using the openvpn server on your default gw - as dazo said.
09:03 < peper> could you give me an example?
09:03 < peper> it seems like some routes have been added
09:04 <@dazo> but you need it also either on a) your default gateway (which is not your openvpn server, as you said) or b) on the LAN client itself you are trying to ping
09:04 <@dazo> you then need a route like: route add -net netmask gw
09:04 < peper> it's the same box
09:05 <@dazo> then we're away from the fast track
09:05 <@dazo> !logs
09:05 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
09:05 <@dazo> !configs
09:05 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
09:05 <@dazo> !goal
09:05 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:13 < Bebop2Steady> I had the same problem once. Solved it with: iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
09:21 -!- daguz1 [~leo@208.1.63.50] has left #openvpn []
09:22 -!- dschuett [~dschuett@216.229.21.250] has quit [Ping timeout: 276 seconds]
09:25 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn
09:28 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
09:37 < ecrist> hola
09:37 -!- Irssi: #openvpn: Total of 125 nicks [2 ops, 0 halfops, 0 voices, 123 normal]
09:37 < Bebop2Steady> I've a theoretical question: Can a route be pushed from the 3rd node back to the laptop.. I am curious can the route get thru the middle node which has no server instance? http://i52.tinypic.com/2dkhded.jpg
09:38 < Bebop2Steady> ( also, hola ecrist)
09:42 < Bebop2Steady> I'm thinking the answer to be *no*, unless clients can push routes to servers also...
09:45 < gladiatr> If I'm reading your diagram correctly and understanding your question properly, I would say that you wouldn't need to. If CountryC and B are aware of each other, route-wise, your client system would be able to communicate with B
09:46 -!- luneff [~yury@84.51.195.188] has joined #openvpn
09:46 < Bebop2Steady> thx for response. country A has got client-to-client mode off.. laptop wants to be able to ping country C
09:47 < gladiatr> ohhh... I see
09:48 < Bebop2Steady> I'm pushing route from C (server) to B (client)... and then.. I can't see how to push it further back to A
09:49 < Bebop2Steady> I can put a Server instance on B though.. and push it with that.. just wondering if it's necessary, logically and technically.
09:49 < gladiatr> That would require (I think), an iroute and a route definition on server A to set up return routes for getting packets sent to server C.
09:49 < Bebop2Steady> ahh OK.. I have route + iroute on C... so should have it on A too ?
09:50 < gladiatr> I'm thinking that would take care of it
09:51 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
09:55 < Bebop2Steady> thx for your help.. ima head off n try it.
09:56 < Bebop2Steady> 3am here though. so better sleep b4 i get too tired.
09:56 -!- Bebop2Steady [~Bebop2Ste@124.169.156.37] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/]
10:14 -!- Chris___ [goose@well.i.made.ur-mom.go.honk-honk.org] has joined #openvpn
10:15 < Chris___> I'm having an issue with my VPN connection, that I can't perform DNS lookups, so I can't effectively do anything :/
10:15 < gladiatr> windows client?
10:16 < gladiatr> Chris___, is this a windows client?
10:16 < Chris___> no, Debian Squeeze
10:16 < Chris___> I've tried manually assigning 8.8.8.8 and 8.8.4.4 as DNS servers in the network-manager config, but that hasn't fixed it
10:17 < gladiatr> oh... network manager... /shudder
10:17 < Chris___> lol
10:17 < gladiatr> I'm not trying to blow you off, honestly, but I would get in touch with the debian package maintainer for the openvpn plugin
10:17 < Chris___> although when I'm "connected" I can't ping 10.8.0.1, so I'm not sure *where* the issue is
10:18 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Quit: Leaving.]
10:18 < Chris___> well, I've used the debian openvpn plugin on my previous install without a hitch
10:18 < gladiatr> It is *supposed* to update your dns client settings. If it's not, it's not an openvpn issue, but an issue with network manager
10:18 < Chris___> I think I might've just broken something in my setup
10:18 < Chris___> any way I can just check to make sure the issue is with network-manager and not openvpn?
10:19 < gladiatr> Unless your openvpn binary is actually broken, you're dealing entirely with network manager for your configuration and connection management.
10:20 < iceberg> Friday krzie helped me get my OpenVPN where I can access my local network, now I am trying to add tunneling all traffic through the VPN. OS=FreeBSD 8.1 Configs: pastebin.com/k20UarHD
10:20 < gladiatr> Apologies to anyone in That Particular Business, but network manager is great when it works, but it's a right, proper whore to troubleshoot when it isn't
10:21 -!- SOG [~SOG@n11649233199.netvigator.com] has joined #openvpn
10:21 < Chris___> alright, I'll try #Debian then
10:21 < gladiatr> cool. good luck, man
10:21 < peper> dazo: sorry, had to go away for a bit. my goal is to test a secure connection between 2 hosts
10:22 < gladiatr> SOG... does that mean something besides "somewhat wetter than damp"?
10:22 < peper> dazo: and I wanted to do that on a single host
10:23 < peper> cause the other host has a firewall and I don't want that getting in the way
10:24 -!- idle-boy [~idle-boy@nat/yahoo/x-ikvfubrpwgkyivuo] has quit [Ping timeout: 260 seconds]
10:24 < Chris___> I lied, also. I can do dns lookups from shell with "host", but that's it, can't ping my server host, or do anything else
10:26 -!- albech [~thomas@119.42.78.59] has quit [Quit: Ex-Chat]
10:27 < gladiatr> can you do lookups normally before you make your openvpn connection?
10:27 < Chris___> with "host"? yes
10:27 < Chris___> "host" works before and after I make the vpn connection
10:27 < peper> dazo: server conf: http://paste.pocoo.org/show/318343/ client conf http://paste.pocoo.org/show/318344/
10:28 < gladiatr> are you running nscd by any chance?
10:28 -!- dazo is now known as dazo_afk
10:29 < peper> route: http://paste.pocoo.org/show/318345/ ifconfig http://paste.pocoo.org/show/318346/
10:29 < Chris___> ..oh wait
10:30 < Chris___> I think I'm an idiot
10:30 < gladiatr> lol
10:30 < gladiatr> do tell
10:31 -!- goose [~goose@samson.honk-honk.org] has joined #openvpn
10:31 < goose> for future reference, I'm a gorram idiot. I forgot to enable compression in my client-side config.
10:31 -!- goose is now known as Guest68482
10:32 < peper> dazo_afk: by seeing icmp echo requests I meant that I see 17:31:52.398825 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 38942, seq 70, length 64
10:32 < peper> dazo_afk: on both tun0 and tun1
10:32 -!- Guest68482 is now known as goose
10:32 < peper> dazo_afk: and I don't see any replies sent on -i any even
10:32 -!- goose [~goose@samson.honk-honk.org] has quit [Client Quit]
10:34 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has quit [Read error: Operation timed out]
10:34 -!- d303k [~heiko@vpn.astaro.de] has quit [Remote host closed the connection]
10:37 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn
10:41 -!- Directorsppadic [~sonupunno@88.211.55.77] has left #openvpn []
10:45 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
10:47 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has quit [Remote host closed the connection]
10:47 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Remote host closed the connection]
10:48 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has joined #openvpn
10:49 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn
10:53 -!- dazo_afk is now known as dazo_afk_afk
10:54 -!- SOG_ [~SOG@solution1.hsia.citycenter.com] has joined #openvpn
10:55 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 264 seconds]
10:56 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn
10:56 < morbidwar> !help
10:56 <@vpnHelper> (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
10:57 < morbidwar> does anybody have a tutorial on how to setup a "roadwarrior" scenario in openvpn?
10:58 -!- SOG [~SOG@n11649233199.netvigator.com] has quit [Ping timeout: 240 seconds]
10:58 -!- SOG_ is now known as SOG
10:59 < gladiatr> wetter than damp--dryer than soaked: It's SOG!
10:59 < gladiatr> :D
10:59 < gladiatr> sorry
10:59 < iceberg> I found it humorous
11:01 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has joined #openvpn
11:08 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
11:28 -!- LeRrA [~lerra@c-d09872d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Remote host closed the connection]
11:31 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
11:40 -!- p3rror [~mezgani@41.140.29.16] has quit [Ping timeout: 240 seconds]
11:41 <@vpnHelper> RSS Update - forum: Can somebody help me with OPENVPN Please?
11:49 < iceberg> anyone here know how to configure FBSD for 'redirect-gateway' I thought I had my nat set correctly but still no go config: http://pastebin.com/k20UarHD
11:49 < ecrist> sysctl net.inet.ip_forwarding=1
11:49 < ecrist> sysctl net.inet.ip.forwarding=1
11:49 < ecrist> the second one
11:50 < iceberg> yea that is set by rc.conf with enable_gateway="YES"
11:50 < ecrist> yup
11:50 < iceberg> that doesn't solve my problem I've had that the whole time
11:51 < iceberg> I tried enabling ipfw nat as suggested elsewhere on the net but that didn't help either
11:51 < ecrist> how about sharing specifically what you want to do
11:52 < ecrist> do you have a freebsd machine as a server for an openvpn network, and you want to route client internet connections through the vpn server?
11:52 <@vpnHelper> RSS Update - forum: [newbie/2.0.9] Checking that OpenVPN is OK?
11:53 -!- p3rror [~mezgani@41.140.35.17] has joined #openvpn
11:53 < iceberg> Friday krzie helped me get my basic openvpn set up, so I can access my 10.2.2 subnet that all works fine, now I am just trying to add in the pass everything through the vpn. server is FBSD 8.1 and various clients but my test client is Mac OS X Tunnelblick
11:54 < ecrist> I can't help if you use ipfw, but if you use pf, I can.
11:54 < ecrist> !bsdnat
11:54 <@vpnHelper> "bsdnat" is see !fbsdnat
11:54 < ecrist> !fbsdnat
11:54 <@vpnHelper> "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
11:54 < iceberg> I'm not biased so I can switch I've never used pf so it'll be new to me
11:55 < ecrist> imho, pf is considerably more powerful than ipfw, and I used to be an ipfw user
11:55 < iceberg> that link is a 404
11:55 < ecrist> blast
11:55 < iceberg> pf is the netBSD firewall port correct?
11:55 < ecrist> gah, no
11:55 < ecrist> openbsd
11:56 < gladiatr> pf = happy making
11:56 < iceberg> eww
11:56 < ecrist> freebsd backports it into the kernel.
11:56 < iceberg> theo = bad
11:56 < ecrist> edit /etc/pf.conf
11:57 < ecrist> add nat on $wan_if from 10.0.2.0/24 to any -> wan.ip
11:57 < ecrist> change wan_if and the IP subnet and wan.ip to the right values
11:57 < ecrist> actually, here
11:57 < iceberg> ok, no default pf.conf is pf a port I need to add first?
11:59 < ecrist> iceberg: http://secure-computing.net/files/scratch.txt
12:01 < iceberg> ok and that's just the pf.conf?
12:02 < iceberg> then just load pf in the rc.conf and set pf_rules to point to that?
12:03 < ecrist> yup
12:03 <@vpnHelper> RSS Update - forum: Can somebody help me with OPENVPN Please?
12:04 < iceberg> and do I need to remove anything other than ipfw_load from my rc.conf?
12:04 < ecrist> no
12:06 < iceberg> ok, restarting the server
12:06 < ecrist> you didn't need to restart the server
12:06 < ecrist> it's not windows, man
12:06 < ecrist> /etc/rc.d/pf reload
12:06 < ecrist> or
12:06 < iceberg> it was easier than clearing out all the other nat garbage I had
12:06 < ecrist> pfctl -e
12:07 < ecrist> /etc/rc.d/ipfw stop
12:07 < iceberg> I had been tinkering trying to get it working
12:07 < iceberg> see all back up
12:07 < iceberg> solid state drives are fast
12:08 < iceberg> my IRC will drop when I connect as you are probably aware so I will brb
12:15 < iceberg> is "No ALTQ Support" an issue?
12:17 < ecrist> nope
12:17 < iceberg> something is as it didn't work
12:17 < iceberg> em0 is my public interface
12:18 < iceberg> there were just two things in that script I needed to sub right? the if name and the ip?
12:19 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-ltqmlliavogkigsn] has joined #openvpn
12:19 < HoboSteaux> im looking for help on topology
12:20 < iceberg> ecrist: you sure there wasn't anything else in my rc.conf I posted that needed removed other than ipfw_enable? in my /var/log/messages it looks like something is still kicking ipfw on
12:21 < HoboSteaux> i have 3 computers on the same network, one of them being an ovpn server. I am trying to do speedtests on encryption, etc, so i need there to be an ovpn link from one computer to the server and then out to the third comp
12:21 < ecrist> iceberg: pastebin your rc.conf
12:21 < HoboSteaux> what would be the best way to do this?
12:22 < ecrist> HoboSteaux: create a vpn server and have both ends connect to it, then pass traffic from one end to the other.
12:22 < HoboSteaux> wouldn't the encryption take place on the clients only then?
12:23 < iceberg> http://pastebin.com/YC6kEBFX
12:28 -!- luneff [~yury@84.51.197.224] has joined #openvpn
12:29 < ecrist> iceberg: remove line 16, 20, 21, 22, 23, 24
12:30 < ecrist> and the pf_rules is really already set to default, so that could be removed, as well
12:31 < HoboSteaux> as i understand it ecrist, the encryption occurs at the fringes of the network; if two items on the same vpn talk, they would be doing all the encryption instead of the server
12:31 < ecrist> no
12:31 < ecrist> the server encrypts traffic to each client
12:32 < HoboSteaux> oh i did not know that ty
12:32 < ecrist> so, if two clients talk, client 1 encrypts to the server, the server decrypts, re-encrypts for client-2 and forwards the traffic
12:32 < HoboSteaux> good to know that every stream is secure per client
12:33 < ecrist> there is never a negotiation between clients, not sure why you'd have that idea.
12:34 < iceberg> ecrist: still after the openVPN is established I can only access my local net I can not get out to the internet.
12:36 -!- p3rror [~mezgani@41.140.35.17] has quit [Read error: Connection reset by peer]
12:45 < ecrist> on the cli: pfctl -s nat
12:47 < iceberg> nat on em0 inet from 10.0.0.0/16 to any -> 64.141.147.212
12:47 < iceberg> em0 being my public interface
12:47 < ecrist> and is your vpn on the 10.0.0.0/16 subnet?
12:47 < iceberg> 10.8.0.0/24 so yea
12:48 < ecrist> in your server config, do you have "push 'redirect-gateway def1'"
12:48 < iceberg> push "redirect-gateway def1 bypass-dhcp"
12:48 < ecrist> um, 10.8.0.0/24 is not inside 10.0.0.0/16
12:49 < ecrist> change 10.0.0.0/16 to 10.8.0.0/24 and save
12:49 < ecrist> then run "/etc/rc.d/pf reload"
12:49 < iceberg> ok, giving that a try
12:52 < krzie> [13:55] imho, pf is considerably more powerful than ipfw, and I used to be an ipfw user
12:52 < krzie> i also used ipfw / ipf, pf is the best
12:52 < ecrist> nat is *so* much easier
12:52 < ecrist> s/nat/everything/
12:52 < krzie> the scrub command by itself is all anyone should need to make the switch
12:53 < ecrist> heh, that breaks lots of stuff on our network.
12:53 < iceberg> success
12:53 < iceberg> thank you
12:53 < ecrist> we have about 23232 subnets flying around and it confuses pf it seems.
12:53 < ecrist> iceberg: it's easier to help when I have *all* the information I need. :)
12:53 < iceberg> it all works now, much appreciate it
12:54 < krzie> packet scrubbing breaks things in your network ecrist?
12:54 < ecrist> very much
12:54 < krzie> like what?
12:54 < krzie> i never seen that
12:54 < iceberg> ecrist: true, and I have several things going on so the /16 instead of /8 passed me
12:55 < ecrist> krzie: what causes it is when I have a pair of systems that are on both subnets (think jails) and a jail on one subnet is sending to another IP on another subnet (which bounces back to the same host)
12:55 < ecrist> pf sees that as spoofing
12:55 < iceberg> now I have to go do lots of reading on pf, as I've not used it before
12:55 < ecrist> krzie: you should know by now that I often find a way to break things. ;)
12:57 < krzie> ohh
12:57 < krzie> i gotchya
12:57 < krzie> ;]
12:58 < iceberg> one last question, if I add more client keys later does the ca need rebuilt or something or do the new client keys get added during the process?
13:00 < ecrist> nope
13:00 < krzie> !factoids search
13:00 <@vpnHelper> (factoids search [] [--values] [--{regexp} ] [ ...]) -- Searches the keyspace for keys matching . If --regexp is given, its associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
13:00 < ecrist> just sign more keys and hand them out
13:00 < krzie> !factoids search --values ca
13:00 <@vpnHelper> 'winroute', 'router', 'pastebin', 'push', 'ifconfig', 'bridge-dhcp', 'hmac', 'net30', 'dhcp', 'all', 'nobind', 'servercert', 'mitm', 'menu', 'wintaphide', 'linnat', 'ccd', 'lintrafaccnt', 'ask', 'crl', 'crl', 'local', 'wins', 'broadcast-relay', 'firestarter', 'notcompat', 'configs', 'mtu-test', 'iporder', 'access-server', 'paste', 'nopaste', 'fbsdnat', 'mtu', 'win2k8', 'subnet', 'tunortap', 'bcast',
13:00 <@vpnHelper> 'client-to-client', 'certverify', 'samesubnet', 'sockd', 'c2c', 'tls-auth', 'win_tcplimit', 'tcp', 'sample', '/30', 'ssl-admin', 'ldap_iptables', 'log', 'logfile', 'iphone', 'snapshots', 'testing', '', 'client-connect', 'script', 'AS', 'layer2', 'badtime', 'winpath', 'confgen', 'dupe', 'pki', 'osxboot', 'pki', 'wireless', 'duplicate', 'static-key', 'mbuf', 'statickey', 'pb', 'diagram', 'epel5', 'current',
13:00 <@vpnHelper> 'openvzlinnat', and 'forum'
13:01 < krzie> damn i thought i wrote one that had the overall idea of how pki works
13:02 < krzie> maybe...
13:02 < krzie> !pki
13:02 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Here's a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that each other were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
13:02 <@vpnHelper> specially as a server (see !servercert)
13:02 < krzie> iceberg, see #2
13:05 < iceberg> ok, I've used other encrypted tunnels where the client has to know its private key and the server's public not just having a signed key so I wasn't sure how x509 worked
13:05 < iceberg> but that seems simple enough
13:06 < krzie> same deal
13:07 < krzie> except 2-directional auth
13:08 < krzie> what you were talking about is when the client verifies the server only, like web servers
13:12 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Quit: iceberg]
13:14 -!- s7r1 [~s7r@212.117.186.78] has joined #openvpn
13:14 -!- s7r [~s7r@212.117.186.78] has quit [Ping timeout: 240 seconds]
13:18 -!- s7r1 [~s7r@212.117.186.78] has quit [Ping timeout: 265 seconds]
13:19 -!- s7r [~s7r@212.117.186.78] has joined #openvpn
13:19 -!- s7r is now known as Guest60088
13:24 -!- SOG [~SOG@solution1.hsia.citycenter.com] has quit [Ping timeout: 240 seconds]
13:31 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
13:36 < alhadi> Hi krzie :)
13:37 -!- sht [sht@2607:f0d0:2001:8b:20c:29ff:fe08:9753] has quit [Read error: Operation timed out]
13:37 -!- SOG [~SOG@solution1.hsia.citycenter.com] has joined #openvpn
13:39 -!- SOG [~SOG@solution1.hsia.citycenter.com] has quit [Remote host closed the connection]
13:39 -!- SOG [~SOG@n11649233199.netvigator.com] has joined #openvpn
13:40 -!- SOG [~SOG@n11649233199.netvigator.com] has quit [Client Quit]
13:42 < gladiatr> man date
13:42 < gladiatr> bah
14:09 < ecrist> buy her flowers, dress nice.
14:09 < ecrist> see man woman
14:14 < gladiatr> lmao
14:14 < gladiatr> No manual entry for woman
14:18 < hyper_ch> ecrist: why do you want to bribe her?
14:23 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has joined #openvpn
14:25 -!- Antarez [kruse@tranquility.quidor.net] has quit [Quit: wopwopwop]
14:26 -!- iceberg [~iceberg@cpe-24-166-7-47.indy.res.rr.com] has joined #openvpn
14:28 < krzie> lol
14:29 <@vpnHelper> RSS Update - forum: Problem with routes in Windows 7
14:39 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:45 -!- WinstonSmith [~true@e177089065.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
14:46 -!- stony is now known as gisikon
14:46 -!- gisikon is now known as stony
14:47 <@vpnHelper> RSS Update - forum: JonDo vs OpenVPN - They Claim To Be More Secure
14:51 < alhadi> krzie whenever i connect to the VPN , windows 7 identifies it as unidentified network
14:52 < alhadi> is there a workaround to make this interface identify ?
14:54 <@vpnHelper> RSS Update - forum: Double VPN || 2 Hop VPN || VPN-over-VPN
14:57 < krzie> not sure, have seen that problem before
14:57 < krzie> it's something windows 7 added, im sure a workaround was found, lots of people have had the problem
14:57 < krzie> should be all over the web / mail lists
14:57 < krzie> !win7
14:58 < krzie> when you find it lemme know and ill add it to !win7
14:59 < alhadi> sure
14:59 <@vpnHelper> RSS Update - forum: backslash problem VPN fail windows xp client || Route: Waiting for TUN/TAP interface to come up...
14:59 < alhadi> thanks m8
14:59 < alhadi> or
14:59 < alhadi> should i post a message in forum?
14:59 < alhadi> it might help others
14:59 < krzie> sure
14:59 < alhadi> cheers
14:59 < krzie> i can put the message on the bot too
15:00 < krzie> so that's prolly better
15:00 < alhadi> sounds good
15:00 < alhadi> yes i like vpnHelper
15:00 < alhadi> he is cute
15:00 < krzie> hehe
15:00 < alhadi> ^^ :D
15:00 < krzie> !tell alhadi thank you
15:00 < krzie> (he messages)
15:00 < alhadi> wow
15:00 < alhadi> he is smart
15:00 < alhadi> :)
15:00 < krzie> more useful like this
15:00 < alhadi> indeed
15:00 < krzie> !tell alhadi [howto]
15:01 < alhadi> i had my own irc network but i never made a bot like this ever..
15:01 < alhadi> so nice to see it's very useful for ppl like us lol
15:01 < krzie> it is a supybot
15:01 < krzie> !version
15:01 <@vpnHelper> The current (running) version of this Supybot is 0.83.4.1. The newest version available online is 0.83.4.1.
15:02 < alhadi> nice
15:02 < krzie> there is a channel for them, #supybot
15:02 < alhadi> thanks
15:02 < alhadi> :)
15:03 < alhadi> i'll go and see the workaround
15:03 < alhadi> i saw somewhere to add a manual route and if you see my log you will see gateway 192.168.1.1 pops in that's why i guess it's unable to identify
15:03 < alhadi> !pb
15:03 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
15:03 < ecrist> !tell krzie leave me alone.
15:04 < alhadi> site is slow
15:04 <@vpnHelper> RSS Update - forum: Someone PLEASE HELP!!! OPENVPN SOFT RESETTING FAILED HANDSHA || how to add a kernel's route on the openvpn server?
15:05 < krzie> haha
15:06 < alhadi> lol
15:06 < krzie> alhadi, it's because windows 7 doesn't like using an "unidentified network" as your default gateway
15:06 < alhadi> indeed
15:08 < krzie> !learn win7 as http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/8a3e9b05-353b-4250-a023-066a085e9657 for a workaround to the windows 7 "unidentified network" issue you get when using redirect-gateway
15:08 <@vpnHelper> Joo got it.
15:08 < krzie> there ya go
15:08 < krzie> hit #1 on my google
15:09 < alhadi> wow
15:09 -!- dollabill [~mike@199.44.8.98] has quit [Ping timeout: 260 seconds]
15:09 < krzie> search was: windoes 7 unidentified network openvpn
15:09 <@vpnHelper> RSS Update - forum: what is the exact vpn information to use ?
15:10 < alhadi> nice
15:16 <@vpnHelper> RSS Update - forum: OpenVPN with Small Business Server 2003 || Windows 2003 support
15:16 -!- alhadi [~thunderst@188.95.51.165] has quit [Read error: Connection reset by peer]
15:21 <@vpnHelper> RSS Update - forum: error read UDPv4: Connection reset by peer (WSAECONNRESET) (
15:24 -!- mrle0 [~fin@cpc1-nrte25-2-0-cust619.8-4.cable.virginmedia.com] has joined #openvpn
15:28 <@vpnHelper> RSS Update - forum: How to sign my own TAP driver? || error read UDPv4: Connection reset by peer (WSAECONNRESET) ( || How do I do a complete cleanup after openvpn installation || Route: Waiting for TUN/TAP interface to come up...
15:32 -!- dschuett [~dschuett@216.229.21.250] has left #openvpn []
15:33 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Remote host closed the connection]
15:33 <@vpnHelper> RSS Update - forum: Running a down script prior to route del || TLS Blocked by provider, need to modify source code...
15:38 -!- iceberg [~iceberg@cpe-24-166-7-47.indy.res.rr.com] has quit [Ping timeout: 240 seconds]
15:38 < krzie> !pki
15:38 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Here's a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that each other were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
15:38 <@vpnHelper> specially as a server (see !servercert)
15:40 <@vpnHelper> RSS Update - forum: Need help with config files/keys will pay || How to create my own TAP driver installer (Windows)
15:45 -!- p3rror [~mezgani@41.140.33.59] has joined #openvpn
15:45 <@vpnHelper> RSS Update - forum: Different networks, DNS-Server does not work || Internet Connection Sharing with openvpn
15:48 -!- iceberg [~iceberg@64.141.147.212] has joined #openvpn
15:50 -!- iceberg [~iceberg@64.141.147.212] has quit [Read error: Connection reset by peer]
15:51 -!- alhadi [~thunderst@188.95.51.165] has joined #openvpn
15:51 <@vpnHelper> RSS Update - forum: Problem installing TAP adapter (split topic) || VPN before 2 routers || openvpn exceptions ?!!
15:51 -!- iceberg [~iceberg@cpe-24-166-7-47.indy.res.rr.com] has joined #openvpn
15:51 < alhadi> found a temp solution
15:53 < alhadi> need to go control panel and then network sharing and wizard / adaptor setting / tap-win32 network connection right click properties then IP-v4 and then go to add a gateway 2.2.0.5 or don't add 2 gateway
15:53 < alhadi> also a workaround was to disable DHCP from router and keep static IP's
15:53 < alhadi> that worked
15:53 < alhadi> now i can see both my local interface and virtual interface identified as public/private
15:55 < iceberg> even though duplicate-cn is not enabled on my server, it is allowing me to connect from two different machines at the same time (both behind a nat on the same public ip, but it shouldn't allow it at all should it?)
15:55 -!- bitterman [~yury@84.51.197.224] has joined #openvpn
15:57 < krzie> iceberg, the first client shouldn't be able to ping the server anymore, until it times out and reconnects, at which point the second one should have the same symptoms, and they continue to fight
15:58 < iceberg> ok, that seems what was going on. There is no way to prevent it from connecting at all is there?
15:58 -!- luneff [~yury@84.51.197.224] has quit [Ping timeout: 240 seconds]
16:00 < gladiatr> iceberg, revoke that certificate and issue new ones
16:02 <@vpnHelper> RSS Update - forum: Help??
16:02 -!- bitterman [~yury@84.51.197.224] has quit [Quit: Leaving]
16:02 < iceberg> I know I can revoke the cert, I just wondered if there was a way to prevent the 2nd client from connecting.
16:03 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
16:04 < gladiatr> Nope. If it has your dh key and a valid certificate, there's nothing to prevent it from connecting.
16:06 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]] 16:07 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn 16:07 <@vpnHelper> RSS Update - forum: WARNING: potential route subnet conflict || unable to connect to vpn network 16:09 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn 16:09 -!- mrle0 [~fin@cpc1-nrte25-2-0-cust619.8-4.cable.virginmedia.com] has quit [Quit: Leaving] 16:14 <@vpnHelper> RSS Update - forum: Client to other client behind subnet || making packets || Can't reinstall OpenVP-AS || Connections bypassing OpenVPN? || Alternative methods to delegate IP to clients? 16:14 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn 16:20 -!- alhadi [~thunderst@188.95.51.165] has quit [Quit: alhadi] 16:22 -!- p3rror [~mezgani@41.140.33.59] has quit [Read error: Connection reset by peer] 16:25 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has left #openvpn [] 16:29 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-ltqmlliavogkigsn] has left #openvpn [] 16:35 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 16:37 -!- p3rror [~mezgani@41.140.34.28] has joined #openvpn 16:42 -!- Guest60088 [~s7r@212.117.186.78] has left #openvpn [] 16:50 -!- Bebop2Steady [~Bebop2Ste@124.169.156.37] has joined #openvpn 16:58 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has quit [Ping timeout: 276 seconds] 16:59 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has joined #openvpn 17:00 <@vpnHelper> RSS Update - forum: OpenVPN or how to configure it from the Windows 7 17:04 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-ltqmlliavogkigsn] has joined #openvpn 17:05 < HoboSteaux> so i just made my first tun. 
it connects, gets an ip, but can not communicate 17:06 <@vpnHelper> RSS Update - forum: OpenVPN or how to configure it from the Windows 7 17:06 < HoboSteaux> the hardware address of the tun on the client is 16 sets of 00- 17:07 < HoboSteaux> nm both client and server have that 17:09 < Bebop2Steady> what does it mean "cant communicate"? 17:09 < HoboSteaux> i can not ping across it 17:10 < HoboSteaux> i have a correct ip address with the right subnet 17:10 < Bebop2Steady> you got a local IP of 10.x.x.6 and cant ping to 10.x.x.1? 17:10 < HoboSteaux> yeah 17:11 < Bebop2Steady> server machine has firewall enabled? iptables etc ? 17:14 < HoboSteaux> i did have an old nat, disabling it and trying again 17:14 < Bebop2Steady> # Respond to pings 17:14 < Bebop2Steady> iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 17:15 < HoboSteaux> currently it has a blank policy 17:16 < HoboSteaux> same with client 17:17 < HoboSteaux> added that rule, still no response 17:19 -!- p3rror [~mezgani@41.140.34.28] has quit [Ping timeout: 240 seconds] 17:21 < Bebop2Steady> I'm still a bit noob at this so cant offer more suggestions.. lil help from experts needed. 17:22 < HoboSteaux> heh :P i can do the bridge vpns fine... but then again they are easy 17:22 < Bebop2Steady> probably unrelated, but have you done: echo 1 > /proc/sys/net/ipv4/ip_forward yet ? 17:23 < Bebop2Steady> (on server) 17:25 < Bebop2Steady> what guide did you follow to do the setup? I got one that has never let me down, as far as getting to the ping server stage.
17:25 < HoboSteaux> a couple of em 17:25 < HoboSteaux> meshed em together 17:25 < HoboSteaux> using the howto config file 17:27 < krzie> !logs 17:27 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin 17:27 < krzie> !configs 17:27 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin 17:27 < krzie> ^ @ HoboSteaux 17:27 < krzie> and whats your goal...? 17:27 < HoboSteaux> kk ty krzie 17:27 < HoboSteaux> simple tun setup 17:27 < krzie> no lans, no accessing internet over vpn? 17:28 < HoboSteaux> yeah 17:28 < krzie> !sample 17:28 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting 17:28 < krzie> there ya go 17:29 < HoboSteaux> ty 17:30 < Bebop2Steady> i got a quick conceptual question for u krzie: http://i52.tinypic.com/2dkhded.jpg 17:31 < krzie> looks right 17:31 < Bebop2Steady> with that one -- i want client-to-client to be *off*, so I am thinking now, to get route from country C to laptop.... 
then it needs a server instance in the middle one 17:32 -!- alhadi [~thunderst@92.96.242.8] has joined #openvpn 17:32 < krzie> except the user wouldnt be .7 17:32 < krzie> he'd be .10 :-p 17:32 < Bebop2Steady> ahh 17:32 < krzie> !/30 17:32 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc 17:32 < Bebop2Steady> he is 10 when i put in practice... 17:32 -!- p3rror [~mezgani@41.140.169.219] has joined #openvpn 17:32 < Bebop2Steady> i was wondering why 17:33 < krzie> umm 17:33 < krzie> wait what are you talking about re: routes? 17:33 < Bebop2Steady> lap top to be able to ping both servers in country C 17:33 < Bebop2Steady> with client-to-client switched to off 17:33 < krzie> why would it want to ping both!? 17:33 < krzie> client-to-client wont help anyways 17:34 < krzie> !c2c 17:34 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other 17:34 <@vpnHelper> clients 17:34 < krzie> ohhh 17:34 < krzie> lol 17:34 < krzie> you still havent caught onto an important part 17:34 < krzie> i bet you still get MULTI errors in your log 17:35 < Bebop2Steady> not in my openvpn logs... 17:35 < Bebop2Steady> or are they in var/log/messages? 17:35 < krzie> they are wherever you said they should be 17:35 < krzie> !logfile 17:35 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode.
You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info 17:35 < Bebop2Steady> i took your advice and have tail -f /etc/openvpn/*.log on 17:44 -!- agrajag [~agrajag^@c-24-131-78-108.hsd1.pa.comcast.net] has joined #openvpn 17:44 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.] 17:47 -!- alhadi [~thunderst@92.96.242.8] has quit [Quit: alhadi] 17:49 < HoboSteaux> krzie: this is the latter part of my client log file: 17:49 < HoboSteaux> http://pastebin.com/A9KFuuZp 17:50 < HoboSteaux> still not working 17:50 -!- p3rror [~mezgani@41.140.169.219] has quit [Ping timeout: 240 seconds] 17:56 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 246 seconds] 17:59 -!- corretico [~corretico@201.201.44.82] has joined #openvpn 18:02 -!- mezgani_ [~mezgani@41.140.27.249] has joined #openvpn 18:03 -!- mezgani_ is now known as p3rror 18:03 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has quit [Remote host closed the connection] 18:06 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has quit [Read error: Operation timed out] 18:08 -!- lupine_85 [~lupine_85@2001:41c8:10:462::99] has joined #openvpn 18:09 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 250 seconds] 18:11 < Bebop2Steady> !topology 18:11 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc 18:14 -!- silverraindog [~angus@host86-185-35-153.range86-185.btcentralplus.com] has quit [Read error: Operation timed out] 18:14 < krzie> HoboSteaux, i said i wanted both configs and both logfiles, not half of a logfile and nothing else 18:14 < krzie> Mon Jan 10 15:43:39 2011
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541' 18:14 < krzie> Mon Jan 10 15:43:39 2011 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo' 18:14 < krzie> the first 2 lines are very important 18:14 < HoboSteaux> alright hold on a second sorry 18:18 < HoboSteaux> client log: http://pastebin.com/kh4UdqRY 18:18 < HoboSteaux> client config: http://pastebin.com/UMBFD2wg 18:20 < HoboSteaux> server log: http://pastebin.com/qJFw83vw 18:20 < HoboSteaux> server config: http://pastebin.com/tmn5JLMg 18:23 < krzie> funny, those logs dont have the error you said you were having... 18:23 < krzie> you pasted half a logfile at first, which doesnt match either of these 18:23 < HoboSteaux> hahah yeahhh... i found the error, but its back to not being able to connect 18:24 < HoboSteaux> i fixed the old error, now its just not able to send data over the interface 18:26 -!- alhadi [~thunderst@92.99.235.139] has joined #openvpn 18:26 -!- tessier [~treed@mail.copilotco.com] has quit [Ping timeout: 250 seconds] 18:29 -!- s7r [~s7r@212.117.186.78] has joined #openvpn 18:46 -!- Malard|Home [~ident@xbmc/staff/malard] has quit [Read error: Connection reset by peer] 18:46 < krzie> erm 18:46 < krzie> i just noticed, 18:46 < krzie> remote 10.10.0.111 1194 18:47 < HoboSteaux> yeah thats the real address of the server 18:48 < krzie> so you want nothing more than a point to point vpn inside your existing lan 18:48 < HoboSteaux> yes 18:48 < krzie> is this for securing wifi or something...? 18:49 < HoboSteaux> i want something to run speed tests on 18:49 < HoboSteaux> different encryptions, etc 18:49 -!- newbie|3 [~Bebop2Ste@124.169.156.37] has joined #openvpn 18:50 < krzie> connect the client in 18:50 < krzie> ping 10.8.1.1 from the client 18:50 < krzie> if those logs are still correct, it should work 18:51 < HoboSteaux> wtf. magicsauce.
i literally pressed up a bit to find that ping and it somehow worked this time 18:51 < HoboSteaux> ty, i have no clue what i did wrong lol 18:53 -!- Bebop2Steady [~Bebop2Ste@124.169.156.37] has quit [Ping timeout: 248 seconds] 19:06 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn 19:12 -!- alhadi [~thunderst@92.99.235.139] has quit [Quit: alhadi] 19:16 -!- sparkymarkd [~mark@190.197.41.96] has joined #openvpn 19:18 -!- tessier_ [~treed@mail.copilotco.com] has joined #openvpn 19:26 < newbie|3> krzie, I thought of one possible clarification for the OpenVPN/Routing wiki 19:26 < newbie|3> oops 19:27 < newbie|3> newbie|3 = bebop2steady 19:31 -!- sparkymarkd [~mark@190.197.41.96] has quit [Ping timeout: 240 seconds] 19:32 < newbie|3> In the diagram with 3 boxes (servers/clients) 19:32 < newbie|3> The diagram has 1 server and 2 clients ? 19:32 < newbie|3> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 19:32 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net) 19:44 -!- common [~common@p5DDA4467.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds] 19:52 -!- common [~common@p5DDA4467.dip0.t-ipconnect.de] has joined #openvpn 20:19 <@vpnHelper> RSS Update - forum: Internet Connection Sharing with openvpn 20:24 -!- silverraindog [~angus@host86-185-36-14.range86-185.btcentralplus.com] has joined #openvpn 20:31 -!- sparkymarkd [~mark@200.32.232.149] has joined #openvpn 20:40 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn 20:44 -!- s7r [~s7r@212.117.186.78] has left #openvpn [] 20:45 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 276 seconds] 20:53 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 20:54 < krzie> newbie|3, you cant have 2 servers... so yes 20:54 < krzie> lol 20:54 < krzie> and if you read the words instead of just the pictures...
20:55 < krzie> "Our user had a openvpn server with a lan (10.10.2.0) behind it, and 2 client with lans behind them:" 20:58 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn 21:17 -!- diphthong [~diphthong@69.172.135.243] has quit [Ping timeout: 276 seconds] 21:18 -!- diphthong [~diphthong@69.172.135.243] has joined #openvpn 21:26 -!- _zero__ [~zero@noc.toile-libre.net] has joined #openvpn 21:28 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has quit [Quit: Leaving.] 21:28 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has joined #openvpn 21:29 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has quit [Client Quit] 21:31 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn 21:35 -!- Netsplit *.net <-> *.split quits: mick_laptop, _zero_, rjd_, Clete2 21:37 -!- Netsplit over, joins: rjd_, mick_laptop, Clete2 21:52 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat] 22:00 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection] 22:07 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn 22:07 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host] 22:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn 22:19 <@vpnHelper> RSS Update - forum: Linux client problem 22:22 -!- StupidWeasel [~weasel@unaffiliated/stupidweasel] has joined #openvpn 22:22 < StupidWeasel> !goal 22:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 22:22 < StupidWeasel> Heh, just what I was going to type. Neat. 22:24 < krzie> which part... 22:25 < StupidWeasel> Hiya folks, I'd like to use openvpn to connect two computers, for lan gaming purposes. 
Would it be enough to have this machine as the server - and just have the client connect? 22:25 < StupidWeasel> Making the game use the openvpn adaptor? 22:27 < krzie> sounds about right 22:28 < krzie> if the 2 gaming machines are running openvpn, and no other machines in the lan need gaming access, you can use a routed tap setup 22:28 < krzie> like this, but with dev tap 22:28 < krzie> !sample 22:28 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting 22:28 < krzie> if you need other lan machines to play as well, you need a bridge, which i cant help with 22:28 < StupidWeasel> Excellent, that sounds just right. 22:29 < StupidWeasel> And nope, only two machines currently. 22:30 < StupidWeasel> Thanks a lot krzie. I was fairly certain that I was reading the correct tutorial, but wanted to confirm before I really dug in :) 22:31 -!- newbie|3 [~Bebop2Ste@124.169.156.37] has quit [Read error: Connection reset by peer] 22:31 -!- newbie|3 [~Bebop2Ste@124-169-6-237.dyn.iinet.net.au] has joined #openvpn 22:44 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds] 23:09 < newbie|3> krzie i'm close to breaking thru over here. lil help from the master and i could be free. i made a new diagram, with full config included for easy diagnostics. if you can sneak a peek at it lemme know.. 23:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out] 23:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 23:32 < newbie|3> ping to last server in vpnchain, but cannot get a vpn connect to it. the initial packet arrives, and thats it.
23:39 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving] 23:42 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 23:43 < newbie|3> I got diagram of my routes pushed and ccd entries mapped so if some expert looks at it the problem will be immediately evident 23:44 < newbie|3> !route 23:44 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 23:48 < newbie|3> the server says initial packet received, then "WWRWRWRWRWWWWRRRWRWRW", which I guess is [W]rite [R]ead .... 23:49 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.] --- Day changed Tue Jan 11 2011 00:04 < krzie> newbie|3, if thats the type of setup you want, you wont be getting more help from me... LEARN the stuff and you will understand it ;] 00:06 -!- sparkymarkd [~mark@200.32.232.149] has quit [Remote host closed the connection] 00:08 < newbie|3> one incy bincy last tiny little piece of help ? 00:09 < newbie|3> nah.. ok.. i agree 00:09 < newbie|3> I'm deconstructing is starting with something a lil easier 00:16 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn 01:02 -!- newbie|3 [~Bebop2Ste@124-169-6-237.dyn.iinet.net.au] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/] 01:05 -!- StupidWeasel [~weasel@unaffiliated/stupidweasel] has quit [Ping timeout: 240 seconds] 01:13 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 01:14 < hyper_ch> good morning world 01:24 <@vpnHelper> RSS Update - forum: UPnP over openVPN, is it possible? 01:24 < krzie> upnp over vpn...
heh 01:25 < krzie> i dont even trust upnp over ethernet ;] 01:25 < krzie> or wifi 01:25 < krzie> or any other networking method 01:25 < krzie> good morning hyper_ch 01:26 -!- Bebop2Steady [~Bebop2Ste@124-169-6-237.dyn.iinet.net.au] has joined #openvpn 01:28 < hyper_ch> isn't upnp the root of all evil on computers? 01:28 < Bebop2Steady> dying here :[ http://i55.tinypic.com/ftomq9.jpg <----- according to my interpretation of all the available info, it looks like that would work. Through no lack of trying though, I cant get it. 01:29 < krzie> hyper_ch, no, thats women 01:29 < hyper_ch> :) 01:29 < krzie> as proven by the famous proof 01:29 < hyper_ch> there are women on computers? 01:29 < krzie> women = time + money... etc 01:29 < hyper_ch> women = time 01:29 < hyper_ch> money = time 01:29 < hyper_ch> money = evil 01:30 < krzie> http://www.anvari.org/db/fun/Gender/Proof_that_Girls_are_Evil.jpg 01:30 < hyper_ch> I know :) 01:30 < hyper_ch> seen it before 01:30 < hyper_ch> but women are not on computers 01:30 < hyper_ch> so the root of all evil on computers can still be upnp 01:37 < Bebop2Steady> the other root of evil on computers is that you eventually get tired and your brain stops. And simple problems become unsolvable. 01:40 < krzie> really? i thought it was walkthroughs 01:40 < krzie> that lead people to ask more questions of others than of manuals 01:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 01:41 < Bebop2Steady> walkthroughs are god-sent.. so are manuals though. not sure if the distinction has a great difference 01:41 < krzie> huuuuge difference 01:41 < krzie> one says "this is what the software can do, learn it" 01:42 < krzie> other says "heres how you can blindly make the software do exactly this" 01:42 < Bebop2Steady> yeah in any case.. manual + walkthrough complement each other nicely..
01:43 < Bebop2Steady> dont re-invent the wheel, so long as u understand its uses 01:47 < krzie> btw, if theres only 2 machines you dont need a chain at all 01:47 < krzie> (finally looked at above link) 01:48 * krzie shops for a mytouch 4g 01:48 < Bebop2Steady> ( big yay! ) um.. 01:48 < krzie> hey i know 01:48 < krzie> buy me a mytouch 4g and ill not only teach you everything about vpnchains but ill even set them up for you 01:49 < krzie> :-p 01:50 < Bebop2Steady> : ] just the teaching would be fine.. despite my frequent questions, I prefer to learn it all too 01:52 < Bebop2Steady> that design I made had the same problem as the 3 stack.. ima have to deconstruct it and start again ( again ) .. eventually I'll get there. 01:53 < Bebop2Steady> i learned all that iroute + route + push to the max already.. some invisible problem stopping me now 01:55 < Bebop2Steady> ima go shopping.. not for a mytouch 4g, but a rather simpler element -------- *food* 01:55 -!- Bebop2Steady [~Bebop2Ste@124-169-6-237.dyn.iinet.net.au] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/] 02:15 -!- alhadi [~thunderst@92.99.235.139] has joined #openvpn 02:17 -!- alhadi [~thunderst@92.99.235.139] has quit [Client Quit] 02:18 -!- alhadi [~thunderst@s3.airvpn.org] has joined #openvpn 02:20 -!- dazo_afk_afk is now known as dazo 02:24 < krzie> moinmoin dazo 02:24 <@dazo> krzie: moinmoin :) whazzup? 02:24 < krzie> not much, shopping a lil for my new phone 02:25 <@dazo> cool :) decided for what you want? 02:25 < krzie> cant get an evo cause its cdma only *gah* but im gunna go for a mytouch 4g 02:25 < krzie> even tho i must admit i considered the n900 cimply because it can do wifi monitor mode reinjection 02:26 < krzie> simply* 02:26 <@dazo> :) 02:27 <@dazo> Well, I'm a F/OSS geek, so I always shop what is most open :) But, I'm more on the extreme side though :) 02:28 < krzie> wouldnt an android phone be more open? 02:28 < krzie> is maemo source online?
02:28 < krzie> ahh yes it is 02:29 <@dazo> it's second on my list ... you still need to jail it ... in maemo, you just install the "Gain root" application from the apps repository, officially supported 02:29 < krzie> the root app i used on the evo was so stupid simple i was shocked 02:29 < krzie> but it was not simply install an app from the repo 02:29 < krzie> that is coo 02:29 < krzie> +l 02:30 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Read error: Operation timed out] 02:31 <@dazo> on maemo and MeeGo devices, your device is much more comparable to a normal computer ... you are in control, you install whatever and remove whatever you want ... if you break it, you need to reflash it ... and even flashing tools are available for Linux, OSX and Windows 02:31 <@dazo> Android and others, don't give such powers "out-of-the-box" to its users, therefore I don't consider them really open 02:32 < krzie> valid point 02:32 -!- Bebop2Steady [~Bebop2Ste@124-169-6-237.dyn.iinet.net.au] has joined #openvpn 02:32 < krzie> too bad its not so actively developed for 02:32 < krzie> that was certainly part of my decision 02:32 <@dazo> btw ... maemo5 won't die anytime soon .... it seems that Nokia won't officially provide a supported MeeGo version (even though dual-boot from SD card is now supported in the latest PR release) ... but Nokia promised to support maemo5 for a long time, afair 02:32 < krzie> (i mean as compared to IOS / android) 02:32 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn 02:33 < krzie> it still bothers me to call iphoneOS IOS... hey this isnt a cisco device! 02:33 <@vpnHelper> RSS Update - forum: Can somebody help me with OPENVPN Please? 02:34 <@dazo> that's a valid point, even though compared to a year ago ... the application selection has grown tremendously, it started with about 30-40 apps, now there's over 700 ...
but of course, not comparable to apple/android 02:34 < krzie> then again they do have 1 app that nobody else does 02:34 <@dazo> openvpn? 02:34 < krzie> the FULL aircrack-ng suite 02:34 <@dazo> yeah :) 02:35 < krzie> iphone AND android have openvpn ;] 02:35 <@dazo> yeah, if you root your device :) 02:35 <@dazo> jail, I mean 02:35 < krzie> which im certain to do 02:35 < krzie> its not even a real phone for me until i do... 02:36 < krzie> an iphone is an ipod touch in this country until you jailbreak / unlock it 02:36 <@dazo> it's a phone even though not jailbroken ... it's just not suitable for much more than phone calls :-P 02:36 <@dazo> ahh 02:36 < krzie> not even suitable for phone calls ;] 02:36 <@dazo> ahh ... yeah, that's even worse 02:37 < krzie> does that go for the n900 too? 02:37 <@dazo> n900 is not locked like that at all, at least here in Europe 02:37 < krzie> cool 02:38 <@dazo> I bought mine completely without subscription to a provider ... and switch SIM cards depending on the country I go to 02:38 < krzie> ive been rockin the iphone for about a year (a friend in au gave me his about a yr ago) but recently i had to setup an evo for the boss to use with openvpn to see the cgi scripts i have been making from afar 02:38 < krzie> i fell in love with that thing 02:40 <@dazo> heh :) iphone deserves credits for pushing the market, making useful smartphones ... earlier it was just silly "smart"phones ... but Android have done a good job, on the user side 02:40 < reiffert> moin 02:40 <@dazo> moin, reiffert :) 02:40 < krzie> yep, i agree 02:40 < krzie> mornin reif 02:40 < alhadi> krzie hello :) you know any openvpn provider ? 02:41 < alhadi> gonna switch the one i have 02:41 < krzie> not really, theres a couple mentioned on the forum 02:41 < reiffert> dazo: did you recognize the layer-2 discussion some days ago? 
02:41 < alhadi> sure 02:41 < krzie> i provide my own vpn services 02:41 < krzie> (for me) 02:42 < alhadi> thats great 02:42 <@dazo> reiffert: not sure I do recall it right now .... but a few hints might help refresh memory :) 02:42 < alhadi> looking for a good provider 02:42 < alhadi> i'll see forum now thx 02:42 < reiffert> dazo: it's where openvpn can play together with ciscos MACSec and TrustSec 02:42 < krzie> (same reason i dunno a good webhost or vps provider) 02:42 < reiffert> dazo: could 02:43 <@dazo> reiffert: was I even in that discussion? :-P 02:43 < reiffert> dazo: basically the client and the server will talk to each other with layer-2 frames. Skip IP overhead. 02:43 < krzie> basically the idea is allowing layer2 to be the transport for openvpn 02:43 < reiffert> dazo: I mentioned your name twice. 02:43 < reiffert> :) 02:43 <@dazo> reiffert: ahh :) I'll check scrollback once again 02:43 < reiffert> krzie: what do you think, 3 days ago, maybe 4? 02:44 < krzie> not sure, the week has blurred into 1 long long pneumonia filled day 02:44 < reiffert> :) 02:44 <@dazo> [08-01 11:01:24] i'm looking for an solution to encrypt layer2 traffic that is passing an fibre connected link 02:44 < krzie> yep thats him 02:44 < reiffert> yeah that one 02:45 <@dazo> gee ... that's a long discussion 02:45 < krzie> made me jealous... he gets fibre and im on 3mbit/1mbit 02:45 < reiffert> dazo: but as I recall he was asking in the middle of the european night. 02:45 < reiffert> DarthGandalf: alright then, "long discussion" fits. 02:46 < reiffert> my tab completition hurts 02:46 < reiffert> completi(ti)on 02:47 < reiffert> :) 02:47 < reiffert> What will help you when you already have plenty of coffee? More coffee! 02:48 < krzie> crack! 02:48 < krzie> o_O 02:49 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn 02:58 <@dazo> reiffert: yeah ... well, I just struggle to understand some details ... but that can be because I'm so locking into the traditional Ethernet world ....
if using MAC addresses, how would that be useful outside your own network? How will it be possible to bring such traffic "outside your building" using MAC addresses as the addressing scheme, crossing routers? 02:58 <@dazo> s/locking/locked/ 03:00 < reiffert> simply spoken: you dont. 03:00 -!- kyrix [~ashley@LSt-Amand-152-32-39-189.w80-11.abo.wanadoo.fr] has joined #openvpn 03:01 < reiffert> it's for the purpose of having encrypted local links. 03:01 < reiffert> same what cisco's MACSec and/or TrustSec do. 03:02 < reiffert> TrustSec is for local links only and MACSec can do routing IIRC. 03:02 < reiffert> We already do have the Routing stuff. 03:03 < reiffert> Skipping the IP stuff for local links is what might be interesting. 03:03 <@dazo> hmm ... well, it probably gets more useful when you do the routing part ... but, yeah, we already got that covered ... 03:04 <@dazo> it sounds interesting ... but I'm likely to say this is more suitable for OpenVPN3 ... as there the "socket" part will be its own module, which will normally be TCP/IP based (AF_INET/AF_INET6) ... but that can be swapped out for such use-cases to use AF_PACKET instead 03:05 < krzie> yep, iirc we mentioned that 03:05 < reiffert> great. I just wanted to make sure you put it on the roadmap. 03:05 <@dazo> in the current code base ... doing that will require a lot of hacking 03:05 <@dazo> socket.c which covers most of this, is a nasty piece of code ... which is really difficult to read and understand 03:05 <@dazo> (which is also why listening to multiple ports has never really been implemented) 03:05 < krzie> (not that it would be *more* suitable, but that it would be easier... i dont think we knew what it entailed to do currently) 03:06 <@dazo> krzie: yeah ... exactly my point 03:06 < reiffert> dazo: so you will handle the part from "here" to "putting it on the roadmap"?
03:07 <@dazo> I'll put it into the roadmap as a potential module 03:07 < reiffert> back to "fighting the law" 03:07 < reiffert> (thanks) 03:07 < krzie> openvpn3 will be so awesome 03:07 < reiffert> .oO I fought the law, and the law won :) 03:08 < krzie> "sure, that would just be a new module" will be commonplace for new features 03:08 < krzie> from using layer2 as transport all the way to using DNS as the transport, and much much more 03:09 < reiffert> http://www.youtube.com/watch?v=16u0wwCfoJ4 03:09 <@vpnHelper> Title: YouTube - The Clash - I Fought The Law (at www.youtube.com) 03:09 <@dazo> krzie: yeah, I'm just wondering when we will be able to really kick-off that development cycle ... rewriting things from scratch is very very seldom a clever idea, so we need to clean up the current code base and massage that one to become more modular .... and the SSL module stuff being reviewed is one big leap in that direction, we just need many more of such leaps 03:11 < reiffert> The more planning you do, the more straightforward the actual coding will get 03:11 < reiffert> but at some point someone has to start writing the inner loop.
03:12 < reiffert> (The Dead Kennedys cover I like much more) 03:12 < reiffert> http://www.youtube.com/watch?v=jbCqwl2geQg 03:12 <@vpnHelper> Title: YouTube - Dead Kennedys - I Fought the Law (at www.youtube.com) 03:12 -!- macsppadic is now known as Directorsppadic 03:18 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 03:21 -!- mrle0 [~fin@85.69.2.81.in-addr.arpa] has joined #openvpn 03:23 -!- alhadi [~thunderst@s3.airvpn.org] has quit [Quit: alhadi] 03:28 -!- alhadi [~thunderst@92.99.235.139] has joined #openvpn 03:28 -!- patelx [patel@openvpn/corp/admin/patel] has quit [Ping timeout: 260 seconds] 03:28 -!- maxJadi [~maxJadi@h192n3-g-kt-d1.ias.bredband.telia.com] has joined #openvpn 03:28 -!- maxJadi [~maxJadi@h192n3-g-kt-d1.ias.bredband.telia.com] has quit [Changing host] 03:28 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn 03:31 -!- djgerm1 [~Your_Moms@adsl-75-24-88-30.dsl.pltn13.sbcglobal.net] has joined #openvpn 03:32 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer] 03:34 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Ping timeout: 255 seconds] 03:34 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 03:41 -!- SOG [~SOG@solution1.hsia.citycenter.com] has joined #openvpn 03:50 -!- master_of_master [~master_of@p57B56916.dip.t-dialin.net] has quit [Ping timeout: 240 seconds] 03:51 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 03:52 -!- master_of_master [~master_of@p57B544B0.dip.t-dialin.net] has joined #openvpn 03:53 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 255 seconds] 03:54 -!- alhadi [~thunderst@92.99.235.139] has quit [Quit: alhadi] 03:56 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving] 04:01 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 04:06 < kraut> moin 04:08 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit
[Remote host closed the connection] 04:09 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn 04:09 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host] 04:09 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn 04:13 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn 04:13 -!- mode/#openvpn [+o mattock] by ChanServ 04:37 <@vpnHelper> RSS Update - forum: Firewall blocked https traffic 04:42 -!- common- [~common@p5DDA441B.dip0.t-ipconnect.de] has joined #openvpn 04:44 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection] 04:45 -!- common [~common@p5DDA4467.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds] 04:45 -!- common- is now known as common 04:46 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn 04:46 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host] 04:46 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn 04:51 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn 04:53 <@vpnHelper> RSS Update - forum: Installing VPN with Win Xp 04:58 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 240 seconds] 05:03 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 05:10 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 260 seconds] 05:22 -!- venom00 [~wer@unaffiliated/venom00] has joined #openvpn 05:23 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn 05:24 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 272 seconds] 05:24 -!- venom00 [~wer@unaffiliated/venom00] has quit [Client Quit] 05:25 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 05:29 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 272 seconds] 05:29 -!- SOG [~SOG@solution1.hsia.citycenter.com] has quit [Ping timeout: 240 seconds] 05:35 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn 05:38 -!- venom00ut 
[~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer] 05:39 -!- venom00 [~wer@unaffiliated/venom00] has joined #openvpn 05:49 -!- venom00 [~wer@unaffiliated/venom00] has quit [Quit: ☃] 05:50 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 05:55 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn 05:57 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds] 05:57 -!- Cain` is now known as Cain 05:58 -!- Cain [~Geek@unaffiliated/cain] has quit [Client Quit] 05:59 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn 06:29 -!- WinstonSmith [~true@g231231059.adsl.alicedsl.de] has joined #openvpn 06:45 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn 06:54 -!- luneff [~yury@84.51.195.188] has joined #openvpn 06:58 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer] 07:05 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn 07:06 -!- lupine_85 [~lupine_85@2001:41c8:10:462::99] has quit [Changing host] 07:06 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has joined #openvpn 07:09 < Bebop2Steady> my latest and greatest unsuccess: --> http://i53.tinypic.com/k0o6sn.jpg 07:15 -!- Iron_Chef [~alloy@tropyx.com] has left #openvpn [] 07:17 -!- kyrix [~ashley@LSt-Amand-152-32-39-189.w80-11.abo.wanadoo.fr] has quit [Quit: Leaving] 07:20 -!- Bebop2Steady [~Bebop2Ste@124-169-6-237.dyn.iinet.net.au] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/] 07:20 -!- WinstonSmith [~true@g231231059.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 07:29 -!- iceberg [~iceberg@cpe-24-166-7-47.indy.res.rr.com] has quit [Quit: iceberg] 07:30 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 07:32 -!- s7r [~s7r@212.78.230.220] has joined #openvpn 07:33 -!- WinstonSmith [~true@e179010020.adsl.alicedsl.de] has joined #openvpn 07:34 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer] 
07:45 -!- markus__ [~markus@c83-250-36-93.bredband.comhem.se] has quit [Remote host closed the connection]
07:52 < gladiatr> mmm... awesomeness... freebsd-ppc subject line: [ANNOUNCE] Playstation 3 support now in HEAD
07:55 -!- WinstonSmith [~true@e179010020.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
08:04 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
08:04 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
08:04 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:06 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
08:06 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 260 seconds]
08:10 -!- pete-joh [~pete-joh@triton.dsv.su.se] has joined #openvpn
08:10 < pete-joh> Hi, can openvpn tunnel udp traffic too?
08:11 < pete-joh> or only TCP?
08:12 -!- dollabill [~mike@199.44.8.98] has joined #openvpn
08:13 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn
08:13 < gladiatr> as in: through an established tunnel?
08:14 < |Mike|> pete-joh: !welcome
08:14 < |Mike|> !tell pete-joh welcome
08:14 < |Mike|> !tell pete-joh [welcome]
08:26 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
08:28 -!- WinstonSmith [~true@e179010020.adsl.alicedsl.de] has joined #openvpn
08:29 -!- morbidwar [~ovidiu@81.196.150.82] has joined #openvpn
08:30 < iceberg> do most people around here use a UI to manage certificates or just console?
08:33 < gladiatr> <- console
08:33 < morbidwar> console iceberg
08:34 <@dazo> iceberg: console and gui (tinyCA2 and xca)
08:35 < iceberg> ok, I assumed most used console, those of you that do, did you just add the vars variables to your shell rc file?
08:36 < gladiatr> I don't. I source the vars file whenever I interact with the CA
08:37 < iceberg> ahh I have an account specifically for that, I don't do it from a user or root account
08:38 < gladiatr> cool. Even then, I'd still keep the config within the CA directory structure (personal preference) and just source the vars file from .*profile
08:39 < iceberg> ok, thanks for the advice
08:40 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn
08:43 < pete-joh> gladiatr: yep,
08:45 -!- sporedi [~chatzilla@mail.utmxtm.com] has joined #openvpn
08:51 -!- Directorsppadic [~sonupunno@88.211.55.77] has left #openvpn []
08:53 < gladiatr> pete-joh, yes.
09:02 -!- morbidwar [~ovidiu@81.196.150.82] has quit [Remote host closed the connection]
09:07 < sporedi> !taportun
09:07 < pete-joh> gladiatr: nice, are there any bandwidth or performance penalties?
09:09 < gladiatr> sec
09:11 < sporedi> when to use tap or tunnel what is boat ?
09:12 < gladiatr> pete-joh, It depends on your usage patterns and internet connectivity.
09:13 < gladiatr> pete-joh, like most things, I guess.
09:13 -!- krzie [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
09:18 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
09:20 -!- iceberg_ [~iceberg@64.141.147.212] has joined #openvpn
09:20 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Read error: Connection reset by peer]
09:21 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn
09:25 -!- iceberg_ [~iceberg@64.141.147.212] has quit [Ping timeout: 272 seconds]
09:25 -!- sporedi [~chatzilla@mail.utmxtm.com] has left #openvpn []
09:29 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
09:29 < pete-joh> gladiatr: bandwidth overhead may be constant?
09:31 < gladiatr> pete-joh, how do you mean?
09:32 < pete-joh> gladiatr: packet data overhead needed should be the same if network sends a packet that is 1b or 1000b?
09:33 < gladiatr> I believe that to be true.
09:33 < pete-joh> gladiatr: k, i was thinking about voip-server use-case, maybe traffic peak capacity 100 call legs transmitting/receiving 160byte rtp packets every 20ms.
09:34 < pete-joh> gladiatr: the vpn channel would be between two servers, would it work?
09:35 < gladiatr> Are your internet connections symmetrical?
09:37 < jambooda> Hello, does anyone know of any good documentation on how to compile lzo statically into openvpn? I want everything else to be dynamic but lzo should be static.
09:38 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
09:39 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
09:39 < pete-joh> gladiatr: hm i have no idea :)
09:41 < gladiatr> pete-joh, is the upstream and downstream bandwidth the same on both of your internet connections?
09:42 -!- iceberg_ [~iceberg@64.141.147.212] has joined #openvpn
09:43 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Read error: Connection reset by peer]
09:43 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn
09:47 -!- iceberg_ [~iceberg@64.141.147.212] has quit [Ping timeout: 260 seconds]
09:49 < pete-joh> gladiatr: yep, incoming and outgoing traffic are using the same port
09:52 < gladiatr> hrm... ok, well, if you have access to symmetrical, reasonably high-speed connections on both ends, you should have a decent experience. You might end up needing to tweak your configuration to optimize it after you've done your initial testing.
09:52 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 250 seconds]
09:54 < iceberg> when I add: push "dhcp-option DNS 10.2.2.1" my client just continually reconnects, if I remove the line it is fine. Client config: http://pastebin.com/RLy0vkPD The error I get is 'No Such Key' but if I remove the DNS push the key I have works just fine. Client OS: OS X, Client: tunnelblick, any help would be appreciated.
09:55 < pete-joh> gladiatr: alright nice
09:57 -!- Blues-Man [~bluesman@host33-5-dynamic.3-79-r.retail.telecomitalia.it] has joined #openvpn
09:59 < gladiatr> iceberg, have you searched the tunnelblick mailing lists for this error?
09:59 -!- Blues-Man [~bluesman@host33-5-dynamic.3-79-r.retail.telecomitalia.it] has left #openvpn []
10:01 < iceberg> I searched google in general and found that that line only works for windows clients, how do I push dns settings to non-windows clients?
10:04 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
10:04 < gladiatr> Huh. I'm not in a position to check (I don't have a mac with me), but I configured a couple os x systems in the last 6 months and didn't have that sort of issue.
10:04 < gladiatr> Everything I'm seeing (from googling openvpn tunnelblick DNS) is all quite old (pre-2008)
10:05 < iceberg> actually there is a new posting from Dec, with no replies
10:06 < iceberg> http://code.google.com/p/tunnelblick/issues/attachmentText?id=61&aid=3358861294701302015&name=DNSresetVPN.log&token=e99e51d0e046d5ed6236a0c3dd2cc67b
10:06 <@vpnHelper> Title: DNSresetVPN.log (filesize) - tunnelblick - Project Hosting on Google Code (at code.google.com)
10:06 < gladiatr> Ahh. I mean, TB uses a standard openvpn configuration file. You could always use an up-script to fix up your DNS settings. I looked it up once (but don't recall) the particular incantation to manually configure DNS on os x
10:07 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
10:07 < iceberg> well it won't always be a mac
10:07 < gladiatr> bwah?
10:07 -!- Bushmills [~l@scarydevilmonastery.net] has left #openvpn []
10:08 < iceberg> not everyone here uses a mac
10:08 < iceberg> so I would prefer to control the DNS settings from the server
10:09 < gladiatr> oh, sure. You can still get the data from the server, but if tunnelblick is distributing a broken openvpn client, I'm just suggesting you could have an up-script that you distribute with the os x configuration to take care of Doing The Right Thing with the server supplied DNS config data.
10:11 < gladiatr> The only thing I'm seeing in the TB 3.1 Known Issues page is that the supplied script won't set the default search domain.
10:11 < iceberg> I'm about to test it on the openvpn portable for windows to see if it's a config issue or just local to tunnelblick
10:12 -!- takamichi [Takamichi@85.232.213.54] has quit [Ping timeout: 246 seconds]
10:13 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
10:17 < iceberg> ok, it's definitely tunnelblick
10:18 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Remote host closed the connection]
10:18 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn
10:20 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Remote host closed the connection]
10:20 -!- iceberg_ [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn
10:21 -!- iceberg [~iceberg@64.141.147.212] has joined #openvpn
10:21 -!- p3rror [~mezgani@41.140.27.249] has quit [Read error: Connection reset by peer]
10:24 <@vpnHelper> RSS Update - forum: OpenVPN or how to configure it from the Windows 7
10:24 -!- iceberg_ [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Ping timeout: 250 seconds]
10:30 -!- Bushmills [~l@scarydevilmonastery.net] has joined #openvpn
10:37 -!- p3rror [~mezgani@41.140.39.76] has joined #openvpn
10:42 -!- mrle0 [~fin@85.69.2.81.in-addr.arpa] has quit [Quit: Leaving]
10:50 -!- p3rror [~mezgani@41.140.39.76] has quit [Ping timeout: 264 seconds]
10:53 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 272 seconds]
10:53 -!- takamichi [Takamichi@85.232.213.54] has joined #openvpn
10:54 -!- sparkymarkd [~mark@200.32.232.149] has joined #openvpn
11:00 <@vpnHelper> RSS Update - forum: Pushing Routes
11:02 -!- p3rror [~mezgani@41.140.25.30] has joined #openvpn
11:06 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds]
11:07 -!- djgerm1 [~Your_Moms@adsl-75-24-88-30.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving.]
11:11 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn
11:12 <@vpnHelper> RSS Update - forum: Pushing Routes
11:13 < gladiatr> Dear vpnHelper, Hi. My name is Stephen. I am completely misinformed as to the nature of biology on this nice little planet of yours. I've noticed you have Cows. I have been told they are quite versatile. But, I was wondering: I thought I would have some new friends over for dinner last week, so I obtained a cow and butchered it, as per the instructions that came with the cow. But, I do not understand why, after following all the
11:13 < gladiatr> How do I make my cow give me green beans?
11:13 < gladiatr> Sincerely,
11:13 < gladiatr> Stephen the Alien
11:15 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has joined #openvpn
11:17 -!- dazo is now known as dazo_afk
11:17 <@vpnHelper> RSS Update - forum: Pushing Routes
11:24 <@vpnHelper> RSS Update - forum: UPnP over openVPN, is it possible?
11:24 -!- p3rror [~mezgani@41.140.25.30] has quit [Ping timeout: 240 seconds]
11:29 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has joined #openvpn
11:35 -!- iceberg_ [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn
11:36 -!- p3rror [~mezgani@41.140.152.197] has joined #openvpn
11:39 -!- iceberg [~iceberg@64.141.147.212] has quit [Ping timeout: 240 seconds]
11:39 -!- iceberg_ is now known as iceberg
11:44 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
11:51 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Read error: Operation timed out]
11:54 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 260 seconds]
12:00 -!- powerunits [~aa@116.71.183.202] has joined #openvpn
12:00 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
12:02 < powerunits> hi
12:02 < powerunits> everyone, i have openvpn server on windows. it was working fine. all clients could connect to it easily..
12:02 < powerunits> but for some reason
12:02 < powerunits> it stopped working..
12:03 < powerunits> some clients can connect and some can't
12:03 < powerunits> some can't
12:03 < powerunits> http://pastebin.com/TCe9y0jb
12:03 < powerunits> here is the client's log file.. please
12:03 < powerunits> can someone help me on this?
12:04 < reiffert> hi powerunits.
12:04 < reiffert> when did you install the stuff and when was the last time it was fully working?
12:04 < powerunits> hi
12:05 -!- benner [~benner@kortu.kalade.lt] has joined #openvpn
12:05 < benner> hi
12:05 < powerunits> well i installed openvpn server on windows 2003 4 months back
12:05 < powerunits> till last week it was working fine..
12:05 < gladiatr> your clocks are no correct: VERIFY ERROR: depth=1, error=certificate is not yet valid:
12:05 < benner> !welcome
12:05 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:05 < reiffert> powerunits: you don't seem to hit the "a certificate got expired" problem.
12:05 < gladiatr> s/no/not
12:06 < benner> !redirect
12:06 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:06 < reiffert> powerunits: but have a look at gladiatr's response.
12:06 < benner> !def1
12:06 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
12:06 < powerunits> humm
12:06 < reiffert> krzee: can we have vpnHelper to answer by /msg or /notice or something similar please?
12:07 < reiffert> krzee: like !foo nickname -> /msg nickname !foo
12:07 < powerunits> let me send you all config files as well
12:07 < reiffert> s,!foo$,[foo],
12:07 < reiffert> powerunits: why all the config files. please fix:
12:07 < reiffert> VERIFY ERROR: depth=1, error=certificate is not yet valid:
12:08 < reiffert> powerunits: two possible reasons: when you started creating the certificate, the clock was running way into the future, or it is running way into the past right now.
12:09 < gladiatr> Well, the log files have a Nov. 1 date stamp...
12:09 < reiffert> gladiatr: which year?
12:09 < powerunits> oooh maybe this is coz i changed time on my client machine
12:10 < gladiatr> 2010, but still...
12:10 < reiffert> powerunits: maybe = the reason.
12:10 < powerunits> today when i started my client machine..
12:10 < powerunits> it gave me time error
12:10 < powerunits> then i went into bios and corrected time settings
12:10 < powerunits> after that on that vpn client machine
12:11 < powerunits> i am unable to connect
12:11 < reiffert> powerunits: shall I copy paste again or will you provide recent logfiles or are you trying to fix the date/time problem?
12:12 < reiffert> careful, the customer is threatening to place an order :)
12:12 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
12:12 < powerunits> it's still showing wrong time
12:12 < powerunits> Mon Nov 1 07:12:05 EDT 2010
12:13 < gladiatr> Hrm... needless to say, this would explain the problem.
12:14 < powerunits> i changed the time
12:14 < powerunits> now it's connected
12:14 < powerunits> :)
12:14 < powerunits> thanks a lot for giving me this hint :)
12:14 < gladiatr> no problem :)
12:14 < reiffert> just search for "error" in the logfile.
12:14 < reiffert> you are welcome
12:14 < powerunits> thanks
12:15 < powerunits> by the way i used this command date --set="11 JAN 2011 23:10:00"
12:15 < powerunits> to change the time
12:15 -!- benner [~benner@kortu.kalade.lt] has quit [Ping timeout: 240 seconds]
12:15 < powerunits> now does this command change the time for ever
12:15 < powerunits> or after reboot will it go back to old time?
12:18 < reiffert> depends on your bios and your operating system. try it out.
12:18 < gladiatr> Your system clock should be able to keep you within a reasonable proximity to the "correct" time
12:18 < gladiatr> If it isn't, there is something wrong with your motherboard.
12:19 < powerunits> i checked .. after rebooting system.. system shows me correct time :)
12:19 < powerunits> thanks guys for your help
12:21 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Quit: iceberg]
12:21 -!- benner [~benner@kortu.kalade.lt] has joined #openvpn
12:21 -!- benner [~benner@kortu.kalade.lt] has left #openvpn []
12:33 -!- p3rror [~mezgani@41.140.152.197] has quit [Ping timeout: 240 seconds]
12:40 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
12:41 -!- powerunits [~aa@116.71.183.202] has quit []
12:41 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:46 -!- p3rror [~mezgani@41.140.181.215] has joined #openvpn
12:51 -!- pete-joh [~pete-joh@triton.dsv.su.se] has quit [Quit: leaving]
13:03 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 240 seconds]
13:14 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
13:20 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
13:35 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Ping timeout: 272 seconds]
13:36 -!- d12fk [~heiko@vpn.astaro.de] has joined #openvpn
13:57 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has quit [Read error: Operation timed out]
14:00 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn
14:01 -!- stony [~ol@2a01:198:6f7::dead:beef:0] has quit [Ping timeout: 260 seconds]
14:02 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has joined #openvpn
14:04 -!- stony [~ol@2a01:198:6f7::dead:beef:0] has joined #openvpn
14:05 -!- stony is now known as Guest11684
14:07 -!- Guest11684 is now known as gisikon
14:09 -!- p3rror [~mezgani@41.140.181.215] has quit [Ping timeout: 240 seconds]
14:10 -!- tona [~boingboin@189.162.124.99] has joined #openvpn
14:10 < tona> hello guys
14:11 < tona> where can i download the manual as pdf?
14:13 < gisikon> tona: http://www.web2pdfconvert.com/getPDF.aspx?path=1ffb2865-8122-4e0d-b1f6-868c5e6877dfwww-openvpn-net.pdf
14:14 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
14:22 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined #openvpn
14:23 -!- risc427 [~risc@dss.datastreamer.net] has joined #openvpn
14:24 < risc427> anyone around?
14:29 < reiffert> nope
14:33 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:39 -!- raidzxx [~Andrew@seance.openvpn.org] has joined #openvpn
14:40 -!- Netsplit *.net <-> *.split quits: js_, kisom, raidzx, blackpenguin, Bushmills, sno, pa, Martin`, belZe, fbh, (+8 more, use /NETSPLIT to show all of them)
14:42 -!- Netsplit over, joins: raidzx, kisom, belZe, Bushmills, _zero__, diphthong, js_, sia^pwnnt, ScriptFanix, blackpenguin (+8 more)
14:43 -!- raidzx [~Andrew@2002:adc0:e0ad::adc0:e0ad] has quit [Ping timeout: 274 seconds]
14:44 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds]
14:47 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn
14:49 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn
14:56 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds]
15:01 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn
15:15 -!- nb is now known as i
15:16 -!- gisikon is now known as stony
15:16 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Quit: Lost terminal]
15:18 -!- i is now known as nb
15:19 -!- p3rror [~mezgani@41.140.183.184] has joined #openvpn
15:20 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn
15:21 < morbidwar> hello everyone
15:22 < morbidwar> can somebody help me? every time i'm running bridge-start (the bridging script that comes with openvpn) the network goes down
15:23 -!- tona [~boingboin@189.162.124.99] has quit []
15:26 -!- p3rror [~mezgani@41.140.183.184] has quit [Remote host closed the connection]
15:33 -!- newbie|2 [~kvirc@124-169-6-237.dyn.iinet.net.au] has joined #openvpn
15:34 < krzie> morbidwar, why do you want a bridge...?
15:35 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined #openvpn
15:35 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig.
15:35 < morbidwar> krzie: i resolved it, added > eth_gw="x.x.x.x" and route add default gw $eth_gw
15:35 < morbidwar> it was deleting the default route
15:36 -!- dschuett [~dschuett@216.229.21.250] has quit [Ping timeout: 240 seconds]
15:42 -!- dollabill [~mike@199.44.8.98] has quit [Ping timeout: 260 seconds]
15:42 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Quit: Lost terminal]
15:56 -!- sparkymarkd [~mark@200.32.232.149] has quit [Ping timeout: 240 seconds]
15:56 -!- sparkymarkd [~mark@h69-21-196-174.mdsnwi.dedicated.static.tds.net] has joined #openvpn
16:00 -!- risc427 [~risc@dss.datastreamer.net] has quit [Quit: Leaving]
16:02 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Ping timeout: 260 seconds]
16:06 -!- s7r [~s7r@212.78.230.220] has left #openvpn []
16:06 -!- newbie|2 [~kvirc@124-169-6-237.dyn.iinet.net.au] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/]
16:07 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Read error: Connection reset by peer]
16:07 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Remote host closed the connection]
16:08 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
16:14 -!- p3rror [~mezgani@41.140.40.103] has joined #openvpn
16:19 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined #openvpn
16:27 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 265 seconds]
16:42 -!- LeRrA_ [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
16:55 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
16:56 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
16:58 -!- Xgates [debian-tor@gateway/tor-sasl/xgates] has joined #openvpn
16:59 < Xgates> Hi guys
17:00 < Xgates> I have a problem with a VPN service dropping me typically every hour and I made a post if anyone can help;
17:00 < Xgates> https://forums.openvpn.net/topic7503.html
17:14 < krzie> Xgates,
17:14 < krzie> !man
17:14 < krzie> you asked about --inactive
17:14 < krzie> read about it in the manual
17:14 < krzie> damn bot is down again, 1sec
17:15 < krzie> also read about --keepalive
17:15 -!- sparkymarkd [~mark@h69-21-196-174.mdsnwi.dedicated.static.tds.net] has quit [Ping timeout: 240 seconds]
17:16 < Xgates> thanks, where's this manual at?
17:16 < Xgates> on my box or online?
17:16 < krzie> oh damn the bot's server is down
17:16 < krzie> ecrist, ^
17:16 < krzie> you have a manual on your box, AND one at www.openvpn.net/man-beta
17:19 < Xgates> so are these options cmds --inactive --keepalive something everyone should be using for situations like this and because I'm not using them it's why I have this problem?
17:21 < krzie> not sure, i have never *not* used keepalive
17:21 < Xgates> do you use --inactive as well?
17:22 < krzie> nope, just --keepalive, go read what it is
17:22 < Xgates> Well the link you gave me points here;
17:22 < Xgates> http://www.openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html
17:23 < Xgates> there are only 3 entries so at this point I don't get it, is this a cmd to run or an option to place in the client.conf and use?
17:23 < krzie> !--
17:23 < krzie> grrr
17:23 < krzie> damn bot
17:23 < krzie> it is either
17:24 < gladiatr> bzzzT *pop*
17:24 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
17:24 < Xgates> ok so then this would be all I need to use that?
17:24 < Xgates> openvpn --auth-nocache --keepalive --config /etc/openvpn/config.conf --ca /etc/openvpn/certs/ca.crt
17:25 < krzie> Xgates, every single config option can be used at cli or in the config
17:25 < krzie> at cli with --, in config without the --
17:25 < Xgates> ok
17:25 < Xgates> ok I see...
17:26 < Xgates> I don't see anything about a certain amount of numbers needed for keepalive
17:26 < Xgates> So as a cli option this is all you use --> --keepalive ?
17:26 < Xgates> like I showed above...
17:26 < krzie> no...
17:27 < krzie> --keepalive n m
17:27 < krzie> A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations.
17:27 < krzie> For example, --keepalive 10 60 expands as follows:
17:28 < krzie> pay attention to the example
17:28 < krzie> then read about the options that are included in --keepalive
17:28 < krzie> and note, you don't actually need any cli options, you can put any/all in the config
17:29 < krzie> (but what you are doing is fine too)
17:29 < Xgates> I'm a geek of many years and even as a Geek it makes little sense...
17:29 < Xgates> like n m as an example, what is this representing?
17:30 < krzie> dude, it's directly under the lines i pasted
17:30 < krzie> For example, --keepalive 10 60 expands as follows:
17:30 < krzie> if mode server:
17:30 < krzie> ping 10
17:30 < krzie> ping-restart 120
17:30 < krzie> push "ping 10"
17:30 < krzie> push "ping-restart 60"
17:30 < krzie> else
17:30 < krzie> ping 10
17:30 < krzie> ping-restart 60
17:30 < krzie> so then you should read about --ping and --ping-restart
17:31 < Xgates> sorry for seeming dense here but to me this is very little information to understand...
17:31 < Xgates> and THANKS for helping :)
17:31 < krzie> yw
17:31 < krzie> would be easier if my bot was here
17:33 < Xgates> well I'm not totally dead here, I understand what keepalive is about...
17:33 * Xgates reads
17:33 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Ping timeout: 276 seconds]
17:34 < Xgates> is the manual in mistake?
17:34 < krzie> not to my knowledge...
17:35 < Xgates> Isn't the --ping-restart n listed there by what we are reading supposed to be M instead of N like ---> --ping-restart m ?
17:35 < Xgates> cause we are talking about a n m and when you said to look at ping and ping restart I see no mention of m, only two n
17:36 < krzie> lol ignore the letters used and understand their meaning
17:36 < Xgates> ok
17:36 < krzie> valid point tho, i will bring it up
17:37 < Xgates> yeah since it does say --keepalive n m hehe ;p
17:37 < Xgates> ok so I get this now...
17:37 < Xgates> are there any figures that are considered a 'Default' to use?
17:38 < Xgates> is --keepalive 10 60 -- the 10 60 common?
17:38 < Xgates> I like to use defaults when possible that cover common ground for most situations...
17:38 < krzie> yep, very common
17:39 < Xgates> ok good I'll use that then
17:39 < Xgates> is the placement in the cmd I'm using ok?
17:39 < Xgates> --> openvpn --auth-nocache --keepalive 10 60 --config /etc/openvpn/config.conf --ca /etc/openvpn/certs/ca.crt
17:44 < krzie> order doesn't matter unless your config overrides things set before it
17:44 < Xgates> the client.conf or the conf from the VPN service?
17:45 < Xgates> right now I'm not using any client.conf
17:45 < Xgates> I just run the cmds, that's all, to start and that's it
17:46 < krzie> --config /etc/openvpn/config.conf
17:46 < krzie> what do you call THAT
17:46 < krzie> ;]
17:50 < Xgates> That's what I was talking about, I haven't been using it
17:50 < Xgates> I did before but not at the moment
17:53 < Xgates> ahh my bad
17:53 < Xgates> that's the VPN service provider's config not the OpenVPN client.conf
17:53 < Xgates> krzie: you use Windows or Linux?
17:54 < Xgates> my bad I was talking about the client.conf that is in /usr/doc/openvpn-2.1.4/sample-config-files/ if I needed to use that
17:54 < krzie> osX and freebsd
17:54 < Xgates> ok bsd might have the same path and configs
17:54 < Xgates> or close to it...
17:56 < Xgates> Ahh the technical name, heheh, 'The Client Side OpenVPN config' :)
17:56 < Xgates> http://pastebin.com/Mq5CBbQj
17:57 < Xgates> yeah my bad, when I reinstalled OpenVPN I didn't put this back in /etc/openvpn
17:58 < Xgates> errrr
17:59 < krzie> no comments please
17:59 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
17:59 < Xgates> This is what's in /etc/openvpn/config.conf ---> http://pastebin.com/Xsvy33HK
17:59 < Xgates> I take it that is all I need
17:59 < krzie> and location does not matter, just use full paths
18:00 < Xgates> my bad, I guess the sample config is just like the one that the VPN provider gave me
18:00 < krzie> and osx/linux/bsd configs are the same... windows too although they have a couple optional config options and paths are different style
18:01 < krzie> waitwait
18:01 < krzie> you have a vpn provider and don't run your own server?
18:01 < Xgates> but you see what I'm saying? I think I confused myself with my lack of experience with OpenVPN, that I thought 'The Client Side OpenVPN config' was something different I used, but the config I showed in the second pastebin URL is the config that the VPN provider gives you, that you use, correct?
18:02 < krzie> looks like it
18:02 < Xgates> no I don't run a server, I'm just using a VPN service
18:02 < krzie> you gotta get help from them really
18:02 < krzie> any options they push to you will override your own
18:02 < Xgates> yeah np, hopefully the --keepalive will help
18:03 < krzie> so for example when you added keepalive, it prolly does nothing
18:03 < Xgates> well their config doesn't have keepalive in it
18:03 < krzie> you have their config!?
18:03 < krzie> the SERVER config...?
18:03 < Xgates> No, the client config they give you ---> http://pastebin.com/Xsvy33HK
18:03 < krzie> right
18:03 < krzie> I'm telling you that their server config will override your client stuff
18:03 < krzie> if they choose
18:04 < krzie> you need to get support from THEM
18:04 < Xgates> yes I know
18:04 < Xgates> I just didn't know if keepalive was still something I used regardless and, typically speaking, they wouldn't override something like this
18:05 < krzie> if they use keepalive, it overrides your
18:05 < krzie> yours*
18:05 < Xgates> I'll ask them, ok...
18:05 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
18:05 -!- mode/#openvpn [+o vpnHelper] by ChanServ
18:05 < krzie> yay!
18:05 < ecrist> krzie: I was re-racking all the gear, cleaning out dust, rerouting power, etc.
18:06 < krzie> ahh sweet
18:06 < ecrist> my whole home lan has been down for about 2 hours
18:06 < krzie> ahh you IRC from remote?
18:06 < ecrist> yeah, I IRC from a work machine that's under-utilized.
18:07 * ecrist poofs to eat dinner
18:09 < Xgates> THANKS krzie for your help, I'll add in the --keepalive and see if it helps in the meantime while I wait on them...
18:09 < Xgates> LATER
18:09 -!- Xgates [debian-tor@gateway/tor-sasl/xgates] has quit [Quit: Ping Timeout ( 0.0 Seconds )]
18:15 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Quit: Leaving]
18:32 -!- mant1s [~mant1s@cpe-76-179-27-79.maine.res.rr.com] has joined #openvpn
18:32 -!- mant1s [~mant1s@cpe-76-179-27-79.maine.res.rr.com] has quit [Changing host]
18:32 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
18:45 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
18:49 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has quit [Quit: Leaving.]
18:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
19:09 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
19:13 -!- rkantos_ [robin@hp1.jaketus.net] has quit [Ping timeout: 246 seconds]
19:26 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn
19:34 -!- grishnav [~grishnav@209.160.52.134] has quit [Ping timeout: 276 seconds]
19:39 -!- pyther24 [~pyther@unaffiliated/pyther] has joined #openvpn
19:39 < pyther24> Hmm
19:40 < pyther24> my linux hosts can get to two /32 addresses, but my windows host can't
19:40 < |Mike|> what.
19:40 < pyther24> does windows not like /32 addresses?
19:40 < |Mike|> firewall.
19:40 < pyther24> |Mike|: are you talking to me?
19:40 < |Mike|> Yes sir.
19:40 < pyther24> well I'm connecting using the same user
19:41 < pyther24> meaning the same firewall rules should be applied when I connect
19:42 < |Mike|> you can reach those /32's when the windows firewalls are off?
19:42 < pyther24> no, but I can reach them on my linux box
19:44 < pyther24> gah never mind, now it is timing out
19:45 < pyther24> I thought it worked today
19:45 < pyther24> hmm maybe I had my resolv.conf messed up today
19:45 < |Mike|> search domains?
19:48 < pyther24> nah that is right, if I dig the internal dns name I get an internal ip address
19:49 < pyther24> I have a route in my table for it
19:51 < pyther24> I'm such an idiot
19:51 < pyther24> it's the firewall
19:51 < pyther24> gah I feel stupid!
19:54 -!- p3rror [~mezgani@41.140.40.103] has quit [Ping timeout: 240 seconds]
20:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
20:05 -!- Stylles [c915ad9b@gateway/web/freenode/ip.201.21.173.155] has joined #openvpn
20:06 < Stylles> Anyone know well vpn pptp?...........
20:06 < Stylles> Anyone know well vpn pptp?...........
20:07 -!- p3rror [~mezgani@41.140.34.55] has joined #openvpn
20:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
20:14 -!- pyther24 [~pyther@unaffiliated/pyther] has left #openvpn []
20:14 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
20:16 < pyther> probably a bad idea to make changes to the vpn config file remotely :P
20:19 -!- djgerm1 [~Your_Moms@adsl-75-24-88-30.dsl.pltn13.sbcglobal.net] has joined #openvpn
20:21 -!- djgerm2 [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn
20:22 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Ping timeout: 255 seconds]
20:25 -!- djgerm1 [~Your_Moms@adsl-75-24-88-30.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 265 seconds]
20:27 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Quit: Leaving.]
20:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
20:49 -!- p3rror [~mezgani@41.140.34.55] has quit [Ping timeout: 276 seconds]
20:49 -!- mirobmwgi [~mirovengi@99-3-161-173.lightspeed.mmphtn.sbcglobal.net] has joined #openvpn
20:50 < mirobmwgi> !welcome
20:50 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:55 < mirobmwgi> !goal
20:55 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:57 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
20:58 < mirobmwgi> !howto
20:58 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:01 -!- p3rror [~mezgani@41.140.42.91] has joined #openvpn
21:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:13 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
21:13 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
21:13 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:27 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
21:27 < KipMacy> how can i restrict a vpn client's network access ?
21:30 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
21:31 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
21:35 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
21:55 < krzie> KipMacy, how would you stop someone on your LAN's network access?
21:56 < KipMacy> threat of death
21:58 < theDoc> krzie: vlans segregation + acls + monitoring
22:00 < krzie> firewalls?
22:00 < krzie> (good point on vlans tho)
22:11 -!- p3rror [~mezgani@41.140.42.91] has quit [Ping timeout: 265 seconds]
22:11 < KipMacy> i haven't tried at all but can i make the openvpn server sit on more than one vlan?
22:12 < KipMacy> openvpn server in unix
22:12 -!- pyther [~pyther@unaffiliated/pyther] has quit [Read error: Operation timed out]
22:19 <@vpnHelper> RSS Update - forum: UPnP over openVPN, is it possible?
22:25 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Quit: Leaving.]
22:27 -!- gladiatr [~gladiatr@madeline.boneyard.lawrence.ks.us] has quit [Quit: My damn controlling terminal disappeared!]
22:48 < theDoc> krzie: Just need to be careful of l2 attacks.
22:48 < theDoc> Most of them are thwartable if you have a good admin around.
22:52 < krzie> theDoc, true
23:02 -!- Stylles [c915ad9b@gateway/web/freenode/ip.201.21.173.155] has quit [Ping timeout: 265 seconds]
23:07 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 276 seconds]
23:20 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
23:21 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
23:29 < krzie> KipMacy, dont worry bout layer2 if you use tun
23:29 < krzie> just use a firewall
23:29 < krzie> doc was pointing out that i misspoke ;]
23:29 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Disconnected by services]
23:29 < krzie> and services disconnected him for it!
23:30 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
23:30 < reiffert> moin
23:30 < krzie> moin reif!
23:31 < reiffert> krzie!
23:38 <@vpnHelper> RSS Update - forum: Installing VPN with Win Xp || cannot ping and samba share between ubuntu server and winxp
23:41 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
23:42 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
23:44 <@vpnHelper> RSS Update - forum: Installing VPN with Win Xp
23:50 <@vpnHelper> RSS Update - forum: Internet Connection Sharing with openvpn
23:55 <@vpnHelper> RSS Update - forum: OpenVPN In Linux - Do You Need To Configure Anything? || cannot ping and samba share between ubuntu server and winxp
--- Day changed Wed Jan 12 2011
00:02 <@vpnHelper> RSS Update - forum: UPnP over openVPN, is it possible?
00:08 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig. || Linux client problem
00:14 <@vpnHelper> RSS Update - forum: OpenVPN or how to configure it from the Windows 7 || Pushing Routes
00:19 < krzie> and something else I just realized, many well managed hotspots despite their insane port and traffic restrictions allow IPSec VPNs on port 1293!!!
00:19 < krzie> So I also added 1293 TCP/UDP, which seems to work just fine at this problematic hotspot! In fact I'm posting this over my VPN from that very hotspot right now.
00:19 <@vpnHelper> RSS Update - forum: Setting TCP or UDP from the client side? || Firewall blocked https traffic
00:19 < krzie> cool!
00:22 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
00:22 -!- tessier_ [~treed@mail.copilotco.com] has quit [Quit: leaving]
00:26 <@vpnHelper> RSS Update - forum: Routing Questions || Data output
00:29 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
00:32 <@vpnHelper> RSS Update - forum: cannot ping and samba share between ubuntu server and winxp
00:37 < theDoc> krzie: Do you know if the ipsec code has been cleared by the bsd guys?
00:37 -!- us3r [~aaron@CPE000d88382326-CM0012256eb04c.cpe.net.cable.rogers.com] has joined #openvpn
00:37 < theDoc> The last I heard, they were reviewing the code because of someone screaming about a backdoor in it.
00:38 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
00:40 < krzie> haven't heard anything newer than that as well
00:41 < krzie> even when its "cleared" i wont trust it
00:41 -!- us3r [~aaron@CPE000d88382326-CM0012256eb04c.cpe.net.cable.rogers.com] has quit [Client Quit]
00:43 < theDoc> I'm not touching ipsec anymore.
00:43 < theDoc> That probably includes ipsec implementations in cisco devices.
00:46 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
00:50 <@vpnHelper> RSS Update - forum: Installing VPN with Win Xp
00:51 -!- dazo_afk is now known as dazo
01:06 -!- jacky_bro [~hk@209.25.231.82] has joined #openvpn
01:06 < jacky_bro> !welcome
01:06 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:07 < jacky_bro> !route
01:07 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:07 <@vpnHelper> RSS Update - forum: Linux client problem
01:24 <@vpnHelper> RSS Update - forum: Internet Connection Sharing with openvpn
01:25 -!- WinstonSmith [~true@e179010020.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
01:25 -!- WinstonSmith [~true@e179010020.adsl.alicedsl.de] has joined #openvpn
01:30 <@vpnHelper> RSS Update - forum: Installing VPN with Win Xp || cannot ping and samba share between ubuntu server and winxp || No internet from units inside LAN when TUN bridge is up
01:31 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:33 -!- jacky_bro [~hk@209.25.231.82] has quit [Remote host closed the connection]
01:33 -!- jkjk [~hk@209.25.231.82] has joined #openvpn
01:33 -!- jkjk is now known as jacky_bro
01:36 <@vpnHelper> RSS Update - forum: Internet Connection Sharing with openvpn || Linux client problem
01:36 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Read error: Operation timed out]
01:39 < krzie> reiffert, is the offer still open for you to help me get krz.ee?
01:40 < krzie> i talked to the guy from .ee and he said it is fine
01:48 <@vpnHelper> RSS Update - forum: No internet from units inside LAN when TUN bridge is up
01:58 -!- WinstonSmith [~true@e179010020.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
01:59 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
02:07 -!- takamichi [Takamichi@85.232.213.54] has quit [Ping timeout: 240 seconds]
02:07 -!- takamichi [Takamichi@85.232.213.54] has joined #openvpn
02:09 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
02:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
02:15 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
02:15 -!- mode/#openvpn [+o mattock] by ChanServ
02:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
02:16 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn
02:18 <@vpnHelper> RSS Update - forum: cannot ping and samba share between ubuntu server and winxp
02:30 <@vpnHelper> RSS Update - forum: Installing VPN with Win Xp
02:36 <@vpnHelper> RSS Update - forum: Installing VPN with Win Xp || cannot ping and samba share between ubuntu server and winxp
02:42 <@vpnHelper> RSS Update - forum: creating additonal users || Installing VPN with Win Xp || cannot ping and samba share between ubuntu server and winxp
02:52 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 276 seconds]
02:57 -!- rot13 [~var@unaffiliated/rot13] has quit [Ping timeout: 276 seconds]
02:57 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has joined #openvpn
02:57 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
02:58 -!- jacky_bro [~hk@209.25.231.82] has quit [Remote host closed the connection]
02:58 -!- jkjk [~hk@209.25.231.82] has joined #openvpn
03:01 -!- jkjk [~hk@209.25.231.82] has quit [Remote host closed the connection]
03:01 -!- jacky_bro [~hk@209.25.231.82] has joined #openvpn
03:06 <@vpnHelper> RSS Update - forum: Pushing Routes
03:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
03:15 -!- ashes [~ashes@modemcable247.172-202-24.mc.videotron.ca] has quit [Ping timeout: 264 seconds]
03:19 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:21 -!- kyrix [~ashley@LSt-Amand-152-32-39-189.w80-11.abo.wanadoo.fr] has joined #openvpn
03:24 -!- ashes [~ashes@modemcable247.172-202-24.mc.videotron.ca] has joined #openvpn
03:24 <@vpnHelper> RSS Update - forum: Pushing Routes
03:36 <@vpnHelper> RSS Update - forum: Double VPN || 2 Hop VPN || VPN-over-VPN
03:37 -!- rkantos [robin@hp1.jaketus.net] has joined #openvpn
03:39 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn
03:39 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host]
03:39 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
03:47 < hyper_ch> hello there
03:48 < Rienzilla> hehe I guess after all the tun/tap talk in the past weeks there is nobody here willing to help me debugging a networking issue involving a tap vpn? :-)
03:48 <@vpnHelper> RSS Update - forum: Installing VPN with Win Xp
03:50 -!- master_of_master [~master_of@p57B544B0.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
03:52 -!- master_of_master [~master_of@p57B56AC2.dip.t-dialin.net] has joined #openvpn
03:58 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:09 -!- pielgrzym [~pielgrzym@1str003.multi-play.net.pl] has joined #openvpn
04:09 < pielgrzym> hi
04:09 < pielgrzym> my logwatch today was full of this: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #6580 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings: 1 Time(s)
04:09 < pielgrzym> what does that mean?
04:10 < pielgrzym> openvpn v 2.1~rc11-1 on debian lenny
04:10 < pielgrzym> or maybe I'll actually read the manpage :D
04:10 < pielgrzym> sorry
04:10 < Rienzilla> lol
04:11 < Rienzilla> http://pastebin.com/ufvkJLvy
04:12 < pielgrzym> ok, so I'm somehow getting replayed packages via udp
04:12 < pielgrzym> but
04:13 < pielgrzym> I have like a dozen exactly same machines
04:13 < pielgrzym> with exactly same vpn config (port, udp etc)
04:13 < pielgrzym> and only this one vm gets the error :/ what is the usual source of such warning?
04:16 < pielgrzym> temporarily I've changed to tcp for vpn proto
04:17 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
04:18 -!- Guest82698 [~root@a89-183-28-170.net-htp.de] has joined #openvpn
04:18 -!- Guest82698 [~root@a89-183-28-170.net-htp.de] has quit [Quit: leaving]
04:21 <@dazo> pielgrzym: you get such replay warnings when there are network issues. UDP does not have sequence ordering of packets or any kind of "packet handshake" like TCP does
04:22 <@dazo> OpenVPN numbers all its packets, so if the server sends packet 1, 2, 3, 4, 5 .... you might end up receiving 1,2,4 ... which normally is fine, but the replay warning comes when packet 5 and 3 arrives afterwards
04:23 <@dazo> This is how UDP is designed
04:23 <@dazo> while TCP will make sure that all the packets, even though they arrive as 1,2,4,5,3 is sent to the receiving application as 1,2,3,4,5
04:24 <@dazo> TCP also has time-outs on the packets and connections, which UDP does not
04:24 <@dazo> however, beware that using VPN over TCP is not recommended
04:24 <@dazo> !tunortap
04:24 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over
04:24 <@vpnHelper> the vpn, or (#4) lan gaming? use tap!
04:25 <@dazo> !factoids
04:25 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
04:25 <@dazo> gah!
04:25 <@dazo> I meant:
04:25 <@dazo> !tcp
04:25 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
04:25 < pielgrzym> dazo: ah, so it might be my overcomplicated iptables config on xen dom0 (some machines get bridging, some nat, some nat + port forwarding etc)?
04:26 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
04:26 <@dazo> pielgrzym: nope, it has to do with some of the routing between your boxes and the ISPs and/or the routing between the ISPs
04:27 <@dazo> packet loss is quite common, and packet re-ordering is even more common
04:27 <@dazo> to happen
04:27 < pielgrzym> dazo: ah :) this is stranger then, since it's the only box that causes problems and all the bridged boxes have exactly the same config (different ips though)
04:27 < pielgrzym> dazo: so what would you recommend? ignore the messages and switch back to udp? or stay on tcp?
04:28 <@dazo> stay on udp ... replay warnings aren't necessarily nasty ... but you can improve it with some replay options to OpenVPN
04:28 < pielgrzym> ok
04:28 <@dazo> to make it tolerate bigger spans in the packet reordering
04:29 <@dazo> read up on --replay-window
04:29 < pielgrzym> ok :) thanks!
04:29 < reiffert> did you think about provider mtu yet?
04:29 <@dazo> you're welcome!
04:29 < pielgrzym> and if I use udp I should use tun, right?
04:30 <@dazo> reiffert: nope, but that's a good point!
04:30 < pielgrzym> reiffert: mtu? let me check
04:30 <@dazo> pielgrzym: ^^ see reiffert's comment
04:30 * dazo so often forgets to think about mtu
04:31 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Ping timeout: 272 seconds]
04:33 < pielgrzym> dazo, reiffert it seems the mtu is default 1500 (I can ping -s 1480)
04:33 < Rienzilla> any ideas about http://pastebin.com/ufvkJLvy ?
04:34 < pielgrzym> dazo, reiffert haha, I'm soo dumb :D ping experimenting instead of using plain old ifconfig :D
04:35 <@dazo> pielgrzym: also look in the openvpn log file for MTU warnings
04:35 <@dazo> you may also want to have a look at --mtu-test in the man page as well
04:36 < pielgrzym> dazo: ah, thanks!
04:37 <@dazo> pielgrzym: however, just as a side note ... I would recommend you to upgrade your openvpn (2.1_rc11), as that is very outdated
04:37 <@dazo> (but that's most probably not related to your issues right now)
04:38 < pielgrzym> dazo: thanks :) I'll use lenny backports to do it fast and slick ;)
04:40 <@dazo> pielgrzym: at least 2.1.0/2.1.1 or 2.1.4 is recommended ... 2.1.2/2.1.3 might give you some routing issues
04:40 < pielgrzym> dazo: it's not in the backports - I'll have to find some dev or build it by hand :)
04:40 <@dazo> http://openvpn.net/index.php/open-source/downloads.html
04:40 <@vpnHelper> Title: Downloads (at openvpn.net)
04:41 < Rienzilla> curse of debian :/
04:41 < pielgrzym> Rienzilla: nah, it's a blessing - I'm transitioning my boxes from gentoo - which was overcomplicated to manage after 2 years
04:41 <@dazo> pielgrzym: if you're brave, you can go for 2.2-beta5 (even though, we're trying to get 2.2-RC out soon, it's just delayed due to windows build issues)
04:41 < Rienzilla> yes, it's the reason I use debian too everywhere.
04:41 < pielgrzym> dazo: nope, it's a prod environment :) no betas :)
04:42 < Rienzilla> but you're gonna have outdated software
04:42 -!- common- [~common@p5DDA49AC.dip0.t-ipconnect.de] has joined #openvpn
04:42 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
04:42 <@dazo> pielgrzym: well, the changes from 2.1 are minor ... and I can guarantee it being quite stable ... using it myself privately and in production on two firewalls (one server, one client)
04:43 < pielgrzym> Rienzilla: yes, but hopefully more secure :) on a desktop box I still use rolling distros (arch, gen2), but a server IMHO should be a little outdated ;)
04:43 < pielgrzym> dazo: I'll take a peek then ;)
04:43 < Rienzilla> yes, I agree. Although, on servers which need some newer stuff, ubuntu server is a nice alternative
04:43 <@dazo> pielgrzym: I share your pain with Gentoo ... I just chose the CentOS road instead of Debian when setting up new boxes :)
04:43 < pielgrzym> Rienzilla: haven't tried that - but nice idea ! :)
04:44 < Rienzilla> and squeeze will be released soon :)
04:44 < Rienzilla> which will get me off 2.1rc11 too :)
04:44 <@dazo> Rienzilla: I don't know about Debian but RHEL/CentOS backports all needed security fixes ... and guarantee that it will just work(tm) until the major release is deprecated (which is 7 years life time, afair)
04:45 < Rienzilla> debian does the same
04:45 < pielgrzym> dazo: initially me too (dom0 is still centos 5.5), but it's much easier to setup django/twisted environment on debian (no IUS repo tweaking, no dep hell when installing memcached etc) :) I like centos though - fabulously easy way to setup selinux :)
04:45 -!- jacky_bro [~hk@209.25.231.82] has quit [Ping timeout: 276 seconds]
04:45 < Rienzilla> so you don't have to be afraid of security holes in outdated software. It's just that you don't get new features
04:45 -!- common [~common@p5DDA441B.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
04:45 -!- common- is now known as common
04:46 < pielgrzym> dazo: and yes, rhel/centos backports are security backports, debian backports are feature backports :)
04:46 < Rienzilla> debian backports are not really debian
04:46 <@dazo> reiffert: yes, exactly
04:46 <@dazo> Rienzilla: ^^
04:46 <@dazo> (sorry, reiffert)
04:46 < pielgrzym> gotta go :)
04:46 < Rienzilla> any idea on my networking issue by the way? I'm pretty puzzled about it
04:46 < pielgrzym> dazo: Rienzilla thanks a lot for help and nice talk :)
04:47 < Rienzilla> later pielgrzym
04:47 < pielgrzym> and reiffert thanks for mtu idea :)
04:47 <@dazo> Rienzilla: I dunno, and I should do some work which pays my bills soon :)
04:47 < pielgrzym> bye :)
04:47 <@dazo> c'ya!
04:47 < Rienzilla> haha yeah that shit has to be done too :-)
04:49 <@vpnHelper> RSS Update - forum: No internet from units inside LAN when TUN bridge is up
04:49 < rkantos> why does my lock screen lag for a second when the screen is switched on?
04:49 < rkantos> lol, wrong chan
04:51 < reiffert> Solved?
04:51 < reiffert> you can set whatever mtu with the help of mtu
04:52 < reiffert> problem comes up when carrier doesnt provide such a mtu
04:52 < reiffert> s,help of mtu, help of ifconfig,
04:54 <@dazo> reiffert: I think he is going to investigate that further, and also probably test with --mtu-test (at least that would be clever)
05:00 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
05:00 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig.
05:07 <@vpnHelper> RSS Update - forum: OPENVPN plugins for DreamBox
05:07 < reiffert> hm, dreambox.
05:08 < reiffert> best stuff out there. e.g. dreambox 8000.
05:08 < hyper_ch> hi reiffert
05:10 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
05:12 < reiffert> n n n n n n n n n n n n nn n
05:12 * reiffert blames the financial office.
05:17 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:28 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
05:31 -!- ksk [ksk@im.knubz.de] has quit [Remote host closed the connection]
05:33 < hyper_ch> reiffert: do you have a torrent client at hand that can do magnet links?
05:33 <@vpnHelper> RSS Update - forum: OPENVPN plugins for DreamBox
05:34 -!- s7r [~s7r@94.46.240.202] has joined #openvpn
05:35 -!- ksk [ksk@im.knubz.de] has joined #openvpn
05:39 <@vpnHelper> RSS Update - forum: Help setting up OpenVPN....
05:45 <@vpnHelper> RSS Update - forum: help me create a vpn server and client in windows || OPENVPN plugins for DreamBox
05:51 <@vpnHelper> RSS Update - forum: OPENVPN plugins for DreamBox
05:55 -!- VirusTB [~VirusTB@145.93.237.142] has joined #openvpn
05:56 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn
05:57 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
05:58 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds]
05:58 -!- Cain` is now known as Cain
06:00 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
06:02 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn
06:02 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host]
06:02 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
06:02 <@vpnHelper> RSS Update - forum: OPENVPN plugins for DreamBox
06:04 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 264 seconds]
06:09 <@vpnHelper> RSS Update - forum: OPENVPN plugins for DreamBox
06:13 -!- Ozzapoo__ [7ca84f19@gateway/web/freenode/ip.124.168.79.25] has joined #openvpn
06:14 < Ozzapoo__> Hi. My VPN server is really slow, I can only get ~2kBps at most
06:14 < Ozzapoo__> Yet I can download a test file from the server over http at 700kBps.
06:14 < Ozzapoo__> How can I speed up my vpn?
06:16 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn
06:19 < renihs> dont download p0rn or similar on the same line?
06:19 < Ozzapoo__> Very funny
06:20 < renihs> :) afaik there is no traffic limit feature per default
06:20 < renihs> maybe the firewall is limiting the traffic?
06:20 < renihs> to the vpn service port
06:20 < Ozzapoo__> Unlikely
06:21 < Ozzapoo__> I'm using a different port from the default
06:21 < renihs> so what?
06:21 < renihs> maybe only the known ports are set for full speed, maybe it uses l7 techniques
06:21 < renihs> i tend to limit ALL unknown traffic to <20kbs :)
06:21 < Ozzapoo__> lol
06:22 < Ozzapoo__> How do I check whether or not I have a firewall
06:22 < renihs> the only thing i could imagine would be a mtu problem causing massive fragmentation, but even that should not get that low
06:23 < renihs> about the firewall, dunno, ask the network admin? :)
06:27 < renihs> afaik, openvpn has no builtin traffic limiting features
06:27 < renihs> so i doubt the cause is to be searched there
06:31 -!- Ozzapoo__ [7ca84f19@gateway/web/freenode/ip.124.168.79.25] has quit [Ping timeout: 265 seconds]
06:33 -!- LeRrA_ [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 260 seconds]
06:33 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 272 seconds]
06:35 -!- krzie [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
06:40 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
06:40 -!- LeRrA_ [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
06:42 -!- silverraindog [~angus@host86-185-36-14.range86-185.btcentralplus.com] has quit [Ping timeout: 255 seconds]
06:47 -!- VirusTB [~VirusTB@145.93.237.142] has quit [Ping timeout: 240 seconds]
06:50 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn
07:01 <@vpnHelper> RSS Update - forum: Openvpn with a nat 4 or 5 clicks and no internet
07:21 -!- dollabill [~mike@199.44.8.98] has joined #openvpn
07:27 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:40 -!- silverraindog [~angus@host86-178-116-255.range86-178.btcentralplus.com] has joined #openvpn
07:46 < sno> hi, on my openvpn server i have push "route 192.168.0.0 255.255.0.0", i wish to add a static route different from this, do i need to put this on an additional line or do i need an up script?
07:47 < sno> this would be in addition to the existing route 07:52 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn 07:52 < gladiatr> wheeee 07:55 -!- qermit [~qermit@unaffiliated/pantofel] has quit [Remote host closed the connection] 07:55 <@vpnHelper> RSS Update - forum: OPENVPN plugins for DreamBox || How do I do a complete cleanup after openvpn installation 08:01 <@vpnHelper> RSS Update - forum: Openvpn with a nat 4 or 5 clicks and no internet 08:04 -!- Bebop2Steady [~Bebop2Ste@124-169-6-237.dyn.iinet.net.au] has joined #openvpn 08:08 < Bebop2Steady> if anyone is up for a challenge: https://forums.openvpn.net/topic7483.html <-- all day stuck on 1 problem. 08:08 <@vpnHelper> Title: OpenVPN Support Forum Double VPN || 2 Hop VPN || VPN-over-VPN : Server Administration (at forums.openvpn.net) 08:09 < Bebop2Steady> long story short: using openvpn, is it possible to connect to an openvpn server, then connect to another openven server with the first.. ( so the 2nd server address is 10.x.x.1) .. ? 08:11 < Bebop2Steady> and the 2nd server has redirect gateway def1 08:13 < gladiatr> To clarify, you're making both connections from the client system? 08:13 < Bebop2Steady> yes.. 08:14 < gladiatr> Sure. You can build tunnels within tunnels until your throughput degrades to 300bps :) 08:15 < Bebop2Steady> I made a diagram.. can u see where its gone wrong ? 08:15 < Bebop2Steady> http://i51.tinypic.com/4k73aa.jpg 08:15 < gladiatr> maybe not quite that far... at a certain point things will start to time-out, but you get the idea 08:15 < gladiatr> ugh. manual IPing. :P :) 08:16 < Bebop2Steady> manual everything ! 08:16 < gladiatr> Weren't you saying that you want to make a connection to countryB from the client? 08:16 < Bebop2Steady> client -> A then client -> B while in A 08:17 < gladiatr> more specifically: client -> A, A -> B, client -> C (through VPN), yes?er 08:17 < gladiatr> -> = VPN link 08:17 < gladiatr> bah. 
third part should read: client -> B 08:18 < Bebop2Steady> client -> A , A -> B , client -> B i thikn 08:18 < Bebop2Steady> then exit B in to the WWW 08:20 < gladiatr> Sure. That will work. I would suggest availing yourself of the nice macro directives (server and client) that openvpn provides, though--just a lot simpler. The sort of configuration you're wanting is actually quite simple if you just break it down into its components. Without seeing the complete configuration, I'm gonna predict that proper routes aren't being instantiated. 08:21 < gladiatr> But, connectivity-wise, as long as your firewalls aren't in the way, there's nothing preventing this concept from being implementable. 08:24 < Bebop2Steady> Are the macros in the man.. I've read the man fairly thouruly 08:24 < Bebop2Steady> by usual standards anyways 08:24 < Bebop2Steady> a thorough skim and then a more thourough skim 08:25 < gladiatr> --server and --client 08:27 < gladiatr> Just sayin... if you're struggling with getting your configuration functional, use the automated features provided by openvpn. You can always go back and retrofit specific, static configs after the networking bits are passing traffic. 08:27 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 08:28 < gladiatr> !server 08:30 < Bebop2Steady> i got my routes here: http://i54.tinypic.com/xat3c6.jpg 08:30 < Bebop2Steady> its all working down to the last point.. 
I cant ping to tun0 on the right hand side 08:31 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer] 08:31 < Bebop2Steady> when I try ping to the ip on tun0, then in tcpdump, its tun1 that is sending the reply ( so my client does get the reply) 08:31 < gladiatr> I imagine that you don't have a return route to the network your client is on 08:31 < Bebop2Steady> but tun0 has the next vpn server on it, so i need to be able to reach it 08:31 -!- kyrix [~ashley@LSt-Amand-152-32-39-189.w80-11.abo.wanadoo.fr] has quit [Quit: Leaving] 08:32 < Bebop2Steady> i wanted to try iptables mangle route, but its not included with iptables any more. 08:32 < Bebop2Steady> ( mangle route is discontinued or something ) 08:33 < gladiatr> um... ok 08:34 < Bebop2Steady> i've tried and documented at least 5 different configs of server / client 08:34 < Bebop2Steady> and I made diagrams of each one 08:34 < Bebop2Steady> so I tried different combinations of servers and clients on each physical server 08:34 < Bebop2Steady> i think thats what you mean by --server --client ? 08:36 < Bebop2Steady> also, all the IPs u see in my diagram, are assigned by openvpn.. i just get to choose the subnets .. ie: 10.x.x.1 for the server address.. then clients get IP assigned by openvpn 08:37 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 08:38 < Bushmills> right hand route to 10.77.1.0 says tun1. that's subnet of tun0 left hand 08:38 -!- macsppadic [~sonupunno@88.211.55.77] has left #openvpn [] 08:38 < Bushmills> seems that left tun0 has right tun1 as end point 08:39 < Bushmills> and vice versa 08:39 < Bebop2Steady> right hand and left hand both have a tun0 and tun1 each (2 tuns per physical machine..) sorry u cant see much from the pic i posted 08:39 < Bebop2Steady> ahh 08:39 < Bebop2Steady> i get u 08:39 < Bushmills> ok. 
then let me ask you, instead: 08:39 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Remote host closed the connection] 08:39 < Bushmills> ok. no need to ask, then? 08:40 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 08:40 < Bebop2Steady> tun0 and tun0 are furthest apart.. 08:40 < Bebop2Steady> and tun1 and tun1 are on the p-t-p link 08:41 < Bushmills> "when I try ping to the ip on tun0, then in tcpdump, its tun1 that is sending the reply" - that's correct and consistent with your setup 08:41 < Bebop2Steady> ahh my setup must be wrong then 08:41 < Bebop2Steady> im pinging to the IP at tun0 and its tun1 that sends the reply 08:42 < Bushmills> right. because tun1 is its end point 08:42 < Bebop2Steady> im trying to ping 10.77.2.1 08:43 < Bebop2Steady> and my client is to the left of the left 08:43 < Bushmills> that's an address in the subnet of tun1, left hand, and tun0, right hand 08:43 < Bebop2Steady> left of left i mean 08:43 < Bebop2Steady> 1 sec 08:45 < Bushmills> rather than specifying tun, as dev in config, you can explicitly say tun0 or tun1 08:47 < Bebop2Steady> im grabbing a full screen grab of all the tuns/everything.. 1 more min 08:51 < Bebop2Steady> http://i52.tinypic.com/2h3dimt.jpg 08:51 < Bebop2Steady> everything on the left is one box/country everything on the right is the other box/country 08:52 < Bebop2Steady> u can see on the right tun0 never gets any movement on tcpdump 08:52 < Bebop2Steady> the bottom 4 quadrants are TUN TCPdumps 08:52 -!- WinstonSmith [~true@e178177136.adsl.alicedsl.de] has joined #openvpn 08:54 < Bebop2Steady> heres a proper diagram (already posted above) http://i51.tinypic.com/4k73aa.jpg 08:55 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 08:55 < Bushmills> that's nice that you show me around your system. but your basic gripes still apply: subnet on left tun0 connects to right tun1, and vice versa. 08:56 < Bebop2Steady> ahh is that a problem ? 
08:56 < Bushmills> no, shouldn't be a problem. it merely explains why replies to requests sent on tun0 (left) go to tun1 (right) 08:57 < Bebop2Steady> but on the right is 10.77.2.1 on tun 1.. how can i get packets to it ? 08:57 < Bebop2Steady> i mean on tun -0 08:57 < Bebop2Steady> on the right 08:58 < Bebop2Steady> so my goal is to get packets to tun0 / 10.77.2.1 when sending from 10.77.1.6 /left 08:58 < Bushmills> ping 10.77.2.1 08:59 < Bebop2Steady> i do that.. 08:59 < Bebop2Steady> and i get replies 08:59 < Bebop2Steady> but the tun0 / right tcpdump stays inactive... and the activity from pings is only on tun1 / right tun 0 +1 left 09:00 < Bebop2Steady> after all that.. i dont care at the end who can ping who... but the real problem is that i cant connect to the openvpn server at 10.77.2.1 09:01 < Bushmills> if you ping, on right hand machine, a 10.77.2.x address while tcpdumping tun0, you see the echo request and replies, right? 09:01 -!- morbidwar [~ovidiu@81.196.150.82] has joined #openvpn 09:02 < Bebop2Steady> 1 sec 09:02 < Bushmills> btw, why is your gateway, left hand, for 10.77.2.0 net 10.50.50.1? 09:04 < Bebop2Steady> the p-t-p linking left to right -- has ip 10.50.50.1 09:04 < Bebop2Steady> and its other side is 10.50.50.2 09:05 < Bebop2Steady> its not the same IPs as the diagram... 09:05 < Bushmills> but that's tun1 on right side, not tun0 - which would be the 10.77.2.x subnet right side 09:05 < Bebop2Steady> i think diagram is 10.150.5.1 09:06 < Bebop2Steady> yeah its linked to tun1 09:06 < Bushmills> and that's where your echo requests come in, right side? 09:06 < Bebop2Steady> tun1 10.50.50.1 -------- p t p ----------- 10.50.50.2 tun1 09:06 -!- WinstonSmith [~true@e178177136.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 09:06 < Bebop2Steady> yes.. they come in there 09:07 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 09:07 < Bebop2Steady> as for your question before.. 
09:08 < Bebop2Steady> the tcpdump was inactive when i did a right side ping to right side 10.77.2.1 09:08 < Bebop2Steady> left/ping/left is also inactive 09:09 < Bebop2Steady> only when i ping left to right it lights up tcpdump 09:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection] 09:11 < Bushmills> simplify your routing. let one client/server/subnet/interface left side talk to one client/server/subnet/interface right side. don't try to route tunneled packets through another tunnel than the one established for that subnet 09:12 < Bushmills> (as in the case of 10.77.2.0 routed through 10.50.50.1 instead of letting it simply reach end point on the tun interface with subnet 10.77.2.0) 09:12 < Bebop2Steady> heres the ping to 10.77.2.1 from pc at home http://i51.tinypic.com/vrd5df.jpg 09:13 < Bebop2Steady> u mean try a different setup ? 09:13 -!- FSprofi [~chatzilla@77.119.210.250.wireless.dyn.drei.com] has joined #openvpn 09:13 < FSprofi> !welcome 09:13 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 09:13 < FSprofi> !goal 09:13 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 09:13 < Bushmills> for a start, drop the 10.50.50.0 subnet 09:13 < FSprofi> !redirect 09:13 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 09:14 < Bebop2Steady> OK.. 
1 sec.. I show u a pic for each setup i've tried.. all ended the same.. 09:14 < Bebop2Steady> http://i53.tinypic.com/b7z0p3.jpg 09:15 < Bebop2Steady> http://i53.tinypic.com/k0o6sn.jpg 09:15 < Bebop2Steady> http://i52.tinypic.com/2mczswp.jpg <-------- this one was the closest to working 09:15 < Bebop2Steady> http://i56.tinypic.com/rad9ns.jpg 09:16 < Bebop2Steady> http://i56.tinypic.com/2eme70n.jpg < ---- added an extra server to that one.. same result 09:16 < Bebop2Steady> thats about all.. 09:16 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 240 seconds] 09:18 < Bebop2Steady> but.. im ready to hear what you started to tell me.. 09:18 -!- WinstonSmith [~true@e179011179.adsl.alicedsl.de] has joined #openvpn 09:18 < Bebop2Steady> if its different then i will try it 09:19 < Bebop2Steady> so long as it matches the goal 09:20 < Bebop2Steady> I've already got working single VPNS 09:20 < Bebop2Steady> and a standard double vpn is not what I'm after. 09:21 < Bebop2Steady> standard double vpn has decryption at the tun on both vpns 09:21 < Bebop2Steady> where as layered or embedded vpn has decryption at the exit only 09:22 < Bebop2Steady> so the goal is layered/embedded/chained vpn or whatever the name is 09:22 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 09:24 < Bebop2Steady> Bushmills: ? 09:25 -!- WinstonSmith [~true@e179011179.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 09:27 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds] 09:31 < Bebop2Steady> https://forums.openvpn.net/topic7483.html I be out .. . . ideas if any, most welcome in the thread. 09:31 <@vpnHelper> Title: OpenVPN Support Forum Double VPN || 2 Hop VPN || VPN-over-VPN : Server Administration (at forums.openvpn.net) 09:31 -!- Bebop2Steady [~Bebop2Ste@124-169-6-237.dyn.iinet.net.au] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/] 09:33 < FSprofi> how do I get over the 10mbit/s limit on the tun device on windows? 
09:33 < ecrist> it's not really a limit 09:34 < ecrist> it just shows that it's a 10Mb link 09:34 < ecrist> it will do more than that 09:34 <@dazo> iirc, it's just a register value which needs to be changed, and it will show almost whatever you want 09:35 < gladiatr> aka: placeholder value 09:35 < FSprofi> k thx 09:35 < gladiatr> or you can just throw more pigeons at it... :P 09:36 -!- WinstonSmith [~true@e179011179.adsl.alicedsl.de] has joined #openvpn 09:41 -!- Irssi: #openvpn: Total of 122 nicks [3 ops, 0 halfops, 0 voices, 119 normal] 09:56 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn 09:57 -!- dazo is now known as dazo_afk 10:00 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds] 10:01 -!- radisnki [radisnki@drsd-4dbd840f.pool.mediaWays.net] has joined #openvpn 10:02 -!- radisnki [radisnki@drsd-4dbd840f.pool.mediaWays.net] has quit [Client Quit] 10:03 -!- OiPolloi [~sena@gw.identity.pt] has joined #openvpn 10:04 < OiPolloi> !welcome 10:04 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 10:05 < OiPolloi> !goal 10:05 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 10:09 -!- mant1s [mant1s@unaffiliated/mant1s] has joined #openvpn 10:09 -!- mant1s [mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer] 10:10 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn 10:11 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 265 seconds] 10:12 < Rienzilla> Anyone an idea about http://pastebin.com/ufvkJLvy ? 10:12 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection] 10:16 < gladiatr> Those switches are just layer-2 switches, right? Not some sort of wonky application-layer poo flinging monkey switches? 10:18 < Rienzilla> Maybe they are able to do some higher level switching, but I didn't configure them to 10:18 < Rienzilla> (they're HP Procurve 2650's) 10:18 < gladiatr> k 10:18 < Rienzilla> one more thing, the MAC address of the far end vpn appliance is in the port address list for the switchport connected to the local vpn appliance 10:19 < Rienzilla> (which indicates, I think, that the vpn and bridging is working properly) 10:19 < Rienzilla> furthermore, I have tcpdump'ed with ethernet headers, and the packets are directed towards the correct mac's 10:20 < Rienzilla> (so it's not some other device claiming it has the same IP or something like that) 10:20 < gladiatr> I haven't found the spot where this might be happening, but my intuition is screaming "layer-2 broadcast loop" 10:20 < gladiatr> hrm... 10:20 < Rienzilla> it must be something like that, but... 
why are packets sent beyond the tunnel endpoint working? 10:21 < Rienzilla> (and, if there'd be a loop, i'd expect huge packetloss, and large pingtimes for the packets that do get through, right?) 10:21 < gladiatr> are you using linux for your openvpn appliances? 10:21 < Rienzilla> yes 10:22 < gladiatr> do you have stp active on your bridge devices? 10:22 < Rienzilla> no, not on these 10:23 < Rienzilla> (there is an stp-enabled bridge configured on the same appliance, but the packets don't use that bridge interface anywhere 10:23 < gladiatr> are the bridge IP addresses on the bridge device or the ethernet devices? 10:23 < Rienzilla> on the bridge devices everywhere 10:23 < gladiatr> k 10:24 < Rienzilla> I'm really puzzled that the packets don't even end up on the ethernet interface of the local vpn appliance 10:25 < Rienzilla> it must be eaten by either the switch, or maybe by the local ethernet device before it enters the os 10:26 < gladiatr> What system has 10.170.1.1? 10:26 < gladiatr> oh, nm 10:26 < Rienzilla> that is the ip of the bridge of the remote vpn device 10:26 < Rienzilla> (one of its ip's) 10:27 -!- ashes [~ashes@modemcable247.172-202-24.mc.videotron.ca] has quit [Quit: leaving] 10:27 < gladiatr> Ok. And the 3 addresses that you mentioned are attached to the same bridge interface (shouldn't matter) 10:27 < Rienzilla> yes 10:28 < Rienzilla> and they all show the same behaviour 10:29 < gladiatr> re-run your test, except using tcpdump's -e switch 10:29 < Rienzilla> I already have 10:29 < gladiatr> and paste the output 10:29 < Rienzilla> lemme find the pastebin 10:29 < gladiatr> sweet 10:29 < Rienzilla> http://pastebin.com/PSWmsydV 10:30 < Rienzilla> nothing weird about mac addresses 10:30 < gladiatr> oh. 10:30 < gladiatr> wait a minute... did you disable the netfilter/bridge interaction? 
10:31 < Rienzilla> uhm 10:31 < Rienzilla> not consciously :) 10:32 < Rienzilla> what do you mean 10:32 < Rienzilla> mean* 10:32 < gladiatr> what's the output of : /sbin/sysctl -a |grep bridge-nf-call 10:33 < Rienzilla> on the vpn appliance right 10:33 < gladiatr> yes 10:33 -!- djgerm2 [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Quit: Leaving.] 10:35 -!- albech_ [~thomas@119.42.78.109] has joined #openvpn 10:38 < Rienzilla> http://pastebin.com/ScPE7fBh (remote end) 10:38 < Rienzilla> local end is identical 10:38 <@vpnHelper> RSS Update - forum: creating additonal users 10:39 -!- morbidwar [~ovidiu@81.196.150.82] has quit [Remote host closed the connection] 10:40 < gladiatr> do this on your vpn systems: for x in $( sysctl -a |grep bridge-nf-call |cut -d" " -f1 ); do sysctl -w $x=0; done 10:41 < Rienzilla> what does that do? 10:41 < gladiatr> it sets those 3 sysctl variables to 0 :) 10:41 < Rienzilla> yes, I understand that :) 10:41 < gladiatr> the details are.. 10:42 < Rienzilla> we disable bridge firewalling with it? 10:42 < gladiatr> it removes iptables hooks into your bridges 10:42 < gladiatr> yes 10:42 < Rienzilla> I have no iptables rules whatsoever on the machines 10:42 < gladiatr> Because unless you are insane (or much more hardcore than I), you really don't want to have to mess with layer-2 firewall rules 10:42 -!- luneff [~yury@84.51.195.188] has joined #openvpn 10:42 < Rienzilla> I have systems with layer-2 firewalls :-) 10:42 < gladiatr> they have their place... 
10:43 < gladiatr> just not when it comes to troubleshooting bridged connections :) 10:43 < Rienzilla> (bridging based captive portals :)) 10:43 < gladiatr> and "bah and fiddlesticks" on you not actually having any active firewalls 10:43 < gladiatr> I thought I might be onto something 10:43 < gladiatr> :) 10:43 < Rienzilla> anyway, there's no firewall or ebtables rules active here 10:43 < gladiatr> k 10:43 < Rienzilla> (besides, I'd have to have a really cool rule to have a one in 60 chance to accept a packet :P) 10:44 < Rienzilla> and also 10:44 < Rienzilla> also* 10:44 < Rienzilla> if it were bridgefirewalling, I would see the packet coming in on the ethernet interface 10:44 < gladiatr> hehe 10:45 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has quit [Changing host] 10:45 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 10:46 < gladiatr> and this is only regarding the IP addresses that are assigned to the bridge device... 10:46 < Rienzilla> yes 10:47 < Rienzilla> machines further down the road work fine 10:47 < ecrist> 10:45 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 10:49 < gladiatr> and they are all assigned to subinterfaces off of br0 (or whatever you've named your bridge) 10:49 < Rienzilla> -22: br-oob: mtu 1500 qdisc noqueue state UNKNOWN 10:49 < Rienzilla> link/ether 00:0c:42:5b:95:0c brd ff:ff:ff:ff:ff:ff 10:49 < Rienzilla> inet 10.170.1.1/24 brd 10.170.1.255 scope global br-oob 10:49 < Rienzilla> inet 10.170.1.163/24 brd 10.170.1.255 scope global secondary br-oob:1 10:49 < Rienzilla> inet 10.170.1.250/24 brd 10.170.1.255 scope global secondary br-oob:2 10:50 < Rienzilla> whoops, that was a little more than expected 10:50 < Rienzilla> inet6 fe80::20c:42ff:fe5b:950c/64 scope link 10:50 < Rienzilla> valid_lft forever preferred_lft forever 10:52 < ecrist> gah, the pasting 10:52 < Rienzilla> sorry for that 10:52 < gladiatr> (it burns! it burns!) 
10:55 < gladiatr> state UNKNOWN: I'm curious about this... none of my bridges have this tag... 10:58 < Rienzilla> all of mine do 10:58 < Rienzilla> it might be due to a tap device being enslaved? 10:58 -!- mirobmwgi is now known as mirovengi 10:59 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has joined #openvpn 11:00 < gladiatr> paste the output of: brctl show 11:01 < gladiatr> append the output of: ip a s 11:01 < gladiatr> as well 11:02 -!- WinstonSmith [~true@e179011179.adsl.alicedsl.de] has quit [Quit: Ex-Chat] 11:05 < Rienzilla> http://pastebin.com/WDPWf3xc 11:06 < Rienzilla> the relevant bridges in this config are called br-oob 11:07 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving] 11:08 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 255 seconds] 11:09 < gladiatr> which one is your tap interface? 11:11 < Rienzilla> renameit-oob 11:12 < gladiatr> are your VPN is currently connected? 11:16 < Bushmills> compiz % 11:16 < gladiatr> *and* 11:16 < Rienzilla> yes 11:16 < Rienzilla> ....do I have two identical macs on the same switch...? 11:22 < gladiatr> hrm... something. somethingsomething. 11:23 < Rienzilla> I think im onto something 11:24 < Rienzilla> I got it 11:24 < Rienzilla> omg 11:24 <@vpnHelper> RSS Update - forum: server certificate management - change email address? 11:24 -!- albech_ [~thomas@119.42.78.109] has quit [Quit: Ex-Chat] 11:24 -!- radisnki [radisnki@drsd-4dbd840f.pool.mediaWays.net] has joined #openvpn 11:24 < Rienzilla> it is indeed the switch 11:26 < radisnki> Hi! I try to install OpenVPN on my VPS running Ubuntu 10.10. Is there a good tutorial available for doing this? I just want to surf the internet using my server and maybe play some games together with my friends... 
11:28 < Rienzilla> (hold on, i'll post the complete explanation shortly) 11:30 < gladiatr> k 11:30 < gladiatr> !welcome 11:30 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 11:38 < Rienzilla> the mac of a bridge device is apparently inherited from one of its enslaved interfaces 11:39 < Rienzilla> on the remote endpoint there's several bridges with the same mac, because they have enslaved vlan devices from the same interface (eth0.2 eth0.2424 etc) 11:41 -!- maestroSteve [~barnwells@70-90-14-205-pa-nj-de.hfc.comcastbusiness.net] has joined #openvpn 11:41 < Rienzilla> two of those bridges are connected to my local switch here. One via the VPN, and one via our local uplink. 11:42 < Rienzilla> albeit on a different vlan, but I highly suspect that the switch is screwing this up and switching the traffic to the wrong port, or /dev/null 11:44 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 11:46 < gladiatr> good times 11:46 < Rienzilla> thanks for thinking along 11:48 -!- katoen [ce024205a3@xs8.xs4all.nl] has joined #openvpn 11:48 < gladiatr> No problem. I'm glad the problem actually surfaced! :) 11:54 < katoen> hi there. If i want the openvpn server (windows 2008 server) to forward traffic to other networks it is attached to, would i also need to create a file in the ccd-directory with the server's common name with the iroute command? 11:55 < katoen> or would ip forwarding be enough? 
11:57 -!- radisnki [radisnki@drsd-4dbd840f.pool.mediaWays.net] has quit [] 11:58 < Bushmills> !route 11:58 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:58 < Bushmills> !serverlan 11:58 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation 11:59 < Bushmills> not sure whether these take account of possibility of windows as server 12:01 -!- takamichi [Takamichi@85.232.213.54] has quit [Ping timeout: 260 seconds] 12:01 -!- grishnav [~grishnav@209.160.52.134] has joined #openvpn 12:01 -!- takamichi [~pri@194.126.175.219] has joined #openvpn 12:04 < katoen> Bushmills: thanks 12:10 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn 12:11 -!- maestroSteve [~barnwells@70-90-14-205-pa-nj-de.hfc.comcastbusiness.net] has quit [Quit: Leaving] 12:18 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 246 seconds] 12:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection] 12:18 -!- radisnki [radisnki@drsd-4dbd840f.pool.mediaWays.net] has joined #openvpn 12:18 -!- takamichi [~pri@194.126.175.219] has joined #openvpn 12:18 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer] 12:18 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn 12:18 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host] 12:18 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 12:19 -!- p3rror [~mezgani@41.140.43.58] has joined #openvpn 12:19 -!- luneff [~yury@84.51.195.188] has joined #openvpn 12:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 12:26 -!- maxJadi [~maxJadi@pontarius/mahdi] 
has quit [Remote host closed the connection] 12:27 < radisnki> Hi! I've setup an OpenVPN server on Ubuntu 10.10. While connecting to my server (using Win7 64-Bit), the log says: "Read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)" I tried Google but it didn't help... Server is definitely running and I think I created the certificates correctly. Here's my server config: http://pastebin.com/LXKmmb2Y and the client config: 12:27 < radisnki> http://pastebin.com/rn23UuFS 12:31 -!- Xaevo [~Xaevo@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has joined #openvpn 12:31 < Xaevo> heyo 12:31 < Xaevo> my server won't connect to the internet anymore after installing OpenVPN, it's a linux ubuntu box 12:32 < Xaevo> especially ZNC 12:33 < Xaevo> ZNC doesn't connect anymore :< 12:34 < hyper_ch> my guess it's a firewall/nat problem 12:34 < hyper_ch> znc works fine through the vpn 12:35 < radisnki> @hyper_ch: Can you help me? :'( btw, if it helps, here are my installation steps: http://pastebin.com/xgEFKRq8 12:35 < Xaevo> hyper_ch, not talking about through the vpn 12:35 < hyper_ch> radisnki: I don't know windows 12:35 < Xaevo> i am talking about znc on the same box as my vpn server 12:36 < Bushmills> no you didn't 12:36 < Bushmills> you said "my server won't connect to the internet anymore" 12:36 < hyper_ch> !tell radisnki [welcome] 12:37 < hyper_ch> hi Bushmills 12:37 < Bushmills> "to the internet" != "talking about znc on the same box as my vpn server" 12:37 < Xaevo> Bushmills "my server (the linux box) won't connect to the internet anymore" 12:37 < Bushmills> hi hyper_ch 12:37 < Xaevo> znc connects over the internet too 12:37 < Xaevo> but yeah, can't ping google either from shell 12:37 < hyper_ch> !target 12:37 < Xaevo> but can internet -through- the vpn 12:38 < hyper_ch> !tell Xaevo [goal] 12:38 < Xaevo> i am not natively english 12:38 < Xaevo> so sue me :/ 12:38 < Bushmills> Xaevo: send us a crystal ball, maybe we can see what you are attempting - and your setup - from that 
12:38 < Xaevo> :| 12:38 < Xaevo> i am rather clear imho 12:39 < Xaevo> my server (the linux box) doesn't connect to the internet anymore 12:39 < Xaevo> but if i connect with my pc to my OpenVPN server i have internet 12:39 < Bushmills> all we know is - you can't connect with server to the internet, but especially to a service on the server 12:39 < Xaevo> no, ZNC can't connect to the irc networks anymore either 12:40 < Bushmills> why can't you connect to the internet? 12:40 < Xaevo> that's what i am asking you 12:40 < Bushmills> how are we supposed to know? 12:40 < Xaevo> "#openvpn" 12:41 < Bushmills> maybe you didn't pay the bills? 12:41 < ecrist> lol 12:42 < hyper_ch> bushmills can be almost as mean as me 12:42 < hyper_ch> that even rhymes 12:42 < hyper_ch> rhymes :) 12:42 < hyper_ch> bushmills can be 12:42 < hyper_ch> almost as mean as me 12:42 < Bushmills> mean? that's my idea of having fun :) 12:42 < theDoc> lol, this is great. 12:43 < theDoc> Someone just sent me an email regarding zonealarm 12:43 < hyper_ch> Bushmills: some people would call that being mean 12:43 < hyper_ch> theDoc: is your zonealarm outdated and you need to upgrade to the pay-version for securing your computer? 12:44 < hyper_ch> radisnki: paste your configs 12:45 < theDoc> hyper_ch: lol, no. I don't use zone alarm. Someone was saying that their zonealarm flagged one of my domains as "malicious". 12:45 < hyper_ch> theDoc: how can a domain be malicious? 12:46 < Xaevo> sheesh :| 12:46 < Xaevo> please, just help me 12:46 < theDoc> http://forums.zonealarm.com/showthread.php?t=73330 12:47 < Bushmills> Xaevo: insufficient data 12:47 < Xaevo> what do you want to know?! 12:47 < Xaevo> sheesh! 
12:47 < Bushmills> logs, configs, route table 12:48 < Xaevo> otherwise I'll just continue in Dutch :| 12:48 < Bushmills> sure, that's fine too 12:48 * Xaevo headdesks 12:48 < Xaevo> gladly 12:48 < Bushmills> but not on this channel 12:48 < Xaevo> where then D:< 12:49 < Xaevo> but yeah 12:50 < Xaevo> i installed openvpn using ubuntu's guide 12:50 < Xaevo> bridged my eth0 adapter 12:50 < Bushmills> ouch 12:50 < Xaevo> to br0, which is also tap0 12:50 < Bushmills> why? 12:50 < hyper_ch> radisnki: don't ask in query... ask in here 12:50 < Xaevo> because the guide said so? 12:50 < Bushmills> !tunortap 12:50 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you 12:50 <@vpnHelper> over the vpn, or (#4) lan gaming? use tap! 12:50 < theDoc> Don't ask in query, we all want a laugh :P 12:50 < Bushmills> f**k that guide 12:50 < Bushmills> !howto 12:50 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:51 < radisnki> @theDoc: I asked here, but my question wasn't answered yet :) 12:51 < theDoc> radisnki: lol, joking man. 12:51 < theDoc> It's 3am, I just got up 12:52 < radisnki> You don't know how I can solve "read UDPv4 [ECONNREFUSED]: Connection refused (code=111)" or? 12:52 < Bushmills> don't query me, i have an /autoignore on unsolicited queries 12:52 < Xaevo> so i shouldn't be using tun? :< 12:52 < theDoc> radisnki: The error is quite obvious, Connection Refused. 12:52 < Xaevo> radisnki, forward the right ports 12:53 < theDoc> Have you given the server a kiss on her nose yet? 12:53 < theDoc> They're like women, they like chocolates and flowers. 
12:54 * Bushmills has never seen a server get bloated from chocolate 12:54 < Bushmills> sticky, maybe 12:54 < radisnki> @theDoc: I tried everything :D @Xaevo: I tried this: "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" 12:54 < Xaevo> i don't use iptables 12:55 < Xaevo> i have a rad firewall in my router :/ 12:55 < theDoc> radisnki: No you haven't tried everything. 12:55 < theDoc> If you did, it would be working, ;p 12:55 < Bushmills> Xaevo: unless you have a special need for tap / bridge, tun would be most adequate 12:55 < Xaevo> but Bushmills, no TAP but TUN? 12:55 < Xaevo> and also no bridge? 12:55 < Bushmills> right 12:56 < radisnki> @Bushmills: Any mistakes in my installation? http://pastebin.com/xgEFKRq8 12:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection] 12:56 < theDoc> radisnki: iptables -F && openvpn /path/to/server/config && ps aux | grep openvpn 12:56 < theDoc> I'd do that for a start 12:57 < Bushmills> am i supposed to mentally debug that, or try that out? 12:57 < radisnki> you can do both :D 12:58 < Bushmills> your confidence in my might be overrated 12:58 < Bushmills> me 12:58 < theDoc> radisnki: Few things, is your client connecting to the right ip:port? 12:59 < radisnki> yes, I think so, here are my configs (again): http://pastebin.com/LXKmmb2Y & http://pastebin.com/rn23UuFS 12:59 < theDoc> radisnki: I'm not going to read configs for free at 3am. 12:59 < theDoc> I'm just throwing suggestions out for you to think about :P 13:00 < radisnki> iptables -F crashed my server 13:00 < Bushmills> no. it only denies access 13:00 -!- Xaevo [~Xaevo@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has quit [Read error: Operation timed out] 13:01 < theDoc> lol, it only denies access. You didn't say you had other shit running on it 13:01 < Bushmills> might have helped to set policies first 13:01 < theDoc> Bushmills: That's true. 13:01 * ecrist queries Bushmills just so he can get ignored. 
13:04 * gladiatr chuckles 13:05 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has joined #openvpn 13:05 < X-Vo> back 13:08 < theDoc> gratz on making it back to the interweb. 13:09 -!- astrostl [~astrostl@128.252.233.244] has joined #openvpn 13:09 < astrostl> is there a way to determine which certificate names are blocked by a CRL? 13:10 < astrostl> something in index.txt maybe? I see single-letter flags at the beginning of each account listing. 13:10 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig. 13:10 < gladiatr> yup. The R means "revoked" 13:11 < astrostl> what flags are there other than R and V? 13:11 < astrostl> V - validated/verified? active in some way? 13:12 < gladiatr> I'm pretty sure that's it 13:13 < astrostl> cool, thx 13:14 < gladiatr> np 13:17 < astrostl> so if i've got something like 4 V entries for a given user, they must have 4 valid keys :-| 13:17 -!- radisnki [radisnki@drsd-4dbd840f.pool.mediaWays.net] has quit [] 13:17 -!- Jondice1 [~brandon@rrdhcp-172-285.redrover.cornell.edu] has joined #openvpn 13:18 < Jondice1> !welcome 13:18 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 13:20 < gladiatr> astrostl, hrm. What's the duration of validity for the certs you're creating? 13:20 < astrostl> don't know, looking at an established instance 13:21 < astrostl> checked a model crt and it looks like 10 years 13:22 <@vpnHelper> RSS Update - forum: Pushing Routes 13:22 < gladiatr> Ok. The certificate subjects have to be identical. Dunno... perhaps there's a switch you can throw to make openssl not care, but I can't imagine why you'd do that. 
13:24 < astrostl> the second and third columns have unique data
13:24 < astrostl> i'm thinking that it was a create cert / create cert (overwriting) issue
13:24 < astrostl> which means the first one could be valid, even if no longer present - right?
13:26 < gladiatr> huh. Yeah. I'd check with the user--get the serial off of the cert that's in use and manually mark the others as revoked.
13:27 < astrostl> can that be done just by putting an R in the index.txt?
13:27 < astrostl> doesn't need to be applied to the crl.pem?
13:30 < gladiatr> ohhh yeah. fallin' asleep here. Yes. You are correct.
13:33 < katoen> how do i get vpnhelper to pm me with info :-) I don't want to spam the channel
13:34 < Jondice1> !goal
13:34 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:35 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 272 seconds]
13:35 -!- takamichi [~pri@85.232.213.54] has joined #openvpn
13:37 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 260 seconds]
13:37 < Jondice1> openvpn defaults to using 10.8.0/24, which works fine for me. I added ccd files and route commands in server.conf for 10.8.1.0/24 as in the HOWTO. The only step I didn't bother with was iptables since I didn't want to set an access policy. IP addresses from 10.8.1.0/24 are correctly assigned as per the ccd file, but I cannot ping them from the server even though I can ping 10.8.0.0/24 systems.
13:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
13:39 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has quit [Ping timeout: 264 seconds]
13:39 < Jondice1> Is there some other step that needs to be done other than adding route 10.8.1.0 255.255.255.0 and (e.g.) ifconfig-push 10.8.2.5 10.8.2.6 in a ccd file to get the systems on this subnet visible to other VPN subnets?
13:39 -!- LeRrA_ [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 272 seconds]
13:39 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 272 seconds]
13:39 < Jondice1> well, I mean the route command is in the server file, sorry for being unclear
13:40 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
13:40 -!- LeRrA_ [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
13:42 < Jondice1> ok, it seems I was using the wrong IP with ping; I was using the second address 10.8.2.6 instead of the first 10.8.2.5
13:43 < Jondice1> i knew it had to be something really dumb
13:48 < Bushmills> needs to be done to achieve what?
13:48 < Bushmills> !goal
13:48 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:49 < Jondice1> sorry, to add and categorize more ip addresses on the VPN
13:50 < Bushmills> add more clients
13:50 < Jondice1> yes
13:51 < Jondice1> it seems to be fine now, I will test client-to-client connectivity next, but otherwise it is working beautifully
13:51 -!- p3rror [~mezgani@41.140.43.58] has quit [Ping timeout: 265 seconds]
13:55 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has joined #openvpn
14:02 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
14:04 -!- p3rror [~mezgani@41.140.46.73] has joined #openvpn
14:11 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has quit [Ping timeout: 240 seconds]
14:11 -!- djgerm [~Your_Moms@64-60-122-187.static-ip.telepacific.net] has joined #openvpn
14:16 -!- luneff [~yury@84.51.195.188] has quit [Read error: No route to host]
14:23 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Remote host closed the connection]
14:23 -!- LeRrA_ [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Remote host closed the connection]
14:23 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
14:23 -!- LeRrA_ [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
14:30 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 260 seconds]
14:30 <@vpnHelper> RSS Update - forum: Pushing Routes
14:30 -!- Azoff [foobar@c83-252-248-115.bredband.comhem.se] has joined #openvpn
14:31 < Azoff> hello
14:31 < Azoff> !goal
14:31 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:33 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
14:33 < Azoff> I've just started testing anonine with openvpn (https://www.anonine.com/en/guides) with debian
14:33 <@vpnHelper> Title: Anonine : Guides (at www.anonine.com)
14:34 < Azoff> as the server provides a default route in order to route everything through the tunnel
14:34 < Azoff> how can I safely replace the existing default route from the ISP with the one set by openvpn?
14:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:40 -!- p3rror [~mezgani@41.140.46.73] has quit [Read error: Connection reset by peer]
14:44 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
14:44 < Bushmills> look up, in manual, --redirect-gateway
14:45 < Bushmills> also check out def1
14:46 < Bushmills> to avoid local route on client changed by openvpn server, read about --route-nopull
14:46 < Azoff> oki, thanks
14:46 < Bushmills> (and --route-noexec)
14:50 < Azoff> Bushmills: do I understand the --redirect-gateway correct....?
14:51 < Azoff> there was a route for 128.0.0.0/128.0.0.0
14:51 < Azoff> and a route for 0.0.0.0/128.0.0.0
14:52 < Azoff> but the existing one for 0.0.0.0/0.0.0.0 with ISP route was left
14:52 < Azoff> so, from the documentation @ http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html; step 2 wasn't executed (maybe the 'def1' flag was active
14:52 <@vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
14:54 < Azoff> btw, debian uses version 2.1~rc11-1
14:57 < ecrist> debian is behind, and we don't support it
14:59 < Azoff> I know that they are behind, I am just looking for a solution that works
15:01 < Bushmills> Azoff: those two /1 routes are the result of def1
15:02 < Bushmills> def cause those 2 routes to be added, rather than the original 0.0.0.0/0 overwritten
15:02 < Bushmills> def1
15:02 < Azoff> will that still give me the "real" gw to be through the vpn?
15:03 < Bushmills> debian sid has 2.1.3-2
15:03 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has quit [Read error: Operation timed out]
15:03 < Bushmills> those two routes will catch all traffic for which no other route exists, and no traffic will go through original default gateway
15:04 < Azoff> ok
15:04 < Azoff> I'll have to retry the setup once again
15:06 -!- astrostl [~astrostl@128.252.233.244] has quit [Ping timeout: 260 seconds]
15:09 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: Leaving]
15:12 -!- dollabill [~mike@199.44.8.98] has quit [Ping timeout: 272 seconds]
15:15 < Azoff> Bushmills: when I bring up the vpn, the routes are added and when I try to ping any ip on the internet, there's no response
15:16 < Azoff> but if I remove the /0 gateway, the network works again
15:16 < Bushmills> is that your server you're connecting to?
15:17 < Azoff> no, it's the company Anonine that has the server
15:17 < Bushmills> what is the /0 gateway?
15:18 < Azoff> 0.0.0.0 79.136.32.1 0.0.0.0 UG 0 0 0 eth0
15:18 < Bushmills> (def1 sets up two /1 gateways, and won't touch the former default)
15:18 < Azoff> and the other two are: 0.0.0.0 178.73.201.1 128.0.0.0 UG 0 0 0 tap1
15:18 < Bushmills> /1 routes, i mean
15:19 < Azoff> 128.0.0.0 178.73.201.1 128.0.0.0 UG 0 0 0 tap1
15:21 < Bushmills> if connecting to openvpn server gives you those two 128.0.0.0 netmask routes, the 0.0.0.0/0.0.0.0 route is the same as before connecting, right?
15:21 < Azoff> yes
15:21 < Azoff> that's correct
15:21 < Bushmills> and removing that one does what?
15:22 < Azoff> after removing the default gw from my ISP, I can access the internet once again
15:22 < Bushmills> " default gw from my ISP" what is that?
15:23 < Azoff> 79.136.32.1
15:23 < Bushmills> after all, before you said " but if I remove the /0 gateway..."
15:23 < Bushmills> and you confirmed "the 0.0.0.0/0.0.0.0 route is the same as before connecting"
15:23 < Bushmills> thus i am not sure now what you are removing
15:23 < Azoff> yes, but somehow the /1 interferes, or is it the /0 that interferes...?
15:24 -!- ampex [~sterling@circu.it] has joined #openvpn
15:24 < Bushmills> use traceroute or mtr to look where packets go, in both states of "working" and "not working"
15:25 -!- p3rror [~mezgani@41.248.185.32] has joined #openvpn
15:25 < Azoff> route del default gw 79.136.32.1 # this is the command for removing the ISP gw that brings up the network
15:26 -!- risc427 [~risc@dss.datastreamer.net] has joined #openvpn
15:27 < Azoff> mtr just shows the header and no hop
15:27 -!- grapsus [~grapsus@acces1192.res.insa-lyon.fr] has joined #openvpn
15:27 < Azoff> I guess it gets confused by the two routes
15:27 < risc427> anyone have any experience with how an OpenVPN client validates the server cert and vice versa?
15:28 < Bushmills> i can't see how that's possible, provided you have the two 128.0.0.0 routes
15:28 < Azoff> Bushmills: shall I test putting the 'redirect-gateway' in the config?
15:28 < Azoff> (without the 'def1')
15:28 < Bushmills> server is pushing it already, or you wouldn't have those 128.0.0.0 routes
15:29 < Azoff> can the server push the clients to use with 'def1' flag set?
15:29 < Bushmills> that's what it is doing
15:30 < Azoff> oki, so there's no way to make it use without def1 set?
15:30 -!- p3rror [~mezgani@41.248.185.32] has quit [Ping timeout: 240 seconds]
15:30 < Bushmills> those ways i told you to read about
15:32 < ampex> risc427 and I are a bit confused as to how exactly one might exploit OpenVPN using a "Man-in-the-Middle" attack. It seems that client and server certificates are validated based upon purpose out of the box regardless of whether remote-cert-tls is specified in the configuration. In light of this I'm not sure that the steps documented here are necessary: http://openvpn.net/index.php/open-source/documentation/howto.html#secnotes
15:32 <@vpnHelper> Title: HOWTO (at openvpn.net)
15:32 < ampex> Any ideas?
15:32 < Azoff> neither of those will work in this case..? unless I use the --redirect-gateway, I have no clue what route to use? or am I missing something?
15:33 < Bushmills> what gateway to use with default route you can see from the 128.0.0.0 routes
15:34 -!- dschuett [~dschuett@216.229.21.250] has quit [Ping timeout: 255 seconds]
15:36 < Azoff> sorry, but I can't see how --route-nopull can be a solution. If I use it, I won't get the ip of the gateway through the vpn... so there's no way for me to add it *after* the vpn link has been established
15:37 < Bushmills> but that's the purpose of it, to *not* get the server provided routes set
15:37 < Azoff> not really, I want to send all traffic through the vpn link
15:39 < Bushmills> if massaging your route table after connecting and having set routes as pushed by server works better for you, execute an --up script
15:39 < Azoff> and in the up script, just remove the default route from the isp?
15:39 < Azoff> that could work
15:40 -!- OiPolloi [~sena@gw.identity.pt] has quit [Quit: OiPolloi]
15:40 < Azoff> I'll give it a shot
15:40 < ampex> Azoff: you can't get rid of your default gateway because then you lose internet connectivity
15:40 < Bushmills> though i think deleting your default route (after two 128.0.0.0 routes were set) is no solution. it merely disables internet access after you disconnect from openvpn server again
15:41 < Azoff> hm, can I somehow get the info from the push_reply and replace the default gateway on my own?
15:41 < Azoff> btw, is this a bug in this old version of openvpn or is it a kernel related problem?
15:42 < Bushmills> maybe the problem is elsewhere. try to ping an ip address rather than a hostname.
15:42 < Azoff> I've heard something about 2.6.36 having a new route table handling (uses metric to decide which gw to use)
15:43 < gladiatr> Azoff, linux has had multiple routing table support for quite some time
15:43 < Azoff> ok
15:44 < gladiatr> Now, if you were to tell me that they have finally implemented a functional dead-gateway-detection mechanism... well... you know, I might very well squeal like a little girl
15:44 < Azoff> debian lenny uses 2.6.26, does the support exist in that kernel?
15:45 < gladiatr> yarp
15:45 < ampex> Azoff: I came in after you had described your problem, what's the exact issue you're experiencing?
15:46 < Azoff> hm, I did get a response on the ping now, but I'm certain that it didn't respond before
15:46 -!- plaerzen [~cam@vip1.tundraeng.com] has joined #openvpn
15:46 < Bushmills> you tried ip address instead of host name?
15:46 < Azoff> ampex: maybe it's a non-issue after all
15:46 < Azoff> Bushmills: yes, ip
15:46 < Azoff> no dns involved yet..
15:46 < Bushmills> that's your problem
15:47 < Bushmills> the name server your system uses is your provider's
15:47 < Bushmills> that doesn't allow queries coming from an address outside of their net
15:47 < Azoff> Bushmills: yes, but I used the *IP*, not a *host* :)
15:48 < Bushmills> because you use an *ip address* now, it works
15:48 < Bushmills> try again with a host name
15:48 < Azoff> yes, and I used an ip address before too and it didn't work then
15:49 -!- plaerzen [~cam@vip1.tundraeng.com] has left #openvpn ["Leaving"]
15:49 < Azoff> nm.
15:49 < Azoff> it looks like it's working now
15:49 < Bushmills> then !blame vpn provider
15:49 < Azoff> just have to figure out how to not get the ISP nameservers
15:49 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Quit: Leaving]
15:50 < Bushmills> my favorite solution is to run a recursive name server on local machine or net
15:50 < Azoff> thanks for your patience...
15:50 * Bushmills smirks evilly
15:50 < Bushmills> i'm not patient
15:52 < Azoff> I got this: PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 80.67.0.2,dhcp-option DNS 91.213.246.2,route-gateway ,ping 10,ping-restart 30,ifconfig 178.73.197.42 255.255.255.128
15:52 < Azoff> crap
15:53 < Azoff> is there any way to push that dns into the /etc/resolv.conf?
15:53 < Bushmills> with a --up script
15:54 -!- stony [~ol@2a01:198:6f7::dead:beef:0] has quit [Read error: Operation timed out]
15:54 < Azoff> ok
15:54 -!- stony [~ol@2a01:198:6f7::dead:beef:0] has joined #openvpn
15:54 < Essobi> DEEEEAD BEEEEEEF
15:54 -!- stony is now known as Guest63011
15:59 -!- mirovengi [~mirovengi@99-3-161-173.lightspeed.mmphtn.sbcglobal.net] has left #openvpn []
16:00 -!- risc427 [~risc@dss.datastreamer.net] has quit [Quit: Leaving]
16:11 -!- FSprofi [~chatzilla@77.119.210.250.wireless.dyn.drei.com] has quit [Read error: Connection reset by peer]
16:19 -!- s7r [~s7r@94.46.240.202] has left #openvpn []
16:21 -!- LeRrA_ [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 272 seconds]
16:21 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 272 seconds]
16:27 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has quit [Changing host]
16:27 -!- rot13 [~var@unaffiliated/rot13] has joined #openvpn
16:32 -!- p3rror [~mezgani@41.140.42.17] has joined #openvpn
16:33 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
16:59 <@vpnHelper> RSS Update - forum: UPnP over openVPN, is it possible?
17:01 -!- p3rror [~mezgani@41.140.42.17] has quit [Read error: Connection reset by peer]
17:15 -!- p3rror [~mezgani@41.140.158.116] has joined #openvpn
17:27 -!- gomix [~gomix@fedora/gomix] has joined #openvpn
17:27 < gomix> HELP
17:27 < gomix> lol
17:27 < gomix> im trying a bridging config
17:27 < gomix> client win xp
17:28 < gomix> arp is not working fully
17:28 < gomix> but partially
17:28 < gomix> server gets the remote macs...
17:28 < gomix> client does not
17:28 < gomix> server is a debian
17:29 < Bushmills> !tunortap
17:29 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
17:29 <@vpnHelper> over the vpn, or (#4) lan gaming? use tap!
17:30 < gomix> well i'll come later again ;) got to move...
17:30 < gomix> and try with a linux client
17:32 -!- gomix [~gomix@fedora/gomix] has quit [Read error: Operation timed out]
17:43 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
17:49 * krzee is finally back to work
18:05 -!- Guest63011 [~ol@2a01:198:6f7::dead:beef:0] has quit [Read error: Connection reset by peer]
18:06 -!- stony [~ol@2a01:198:6f7::dead:beef:0] has joined #openvpn
18:06 -!- stony is now known as Guest59138
18:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
18:12 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:12 -!- silverraindog [~angus@host86-178-116-255.range86-178.btcentralplus.com] has quit [Ping timeout: 240 seconds]
18:17 <@vpnHelper> RSS Update - forum: creating additonal users
18:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:30 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has quit [Read error: No route to host]
18:35 <@vpnHelper> RSS Update - forum: Cisco IPSEC VPN Client on Linux causing Kernel Panic || Double VPN || 2 Hop VPN || VPN-over-VPN || logout - dead link || Automatically put on alliases on tun interface
18:35 < Dougy> boredom
18:36 < Dougy> hai guys
18:38 < krzee> dougifresh
18:38 < krzee> wassup man
18:39 < krzee> im working on a new home for that server thats wasting space in your closet
18:40 < krzee> a very longtime friend is getting 50mbit to his house... may have space to colo it at his house ;]
18:40 < Dougy> im surprised you remembered that
18:40 < Dougy> i just was gonna ask if you still wanted it and if you even remembered it
18:40 < krzee> i got good tabs on where my servers sit ;]
18:40 < Dougy> my new business only has 2u of colo
18:40 < Dougy> so got no room for you right now
18:40 <@vpnHelper> RSS Update - forum: Linux client problem || Is OPEN VPN right for me? || Ineternet speed after the openvpn connection || Incorrect Login || Random problem with roadwarriors on windows machines || H
18:41 < krzee> yep do still want it... its not bothering you to keep it where it is for now is it?
18:41 < krzee> dont wanna be a pita, will find another spot for storage if its any bother
18:41 < Dougy> nope its thrown on the floor on the basement with the other 25U or so of equipment i have
18:41 < krzee> ahh cool :)
18:42 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
18:44 < Dougy> just got piles of it
18:56 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
19:02 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:03 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
19:08 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds]
19:18 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
19:20 < Dougy> krzee: ping
19:20 < krzee> pong
19:20 < Dougy> i need your brain
19:20 < Dougy> i fail at designing stuff in my head
19:20 < Dougy> can you help me try and figure out what i need to do for this vpn set up?
19:21 < krzee> sure
19:21 < krzee> !goal
19:21 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:21 < krzee> ;]
19:21 < Dougy> working on it lol
19:21 < Dougy> i was just wondering if you had time now, if not i would've put it on the forum
19:21 < Dougy> so
19:22 < Dougy> i have my box in MD - i want to set up a domain controller + openvpn on it.. and then set my home router with vpn firmware to connect to the vpn.. so i can connect to domain controller that way
19:22 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
19:22 < Dougy> is that logical? secure communication between
19:22 < Dougy> and then in the office i can set up another router w/vpn firmware and join it as well
19:22 < krzee> logical to colo windows... not in my opinion :-p
19:22 < krzee> but yes, that should work
19:22 < Dougy> i guess now i need to ask questions in ##windows
19:22 < Dougy> oh
19:22 < Dougy> um
19:23 < krzee> !windows
19:23 <@vpnHelper> "windows" is (#1) pcs are like air conditioners, they work fine unless you open windows, or (#2) http://secure-computing.net/files/windows.jpg, or (#3) also, http://secure-computing.net/files/windows_2.jpg
19:23 < Dougy> so real fast.. how would it work? a /24 subnet per location?
19:23 < Dougy> and push routes?
19:23 < Dougy> thats the real part that i never understood
19:24 < krzee> you mean /24 per location within openvpn?
19:24 < Dougy> yeah.. or wait
19:25 < Dougy> on the client (router) would you just set it to route all the LAN traffic (say each place was 192.168.1.0/24) to the VPN adapter ip?
19:25 < Dougy> ie route 192.168.1.0 255.255.255.0 10.5.5.2 (say .2 is the ip the server gave the client)
19:25 < krzee> you want the office / house to route all traffic through the server?
19:25 < Dougy> not all
19:25 < Dougy> well hrmm
19:25 * Dougy rubs chin
19:26 < krzee> ya i have no idea what you're looking for
19:26 < Dougy> it's hard to explain it, LOL
19:26 < Dougy> hrm
19:26 < krzee> try gliffy.com
19:26 < krzee> !diagram
19:26 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
19:26 < Dougy> I guess yeah, i could redirect all traffic through the vpn
19:26 -!- stan_man_can [stan_man_c@CPE00222d6bc398-CM00222d6bc395.cpe.net.cable.rogers.com] has joined #openvpn
19:26 < stan_man_can> !goal
19:27 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:27 < Dougy> so jeff how does it work on the actual router.. if i want to reroute all traffic. set def1 on server, when the wrt54g downstairs connects, it'll just send all traffic through the vpn?
19:27 < krzee> Dougy, it would be a combination of !route and !redirect
19:27 < krzee> youd use !route for the lans behind the routers
19:28 < krzee> and !redirect for getting those routers to use the server as the default gateway
19:28 < Dougy> yeah, thats what makes my head spin a lil bit
19:28 < krzee> which part?
19:28 < krzee> its the 2 most commonly desired setups
19:28 < stan_man_can> I'm going on vacation with my laptop and i would like to use openVPN to have a secure connection for internet access while i'm on open and free wifi signals ect... I'm have a VPS with Linode running Ubuntu 10.04.01 ... Any help on getting it setup ?
19:28 < krzee> hell, you could use my confgen to make that :-p
19:29 < krzee> stan_man_can, yes
19:29 < krzee> stan_man_can, see these:
19:29 < Bushmills> !howto
19:29 < krzee> !sample
19:29 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:29 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
19:29 < krzee> !redirect
19:29 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
19:29 < krzee> oh and:
19:29 < krzee> !pki
19:29 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
19:29 < Bushmills> too late for ^^^^ :)
19:29 <@vpnHelper> specially as a server (see !servercert)
19:30 < Bushmills> static key may do
19:30 < stan_man_can> erg
19:30 < krzee> understand the config options used in !sample by reading the manual, make your certs and stuff with !pki, then once the client can ping the server via VPN ip, setup !redirect
19:30 < stan_man_can> how long will it take to understand and setup?
19:30 < Bushmills> !howto
19:30 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:30 < krzee> depends on your knowledge of networking and pki
19:30 < Bushmills> check out quick start
19:30 < stan_man_can> no former knowledge
19:30 < krzee> then it will take a long time
19:31 < stan_man_can> Hmm
19:31 < krzee> you need to understand networking!
19:31 < stan_man_can> yeah
19:31 < stan_man_can> I leave on Saturday
19:31 < Bushmills> stan_man_can: will you be the only one connecting to your vpn?
19:31 < stan_man_can> need to move in the mean time
19:31 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
19:31 < krzee> then better get started!
19:31 < stan_man_can> yeah i'll be the only one connecting Bush
19:31 < krzee> you can use static key like Bushmills said then
19:31 < Bushmills> no need for the whole pki gorilla then. check out static keys
19:31 < krzee> but that only skips making pki (which is easy and spelt out command by command in !pki anyways)
19:32 < Dougy> this site is fucking
19:32 < Dougy> boss
19:32 < stan_man_can> maybe I'll just rent one for 2 weeks :D
19:32 < Dougy> krzee: ok well so just to help set my head straight.. lets say home LAN is 192.168.1.0/24 and the server is 10.5.5.0/24.. and my home router got .2
19:33 < Dougy> i'd set the vpn to route that /24 to .2 ?
19:33 < krzee> no, you would let openvpn set the gateway for routing
19:34 < krzee> like in my routing document
19:34 < Dougy> i guess i dont get the concept of lans behind hte vpn
19:34 < Dougy> the
19:34 < Dougy> etc
19:34 < krzee> then read my document!
19:34 < krzee> !route
19:34 -!- silverraindog [~angus@host86-178-116-79.range86-178.btcentralplus.com] has joined #openvpn
19:34 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:34 < Dougy> bookmarked
19:35 < Dougy> im having too much fun playing with this freakin diagram thing
19:35 < Dougy> lol
19:35 * Bushmills seems to remember that Dougy had bookmarked that link before
19:35 < stan_man_can> I'm sure it's not your guy's forte since you run your own but know a decent company to rent a vpn from ?
19:35 < Dougy> Bushmills: i format my pc about once every 3 months
19:35 < Dougy> boredom
19:35 < Dougy> i formatted the other day to switch to x64 instead of x86
19:36 < Bushmills> so why do you bookmark it then?
19:36 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:37 * Bushmills thinks Dougy can't format vpnHelper
19:38 < Dougy> http://www.gliffy.com/pubdoc/2417373/L.png
19:38 < Dougy> I guess that's what I want
19:38 < krzee> thats basically a useless diagram
19:38 < krzee> it says NOTHING of what you want
19:38 < krzee> lol
19:38 < Dougy> lol
19:38 < Dougy> what's missing?
19:38 < Dougy> other then lan ips
19:38 < Bushmills> wrt54g has 4 MiB flash?
19:38 < Dougy> some models eod
19:38 < Dougy> do
19:39 < Dougy> my home one runs dd-wrt fine
19:39 < krzee> the fact that you want !route AND/OR !redirect
19:39 < Bushmills> ssl takes up about 1 MiB on those routers. openvpn another 300 kB or so
19:39 * Dougy will redirect all traffic
19:39 < Dougy> tis fine
19:39 < krzee> Bushmills, ya wrt54g is a very common router to run linux firmware on
19:39 < krzee> (with openvpn)
19:40 < Dougy> Firmware: DD-WRT v24-sp2 (10/10/09) vpn
19:40 < Dougy> Time: 20:40:10 up 6 days, 39 min, load average: 0.00, 0.00, 0.00
19:40 < Dougy> w00t
19:41 < Bushmills> i find 4 MiB a bit tight for openvpn on router.
19:41 < krzee> in fact iirc they even sold a wrt54gl with linux already on it (im not 100% on that, but i remember something about it)
19:44 -!- WinstonSmith [~true@g231243136.adsl.alicedsl.de] has joined #openvpn
19:48 -!- stan_man_can [stan_man_c@CPE00222d6bc398-CM00222d6bc395.cpe.net.cable.rogers.com] has quit []
19:49 -!- WinstonSmith [~true@g231243136.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
19:50 <@vpnHelper> RSS Update - forum: Automatically put on alliases on tun interface
19:52 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Quit: Leaving.]
20:07 -!- takamichi [~pri@85.232.213.54] has quit [Remote host closed the connection]
20:12 -!- mant1s [~mant1s@cpe-76-179-27-79.maine.res.rr.com] has joined #openvpn
20:12 -!- mant1s [~mant1s@cpe-76-179-27-79.maine.res.rr.com] has quit [Changing host]
20:12 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
20:13 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
20:20 <@vpnHelper> RSS Update - forum: Cannot ping from client to server's lan dynamic IP addresses
20:35 -!- Guest52073 [~kvirc@124-169-6-237.dyn.iinet.net.au] has joined #openvpn
20:37 < Guest52073> A challenge, if you are daring: http://i52.tinypic.com/4lqb92.jpg
20:37 <@vpnHelper> RSS Update - forum: Internet Connection Sharing with openvpn
20:38 -!- Guest52073 [~kvirc@124-169-6-237.dyn.iinet.net.au] has left #openvpn []
20:39 -!- Bebop2Steady [~Bebop2Ste@124-169-6-237.dyn.iinet.net.au] has joined #openvpn
20:40 < Bebop2Steady> Yes.. a challenge it is
20:42 < krzee> just about any of those diagrams you keep making will work when you understand routing and iroute well enough
20:42 < krzee> remember you dont ALWAYS need to push your routes, lol
20:46 < Bebop2Steady> ya krzee is talking to me.. i know not to push this topic too far with you though. Well I'm to the next level of understanding routes now
20:48 -!- djgerm [~Your_Moms@64-60-122-187.static-ip.telepacific.net] has quit [Quit: Leaving.]
20:48 < ecrist> sup bitches?
20:48 < krzee> sup eric
20:55 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has joined #openvpn
20:56 < Bebop2Steady> routes -> http://i51.tinypic.com/9zx643.jpg
20:57 < Bebop2Steady> pushes + iroutes -> http://i52.tinypic.com/4lqb92.jpg
20:58 < krzee> heh
20:58 < Bebop2Steady> layer 1 / chain 1 vpn is working great. its the layer/chain/vpn on top that's stopping progress.
20:59 < krzee> the first layer should not be working great with that config
20:59 < krzee> it should go to hell when country A connects to country C
21:02 < Bebop2Steady> http://i51.tinypic.com/2m4ccjd.jpg
21:03 < Bebop2Steady> Its working great
21:03 < Bebop2Steady> every point can ping every point, and tcpdump shows all the tun's are active
21:04 < Bebop2Steady> and i can even lay the 2nd layer down with an errorless connect
21:04 < Bebop2Steady> its just that when the 2nd layer is connected, my pc cant ping the nodes after that
21:05 < krzee> makes sense
21:05 < krzee> and i guess i see why layer1 didnt break
21:05 < krzee> more luck than knowledge ;]
21:05 < Bebop2Steady> why luck ?
21:06 < krzee> cause when you override a route that needs to be there, it doesnt get overridden only because the existing endpoint is loopback
21:06 < Bebop2Steady> i planned it all out according to the man pages
21:06 < Bebop2Steady> what override do u mean ?
21:06 < krzee> but when you do that again later to the client, its not the case and it gets overwritten like you told it to
21:06 < krzee> now go learn more ;]
21:07 < krzee> do you know what a push route is?
21:07 < krzee> when you use a push route you say the following:
21:07 < krzee> "reach this network through ME"
21:08 < Bebop2Steady> yes
21:08 < krzee> do this
21:08 < krzee> STOP PUSHING
21:08 < krzee> just set routes in client configs... see if that makes more sense for you
21:08 < krzee> (and in server configs when appropriate, but dont push)
21:09 -!- pielgrzym [~pielgrzym@1str003.multi-play.net.pl] has quit [Ping timeout: 255 seconds]
21:09 < Bebop2Steady> ok no push..
21:09 < krzee> cause you're doing it wrong ? ;]
21:09 < krzee> (that was the tm logo)
21:10 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
21:10 < Bebop2Steady> are we talking no push for the layer 1 or 2 ?
21:10 < Bebop2Steady> because on layer one i only have 1 push 21:10 < krzee> at all 21:11 < Bebop2Steady> wouldnt replacing that 1 push, with a hardcoded route from the client side be just the same ? 21:12 < krzee> you're 1 useless question from /ignore 21:12 < krzee> :-p 21:12 < Bebop2Steady> i cant help being curious 21:14 < krzee> til you use it correctly, just dont use it 21:15 < Bebop2Steady> with my layer one push, what exactly is incorect about it ? 21:15 < krzee> i dont know or care if you used it right in that specific case 21:15 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn 21:15 < krzee> i just know you dont understand what it does 21:16 < krzee> or at least dont know how to correctly use it 21:16 < Bebop2Steady> how do you knwo that ? 21:16 < krzee> cause i see why your setup doesnt work :-p 21:16 < krzee> it has to do with this 21:16 < krzee> http://www.threadbombing.com/data/media/30/Failboat.jpg 21:16 < krzee> ALL ABOARD! 21:17 < Bebop2Steady> inother words.. you have not a clue 21:17 < krzee> sure 21:17 < Bebop2Steady> all i ever hear is : go leanr 21:17 < krzee> dont worry, wont hear anything else 21:17 < Bebop2Steady> or: you're not doing it right 21:17 < krzee> hrm wtf my ignore didnt work 21:17 < Bebop2Steady> but when it comes to specifics, you dodge 21:18 < Bebop2Steady> please do ignore so your useless replies stop 21:18 < krzee> ahh i see why 21:18 < krzee> remember, if i didnt give you clues youd still be at step 0 21:18 < Bebop2Steady> i got some real help last night when you werent around 21:19 < krzee> funny, you made negative progress 21:19 < krzee> there, ignore fixed =] 21:20 < dschuett> if i have a client connect in one location, and then connect again from another client using the same client crt and key - should i get the same ip address? 21:21 < theDoc> dschuett: It depends. 21:21 < dschuett> theDoc: do explain... 
i'm using a basic TUN settup with PKI 21:21 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds] 21:22 < theDoc> Doesn't matter if it's tun/tap. 21:22 < theDoc> !ccd 21:22 <@vpnHelper> "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 21:22 < theDoc> There are ways you can get the same ip. 21:23 < krzee> ipp.txt *might*, ifconfig-push in ccd WILL, ifconfig-push from client-connect script WILL 21:23 < dschuett> theDoc: the problem is that I AM getting the same ip address if i connect from two different locations using the same client.conf etc... 21:23 < dschuett> should it do that by default? 21:23 < Bebop2Steady> duplicate-cn 21:24 < Bebop2Steady> in server.conf if you want to re-use key + cert 21:24 < theDoc> dschuett: I don't know what you put into your configs, I cannot tell you. 21:24 < Bebop2Steady> then u get multi-ip 21:24 < Bebop2Steady> put this: duplicate-cn 21:25 < Bebop2Steady> if you want to re-use the same cert and get different ip on different compluters 21:25 < dschuett> Bebop2Steady: ahhh, didn't even see that! 21:25 < Bebop2Steady> : ] 21:25 < dschuett> thanks! 21:26 < krzee> dschuett, you should make new certs for the new clients 21:26 < dschuett> theDoc: thanks for your help as well, I have just started messing around with openvpn for the first time, so it is good to know to the information you gave 21:26 < theDoc> duplicate-cn is bad, mainly because there's no control. 21:26 < krzee> yep 21:26 < Bebop2Steady> yeah.. it is.. 
21:26 < krzee> !dupe 21:26 <@vpnHelper> "dupe" is see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) 21:26 < dschuett> krzee: i know :) i was just testing on a virtual box, and i didn't know if the reason i was getting the same ip was because of that 21:27 < theDoc> Don't use it for production, seriously. 21:27 < dschuett> theDoc: definitely don't plan to - thanks thought! 21:27 < krzee> the only time its decent in production is when you also use password auth 21:27 < theDoc> krzee: I'm still a fan of 2 factor auth, password + cert 21:28 < krzee> as am i 21:28 < krzee> ild like to play with those hardware tokens i scored a yr ago... its just so hard to find time 21:28 < krzee> and they require a windows server =/ 21:29 < dschuett> theDoc: the only reason i will not be using password is because i will have two linux boxes that will be connecting two entire networks together, and i don't want to have to type a password in if the vpn were to go down 21:29 < theDoc> krzee: ew. That's like .. no 21:29 < theDoc> dschuett: Then just use certs. 21:29 < Dougy> im tired 21:29 < krzee> Dougy, hows your leg? 21:29 < Dougy> meh.. sore 21:30 < Dougy> achy 21:30 < Dougy> and both feet are starging to bruise randomly, and its annoying 21:30 < Dougy> take my shoe off and its black and blue 21:30 < krzee> =/ 21:31 < krzee> theDoc, well the windows server could be lan only... PAM would be the only thing that needs to access it 21:31 < theDoc> krzee: Well, yes that's true. 21:31 < krzee> but still, i do agree 21:32 < krzee> i havnt yet played with that or access-server because of the windows requirements 21:32 < theDoc> krzee: I have AS running under loonix. 21:32 < krzee> linux server and client? 21:32 < theDoc> Mhm. 21:33 < krzee> meh i guess i could setup a pair of linux virtual machines sometime =/ 21:33 < theDoc> btw, you guys seen that show the human centipede? 
21:33 < theDoc> http://i.imgur.com/SQWLu.jpg -- :) :) :) 21:33 < theDoc> enjoy 21:33 < krzee> heres a treat for you too 21:33 < krzee> http://26.media.tumblr.com/tumblr_kyru8tWvRC1qa1ojxo1_400.jpg 21:33 < krzee> NSFW 21:35 < krzee> hahaha i know that spot dude 21:35 < krzee> ive been there 21:35 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn 21:35 < krzee> its out here in the caribbean 21:36 < theDoc> lmao 21:37 < theDoc> krzee: Nice, your tits? 21:39 < krzee> haha nah not many sexy white girls out here 21:39 < krzee> they're all island-dark here 21:39 < krzee> i wouldnt mind borrowing them from time to time tho 21:42 < theDoc> lol 21:42 < theDoc> island dark is good dude. 21:42 < theDoc> Nice and healthy! 21:43 < krzee> they understand push route better than that bebop guy ;] 21:43 < theDoc> hahahahaha 21:43 < krzee> they pushed a route to me just by opening the pic! 21:43 < theDoc> More like inject route. 21:51 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has left #openvpn [] 21:51 < Bebop2Steady> that krz is is quite a character 21:52 < theDoc> I'm all ready to push my route. 21:52 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 21:53 < krzee> lol 21:53 < Bebop2Steady> what krz dont understand about pushig routes is that it makes a network design more modular and portable, as compared to hardcoding 21:53 < krzee> oh and ya i do like island dark too 21:54 < krzee> but yanno, whatever you're used to isnt the best ;] 21:56 < theDoc> krzee: They're nice and bouncy. 
22:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn 22:19 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 264 seconds] 22:36 -!- Bebop2Steady [~Bebop2Ste@124-169-6-237.dyn.iinet.net.au] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/] 23:13 -!- pielgrzym [~pielgrzym@91.142.196.180] has joined #openvpn 23:23 -!- djgerm1 [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn 23:27 -!- djgerm1 [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Ping timeout: 240 seconds] 23:27 -!- djgerm [~Your_Moms@64-60-122-187.static-ip.telepacific.net] has joined #openvpn 23:51 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn 23:58 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat] --- Day changed Thu Jan 13 2011 00:13 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving] 00:23 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has joined #openvpn 00:23 < grendal_prime> hey guys. 00:25 < grendal_prime> Im going to be setting up a ananomous browser server. I was just assuming i would us openvpn for this how would i go about pushing a route for only port 80/443 traffic. 
00:29 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has joined #openvpn 00:30 < krzie> routes dont work by port 00:30 < krzie> they work by subnet 00:31 < krzie> maybe iptables can do something, not sure 00:44 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds] 01:04 < Bushmills> put a http proxy on vpn server, set web browsers to use that proxy through vpn 01:09 < krzie> tru 01:09 < krzie> optionally you could put an open socks server on the inside (only on vpn ip) and you can let any apps tunnel over it 01:10 < krzie> dante will accept udp and all, with built in rules you define about what is allowed or not 01:10 < krzie> !routebyapp 01:10 <@vpnHelper> "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. 01:11 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Ping timeout: 260 seconds] 01:15 <@vpnHelper> RSS Update - forum: Openvpn with a nat 4 or 5 clicks and no internet 01:27 * theDoc just thinks that routing by app is not for the end user. 01:27 < theDoc> Mostly, they'll want to push everything through the vpn. 01:27 < krzie> i agree 01:28 < krzie> although if i were offering the service i would do this: 01:28 < krzie> users get a client config with redirect-gateway def1 01:28 < krzie> if they so choose, they can comment that and use the internal-only open sockd 01:29 < theDoc> krzee: If anything, I have learnt that I shouldn't ask end users to edit config files or comment things out. 01:29 < theDoc> Already people have problems running an installer. 
01:29 < theDoc> :( 01:29 < krzie> haha 01:29 < krzie> well i wouldnt direct them on it 01:30 < krzie> i would just say "there is an open sockd at this address: 01:30 < krzie> " 01:30 < krzie> if they know what that means, have at it 01:30 < krzie> doesnt take anything extra from you ;) 01:31 < krzie> (ok a lil piece of the hw maybe, but would be running on a different core when that matters anyways 01:31 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds] 01:35 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn 01:36 < theDoc> krzee: That's true. 01:38 -!- dazo_afk is now known as dazo 01:39 <@vpnHelper> RSS Update - forum: Openvpn with a nat 4 or 5 clicks and no internet 01:42 -!- daemon [~daemon@serial.daemonrage.net] has quit [Ping timeout: 240 seconds] 01:43 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has quit [Ping timeout: 260 seconds] 01:43 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has joined #openvpn 01:45 <@vpnHelper> RSS Update - forum: server certificate management - change email address? 
01:45 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn 01:46 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Read error: Operation timed out] 01:46 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn 01:46 -!- mode/#openvpn [+o mattock] by ChanServ 01:49 -!- daemon [~daemon@serial.daemonrage.net] has joined #openvpn 01:49 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 01:51 <@vpnHelper> RSS Update - forum: Openvpn with a nat 4 or 5 clicks and no internet 01:53 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 01:53 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn 01:53 -!- LeRrA_ [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn 01:57 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer] 02:02 < krzie> !route 02:02 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 02:02 <@vpnHelper> RSS Update - forum: Cannot ping from client to server's lan dynamic IP addresses || Internet Connection Sharing with openvpn 02:03 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 02:15 <@vpnHelper> RSS Update - forum: Installing VPN with Win Xp || Cannot ping from client to server's lan dynamic IP addresses 02:17 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro] 02:21 <@vpnHelper> RSS Update - forum: No internet from units inside LAN when TUN bridge is up 02:27 <@vpnHelper> RSS Update - forum: UPnP over openVPN, is it possible? 02:38 < katoen> hello, i'm frunning openvpn on a windows server, but somehow the connected lan is not showing up in the client's routing table. 
02:38 < katoen> also i'm running in :P 02:39 < katoen> i see this in my client's log "PUSH: Received control message: 'PUSH_REPLY,192.168.76.0 255.255.255.0,route 10.6.0.0 255.255.255.0" 02:40 < katoen> that being the LAN behind the server. 02:41 < krzie> post the server and client config without comments 02:41 < krzie> !configs 02:41 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin 02:42 < katoen> oki, let me try that 02:43 < katoen> oh, it appears it's working now 02:43 < katoen> not sure what i changed 02:44 < krzie> =] 02:44 < katoen> thanks for the response, anyways :-) 02:46 < krzie> np 02:49 <@vpnHelper> RSS Update - forum: logout - dead link || creating additonal users 02:49 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn 02:55 <@vpnHelper> RSS Update - forum: Internet Connection Sharing with openvpn 03:00 <@vpnHelper> RSS Update - forum: How do I do a complete cleanup after openvpn installation || Random problem with roadwarriors on windows machines 03:05 <@vpnHelper> RSS Update - forum: Linux client problem 03:10 -!- p3rror [~mezgani@41.140.158.116] has quit [Ping timeout: 240 seconds] 03:11 <@vpnHelper> RSS Update - forum: Openvpn with a nat 4 or 5 clicks and no internet 03:17 <@vpnHelper> RSS Update - forum: Cannot ping from client to server's lan dynamic IP addresses 03:23 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig. 
|| Internet Connection Sharing with openvpn 03:25 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer] 03:25 -!- venom00 [~wer@unaffiliated/venom00] has joined #openvpn 03:29 <@vpnHelper> RSS Update - forum: Internet Connection Sharing with openvpn || Openvpn with a nat 4 or 5 clicks and no internet 03:35 < krzie> http://mirror.netcologne.de/CCC/27C3/mp4-h264-HQ/27c3-4149-en-i_control_your_code.mp4 03:35 < krzie> great talk 03:40 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn 03:40 <@vpnHelper> RSS Update - forum: Cannot ping from client to server's lan dynamic IP addresses 03:45 <@vpnHelper> RSS Update - forum: Internet Connection Sharing with openvpn || Openvpn with a nat 4 or 5 clicks and no internet 03:45 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Quit: ZNC - http://znc.sourceforge.net] 03:46 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn 03:51 -!- master_of_master [~master_of@p57B56AC2.dip.t-dialin.net] has quit [Ping timeout: 260 seconds] 03:51 <@vpnHelper> RSS Update - forum: Cannot ping from client to server's lan dynamic IP addresses 03:52 -!- master_of_master [~master_of@p57B55F20.dip.t-dialin.net] has joined #openvpn 03:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection] 03:57 <@vpnHelper> RSS Update - forum: OpenVPN to filter DHCP requests in bridge mode 04:00 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving] 04:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection] 04:03 <@vpnHelper> RSS Update - forum: Backup route || [MOVED] windows client and ubuntu virtual machine server 04:04 < krzie> !pwfile 04:04 <@vpnHelper> "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info 04:04 -!- 
s7r [~s7r@94.46.240.225] has joined #openvpn 04:07 < krzie> !/30 04:07 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc 04:09 <@vpnHelper> RSS Update - forum: New user question 04:16 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn 04:16 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host] 04:16 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn 04:25 < s7r> hello, when I browse a HTTPS website over openvpn connection (encrypted with AES256) does the HTTPS encryption from the website certificate establishes between my computer and the site, or between the VPN server and the site? 04:27 <@vpnHelper> RSS Update - forum: OpenVPN routing issues? || OpenVPN to filter DHCP requests in bridge mode 04:28 < krzie> your computer 04:28 < krzie> but the IP the https server sees is your server 04:28 < krzie> its encrypted to you, and once at the server its also encrypted inside the tunnel to you 04:29 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn 04:30 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Client Quit] 04:30 -!- maxJadi [~maxJadi@dhcp-166-8.nomad.chalmers.se] has joined #openvpn 04:30 -!- maxJadi [~maxJadi@dhcp-166-8.nomad.chalmers.se] has quit [Changing host] 04:30 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn 04:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 04:43 -!- common- [~common@p5DDA482E.dip0.t-ipconnect.de] has joined #openvpn 04:43 -!- common [~common@p5DDA49AC.dip0.t-ipconnect.de] has quit [Read error: Operation timed out] 04:43 -!- common- is now known as common 04:45 <@vpnHelper> RSS Update - forum: No connect option || LAN to LAN issues 04:46 < krzie> !linnat 04:46 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn 
network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info, or (#4) openvz see !openvzlinnat 04:51 <@vpnHelper> RSS Update - forum: max-clients 04:53 < s7r> krzie: so it will be an encrypted tunnel inside the vpn tunnel 04:53 < krzie> correct 04:53 < s7r> and this tunnel inside the vpn tunnel will be between my computer (not the vpn server) and the remote site? 04:53 < krzie> its only inside the vpn tunnel between the client and server... its encrypted even after the vpn tunnel between the client and webserver 04:54 < s7r> i assume the same thing applies to SSH connections? 04:54 < krzie> to ANY connections 04:54 < s7r> yes I understand :-) but the VPN server will see it encrypted 04:54 < krzie> your server doesnt connect on your behalf to anything 04:54 < krzie> it just NATs 04:54 < s7r> the vpn server will see encrypted data when SSH or HTTPS connections 04:54 < krzie> like your home router 04:55 < krzie> correct 04:55 < s7r> many thanks for the clarification 04:55 < s7r> i understand now 04:55 < krzie> np 04:55 < s7r> i thought the connections would be crypted from the vpn server to the remote site, not my computer 04:55 < s7r> will this feature work exactly as it works nowadays when ipv6 will be fully implemented? do you have any idea? 04:55 < krzie> its not a feature 04:56 < krzie> its just the design 04:56 < krzie> it passes packets... 
it doesnt make connections 04:56 < krzie> so yes 04:56 < krzie> btw ipv6 is fully implimented in some places 04:56 < krzie> !snapshots 04:56 <@vpnHelper> "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch 04:56 < krzie> !ipv6 04:56 <@vpnHelper> "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch (adds some nice ipv6 options), or (#2) see !snapshots for a release with ipv6 patches in it, report how it works to help it get included in a stable release 04:57 < krzie> that link is to the patch that openvpn devel snapshot uses, so you can use it as the documentation for it 04:57 < krzie> (for ipv6 in openvpn) 04:58 < krzie> if you do use it, please report how it works for you 04:58 < s7r> so it will be the exactly the same thing ? when we use ipv6? 04:58 < krzie> this will help it become accepted into the stable branch 04:58 <@dazo> s7r: I'm running the OpenWRT version from cron2 (!ipv6 link #1 above) and a development snapshot, to get IPv6 connectivity when I'm not at home ... it works just flawlessly 04:58 < krzie> it doesnt matter what protocols you use, the server does not make connections for the client, it just passes packets 04:59 <@dazo> s7r: yes, IPv6 will be tackled in the same way as IPv4 ... you will have some new arguments for providing IPv6 addresses to clients, that's the only new thing basically 04:59 < s7r> ok, that's what i wanted to know 04:59 < s7r> if anything changes in ipv6 04:59 < s7r> as i keep reading nat will be discarded, since openvpns works as NATs 04:59 < s7r> i thought ipv6 will terminate it :) 05:00 < krzie> huh? 05:00 < s7r> yeah crazy thinking :-p 05:01 <@dazo> Yeah, there is no NAT in IPv6 ... 
as the address scope is so big that everyone can get their own IPv6 address 05:02 <@dazo> but that's a good thing, actually ... NAT is a hack to make IPv4 survive longer ... but it breaks many protocols and complicates a lot of things 05:02 < s7r> yes but this won't prevent openvpn from working 05:02 <@dazo> nope 05:02 <@dazo> NAT is for IPv4 ... and will stay for IPv4 05:03 <@dazo> IPv4 and IPv6 are two different protocols, so you cannot compare them directly 05:03 <@dazo> even though much in IPv6 specs is based on IPv4 ... things which are good in IPv4, kind of 05:05 < krzie> and some things that are bad 05:05 < krzie> http://mirror.netcologne.de/CCC/27C3/mp4-h264-HQ/27c3-3957-en-ipv6_insecurities.mp4 05:05 < krzie> ;] 05:06 < s7r> some uninformed people are posing on forums 05:06 < s7r> that vpns and proxy and sock servers will disappear when ipv6 reaches 05:06 < s7r> because ipv6 does not support NAT / packetforwarding 05:06 < krzie> ehh? 05:06 < s7r> not true i assume 05:07 < krzie> they just dont understand why we use NAT 05:07 < s7r> yes if you google ipv6 it's funny how many things you will read :)) posted by uninformed persons 05:07 <@vpnHelper> RSS Update - forum: Updates on Openvpn appliance 05:13 <@vpnHelper> RSS Update - forum: Updates on Openvpn appliance 05:25 <@vpnHelper> RSS Update - forum: To change port 05:25 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Remote host closed the connection] 05:31 <@vpnHelper> RSS Update - forum: No connect option 05:32 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn 05:32 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host] 05:32 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn 05:37 <@vpnHelper> RSS Update - forum: cannot ping and samba share between ubuntu server and winxp 05:39 < krzie> !route 05:39 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM 
IT 05:41 -!- pielgrzym [~pielgrzym@91.142.196.180] has left #openvpn ["= Hejka / Hi peeps :]"] 05:44 <@vpnHelper> RSS Update - forum: cannot ping and samba share between ubuntu server and winxp 05:56 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn 05:56 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has joined #openvpn 05:57 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds] 05:57 -!- Cain` is now known as Cain 06:03 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn 06:17 -!- luneff [~yury@84.51.195.188] has joined #openvpn 06:26 -!- sporedi [~chatzilla@mail.utmxtm.com] has joined #openvpn 06:28 < sporedi> is l2 tunnel/bridge are interoperable (i mean if i am using vendor A @location A and vendor B @location B ) 06:32 -!- takamichi [~pri@85.232.213.54] has joined #openvpn 06:33 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has joined #openvpn 06:34 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.] 06:35 -!- takamichi [~pri@85.232.213.54] has quit [Remote host closed the connection] 06:36 <@vpnHelper> RSS Update - forum: Is OPEN VPN right for me? 06:40 < reiffert> sporedi: I do not understand you. Please explain. 06:42 -!- takamichi [~pri@85.232.213.54] has joined #openvpn 06:43 < sporedi> ok 06:44 < sporedi> let me better way 06:47 < sporedi> i have 2 office 1 office is in usa and 2nd office in germany now in usa i am using firewall/vpn from vendror abc and in germany i am using firewall/vpn from vendor xyz but they both are using open vpn 06:48 < sporedi> in this case will i able to connect this two offices 06:48 < reiffert> please ask vendor abc and xyz. 06:49 < sporedi> they are not able to provide the info or they dont want to provide info 06:49 < reiffert> Who is vendor abc and xyz? 
06:50 < sporedi> let me confirmed the usa site 06:51 < sporedi> ok vmware and endian 06:53 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn 06:58 < Bushmills> sporedi: "i have one machine in country a and one machine in country b. will i be able to use openvpn between them?" 06:59 < Bushmills> oh, i forgot to say, they are both behind a firewall 06:59 < krzie> Bushmills, you can connect them with a crossover cable if you live on the border ;] 06:59 < sporedi> Bushmills: sorry i am not expert on this but i think yes using 07:00 < Bushmills> sporedi: that's great. there is your answer. 07:00 < Bushmills> krzie: none of the machines have ethernet connections 07:00 < krzie> heheh 07:00 < krzie> firewire! 07:01 < Bushmills> one uses wifi, the other usbnet 07:02 < krzie> got microwave antenna/reciever equipment handy? 07:02 < krzie> maybe some bluetooth dongles... 07:02 < reiffert> Paket Radio? 07:02 < krzie> carrier pigeons? 07:02 < Bushmills> maybe i can use the keyboard LEDs as transmitter, and a webcam as receiver 07:03 < Bushmills> or, with a PA on one side, tunnel ip over kansas city standard? 07:05 < krzie> ip over smoke signal 07:05 < Bushmills> satellite heat signature reading 07:05 < reiffert> ip over irc. 07:05 < krzie> hah 07:09 < reiffert> 0x0000: 4500 0054 1d99 0000 4001 979c c0a8 b317 07:09 < reiffert> 0x0010: c163 9050 0800 8db0 719f 0000 69f9 2e4d 07:09 < reiffert> 0x0020: 6966 0c00 0809 0a0b 0c0d 0e0f 1011 1213 07:09 < reiffert> 0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 07:09 < reiffert> 0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 07:09 < reiffert> 0x0050: 3435 3637 07:09 -!- dollabill [~mike@199.44.8.98] has joined #openvpn 07:09 < krzie> reiffert, still up for helping me on the payment side of getting krz.ee? 
07:10 < reiffert> sure 07:10 < krzie> last we talked of it ecrist couldnt send them the $ cause they only wanted to take bank xfer, and we found that your registrar does .ee 07:10 -!- sporedi [~chatzilla@mail.utmxtm.com] has left #openvpn [] 07:10 < reiffert> yeah 07:10 < krzie> ill msg you the .ee contact (needed for reg) 07:11 < reiffert> But as far as I can remember, my registrar needs a registrant address within .ee, so an .ee contact. 07:11 -!- dschuett [~dschuett@216.229.21.250] has quit [Read error: Connection reset by peer] 07:13 < krzie> yep, can use his 07:13 < krzie> he'll need to go sign stuff again i think 07:13 < krzie> even tho he signed stuff with his gov for this domain when ecrist started 07:16 < krzie> gunna head to work and get coffee, bbiaf from krzee 07:37 < krzee> baq 07:38 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn 07:38 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host] 07:38 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 07:44 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds] 07:50 <@vpnHelper> RSS Update - forum: OPENVPN plugins for DreamBox 08:01 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn 08:02 < dschuett> if i want to add a new client do i have to run ANYHTHING else besides " . /etc/openvpn/easy-rsa/2.0/build-key client2" ?? 08:03 < |Mike|> y 08:03 < dschuett> Mike: what else needs to be done? 08:04 < |Mike|> read the topic sir :) 08:05 < dschuett> !goal 08:05 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 08:05 < dschuett> !welcom 08:05 < dschuett> !welcome 08:05 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. 
|| See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 08:11 < dschuett> |Mike|: OpenVPN is installed on my gateway that is in front of a lan. - I have everything working just fine, i just don't know what i need to do to allow a second client to connect. I thought build-key client2 would do it but it is asking me to edit and run source ./vars should i have to do that? 08:13 -!- macsppadic [~sonupunno@88.211.55.77] has left #openvpn [] 08:22 -!- WinstonSmith [~true@g231243155.adsl.alicedsl.de] has joined #openvpn 08:29 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 08:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off] 08:33 -!- WinstonSmith [~true@g231243155.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 08:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 08:36 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 265 seconds] 08:37 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn 08:46 -!- WinstonSmith [~true@g231243155.adsl.alicedsl.de] has joined #openvpn 08:47 < Bushmills> the second part of it, yes 08:48 < Bushmills> nice if it tells you what to do, isn't it? 08:49 -!- venom00 [~wer@unaffiliated/venom00] has quit [Ping timeout: 246 seconds] 08:49 <@vpnHelper> RSS Update - forum: Ineternet speed after the openvpn connection 08:51 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn 08:52 < dschuett> Bushmills: so do i have to change anything in vars? - or is it a big no no if it stays the same 08:52 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn 08:55 < Bushmills> once you have edited it to your taste, you can leave it as it is,. 08:56 < dschuett> ok, so if i have already done this once ... 
for my first client, why is it asking again? - or do you just have to run "source ./vars" before each client? 08:56 < dschuett> Bushmills ^^ 08:57 < Bushmills> just before you run build-key 08:57 < Bushmills> if you get tired of doing that, source it from those scripts 09:00 < dschuett> alright - so the only two things you need to do to build a new client key is to run "source ./vars" and the "build-key client2" ?? 09:01 < dschuett> Bushmills: oh, and what do you mean "source it from those scripts"? 09:02 < Bushmills> by that i mean "let the scripts do what otherwise you'd have to do manually" 09:05 < dschuett> Bushmills: so that means hard-code my values in vars? - which i have already done 09:07 < Bushmills> "source" is script talk for "include". rather than "include" the file manually, modify script, or create a new script, which includes that vars file for you before calling build-key 09:08 < Bushmills> without sourcing vars, your settings may be in it, but no script uses them 09:11 -!- chr1s [5d61f643@gateway/web/freenode/ip.93.97.246.67] has joined #openvpn 09:12 < chr1s> hi, I want to benchmark running openvpn on ubuntu and centos, any thoughts as the best way to do this (already measured transferring large files) 09:13 < gladiatr> !welcome 09:13 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 09:13 < gladiatr> !goal 09:13 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 09:20 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined #openvpn 09:21 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Client Quit] 09:25 < Bushmills> chr1s: monitor RX bytes and TX bytes of ifconfig tun0 09:26 < chr1s> thanks 09:26 < Bushmills> alternatively, add stub firewall rules, which have no other purpose than traffic counting 09:33 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn 09:48 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving] 09:54 -!- chr1s [5d61f643@gateway/web/freenode/ip.93.97.246.67] has quit [Quit: Page closed] 09:57 < gladiatr> he'll be back, you know 10:00 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out] 10:04 -!- dschuett [~dschuett@216.229.21.250] has quit [Read error: Connection reset by peer] 10:06 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn 10:22 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has quit [Read error: Operation timed out] 10:26 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn 10:36 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn 10:45 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn 10:46 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Quit: Lost terminal] 10:52 < dschuett> any reason why dnsmasq won't resolve through virtualbox with openvpn? 10:54 < gladiatr> dnsmasq is running on the vm host? 10:54 < gladiatr> or the vm? 
10:57 < dschuett> gladiatr: i have a gateway at my house running openvpn infront of a LAN, I am at work now on my windows 7 machine- and i can VPN into my home network just fine (with DNS working). - I then installed virtual box on the same windows 7 machine. And have Ubuntu 10.10, - i can connect just fine to the vpn but DNS isn't resolving for my home network hosts 10:58 < dschuett> sorry **And have Ubuntu 10.10 installed on virtual box** 10:58 < dschuett> I don't know if this is a linux issue, or if it is because it is a VM 10:58 < dschuett> G0dfath3r! 10:59 < dschuett> oops, wrong IRC 10:59 < gladiatr> on this, the day of your daughter's wedding 10:59 < gladiatr> lol 10:59 < dschuett> haha 10:59 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection] 10:59 < gladiatr> Well... 11:00 < gladiatr> You're gonna have to do something to update your dnsmasq config on the client with the DNS client information that's pushed from the server. 11:00 < gladiatr> I've been lazy about getting into dnsmasq and tend to bypass it (in this case, the only system I have that's using it is my phone, so...) 11:01 < gladiatr> so, I'm not sure exactly what exactly dnsmasq expects to have happen 11:01 < dschuett> i don't have dnsmasq installed on my client, as it shouldn't be needed... It works on every windows machine 11:01 < gladiatr> Right, but you're running an Ubuntu 10.10 host that you're connecting to your home network via openvpn, correct? 11:02 < dschuett> right 11:04 < gladiatr> At this stage, the Ubuntu system is going to be operating independently from the host operating system. For it to function properly as a client, at least as it pertains to your ability to do proper DNS lookups for your home network, you'll need to have some scriptage hooked in to update your client configuration. 11:05 < gladiatr> or rather, your cilent DNS configuration. 11:07 < dschuett> is this because it is a VM? 
11:07 < gladiatr> From what I'm seeing in the dnsmasq man page, you can give it the -R directive to prevent it from reading /etc/resolv.conf and can then use a --server directive on the CLI to specify your new DNS server. 11:07 < gladiatr> No 11:08 < gladiatr> Linux doesn't have a per-interface DNS configuration like Windows 11:08 < dschuett> Which i have already done AND i use push "dhcp-option DNS 10.8.0.1" to force the clients to use that as DNS 11:09 < gladiatr> Right. If you look in your client logs on the Ubuntu VM, you'll see the DNS information being pushed down from the server. 11:09 < gladiatr> It is being delivered, your client just hasn't been told to do anything with it yet. 11:11 < gladiatr> You can access it and Do What Needs To Be Done using the --up hook. You'll find all of the information that the server is pushing assigned to various environment variables. 11:12 < dschuett> ahhh, gotcha... makes sense... could you elaborate more on --up hook? 11:13 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined #openvpn 11:13 < gladiatr> it's just a directive in your cilent.conf file. Give it a path to an executable shell script (or whatever your scripting language of choice is) 11:13 < gladiatr> So, for instance, you could create a file that looks like... 11:13 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn 11:14 < gladiatr> http://pastebin.com/tV9y2sRy 11:14 < gladiatr> when you connect to the server, the up script will execute and leave you with a file in /tmp that shows all the environment variables available to that script hook. 11:15 < gladiatr> From there you can either update your /etc/resolv.conf file directly or stop and restart dnsmasq with the proper command line options to point you to the correct DNS server. 11:16 < gladiatr> To save yourself a headache, put the script in /etc/openvpn. In your cilent conf. 
file, give it the fully qualified path to your script (up /etc/openvpn/myscript.sh) and remember to make it executable (chmod 755 /etc/openvpn/myscript.sh) 11:17 < gladiatr> Once you have this working, you can use a slightly different script that will put things back to the way they need to be when not connected to a VPN server 11:21 < dschuett> gladiatr: awesome! Thanks! 11:21 < gladiatr> you betcha :) 11:22 < gladiatr> Yeah. The windows client kinda spoils you... until it doesn't work properly and then it makes you wish you had hooked up with that hippy chick in college and joined that art commune in Mexico... 11:22 < gladiatr> or somethin 11:23 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn 11:23 < dschuett> lol..... i guess that is one way to put it! 11:23 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Remote host closed the connection] 11:25 < dschuett> gladiatr: so what line do i have to add in my client.conf to get that script to run? 11:26 < gladiatr> The directive is "up" 11:26 < gladiatr> and then the path to and name of your script 11:26 < gladiatr> There is "up" 11:26 < gladiatr> and then there is "down" 11:26 < gladiatr> !up 11:26 < gladiatr> !down 11:27 < gladiatr> !fail 11:27 < dschuett> so just : up /etc/openvpn/myscript.sh ??? 11:27 < gladiatr> Yes. 11:27 < dschuett> gladiatr: damn vpnhelper haha 11:28 < gladiatr> hehe 11:31 < dschuett> gladiatr: ok, so here is the thing... i can ping 192.168.0.1 (which is my nameserver on my home LAN) but if i set that manually in /etc/resolve.conf it still doesn't resolve DNS ??? 11:32 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving] 11:34 < gladiatr> right. that's because you're using the dnsmasq program 11:37 < gladiatr> It reads /etc/resolv.conf when it starts and not again unless it is restarted. 
that's what I was talking about earlier: you can turn off dnsmasq alltogether and just edit /etc/resolv.conf, you can edit resolv.conf and then restart dnsmasq OR you can leave resolv.conf alone and restart dnsmasq with the -R --server [IP of your remote DNS server] and dnsmasq will ignore the contents of resolv.conf 11:37 < gladiatr> (at least according to what I'm seeing in the dnsmasq man page) 11:39 -!- dazo is now known as dazo_afk 11:44 < dschuett> gladiatr: but my understanding is that it ONLY has to be on one machine (and shouldn't have to be installed on clients) because that would defeat the purpose of a DNS server 11:44 < gladiatr> dnsmasq is a DNS forwarder, not a DNS server 11:44 < gladiatr> it needs an actual DNS server host to talk to 11:45 < gladiatr> The purpose, as I'm reading it, of using dnsmasq instead of just relying on the libc resolver routines and /etc/resolv.conf is to give dhcp systems and dynamic firewall environments a relatively simple way of updating the DNS server info for the local host 11:46 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn 11:46 -!- WinstonSmith [~true@g231243155.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 11:46 -!- WinstonSmith [~true@g231243155.adsl.alicedsl.de] has joined #openvpn 11:50 < Bushmills> actually, dnsmasq has some features of an authoritative name server. but for this application, recursion would be needed, and that's what dnsmasq doesn't do. 11:51 < Bushmills> i tend to suggest maradns as lightweight name server which can do recursion, can be authoritative and is configurable as upstream forwarder 11:52 < Bushmills> on top, it is available for both unixoids and windowoids, freely. 11:54 < Bushmills> but it won't resolve host names from a /etc/hosts file 11:55 < gladiatr> Dunno. 
I'm not running ubuntu 10.10 on anything at the moment--not sure what the logic is for including it in the default workstation installation if not for config manipulation simplification. 11:57 < Bushmills> dnsmasq? more serverish, probably because it combines dhcpd, dns forwarder, tftpd in one package 11:57 < gladiatr> Egads. 11:57 -!- WinstonSmith [~true@g231243155.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 11:58 < Bushmills> actually, a bit more than just dns forwarder, as it serves from hosts file, and the dhcp request provided names, if any, plus allows to define RRs in the config file 11:59 < gladiatr> Yeah. That kinda sounds a bit more than needs to be installed for a "desktop" system... 11:59 < Bushmills> so for a LAN, or on a router, it can make a lot of sense 11:59 < gladiatr> Right. It just seems to pop up frequently these days on debian-derived systems within distributions that aren't necessarily targeted at the server (ie: maemo) :) 11:59 < Bushmills> maradns, in contrast, is a "real" name server 12:01 < gladiatr> Indeed. Looking at its docs now... 12:02 < Bushmills> as recursor also eminently desktop suited 12:06 < gladiatr> dschuett, is your intent to use this ubuntu vm as a gateway to your home network? 12:07 -!- dazo_afk is now known as dazo 12:10 -!- WinstonSmith [~true@g231243155.adsl.alicedsl.de] has joined #openvpn 12:17 -!- p3rror [~mezgani@41.140.31.52] has joined #openvpn 12:18 -!- djgerm [~Your_Moms@64-60-122-187.static-ip.telepacific.net] has quit [Quit: Leaving.] 12:21 -!- WinstonSmith [~true@g231243155.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 12:23 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn 12:25 < iceberg> is there an openvpn client for windows that doesnt need admin at all? 
the portable version tried to install some driver and you cant do that w/o admin 12:27 < gladiatr> nope 12:27 < gladiatr> You've got to have the tap-win32 driver 12:28 < gladiatr> And you have to be able to add and remove things from the routing table. 12:28 < gladiatr> Both of those require admin privileges 12:28 < gladiatr> (stupid windows /hrmph) 12:29 < krzee> !win_noadmin 12:29 <@vpnHelper> "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista 12:30 < krzee> iirc it hasnt been figured out how to do this after XP 12:30 < iceberg> krzee: yea that method requires admin access 12:30 < krzee> oh well sure 12:30 < krzee> you'll NEVER get openvpn running with no access to admin 12:30 < iceberg> I need a solution for when I goto a business and have no privs at all 12:31 < krzee> otherwise, just to run, it only needs access to add routes and whatnot 12:31 < iceberg> ssh was an epic failure because you can steal the kwys and there is no way to limit ssh to one connection per user 12:31 < krzee> iceberg, cell phone, laptop 12:31 < krzee> virtual machine 12:31 < krzee> (if you can do *that* without admin...) 12:32 < iceberg> I was just gona say vbox needs admin rights 12:34 < iceberg> if it's even possible I hate windows more than ever 12:35 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn 12:35 < gladiatr> You are still alive. It is possible. 
12:36 -!- LeRrA_ [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 260 seconds] 12:36 -!- LeRrA_ [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn 12:36 < krzee> !windows 12:36 <@vpnHelper> "windows" is (#1) pcs are like air conditioners, they work fine unless you open windows, or (#2) http://secure-computing.net/files/windows.jpg, or (#3) also, http://secure-computing.net/files/windows_2.jpg 12:37 < gladiatr> awesome 12:37 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Remote host closed the connection] 12:37 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn 12:40 < X-Vo> when i connect to my vpn it won't pick up it's External IP, how do i fix this? 12:44 < krzee> !redirect 12:44 < gladiatr> !welcome 12:44 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 12:44 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 12:46 < gladiatr> X-Vo, you have been double-vpnhelper'd. Beware lest your head explode... 12:47 < X-Vo> =o 12:48 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has joined #openvpn 12:52 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has quit [Ping timeout: 240 seconds] 12:52 -!- djgerm [~Your_Moms@64-60-122-187.static-ip.telepacific.net] has joined #openvpn 12:56 < X-Vo> and is it possible to connect to e.g. 192.168.1.1 and such when using my vpn? 
12:56 < Bushmills> !goal 12:56 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 12:56 < Dougy> need some help with openvpn on windows 12:56 < Dougy> it started properly, and it exists in routing table 12:56 < Dougy> and server get 10.5.5.4 but i can't ping it 12:57 < Dougy> firewall? 12:57 < Bushmills> no idea. somewhat terse problem description 12:57 < krzee> server didnt get .4 12:58 < Dougy> oh says base is .4 12:58 < Dougy> but .1 doesnt ping either 12:58 < Dougy> oh wait, it does 12:58 * Dougy facepalm 12:58 < krzee> heh 12:58 -!- p3rror [~mezgani@41.140.31.52] has quit [Ping timeout: 240 seconds] 12:59 < Bushmills> !howto 12:59 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:59 * krzee hands Bushmills a clue-stick to beat Dougy with 12:59 < Bushmills> Dougy: ^^^^ :P 12:59 < Dougy> I have the howto open already 12:59 < Dougy> just misread 12:59 < Bushmills> bookmarked? 12:59 < Dougy> no 12:59 < Dougy> memorized 12:59 < Dougy> :O 12:59 < Bushmills> for future reference aka deletion? 12:59 < Dougy> im always on there 12:59 < Dougy> i use the 3 ip block thing for reference all the time 12:59 -!- WinstonSmith [~true@e178179130.adsl.alicedsl.de] has joined #openvpn 13:00 < Dougy> where it tells how big the 10 and the 172w blocks are 13:00 < Dougy> etc 13:00 < krzee> umm 13:00 < krzee> you mean 13:00 < krzee> !1918 13:00 < krzee> ? 
13:00 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, adn 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html 13:00 < Dougy> yeah that 13:00 < Dougy> i just load the howto as it says it and its convenient 13:01 < Dougy> bout to head to advance auto parts 13:03 < Dougy> balls 13:03 < Dougy> they dont have the part in stock 13:03 < Dougy> ajsfkdghnljjag 13:04 < Dougy> what is 'nsCertType' in ddd-wrt 13:04 < Dougy> dd-wrt 13:05 < krzee> meh 13:05 < krzee> !man 13:05 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 13:06 < Dougy> oh that's on there? 13:06 * Dougy loads 13:12 -!- Jondice1 [~brandon@rrdhcp-172-285.redrover.cornell.edu] has quit [Ping timeout: 246 seconds] 13:12 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^] 13:16 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Remote host closed the connection] 13:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn 13:19 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn 13:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection] 13:22 < Dougy> thats lame 13:22 < Dougy> my server made hte certs not valid till later 13:22 < Dougy> Not Before: Jan 13 18:33:03 2011 GMT 13:22 < Dougy> hrmmph 13:22 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day] 13:28 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 260 seconds] 13:30 < ecrist> set the date right... 
13:37 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has quit [Ping timeout: 255 seconds] 13:37 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn 13:43 -!- agrajag [~agrajag^@c-24-131-78-108.hsd1.pa.comcast.net] has quit [Quit: ZNC - http://znc.sourceforge.net] 13:52 -!- mezgani_ [~mezgani@41.140.43.168] has joined #openvpn 13:54 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Quit: iceberg] 13:55 -!- mezgani_ is now known as p3rror 13:56 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds] 13:59 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day] 14:01 -!- gomix [~gomix@fedora/gomix] has joined #openvpn 14:03 -!- diphthong [~diphthong@69.172.135.243] has quit [Quit: leaving] 14:03 -!- diphthong [~diphthong@69.172.135.243] has joined #openvpn 14:05 -!- diphthong [~diphthong@69.172.135.243] has quit [Client Quit] 14:05 -!- diphthong [~diphthong@69.172.135.243] has joined #openvpn 14:07 -!- gomix [~gomix@fedora/gomix] has left #openvpn [] 14:08 -!- grendal_prime_ [~sgraham@riverbank.fpdomain.com] has joined #openvpn 14:08 < grendal_prime_> hey guys 14:08 < grendal_prime_> i got a werid on here. I have working openvpn server. and im trying to get the clients to see the internal network. 14:09 < grendal_prime_> pushing a route and i have the iroute in the ccd. but the clients cannot see the network on the other side. 14:10 < rjd_> they tunnel all their traffic through the vpn server? 14:10 < rjd_> and that works? 
14:10 < krzee> !ipv6 14:10 <@vpnHelper> "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch (adds some nice ipv6 options), or (#2) see !snapshots for a release with ipv6 patches in it, report how it works to help it get included in a stable release 14:10 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn 14:14 < Dougy> hm 14:14 < Dougy> haing an odd xen issue 14:15 < gladiatr> !iroute 14:15 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 14:22 -!- grendal_prime_ [~sgraham@riverbank.fpdomain.com] has quit [Ping timeout: 276 seconds] 14:23 < Dougy> this is so odd 14:27 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm] 14:36 < Dougy> just had a job ofer to work for http://www.liveprofile.com/ 14:36 < Dougy> neato 14:36 <@vpnHelper> Title: LiveProfile - Stay Connected (at www.liveprofile.com) 14:37 -!- p3rror [~mezgani@41.140.43.168] has quit [Read error: Connection reset by peer] 14:38 -!- sia^pwnnt is now known as adawda 14:38 < Dougy> it's 18:33 GMT.. certs still dont want to work 14:38 < Dougy> lame 14:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds] 14:44 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has joined #openvpn 14:45 -!- Jondice1 [~brandon@rrdhcp-172-285.redrover.cornell.edu] has joined #openvpn 14:45 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has quit [Client Quit] 14:46 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has joined #openvpn 14:46 < Manny> hi :) 14:47 < Manny> what solution do you recommend for letting only certain applications run the network traffic over a VPN? 
Most solutions use iptables, e.g., http://serverfault.com/questions/95813/only-tunnel-certain-applications-via-openvpn 14:47 <@vpnHelper> Title: linux - Only tunnel certain applications via OpenVPN - Server Fault (at serverfault.com) 14:47 < Manny> do you have any other ideas? 14:47 < krzee> !routebyapp 14:47 <@vpnHelper> "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. 14:47 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Read error: No route to host] 14:47 < Manny> krzee, thanks 14:47 < Manny> !sockd 14:47 <@vpnHelper> "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn 14:48 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 14:49 < Manny> krzee, is there any step-by-step howto, or am I expected to be experienced and longanimous to collect all the information myself? 14:49 < krzee> np 14:50 < krzee> no howto, but one isnt needed really 14:50 < gladiatr> longanimous... I like that. I don't think I've ever seen it used in a sentence before. Thanks, manny :) 14:51 -!- p3rror [~mezgani@41.140.155.31] has joined #openvpn 14:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 14:52 < Manny> krzee, for instance, "get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination." -- I thought I have one subnet for the VPN tun0 device, and one for the eth0 devices. So how should I filter by subnet? This seems a bit odd... 
14:52 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has joined #openvpn 14:54 < krzee> you run it listening on tun0 and using eth0 to leave 14:54 < krzee> dante supports this 14:54 < Manny> krzee, ah ok, I wasn't aware of such one-way traffic configurations. I'll try to fiddle a bit around, and ask if I have any problems. 14:55 < Manny> krzee, what do you suggest as a proxifier replacement for linux? iptables rules? 14:55 < Manny> oups, what a stupid remark 14:55 -!- adawda is now known as sia^pwnnt 14:56 < Manny> maybe something like tsocks? 14:56 < krzee> socksify or something 14:57 < Manny> krzee, thanks a million. I wasn't aware of dante. 14:57 < krzee> np 15:00 < krzee> internal: 10.8.1.1 port = 1080 15:00 < krzee> external: 66.11.114.212 15:00 < krzee> this tells it to only listen on 10.8.1.1 port 1080 15:00 < krzee> and to use 66.11.114.212 as its outbound 15:00 < krzee> (quite handy for this) 15:01 < krzee> you can also get crafty with the ruleset... mine allows all because if you are in my vpn you are ME 15:01 < krzee> and if you are me, you should be able to do anything! 15:01 < krzee> (dante also allows udp, whereas socks via ssh does not) 15:02 -!- grendal_prime_ [~sgraham@riverbank.fpdomain.com] has joined #openvpn 15:03 -!- ^scott^ [~scott@stthom.org] has left #openvpn [] 15:03 < grendal_prime_> ok gladiatr sorry i got bounced...so...basically do the machines on the internal network all have to have a static route that tells them where the 10.8.0.0 nework is? 
15:03 < grendal_prime_> !route 15:03 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:04 < krzee> grendal_prime 15:04 < krzee> !route_outside_openvpn 15:04 <@vpnHelper> "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan 15:04 < krzee> in that section of !route it tells in detail 15:04 < krzee> you CAN add the route to every lan machine if you want... or just to their gateway 15:04 < krzee> with the second option being far easier of course 15:05 < gladiatr> yeah. what krzee said :) 15:07 -!- Guest59138 [~ol@2a01:198:6f7::dead:beef:0] has quit [Read error: Connection reset by peer] 15:09 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds] 15:13 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 15:14 -!- p3rror [~mezgani@41.140.155.31] has quit [Ping timeout: 240 seconds] 15:16 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Quit: time to go] 15:19 <@vpnHelper> RSS Update - forum: IP address of client still visible 15:23 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds] 15:23 -!- dollabill [~mike@199.44.8.98] has quit [Ping timeout: 250 seconds] 15:23 -!- ginoe [~ginoe@6-pra-5.acn.waw.pl] has joined #openvpn 15:24 < ginoe> hi can someone help me with building openvpn on windows ? 
15:25 < ginoe> i try with that: https://community.openvpn.net/openvpn/wiki/BuildingOnWindows but when i run python build_all.py i get https://community.openvpn.net/openvpn/wiki/BuildingOnWindows 15:25 <@vpnHelper> Title: BuildingOnWindows – OpenVPN Community (at community.openvpn.net) 15:25 < ginoe> any idea whay ? 15:25 < ginoe> sorry error msg: IOError: [Errno 2] No such file or directory: 'C:\\cprojects\\openvpn-build\\openvpn-2.2\\tapinstall\\sources.in' 15:25 < cron2> ginoe: you could go with the old build system ("domake-win", it's a script but has the documentation right in it) 15:25 < cron2> or you need to get 15:26 < cron2> 2.2-RC with mattock's python build patches 15:26 < ginoe> where can i get that 2.2-RC ? 15:26 < krzee> !download 15:26 < cron2> "wait for it to be released" 15:26 <@vpnHelper> "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore 15:26 -!- p3rror [~mezgani@41.248.184.76] has joined #openvpn 15:26 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has quit [Quit: Ex-Chat] 15:26 < cron2> krzee: we have released 2.2-RC already? 15:27 <@dazo> ginoe: mattock is working hard on the building scripts on Windows .... that's what's holding the 2.2-RC back, so that we have proper/working scripts in that release 15:27 < cron2> ginoe: what I tried to say is "python building is very new and stuff is missing" 15:27 <@dazo> cron2: krzee: 2.2-RC is still not released ... due to the windows building issues :( 15:27 < cron2> the old msys/mingw building works 15:27 < cron2> domake-win 15:27 <@dazo> that should probably work, yes 15:28 < ginoe> ok - is ther some tutorial for that ? 
(msys)\ 15:28 < cron2> ginoe: google for msys, follow the instructions how to install that 15:28 < cron2> windows building is not for the faint of heart 15:30 < cron2> sorry if I sound harsh - that's not actually my intention - but I just don't have an easy-to-follow HOWTO available, just "domake-win, google, and grab the precompiled tap driver from the download page" 15:30 <@vpnHelper> RSS Update - forum: how to create certificates for "--remote-cert-tls" 15:31 < ginoe> cron2 - no it's not problem to me - i have right now msys and try to install openssl lzo and pkc11 15:32 < krzee> ohhh RC 15:32 < krzee> right, we've released beta, my bad 15:36 <@vpnHelper> RSS Update - forum: OpenVPN to filter DHCP requests in bridge mode 15:36 -!- dschuett [~dschuett@216.229.21.250] has quit [Ping timeout: 246 seconds] 15:37 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: Leaving] 15:38 < grendal_prime_> ya this is hella frustrating 15:41 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has joined #openvpn 15:41 < Manny> !welcome 15:41 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 15:42 < Manny> !goal 15:42 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 15:42 < Manny> !seen krzee 15:42 <@vpnHelper> krzee was last seen in #openvpn 9 minutes and 18 seconds ago: right, we've released beta, my bad 15:42 < Manny> x( 15:43 < Manny> I am trying to configure dante for my tun0 iface. 
In my case, I only had a Cisco VPN server, so I had to use vpnc to set up the tun0 iface. However, IMO the rest should be identical to OpenVPN, right? 15:43 -!- ginoe [~ginoe@6-pra-5.acn.waw.pl] has quit [Remote host closed the connection] 15:43 < Manny> I tried to follow the suggestions by... 15:43 < Manny> !routebyapp 15:43 <@vpnHelper> "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. 15:43 < Manny> !sockd 15:43 <@vpnHelper> "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn 15:43 < Manny> I don't understand how to "ONLY RUN THIS ON THE INTERNAL VPN IP!" 15:44 < Manny> do I need to take the tun0's IP, and set it as external IP of dante.conf? 15:45 < Manny> is "internal: eth0 port = 1080" and "external: MY-tun0-IP" ok? 
15:46 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn 15:49 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has left #openvpn ["Ex-Chat"] 15:49 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has joined #openvpn 15:56 -!- p3rror [~mezgani@41.248.184.76] has quit [Ping timeout: 240 seconds] 15:57 -!- andol [andreas@ubuntu/member/andol] has joined #openvpn 15:58 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has quit [Quit: Ex-Chat] 15:59 -!- sbrath [~sbrath@unaffiliated/sbrath] has joined #openvpn 16:09 -!- p3rror [~mezgani@41.140.38.157] has joined #openvpn 16:13 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 16:29 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has joined #openvpn 16:29 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has quit [Read error: Connection reset by peer] 16:39 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 16:40 < Dougy> haviong some issues.. http://paste2.org/p/1190834 <-- i know the client is missing remote line, remove dit so it'd stop screwing it self up 16:41 < Dougy> the vpn connects fine.. but i lose all connectivity here at the house 16:41 < Dougy> i can ping 10.5.5.6 (vpn ip my router gets).. but nothing else.. and cant connect to router via that ip.. so my connectivity is useless 16:41 < Dougy> i'd like to have def1 at some point too so all traffic goes through that .109 ip 16:47 <@dazo> Dougy: read up on !route 16:47 <@dazo> !route 16:48 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:48 <@dazo> that error message you refer to is mentioned here and why 16:48 < Dougy> ive been reading it 16:48 < Dougy> i just noticed i missed iroute for the 192.168.1.0/24 vlan 16:48 < Dougy> so i added it for myself 16:48 < Dougy> was that my only issue? 
16:49 <@dazo> from the log file it seems so
16:49 < Dougy> ok.. wish me luck....
16:49 <@vpnHelper> RSS Update - forum: how to create certificates for "--remote-cert-tls"
16:50 < Dougy> here goes nothing
16:51 < Dougy> im still online!
16:51 < Dougy> w00t
16:51 < Dougy> so um dazo
16:51 < Dougy> if i add def1, it should just send all traffic through right
16:51 <@dazo> yeah, basically that's the idea
16:51 < Dougy> ok
16:51 < Dougy> brb testing again
16:51 -!- grendal_prime_ [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
16:52 < Dougy> nope :(
16:52 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has joined #openvpn
16:53 < Manny> re! :)
16:53 < Dougy> dazo: i can still communicate in the LAN fine... but no external connectivity :(
16:53 < Manny> third time...
16:53 <@dazo> Dougy: check your routing table after connecting to the VPN
16:53 < Dougy> Thu Jan 13 22:52:06 2011 /sbin/ifconfig tun1 10.5.5.6 pointopoint 10.5.5.5 mtu 1500
16:53 < Dougy> Thu Jan 13 22:52:07 2011 ERROR: Linux route add command failed: external program exited with error status: 255
16:53 < Manny> I am unable to configure dante + vpnc, as suggested by !routebyapp and !socksd. I know, it's a vpnc question -- but it should be (more or less) the same for openvpn. The problem is:
16:53 < Dougy> i assume that means something
16:54 <@dazo> Manny: this is #openvpn ... not #dante or #vpnc
16:54 < Dougy> dazo: any ideas?
16:54 <@vpnHelper> RSS Update - forum: quetions about pushing routes
16:54 < Dougy> or just try it and pastebin routing table
16:55 <@dazo> Dougy: that basically means it struggled with adding a route ... so you need to have log files on verb 4 probably to see more what is happening
16:55 <@dazo> Dougy: you are starting openvpn with admin/root privileges?
16:55 < Manny> dazo, I know, but dante + vpnc is a lot like dante + openvpn, right? :) I mean, I followed the !socksd howto, that's why I am mentioning it. I would LOVE to try out openvpn as well, but I only have a cisco protocol server available @ university
16:55 < Dougy> brb.. will pastebin
16:55 <@dazo> Manny: vpnc != openvpn ... except that both are VPN solutions ... but they are very different
16:55 < Manny> dazo, ...but both create a tunX device, right?
16:56 <@dazo> vpnc != openvpn
16:56 < Manny> isn't it "just" the protocol?
16:56 < Manny> you are very strict. I am trying to find out whether anybody followed the !socksd tutorial, and ran into the same trouble with OpenVPN :)
16:57 <@dazo> Manny ... on this channel you can expect help with #openvpn primarily .... some people here might know a lot about other things ... but don't expect that we can help with whatever here
16:57 < Dougy> dazo: http://paste2.org/p/1190853
16:58 < Manny> my problem is that danted works like a charm, with "internal: 127.0.0.1 port = 1080", and "external = tun0", and the rest of danted as !socksd, but only IFF my default gateway is set to tun0
16:58 < Dougy> have one idea.. windows ip forwarding..
16:59 < Manny> the same applies conversely: "internal: 127.0.0.1 port = 1080" and "external = eth0" only works if my default gateway is set to eth0's
16:59 < Manny> "set to tun0" = "set to tun0's". By "set to X's", I mean that it is set to the gateway taken from ifconfig.
17:01 < Dougy> bah
17:01 < Dougy> !windows
17:01 <@vpnHelper> "windows" is (#1) pcs are like air conditioners, they work fine unless you open windows, or (#2) http://secure-computing.net/files/windows.jpg, or (#3) also, http://secure-computing.net/files/windows_2.jpg
17:01 < Dougy> !factoids search windows 2008
17:01 <@vpnHelper> No keys matched that query.
17:01 < Dougy> !factoids search win2008
17:01 <@vpnHelper> No keys matched that query.
17:01 < Dougy> !factoids search win2k8
17:01 <@vpnHelper> "win2k8" is Server 2008 assigns the OpenVPN TAP Adapter v9 as an Unidentified network which the default Local Security Policy of Server 2008 assigns as being a Public Interface with restricted access. To fix it do this: Go into Control Panel / Administrative Tools / Local Security Policy / Network List Manager Policies / Unidentified Networks. Set Location Type to Private.
17:03 <@dazo> Dougy: it looks like you are trying to setup the same route twice
17:03 <@dazo> look at line 21, 33 and 34
17:04 < Dougy> in the pastebin?
17:04 < Dougy> or in config file(s)
17:04 <@dazo> yeah
17:04 <@dazo> pastebin
17:04 <@dazo> the last one
17:04 < Dougy> interesting
17:04 < Dougy> you didnt see it duped in config files did you
17:04 <@vpnHelper> RSS Update - forum: quetions about pushing routes
17:04 < Dougy> i mean, i did the 'server 10.5.5.0 255.255.255.0' and the push route
17:04 < Dougy> is that my issue?
17:05 <@dazo> sorry, my box crashed and I just recovered ... I lost that window
17:05 < Dougy> which window
17:05 < Dougy> the pastebin?
17:05 < Dougy> server 10.5.5.0 255.255.255.0 and push "route 10.5.5.0 255.255.255.0" <-- causing my dupe issue?
17:06 <@dazo> Dougy: yes, I think so
17:07 <@dazo> --server does a push route like that as well
17:07 < Dougy> alrighty well thats not helping my stupid ip forwarding issue
17:07 < Dougy> once vpn connects, i can ping the vpn ip .1 and the windows server's public IP
17:07 < Dougy> but connectivity just ends there
17:07 < Dougy> thats just windows ip forwarding issue right
17:08 <@dazo> Dougy: you do remember to NAT the traffic from the tunnel and "out to the world"?
17:08 <@dazo> server is windows based?
17:09 < Dougy> yeah
17:09 < Dougy> domain controller
17:09 < Dougy> vpn server
17:09 < Dougy> in one
17:09 <@dazo> ugh ... okay, I know nothing about windows unfortunately, so I have no idea how to do such stuff there
17:10 < Dougy> well, the openvpn aspect works properly
17:10 < Dougy> i know almost nothing about windows server, either dazo
17:10 < Dougy> so we are on the same page here
17:10 <@dazo> :)
17:11 <@dazo> well, I'm pretty confident it has to be some NAT issues then ... or ... if your server is behind a firewall which NAT's the windows server as well ...
17:11 < Dougy> nope server is colocated
17:11 <@dazo> okay, then you simply need to figure out NAT on Windows
17:12 < reiffert> !factoids search nat
17:12 <@vpnHelper> 'nat', 'linnat', 'fbsdnat', 'pfnat', 'freebsdnat', 'bsdnat', 'donate', 'winnat', and 'openvzlinnat'
17:12 < reiffert> !winnat
17:12 <@vpnHelper> "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
17:12 < Dougy> dude
17:12 < Dougy> i love you
17:12 * Dougy tests
17:13 < Dougy> bah server 2003
17:16 -!- p3rror [~mezgani@41.140.38.157] has quit [Ping timeout: 255 seconds]
17:17 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
17:18 < Manny> ok, thanks
17:18 < Manny> see you
17:18 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has quit [Quit: Ex-Chat]
17:19 < Dougy> little confused dazo
17:19 < Dougy> should i enable NAT on the tap interface
17:19 < Dougy> or the actual ethernet interface
17:20 <@dazo> Dougy: uhh ... in my head, it would be the ethernet interface, you want traffic going in/out of that one to be NATed to the servers IP address
17:21 <@dazo> but I know this is Microsoft too ... they might have a different opinion than me
17:21 * Dougy will play with it
17:23 < Dougy> enabled it on both with no love
17:23 < Dougy> hmm
17:24 < reiffert> on the ethernet interface, of course.
17:27 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:33 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
17:35 -!- iceberg [~iceberg@cpe-24-166-7-47.indy.res.rr.com] has joined #openvpn
17:37 < Dougy> im out of ideas
17:38 < Dougy> http://www.upload3r.com/serve/130111/1294961926.png
17:38 < Dougy> no luck
17:43 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:44 <@dazo> Dougy: I believe you in that window you show there need to set your public IP address
17:44 <@dazo> it says "Your ISP provider assigns this address pool"
17:45 <@dazo> but this is just a wildguess though
17:46 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has joined #openvpn
17:46 <@vpnHelper> RSS Update - forum: OpenVPN to filter DHCP requests in bridge mode
17:50 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has quit [Ping timeout: 246 seconds]
17:52 * dazo calls this a day
17:53 -!- dazo is now known as dazo_afk
17:57 -!- s7r [~s7r@94.46.240.225] has left #openvpn []
18:03 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn
18:12 -!- p3rror [~mezgani@41.140.103.245] has joined #openvpn
18:14 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig.
18:20 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
18:20 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
18:20 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:30 <@vpnHelper> RSS Update - forum: Management localhost 7505
18:35 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
18:41 -!- p3rror [~mezgani@41.140.103.245] has quit [Remote host closed the connection]
19:06 <@vpnHelper> RSS Update - forum: Linux client problem
19:26 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 272 seconds]
19:35 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
19:44 -!- sia^pwnnt is now known as adawda
20:04 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
20:28 -!- Azoff [foobar@c83-252-248-115.bredband.comhem.se] has quit [Ping timeout: 260 seconds]
20:36 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:53 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
20:59 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
21:02 -!- djgerm [~Your_Moms@64-60-122-187.static-ip.telepacific.net] has quit [Quit: Leaving.]
21:13 < Dougy> dazo i dont think so
21:13 < Dougy> time to fight with it more
21:19 < Dougy> http://paste2.org/p/1191226 why does that look so wron
21:19 < Dougy> g
21:29 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
21:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
21:32 -!- corretiko [~corretico@201.201.44.82] has joined #openvpn
21:35 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
21:38 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
21:47 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 260 seconds]
21:54 < Dougy> fuckkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
21:54 < Dougy> anyone here set up openvpn with def1 on windoze 2008
22:15 < Dougy> ok i got it
22:15 < Dougy> but..
22:15 < Dougy> now i can surf web properly.. but my local LAN is acting up... i can ping 192.168.1.1 but cant load in browser
22:15 < Dougy> if i push route for 192.168.1.0 255.255.255.0.. should i be able to reach it from the server? things inside the 192 that is
22:16 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 240 seconds]
22:17 < Dougy> i can ping 10.5.5.1 but not .6 (.6 is my router)
22:22 < Dougy> krzie: help
22:23 < krzie> heh
22:23 < krzie> !route_outside_openvpn
22:23 < Dougy> im almost there
22:23 <@vpnHelper> "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
22:24 < Dougy> its 11pm
22:24 < Dougy> and that just went so far over my head
22:25 < krzie> then bookmark it for when you can understand it better
22:25 < Dougy> :(
22:25 < krzie> and go read that section of !route
22:25 < Dougy> i realize im missing a route or 2
22:25 < krzie> i documented it all
22:25 < krzie> "explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route"
22:25 < Dougy> thats what i have in front of me
22:25 < Dougy> can you do 'route ip netmask ' ?
22:26 < krzie> ask your manual
22:26 < Dougy> ok, let me rephrase
22:26 < Dougy> am i on the right path to what i need?
22:26 < krzie> if you're reading my routing document yes
22:26 < Dougy> yeah i am
22:26 < Dougy> Lets say our server is 10.10.2.10 on its lan, and uses 10.10.2.1 as its default route, and you want the 2.x lan to be accessible or able to access over the vpn.
22:26 < Dougy> 2.1 would need a route for every network that 2.x will access or be accessed by. That means in our example:
22:26 < Dougy> 10.10.2.1 must know that for 10.10.1.x 10.10.3.x and the vpn internal network (for example, 10.8.0.x), it sends the traffic to 10.10.2.10
22:26 < Dougy> This is true for any number of lans you want to connect, whether server or client.
22:26 < Dougy> that
22:27 < Dougy> i guess im just not mentally translating that to a route rule
22:27 < Dougy> @MAN
22:27 < Dougy> ER
22:28 < Dougy> !man
22:28 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
22:29 * Dougy dies
22:29 < Dougy> so krzie i need 'route 192.168.1.0 255.255.255.0 192.168.1.1' ?
22:29 < krzie> umm no
22:30 < krzie> in fact, hell no
22:30 < krzie> lol
22:30 * Dougy headdesks
22:30 < Dougy> i should be careful
22:30 < Dougy> i have a sharps container on my desk
22:30 < krzie> i didnt even need to read anything above
22:30 < krzie> route 192.168.1.0 255.255.255.0 192.168.1.1 by itself just makes no sense
22:30 < Dougy> i guess
22:30 < krzie> if 192.168.1.1 is 1 hop away, why wouldnt the rest of the lan be...?
22:30 < Dougy> i thought about setting it to 10.5.5.1 but that's useless
22:30 < Dougy> or isnt it
22:31 < Dougy> 10.5.5.1 is the server
22:31 < krzie> make a gliffy diagram and include things that matter this time
22:31 < krzie> also, how many VPNs are you setting up dude?
22:31 < Dougy> what would they be
22:31 < Dougy> just one..
22:31 < Dougy> one server.. and client is my home rotuer
22:31 < Dougy> router even
22:31 < krzie> you keep coming up with new issues, seems like the 3rd vpn
22:31 < Dougy> i set one up for shits and giggles about every month or two
22:31 < Dougy> then take it down after i get bored with it
22:32 < krzie> so you are using my friday night time for shits and giggles?
22:32 < Dougy> actually no
22:32 < Dougy> this time it has a purpose
22:32 < Dougy> purpose of this is to redirect all traffic through vpn..vpn is on same server as a domain controller.. so all pc's can surf the web with that IP and connect to domain controller
22:32 < Dougy> 2 in one i guess
22:33 < Dougy> what really has me perplexed right now is that i can ssh to 192.168.1.1 but cant load web page
22:35 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has joined #openvpn
22:35 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has quit [Changing host]
22:35 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
22:35 < Dougy> oh now it works
22:38 < Dougy> ok bed
22:38 < Dougy> will tackle that last route tomorrow
22:40 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 240 seconds]
22:55 -!- Azoff [foobar@c83-252-248-115.bredband.comhem.se] has joined #openvpn
23:00 -!- Azoff [foobar@c83-252-248-115.bredband.comhem.se] has quit [Ping timeout: 260 seconds]
23:06 -!- Azoff [foobar@c83-252-248-115.bredband.comhem.se] has joined #openvpn
23:07 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 240 seconds]
23:07 -!- WinstonSmith [~true@e178179130.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
23:10 -!- LedZeplin [jbearer@74.46.1343.static.theplanet.com] has joined #openvpn
23:11 < LedZeplin> !welcome
23:11 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:12 < LedZeplin> !goal
23:12 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:12 -!- grapsus [~grapsus@acces1192.res.insa-lyon.fr] has quit [Remote host closed the connection]
23:13 < LedZeplin> !howto
23:13 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:13 < LedZeplin> !topology
23:13 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
23:20 -!- Bebop2Steady [~Bebop2Ste@124-169-6-237.dyn.iinet.net.au] has joined #openvpn
23:23 < Bebop2Steady> A general question for the openvpn expert: If I have 2 different vpn providers (eg: perfect privacy, xerobank) -- can I open one instance of openvpn client on my windows pc, then after it connects -- open a 2nd instance of openvpn client to the other provider, and therefore create a nested vpn situation. Is there any specific change that would need to be manually added to the windows route ta
23:23 < Bebop2Steady> ..route table...
23:25 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:25 < Bebop2Steady> just for a proof of concept i setup 2 openvpn servers that work fine on their own, but as soon as i try to run them at the same time -- I cant surf net anymore.
23:26 < Bebop2Steady> I'm starting to think that openvpn or windows is not designed to behave this way
23:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 250 seconds]
23:47 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
23:48 < Bebop2Steady> any helpers on who know about double vpn ?
23:53 -!- corretiko [~corretico@201.201.44.82] has quit [Read error: Connection reset by peer]
23:53 < Bebop2Steady> well, if you do -- I have started a thread: https://forums.openvpn.net/post9160.html
23:53 <@vpnHelper> Title: OpenVPN Support Forum Double VPN || 2 Hop VPN || VPN-over-VPN : Server Administration (at forums.openvpn.net)
23:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
--- Day changed Fri Jan 14 2011
00:07 -!- Bebop2Steady [~Bebop2Ste@124-169-6-237.dyn.iinet.net.au] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/]
00:22 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has joined #openvpn
00:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
00:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
00:33 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has quit [Ping timeout: 250 seconds]
00:38 -!- Chris___ [goose@well.i.made.ur-mom.go.honk-honk.org] has left #openvpn ["God doesn't send firemen to hell; if he did, he knows we'd just put it out!"]
01:03 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has joined #openvpn
01:04 -!- andol [andreas@ubuntu/member/andol] has left #openvpn []
01:10 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
01:14 -!- harry_ [~harry@224.sub-174-252-37.myvzw.com] has joined #openvpn
01:14 < harry_> greetings
01:15 -!- harry_ [~harry@224.sub-174-252-37.myvzw.com] has left #openvpn ["Once you know what it is you want to be true, instinct is a very useful device for enabling you to know that it is"]
01:27 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
01:27 -!- mode/#openvpn [+o mattock] by ChanServ
01:32 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Ping timeout: 260 seconds]
01:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
01:57 -!- Azoff [foobar@c83-252-248-115.bredband.comhem.se] has quit [Ping timeout: 260 seconds]
02:00 <@vpnHelper> RSS Update - forum: cannot ping and samba share between ubuntu server and winxp
02:00 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
02:04 -!- Azoff [foobar@c83-252-248-115.bredband.comhem.se] has joined #openvpn
02:22 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Quit: Lost terminal]
02:24 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined #openvpn
02:32 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
02:39 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn
02:47 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has joined #openvpn
02:52 -!- dazo_afk is now known as dazo
02:59 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
03:03 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Remote host closed the connection]
03:04 -!- maxJadi [~maxJadi@h192n3-g-kt-d1.ias.bredband.telia.com] has joined #openvpn
03:04 -!- maxJadi [~maxJadi@h192n3-g-kt-d1.ias.bredband.telia.com] has quit [Changing host]
03:04 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn
03:18 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:21 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
03:26 < Malard> hi, i've got a tun working between server and client and i can send data between both ends on routes that were pushed from the server and addresses that are in the same 10.20.0.0/23 as the client (dont ask about the range size), however i have a separate range that i want the server to route traffic
towards the client (10.1.1.0/29) the client can ping that ip correctly, and on the server side
03:26 < Malard> traffic gets routed to the vpn server correctly
03:26 < Malard> and i've created a static route that mirrors the same as the 10.20.0.0/23 route
03:26 < Malard> 10.1.1.0 10.8.0.2 255.255.255.248 UG 0 0 0 tun0
03:27 < Malard> 10.20.0.0 10.8.0.2 255.255.254.0 UG 0 0 0 tun0
03:27 < Malard> do I need to do anything special with openvpn?
03:29 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
03:41 -!- Malard|Home [~ident@xbmc/staff/malard] has joined #openvpn
03:45 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 264 seconds]
03:45 -!- Malard|Home [~ident@xbmc/staff/malard] has quit [Ping timeout: 246 seconds]
03:50 -!- master_of_master [~master_of@p57B55F20.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:52 -!- master_of_master [~master_of@p57B55C08.dip.t-dialin.net] has joined #openvpn
04:06 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:18 < hyper_ch> krzie: http://www.embedded-bits.co.uk/2011/1-second-linux-boot-to-qt/
04:18 <@vpnHelper> Title: 1 second Linux boot to Qt! « Embedded Bits (at www.embedded-bits.co.uk)
04:18 < macsppadic> hey hyper_ch that looks very cool
04:33 < reiffert> the slides..++
04:34 < hyper_ch> macsppadic: :)
04:34 < hyper_ch> reiffert: ?
04:35 < reiffert> http://www.slideshare.net/andrewmurraympc/elce-the
04:36 < reiffert> the last comment is nice
04:36 < reiffert> "Looks nice, but maybe you should optimize the touch screen speed instead, there is quite a delay when you press the screen.
04:36 < reiffert> A speed up there, makes a lot more sense than the booting time."
04:39 < hyper_ch> :)
04:40 -!- albech_ [~thomas@124.157.211.210] has joined #openvpn
04:44 -!- common- [~common@p5DDA484E.dip0.t-ipconnect.de] has joined #openvpn
04:45 -!- common [~common@p5DDA482E.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
04:45 -!- common- is now known as common
04:58 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
05:16 -!- ashes [~ashes@modemcable247.172-202-24.mc.videotron.ca] has joined #openvpn
05:16 < ashes> hi
05:17 < ashes> i haven't had good luck with redirect-gateway, so i used: route add default gw 10.17.103.1 dev tun0
05:17 < ashes> and now packets are using tun0 on both the client and server systems
05:18 < |Mike|> lol
05:18 < ashes> but the server isn't forwarding anything. it's really bizarre
05:19 < ashes> the vpn is over wlan0. the client can't ping the eth0 ip on the server, but i see the packets getting to tun0 on the server
05:19 < ashes> sorry if i'm like jumping in half way through a conversation with myself
05:19 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has joined #openvpn
05:19 < ashes> or something
05:20 < Manny> !socksd
05:20 < Manny> !routebyapp
05:20 <@vpnHelper> "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
05:21 < Manny> !sockd
05:21 <@vpnHelper> "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
05:21 < Manny> could anybody explain "www.ircpimps.org/sockd.conf" to me? What IPs do I have to insert in my local copy? tun0's? eth0's? Why are there two distinct IPs?
05:22 < Manny> to my understanding, this should be "external: tun0", and maybe "internal: 127.0.0.1 port = 1080"
05:24 <@vpnHelper> RSS Update - forum: Roadwarriors with Internet thru VPN; Branch offices w/o
05:29 < Manny> can anybody offer me an openvpn server for testing purposes? x)
05:30 < Manny> I'd just like to test whether my config files work OK
05:39 < ashes> when i get ping working, i'll let you know
05:53 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
05:57 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn
05:58 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds]
05:58 < ashes> ok
05:59 -!- Cain` is now known as Cain
05:59 < ashes> if i ping the other system's vpn ip (the ip on its tun device), should ifconfig -a show some byte traffic on the tun0 device?
06:00 -!- adawda is now known as sia^pwnnt
06:03 < ashes> getting the openvpn daemons to shake hands, and getting the two systems to ping each other, doesn't mean the traffic is encrypted. nothing is happening on my tun devices
06:11 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
06:13 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
06:19 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
06:20 < Manny> hrm I think I'll just use split tunneling, since I only need a certain IP / domain range. I'll just follow http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-February/002990.html
06:20 <@vpnHelper> Title: [vpnc-devel] Tutorial: client side split tunnel (at lists.unix-ag.uni-kl.de)
06:21 -!- krzie [~k@openvpn/community/support/krzee] has quit [Quit: Leaving]
06:25 < Manny> very nice...it seems to work like a charm
06:26 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has quit [Quit: Ex-Chat]
06:30 -!- s7r [~s7r@46.37.189.61] has joined #openvpn
06:48 -!- macsppadic is now known as Directorsppadic
06:59 -!- Coffe [~niszsse@sto.alatest.se] has joined #openvpn
07:01 < Coffe> Hi, i have 3 offices, that need to be able to connect, what is the recommended way of doing this. today wan1 connects to wan2 and wan3 and wan3 connects to wan2
07:01 < Coffe> they all have their own config.
07:01 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
07:06 < |Mike|> make 1 the server and the rest clients?
07:06 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Read error: Connection reset by peer]
07:08 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
07:09 < ecrist> it's what I would do.
07:16 -!- dollabill [~mike@199.44.8.98] has joined #openvpn
07:21 <@vpnHelper> RSS Update - forum: [n00b] No traffic on tun0 over LAN
07:30 -!- iceberg [~iceberg@cpe-24-166-7-47.indy.res.rr.com] has quit [Quit: iceberg]
07:50 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:03 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn
08:07 -!- luneff [~yury@84.51.195.188] has joined #openvpn
08:18 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
08:18 -!- albech_ [~thomas@124.157.211.210] has quit [Quit: Ex-Chat]
08:22 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn
08:23 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds]
08:23 -!- Cain` is now known as Cain
08:26 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
08:35 -!- corretiko [~corretico@190.241.62.50] has joined #openvpn
08:40 -!- WinstonSmith [~true@e178179130.adsl.alicedsl.de] has joined #openvpn
08:46 -!- Busch [b24d4e60@gateway/web/freenode/ip.178.77.78.96] has joined #openvpn
08:46 < Busch> !welcome
08:46 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:46 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has quit [Read error: Operation timed out]
08:47 < Busch> Is there a chance to use server, tun and ipv6? Is it a technical limitation?
08:51 < gladiatr> hrm...
08:51 < gladiatr> !ipv6
08:51 <@vpnHelper> "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch (adds some nice ipv6 options), or (#2) see !snapshots for a release with ipv6 patches in it, report how it works to help it get included in a stable release
09:01 <@dazo> Busch: or grab the latest openvpn-testing/allmerged snapshot
09:01 <@dazo> gah ... it says !snapshots
09:09 < ecrist> what?
09:10 < gladiatr> exactly
09:10 < ecrist> heh
09:14 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has joined #openvpn
09:14 < Manny> hello
09:17 < ecrist> hi
09:19 < gladiatr> greetings
09:34 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
09:37 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has joined #openvpn
09:40 -!- dmarkey [~dmarkey@188.141.16.113] has joined #openvpn
09:40 < dmarkey> if I want to add a route command after a specific client connects, how could i do it
09:41 < renihs> me hitting road but you want to google openvpn ccd
09:42 < renihs> "client-config-dir ccd" :)
09:42 <@vpnHelper> RSS Update - forum: irouted subments on client
09:42 < dmarkey> yea i have a ccd
09:42 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
09:42 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
09:42 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
09:45 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
09:46 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
09:47 <@vpnHelper> RSS Update - forum: IP address of client still visible
09:49 -!- p3rror [~mezgani@41.140.159.203] has joined #openvpn
09:50 -!- Directorsppadic [~sonupunno@88.211.55.77] has left #openvpn []
09:53 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
09:54 < katoen> when using preconfigured IPs using ccd, i noticed that when a 'non-ccd' host connects, it might get an IP from any of the preconfigured ones. How could i prevent this from happening?
09:55 -!- albech [~thomas@119.42.76.198] has joined #openvpn
09:56 < gladiatr> katoen, try using a proper 'server' directive in either the global scope or in ccd/DEFAULT that specifies an appropriate address range for non-specific clients
09:57 -!- Manny [~chris@p549660BB.dip.t-dialin.net] has quit [Quit: Ex-Chat]
09:57 < katoen> gladiatr: ah i see
09:58 < gladiatr> I haven't tested that sort of configuration, myself. You might need to monkey with it, but it sounds like you're experiencing overlap from a server directive's subnet definition and the static addresses assigned to your defined clients.
09:58 <@vpnHelper> RSS Update - forum: irouted subments on client
09:59 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
09:59 -!- WinstonSmith_ [~true@e177093238.adsl.alicedsl.de] has joined #openvpn
09:59 < katoen> gladiatr: i think so, too. I was looking for a way to separate between these types of clients
10:01 < gladiatr> You might also add some data to the ifconfig-pool-persist file to reflect the static address assignments, but I'm afraid your static clients might still get stomped on if you should ever start running low on unassigned addresses
10:02 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:03 -!- WinstonSmith [~true@e178179130.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
10:07 -!- WinstonSmith_ is now known as WinstonSmith
10:22 -!- WinstonSmith [~true@e177093238.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
10:23 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn
10:27 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Client Quit]
10:32 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
10:35 <@vpnHelper> RSS Update - forum: Tunnel low speed
10:41 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Ping timeout: 240 seconds]
10:41 <@vpnHelper> RSS Update - forum: [n00b] No traffic on tun0 over LAN
10:49 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has joined #openvpn
10:50 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Quit: Leaving]
10:51 -!- Coffe [~niszsse@sto.alatest.se] has quit [Quit: Leaving]
10:52 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
10:53 -!- X-Vo [Ezzie@5ED0FA69.cm-7-1d.dynamic.ziggo.nl] has quit []
10:56 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn
10:57 -!- albech [~thomas@119.42.76.198] has quit [Quit: Ex-Chat]
11:03 < grendal_prime> Im seeing a lot of these web based client scripts for connecting to openvpn..is there something in the ose for doing this?
11:03 < grendal_prime> like a cgi that calls openvpn locally type deal?
11:04 < grendal_prime> the paid access version has it and ive seen it on several of these anono browser type services.
11:06 < gladiatr> I am without clue on that subject
11:06 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn
11:12 < grendal_prime> ok..
11:13 < grendal_prime> soooo there is a few scripts out there that can be put on a web server on the actual openvpn server. They allow the client to click on a link that calls this cgi script. looks like it makes a request to a file on your local machine which then fires up openvpn client on your local machine.
11:14 < grendal_prime> you still have to config the local script..but that ..well its pretty easy to modify that i think
11:41 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
11:44 -!- Busch [b24d4e60@gateway/web/freenode/ip.178.77.78.96] has quit [Ping timeout: 265 seconds]
11:53 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Max SendQ exceeded]
11:55 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
12:00 < Dougy> i realize this is !notopenvpn.. but.. anyone with dd-wrt familiar with the openvpn init? i need to change it.. openvpn --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --daemon <-- i need to edit that.. so it doesnt load the .sh scripts..
12:00 < Dougy> where does one do that
12:04 < gladiatr> are you able to get a shell on your router?
12:05 < Dougy> yeah i'm ssh'd in
12:05 < Dougy> i'd grep -R the / but there is no -R
12:05 < gladiatr> do something like this: nvram show |grep -i openvpn
12:05 < gladiatr> Not sure, but I would imagine that's an nvram variable (somewhere)
12:06 < gladiatr> Not 100% sure on that, though
12:06 < Dougy> nothing about the scripts
12:06 < gladiatr> anything at all about openvpn?
12:06 < Dougy> plenty
12:06 < Dougy> nothing to do with init scripts, just the certs and config
12:06 < Dougy> while im here
12:06 < Dougy> !tap
12:06 <@vpnHelper> "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where the
12:06 <@vpnHelper> protocol uses MAC addresses instead of IP addresses.
12:06 < Dougy> nope not useful
12:07 <@dazo> Dougy: just a heads-up as you say you're using dd-wrt ... http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/
12:07 <@vpnHelper> Title: /dev/ttyS0 » Blog Archive » Breaking SSL on Embedded Devices (at www.devttys0.com)
12:07 < Dougy> just need to figure out one more route as well.. so that the server can ping my home lan of 192.168.1.0/24
12:07 <@dazo> (the dd-wrt team have by the way not acknowledged this as a real problem)
12:08 < Dougy> ok, dazo, krzie tried to point me to the right pages, but i'm retarded
12:08 < Dougy> lets say i have my home router (LAN 192.168.1.0/24) connected to the server..
the router is .6 and the vpn is .1 12:08 < Dougy> what route(s) do i need to add to be able to make the vpn server ping 192.168.1.112 12:09 <@dazo> Dougy: my link was not related to your openvpn stuff ... just something you should beware of, related to the overall security on your box 12:09 < Dougy> yeeah 12:09 < Dougy> actually hold on i got an idea 12:10 <@dazo> it's a long while since I used dd-wrt ... but openvpn there uses some way of nvram to store configs, certs/keys and bootscripts 12:10 < gladiatr> sounds like perhaps you need... 12:10 < gladiatr> !iroute 12:10 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 12:10 < Dougy> nevermind 12:10 < Dougy> i had it set up right 12:10 < Dougy> i just could ssh to my router from the host node 12:10 < Dougy> vpn srver, rather 12:10 < Dougy> but ig uess now i need to figure out why icmp to nothing works 12:11 < Dougy> can ping clients -> server but not server -> clients 12:11 < Dougy> can ssh and rdp 12:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds] 12:13 < gladiatr> !snapshots 12:13 <@vpnHelper> "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch 12:16 -!- dazo is now known as dazo_afk 12:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 12:33 -!- dollabill [~mike@199.44.8.98] has quit [] 12:47 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving] 12:49 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection] 13:01 < 
gladiatr> Installing openvpn from source is so anticlimactic. It isn't like installing bash or emacs or some other bloated, gnu package where you really feel like you've just trashed your filesystem if you slip up and forget to specify an alternate install prefix--with openvpn you get a binary and a man page. C'mon dev team... that's like getting socks for christmas. Step it up, will ya? 13:03 -!- p3rror [~mezgani@41.140.159.203] has quit [Ping timeout: 246 seconds] 13:32 < cpm> indeed 13:49 -!- virusuy [~luciano@r200-40-173-202.ae-static.anteldata.net.uy] has joined #openvpn 13:57 -!- befago [~befago@87-206-51-38.dynamic.chello.pl] has joined #openvpn 14:00 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn 14:16 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm] 14:36 < reiffert> !revoke 14:36 < reiffert> !factoids search revoke 14:36 <@vpnHelper> No keys matched that query. 14:36 < reiffert> !factoids search --values revoke 14:36 <@vpnHelper> "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that 14:36 <@vpnHelper> will create the CRL file for you. 
ssl-admin will also build a crl for you 14:36 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-ltqmlliavogkigsn] has left #openvpn [] 14:37 -!- befago [~befago@87-206-51-38.dynamic.chello.pl] has quit [Quit: Wychodzi] 14:40 <@vpnHelper> RSS Update - forum: IP address of client still visible 14:41 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Quit: iceberg] 14:42 -!- corretiko is now known as coyotiko_ 14:42 -!- coyotiko_ is now known as corretiko_ 14:43 -!- corretiko_ is now known as corretiko__ 14:43 -!- corretiko__ [~corretico@190.241.62.50] has quit [Quit: Leaving] 14:44 -!- corretiko [~corretico@190.241.62.50] has joined #openvpn 14:44 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn 14:46 <@vpnHelper> RSS Update - forum: IP address of client still visible 15:01 -!- p3rror [~mezgani@41.248.190.46] has joined #openvpn 15:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 250 seconds] 15:15 <@vpnHelper> RSS Update - forum: How to make air.zip n cer/key files?? 15:22 -!- dmarkey [~dmarkey@188.141.16.113] has quit [Read error: Connection reset by peer] 15:26 -!- dschuett [~dschuett@216.229.21.250] has left #openvpn [] 15:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 15:34 < ashes> the redirect-gateway option uses route with wlan0, instead of tun0, and IP traffic bypasses openvpn unencrypted. is this a bug? when i manually run the route command to use tun0, i use tcpdump and see traffic going out wlan0 on the openvpn port, and i see it arriving on the server through the tun0 device, but the server doesn't seem to route it... an otherwise functioning NAT doesn't route this traffic (iptables is passing and forwar 15:34 < ashes> i even see the ping attempts go out the external device of the server. it looks like the server doesn't know how to route the replies back 15:35 < gladiatr> what option are you using with the redirect-gateway directive? 
15:38 < ashes> route gateway 10.17.103.1
15:38 < ashes> i don't think i used an option with redirect-gateway
15:39 < ashes> but i probably tried using def1
15:41 < gladiatr> !pastebin
15:41 < gladiatr> !paste
15:42 < gladiatr> dammit.
15:42 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
15:42 <@vpnHelper> Unable to download feed.
15:42 < gladiatr> Let's see the log file from your client connection
15:42 < gladiatr> as well as the output of netstat -rn (after the connection)
15:42 * gladiatr turns vpnHelper's crank a few more times
15:43 -!- qermit [~qermit@unaffiliated/pantofel] has joined #openvpn
15:44 < qermit> !pptp
15:44 <@vpnHelper> "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read about
15:44 <@vpnHelper> why to not use pptp
15:44 <@vpnHelper> RSS Update - forum: How to make air.zip n cer/key files??
15:44 -!- qermit [~qermit@unaffiliated/pantofel] has left #openvpn ["No Route To host, probably drunken"]
15:47 -!- grishnav [~grishnav@209.160.52.134] has quit [Ping timeout: 240 seconds]
15:50 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Quit: Leaving]
15:50 <@vpnHelper> RSS Update - forum: Management localhost 7505 || Roadwarriors with Internet thru VPN; Branch offices w/o
15:52 -!- corretiko [~corretico@190.241.62.50] has quit [Ping timeout: 260 seconds]
15:53 < ashes> http://pastebin.com/909FRvNs
15:54 < ashes> http://pastebin.com/YTHsQ555
16:01 -!- iceberg [~iceberg@cpe-24-166-7-47.indy.res.rr.com] has joined #openvpn
16:02 -!- grishnav [~grishnav@209.160.52.134] has joined #openvpn
16:06 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 276 seconds]
16:15 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
16:18 -!- virusuy [~luciano@r200-40-173-202.ae-static.anteldata.net.uy] has quit [Ping timeout: 240 seconds]
16:21 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
16:34 < reiffert> I've got an openvpn issue
16:34 < reiffert> Jan 14 23:48:10 datenserver openvpn[11557]: daemon() failed: No such device (errno=19)
16:35 < reiffert> wtf?
16:35 -!- teddz [~teddz@dtmd-4d0bc9f5.pool.mediaWays.net] has joined #openvpn
16:35 < reiffert> it worked before I ran service restart
16:35 < reiffert> anyone?
16:44 < reiffert> solution: /dev/null was a file, not a special char device.
16:46 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Ping timeout: 240 seconds]
16:47 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
16:48 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
16:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
17:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
17:37 -!- olivier__ [~olivier@86.67.97.202] has joined #openvpn
17:37 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
17:38 < olivier__> Hi There
17:42 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:48 -!- WinstonSmith [~true@e177093238.adsl.alicedsl.de] has joined #openvpn
17:56 < olivier__> I do not use openvpn but I do have troubles with a dlink firewall as a vpn server. I don't know where to ask for help. The problem is I can connect from home, I am given an IP address from the remote lan, can ping the remote IP addresses, but I cant see the smb hosts nor access the web services, name resolving isnt working. I guess there's something wrong with the ip filtering rules but I don't have a clue :s
18:08 < s7r> anybody knows, if I connect on firefox via a socks 5 server, will that traffic (through the socks server) be encrypted?
18:08 < s7r> socks v5 provide encryption?
18:22 < olivier__> Does some one know another channel where I could find help for my VPN problem ? Network related chan ?
18:22 < reiffert> I'd call the dlink support.
18:24 < olivier__> reiffert: Already done, already followed all their steps, had my configuration checked by their level 2 hotline, and it was ok for them... :s
18:25 < reiffert> so why still looking at that dlink box?
18:30 < Dougy> does openvpn drop icmp? i dont get it
18:30 < olivier__> reiffert: because whatever client or outside connection I use for the test, it's the same problem. I'm sure there's still something wrong in the dlink settings. After all, their howto didn't mention that the IP rules ordering in their web gui was important. I had that fixed, but it's still not ok.
18:30 < Dougy> i have it setup.. properly.. can ping 10.5.5.6 (router's (client) ip) and 10.5.5.1.. and stuff
18:30 < Dougy> and then from the server i can ssh to 192.168.1.1 (router's LAN IP) and rdp to .112 (my pc)
18:30 < Dougy> but no imcp
18:30 < Dougy> icmp
18:32 -!- WinstonSmith [~true@e177093238.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
18:32 <@vpnHelper> RSS Update - forum: Management localhost 7505
18:39 < reiffert> olivier__: want me to test from here?
18:40 < olivier__> reiffert: sure I'd like to ! let me add a login for you
18:40 < reiffert> olivier__: what kind of vpn is it? ipsec, pptp, xx?
18:40 -!- holistah [~ryan@108-66-219-113.uvs.irvnca.sbcglobal.net] has joined #openvpn
18:41 < olivier__> reiffert: pptp
18:41 < reiffert> great, my OS X can handle it.
18:42 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 255 seconds]
18:45 < olivier__> reiffert: I pm you the credentials ok ?
18:45 < reiffert> k
18:49 < holistah> I currently have a westcoast subnet 10.136, an eastcoast subnet 10.168, permanent VPN tunnel between the 2, and roaming VPNs on subnet 10.169 via the 10.168 router... if I added roaming VPNs to the 10.136 router as subnet 10.137, would someone be able to simultaneously connect to both east and west roaming VPNs, and then have packets take a direct route to their respective subnets instead of travelling over the permalink? I shouldn'
19:07 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Operation timed out]
19:07 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
19:08 < reiffert> for anyone interested in dlink routers: the dlink router doesnt provide a nameserver which is why the stuff fails.
19:08 < reiffert> as of now. but we are digging deeper
19:29 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
19:41 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
19:42 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
19:44 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
19:45 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
19:46 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Client Quit]
20:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
20:10 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Read error: Operation timed out]
20:11 -!- olivier__ [~olivier@86.67.97.202] has quit [Quit: Ex-Chat]
20:21 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
20:23 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
20:29 < ashes> my openvpn client never configures itself to use tun0 with routing. it uses wlan0 directly, and bypasses openvpn
20:45 <@vpnHelper> RSS Update - forum: Internet Connection Sharing with openvpn
21:01 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 276 seconds]
21:03 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
21:09 -!- s7r [~s7r@46.37.189.61] has left #openvpn []
21:12 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
21:14 -!- corretico [~corretico@201.201.44.82] has quit [Read error: Connection reset by peer]
21:21 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
21:23 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
21:27 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
21:38 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
21:38 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 272 seconds]
21:43 <@vpnHelper> RSS Update - forum: Internet Connection Sharing with openvpn
21:59 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
22:00 -!- teddz_ [~teddz@dtmd-4db2e337.pool.mediaWays.net] has joined #openvpn
22:04 -!- teddz [~teddz@dtmd-4d0bc9f5.pool.mediaWays.net] has quit [Ping timeout: 240 seconds]
22:20 < Bushmills> !winroute
22:20 <@vpnHelper> "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote access in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
22:20 < Bushmills> ashes: ^^^
23:03 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
23:11 < ashes> i was using the same ip for tun0 and wlan0
--- Day changed Sat Jan 15 2011
00:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
00:59 -!- teddz_ [~teddz@dtmd-4db2e337.pool.mediaWays.net] has quit [Ping timeout: 240 seconds]
01:07 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
01:07 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
01:07 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
01:11 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has quit [Quit: Leaving.]
01:24 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
01:36 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn
01:41 -!- djgerm1 [~Your_Moms@64-60-122-187.static-ip.telepacific.net] has joined #openvpn
01:43 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Ping timeout: 240 seconds]
01:45 -!- djgerm1 [~Your_Moms@64-60-122-187.static-ip.telepacific.net] has quit [Ping timeout: 260 seconds]
02:02 <@vpnHelper> RSS Update - forum: How to make air.zip n cer/key files??
02:12 -!- djgerm [~Your_Moms@adsl-75-24-88-30.dsl.pltn13.sbcglobal.net] has joined #openvpn
02:12 -!- albech [~thomas@119.42.77.66] has joined #openvpn
02:31 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:41 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has quit [Remote host closed the connection]
03:45 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has joined #openvpn
03:48 -!- master_of_master [~master_of@p57B55C08.dip.t-dialin.net] has quit [Read error: Operation timed out]
03:51 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
03:52 -!- master_of_master [~master_of@p57B55533.dip.t-dialin.net] has joined #openvpn
04:03 -!- venom00 [~wer@unaffiliated/venom00] has joined #openvpn
04:05 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 260 seconds]
04:16 -!- venom00 [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
04:20 <@vpnHelper> RSS Update - forum: Layer 2 Problem (Layer 3 works)
04:24 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
04:26 <@vpnHelper> RSS Update - forum: Layer 2 Problem (Layer 3 works)
04:39 -!- WinstonSmith [~true@g225027196.adsl.alicedsl.de] has joined #openvpn
04:42 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
04:43 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
04:44 -!- common- [~common@p5DDA4378.dip0.t-ipconnect.de] has joined #openvpn
04:44 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig.
04:45 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
04:45 -!- common [~common@p5DDA484E.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
04:45 -!- common- is now known as common
04:51 <@vpnHelper> RSS Update - forum: Temporary disable client access
04:58 -!- venom00ut [~vsG@unaffiliated/venom00] has joined #openvpn
05:12 -!- Malard|Home [~ident@xbmc/staff/malard] has joined #openvpn
05:15 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 246 seconds]
05:15 -!- Malard [~ident@hebe.travelrepublic.co.uk] has joined #openvpn
05:15 -!- Malard [~ident@hebe.travelrepublic.co.uk] has quit [Changing host]
05:15 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn
05:17 -!- venom00 [~vsG@unaffiliated/venom00] has joined #openvpn
05:18 -!- Malard|Home [~ident@xbmc/staff/malard] has quit [Ping timeout: 264 seconds]
05:19 -!- venom00ut [~vsG@unaffiliated/venom00] has quit [Ping timeout: 264 seconds]
05:20 -!- venom00ut [~vsG@unaffiliated/venom00] has joined #openvpn
05:21 -!- krzie [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
05:22 -!- venom00 [~vsG@unaffiliated/venom00] has quit [Ping timeout: 265 seconds]
05:48 -!- elHannios [~Hannos@82.113.121.196] has joined #openvpn
05:50 < elHannios> Howdy! Is the --mktun parameter creating tap or tun devices? In the ethernet bridging howto it creates a tap device, which is a whole different to a tun link device, imho?!
05:54 < elHannios> Or is the operation dependent on the argument of the --mktun parameter?
05:56 < elHannios> !welcome
05:56 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:57 < elHannios> !goal
05:57 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:57 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn
05:57 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
05:58 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 240 seconds]
05:59 -!- Cain` is now known as Cain
06:10 < elHannios> Hmm, I really can't find an answer. Can someone explain?
06:28 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
06:47 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn
06:53 -!- tntcoda [58612e73@gateway/web/freenode/ip.88.97.46.115] has joined #openvpn
06:53 -!- Azoff [foobar@c83-252-248-115.bredband.comhem.se] has quit [Read error: Connection reset by peer]
06:53 -!- Azoff [foobar@c83-252-248-115.bredband.comhem.se] has joined #openvpn
06:59 < tntcoda> Hi, I've set up openvpn using a tap interface, and connected a client to it. This set up a client tap device running on 192.168.1.80. But im not sure how do I actually connect to hosts on the other network over the vpn? i.e 192.168.1.40 on the second network, I assumed when i ping that it would be auto routed through the tap, but it's not. Anyone point me in the right direction? The route is defined to route 192.168.1.0 to the tap in
07:43 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds]
07:46 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn
07:53 <@vpnHelper> RSS Update - forum: Machine behind client cannot access service on vpn server
07:58 -!- teddz_ [~teddz@dtmd-4db2e337.pool.mediaWays.net] has joined #openvpn
08:06 -!- elHannios [~Hannos@82.113.121.196] has quit [Ping timeout: 240 seconds]
08:07 < Bushmills> !tunortap
08:07 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
08:07 <@vpnHelper> over the vpn, or (#4) lan gaming? use tap!
08:07 -!- elHannios [~Hannos@82.113.121.201] has joined #openvpn
08:07 < Bushmills> !route
08:07 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:07 < Bushmills> !redirect
08:07 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:08 < Bushmills> tntcoda: ^^^
08:16 < tntcoda> ok thanks Bushmills, i think it might be because both my lans are 192.168.1.x
08:20 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
08:28 -!- raidzx [~Andrew@seance.openvpn.org] has joined #openvpn
08:29 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
08:32 -!- raidzxx [~Andrew@seance.openvpn.org] has quit [Ping timeout: 240 seconds]
08:32 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
08:40 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
08:40 -!- venom00ut [~vsG@unaffiliated/venom00] has quit [Ping timeout: 260 seconds]
08:41 -!- gisikon [~ol@2a01:198:6f7::dead:beef:0] has joined #openvpn
08:41 < gisikon> hi
08:41 < gisikon> any docs regarding plugin development?
08:46 -!- Azoff [foobar@c83-252-248-115.bredband.comhem.se] has quit [Ping timeout: 260 seconds]
08:47 -!- Azoff [foobar@c83-252-248-115.bredband.comhem.se] has joined #openvpn
08:50 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
08:53 -!- Azoff [foobar@c83-252-248-115.bredband.comhem.se] has quit [Ping timeout: 260 seconds]
08:54 -!- tntcoda [58612e73@gateway/web/freenode/ip.88.97.46.115] has quit [Quit: Page closed]
08:54 -!- WinstonSmith [~true@g225027196.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
08:54 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
08:58 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
08:59 -!- Azoff [foobar@c83-252-248-115.bredband.comhem.se] has joined #openvpn
09:06 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
09:10 -!- venom00ut [~vsG@unaffiliated/venom00] has joined #openvpn
09:12 -!- venom00 [~vsG@unaffiliated/venom00] has joined #openvpn
09:14 -!- elHannios [~Hannos@82.113.121.201] has left #openvpn ["Verlassend"]
09:15 -!- venom00ut [~vsG@unaffiliated/venom00] has quit [Ping timeout: 255 seconds]
09:17 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
09:26 -!- WinstonSmith [~true@g225027196.adsl.alicedsl.de] has joined #openvpn
09:32 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
09:43 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
09:53 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
10:04 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
10:13 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
10:18 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
10:18 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
10:18 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
10:19 -!- albech [~thomas@119.42.77.66] has quit [Quit: Ex-Chat]
10:19 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Remote host closed the connection]
10:23 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
10:27 < gisikon> any way to figure out how much computing power i need for $speed_throughput?
10:29 -!- takamichi [~pri@85.232.213.54] has quit [Ping timeout: 260 seconds]
10:31 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
10:40 -!- p3rror [~mezgani@41.248.190.46] has quit [Ping timeout: 276 seconds]
10:42 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
10:46 -!- teddz_ [~teddz@dtmd-4db2e337.pool.mediaWays.net] has quit [Ping timeout: 240 seconds]
10:51 -!- WinstonSmith [~true@g225027196.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
10:51 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
10:52 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
10:56 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
10:56 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
10:56 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
11:18 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
11:28 -!- WinstonSmith [~true@g225027196.adsl.alicedsl.de] has joined #openvpn
11:28 -!- djgerm [~Your_Moms@adsl-75-24-88-30.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving.]
11:31 -!- gisikon [~ol@2a01:198:6f7::dead:beef:0] has quit [Read error: Connection reset by peer]
11:32 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has quit [Read error: Operation timed out]
11:41 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has joined #openvpn
11:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds]
11:44 -!- p3rror [~mezgani@41.140.183.104] has joined #openvpn
11:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:14 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has quit [Ping timeout: 272 seconds]
12:20 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
12:21 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has joined #openvpn
12:22 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
12:23 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
12:32 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- \o/]
12:55 -!- michl [~mich@2001:6f8:1c60:7777:21a:4dff:fe66:600c] has joined #openvpn
12:59 -!- gregd [~gregd@cpc3-sgyl29-2-0-cust457.sgyl.cable.virginmedia.com] has joined #openvpn
12:59 -!- michl [~mich@2001:6f8:1c60:7777:21a:4dff:fe66:600c] has quit [Client Quit]
13:00 < gregd> guys, is it possible to configure openvpn server so it does allocate addresses to the clients from its network's dhcp server?
13:11 -!- venom00 [~vsG@unaffiliated/venom00] has quit [Ping timeout: 250 seconds]
13:12 -!- venom00 [~asdfds@unaffiliated/venom00] has joined #openvpn
13:13 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
13:19 -!- gregd [~gregd@cpc3-sgyl29-2-0-cust457.sgyl.cable.virginmedia.com] has quit [Quit: gregd]
13:21 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
13:22 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn 13:25 -!- jambooda1 [~cog@pool-98-109-218-165.nwrknj.fios.verizon.net] has joined #openvpn 13:26 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Ping timeout: 240 seconds] 13:28 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn 13:29 -!- jambooda1 [~cog@pool-98-109-218-165.nwrknj.fios.verizon.net] has quit [Ping timeout: 240 seconds] 13:33 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Client Quit] 13:37 -!- jfkw [~jtk@12.193.26.194] has joined #openvpn 13:51 -!- gregd [~gregd@cpc3-sgyl29-2-0-cust457.sgyl.cable.virginmedia.com] has joined #openvpn 13:56 -!- lmns972 [~lmns972@cac94-8-82-245-26-103.fbx.proxad.net] has joined #openvpn 13:57 < lmns972> !welcome 13:57 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 13:58 < lmns972> !topology 13:58 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc 13:59 -!- iceberg_ [~iceberg@cpe-24-166-7-47.indy.res.rr.com] has joined #openvpn 13:59 -!- iceberg [~iceberg@cpe-24-166-7-47.indy.res.rr.com] has quit [Read error: Connection reset by peer] 13:59 -!- iceberg_ is now known as iceberg 14:02 < lmns972> !sample 14:02 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see 
!man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting 14:16 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn 14:19 -!- iceberg_ [~iceberg@cpe-24-166-7-47.indy.res.rr.com] has joined #openvpn 14:19 -!- iceberg [~iceberg@cpe-24-166-7-47.indy.res.rr.com] has quit [Read error: Connection reset by peer] 14:19 -!- iceberg_ is now known as iceberg 14:36 <@vpnHelper> RSS Update - forum: Client config works on one machine but not another 14:39 -!- common- [~common@p5DDA4378.dip0.t-ipconnect.de] has joined #openvpn 14:39 -!- corretico_ [~corretico@201.201.44.82] has joined #openvpn 14:40 -!- grishnav_ [~grishnav@209.160.52.134] has joined #openvpn 14:41 -!- mezgani_ [~mezgani@41.140.183.104] has joined #openvpn 14:42 -!- Some-body_ [~Vetinari@delta.cluenet.org] has joined #openvpn 14:42 -!- batrick_ [~batrick@nmap/developer/batrick] has joined #openvpn 14:43 -!- juhovh_ [~jvahaher@kekkonen.cs.hut.fi] has joined #openvpn 14:44 -!- irssi____ [~irssi@devastation.securewebs.net] has joined #openvpn 14:47 -!- Netsplit *.net <-> *.split quits: p3rror, dictvm, iceberg, juhovh, corretico, common, DarthGandalf, grishnav, gregd, oc80z, (+1 more, use /NETSPLIT to show all of them) 14:48 -!- common- is now known as common 14:48 -!- mezgani_ [~mezgani@41.140.183.104] has quit [Ping timeout: 276 seconds] 14:51 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds] 14:52 -!- Some-body_ is now known as DarthGandalf 14:52 -!- DarthGandalf [~Vetinari@delta.cluenet.org] has quit [Changing host] 14:52 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined #openvpn 14:57 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn 14:58 -!- Netsplit over, joins: oc80z 14:58 -!- Cain` is now known as Cain 14:59 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection] 15:01 -!- corretico_ [~corretico@201.201.44.82] has quit [Quit: Leaving] 15:02 -!- 
corretico [~corretico@201.201.44.82] has joined #openvpn 15:04 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Disconnected by services] 15:06 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn 15:06 -!- mode/#openvpn [+o vpnHelper] by ChanServ 15:06 -!- caesay_ [~caesay@173.236.15.70] has joined #openvpn 15:07 -!- caesay [~caesay@unvanquished/associate/sniperx] has quit [Ping timeout: 264 seconds] 15:09 -!- corretiko [~corretico@201.201.44.82] has joined #openvpn 15:15 -!- grishnav_ [~grishnav@209.160.52.134] has quit [Quit: leaving] 15:15 -!- grishnav [~grishnav@209.160.52.134] has joined #openvpn 15:18 -!- p3rror [~mezgani@41.140.156.95] has joined #openvpn 15:21 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 260 seconds] 15:22 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn 15:22 -!- mode/#openvpn [+o mattock] by ChanServ 15:27 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Read error: Connection reset by peer] 15:30 -!- p3rror [~mezgani@41.140.156.95] has quit [Ping timeout: 240 seconds] 15:34 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined #openvpn 15:37 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 15:41 -!- p3rror [~mezgani@41.140.38.249] has joined #openvpn 15:50 -!- lmns972 [~lmns972@cac94-8-82-245-26-103.fbx.proxad.net] has quit [Quit: Bye bye] 16:06 -!- WinstonSmith [~true@g225027196.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 16:17 -!- takamichi [~pri@85.232.213.54] has joined #openvpn 16:19 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving] 16:27 -!- siralex [~siralex@87-194-183-38.bethere.co.uk] has joined #openvpn 16:28 < siralex> Hi - How do I set up my openvpn server to allow access to 10.98.76.101 to my clients? 
16:28 < siralex> I'm pushing a route 10.98.76.101 255.255.255.255 but no matter what I add or change I can't oing 10.98.76.101 from my laptop, but I can ping the gateway 10.98.76.66 16:30 < siralex> push "route 10.98.76.101 255.255.255.255" 16:30 -!- WinstonSmith [~true@g225027196.adsl.alicedsl.de] has joined #openvpn 16:30 < siralex> Or is there a way of allowing access to 192.168.1.101 over the vpn, though the clients network is 192.168.1.* also 16:32 -!- siralex [~siralex@87-194-183-38.bethere.co.uk] has quit [Client Quit] 16:32 -!- siralex [~siralex@87-194-183-38.bethere.co.uk] has joined #openvpn 16:33 -!- dmarkey [~dmarkey@188.141.16.113] has joined #openvpn 16:33 < dmarkey> does openvpn support a class A range being an iroute? 16:34 < dmarkey> i.e. 10.0.0.0 255.0.0.0 16:39 -!- siralex [~siralex@87-194-183-38.bethere.co.uk] has quit [Quit: Lost terminal] 17:15 -!- djgerm [~Your_Moms@c-67-169-142-196.hsd1.ca.comcast.net] has joined #openvpn 17:32 -!- WinstonSmith [~true@g225027196.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 17:44 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has joined #openvpn 18:03 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 240 seconds] 18:12 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 18:12 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has joined #openvpn 19:10 -!- p3rror [~mezgani@41.140.38.249] has quit [Ping timeout: 240 seconds] 19:20 < reiffert> moin 19:22 -!- p3rror [~mezgani@41.140.41.130] has joined #openvpn 19:57 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has quit [Quit: Ex-Chat] 19:58 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has joined #openvpn 20:01 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has quit [Client Quit] 20:02 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat] 20:03 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has joined #openvpn 20:30 < ecrist> moin 20:30 < 
reiffert> moin ecrist 20:30 < ecrist> dmarkey: in routed, no 20:30 < reiffert> wssup? 20:31 < ecrist> in bridged, openvpn knows nothing of IP classes 20:31 < ecrist> nm. sick, so wife hasn't let me do any of the things that I needed to do today 20:32 < reiffert> tell her that it is very importand to do, maybe then she is feeling good when she keeps you from doing things :) 20:33 < ecrist> heh 20:44 -!- p3rror [~mezgani@41.140.41.130] has quit [Ping timeout: 240 seconds] 20:56 -!- p3rror [~mezgani@41.140.44.147] has joined #openvpn 21:10 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has quit [Quit: Ex-Chat] 21:11 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has joined #openvpn 21:23 -!- mezgani_ [~mezgani@41.140.25.117] has joined #openvpn 21:25 -!- p3rror [~mezgani@41.140.44.147] has quit [Ping timeout: 240 seconds] 21:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn 21:31 -!- mezgani__ [~mezgani@41.140.38.150] has joined #openvpn 21:33 -!- mezgani_ [~mezgani@41.140.25.117] has quit [Ping timeout: 240 seconds] 21:33 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has quit [Quit: Ex-Chat] 21:35 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has joined #openvpn 21:37 -!- venom00 [~asdfds@unaffiliated/venom00] has quit [Ping timeout: 272 seconds] 21:38 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 21:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection] 22:01 -!- teddz_ [~teddz@dtmd-4db2aea2.pool.mediaWays.net] has joined #openvpn 22:42 -!- teddz_ [~teddz@dtmd-4db2aea2.pool.mediaWays.net] has quit [Read error: Connection reset by peer] 22:42 -!- teddz_ [~teddz@dtmd-4db2aea2.pool.mediaWays.net] has joined #openvpn 23:48 -!- teddz_ [~teddz@dtmd-4db2aea2.pool.mediaWays.net] has quit [Ping timeout: 240 seconds] 23:50 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 246 seconds] --- Day changed Sun Jan 16 2011 00:08 -!- djgerm 
[~Your_Moms@c-67-169-142-196.hsd1.ca.comcast.net] has quit [Quit: Leaving.] 00:15 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined #openvpn 00:16 -!- n0de_ [~n0de@2001:41d0:1:7151::1] has joined #openvpn 00:17 -!- n0de_ [~n0de@2001:41d0:1:7151::1] has quit [Client Quit] 00:19 -!- d3cyfer [~d3cyfer@static.238.229.4.46.clients.your-server.de] has joined #openvpn 00:22 -!- d3cyfer [~d3cyfer@static.238.229.4.46.clients.your-server.de] has quit [Client Quit] 00:24 -!- d3cyfer [~d3cyfer@static.238.229.4.46.clients.your-server.de] has joined #openvpn 00:31 -!- d3cyfer [~d3cyfer@static.238.229.4.46.clients.your-server.de] has quit [Quit: d3cyfer] 00:33 -!- d3cyfer [~d3cyfer@static.238.229.4.46.clients.your-server.de] has joined #openvpn 00:36 -!- flopsplat [634679f2@gateway/web/freenode/ip.99.70.121.242] has joined #openvpn 00:37 -!- d3cyfer [~d3cyfer@static.238.229.4.46.clients.your-server.de] has left #openvpn [] 00:37 < flopsplat> is this the place for tunnelblick help? 
00:54 -!- d3cyfer [~d3cyfer@static.238.229.4.46.clients.your-server.de] has joined #openvpn 00:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn 00:58 -!- jfkw [~jtk@12.193.26.194] has quit [Quit: leaving] 00:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection] 01:01 -!- flopsplat [634679f2@gateway/web/freenode/ip.99.70.121.242] has quit [Ping timeout: 265 seconds] 01:50 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn 02:01 -!- d3cyfer [~d3cyfer@static.238.229.4.46.clients.your-server.de] has quit [Ping timeout: 240 seconds] 02:15 -!- andrey___ [~chatzilla@95.73.216.247] has joined #openvpn 02:16 -!- andrey___ [~chatzilla@95.73.216.247] has quit [Client Quit] 02:34 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn 03:04 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 03:51 -!- master_of_master [~master_of@p57B55533.dip.t-dialin.net] has quit [Ping timeout: 276 seconds] 03:53 -!- master_of_master [~master_of@p57B53308.dip.t-dialin.net] has joined #openvpn 04:00 <@vpnHelper> RSS Update - forum: Route: Waiting for TUN/TAP interface to come up... 
04:36 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn 04:41 < hyper_ch> ecrist: howdy 04:45 -!- common- [~common@p5DDA4BF7.dip0.t-ipconnect.de] has joined #openvpn 04:47 -!- common [~common@p5DDA4378.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds] 04:47 -!- common- is now known as common 04:59 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 05:00 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has joined #openvpn 05:42 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving] 05:58 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn 05:59 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds] 05:59 -!- Cain` is now known as Cain 06:11 <@vpnHelper> RSS Update - forum: Server certificate expired. how to renew? 06:11 -!- Huza [~kvirc@gw-agrowest-liga-stud-ar119.dnttm.ro] has joined #openvpn 06:52 < Huza> Hello to all. 06:53 < Huza> I am trying to build a tunnel in order to configure a 2nd site to have ipv6. I found one tutorial over the web, but in here I see there are some openvpn specific variables like: ifconfig_pool_remote_ip 06:53 < Huza> But when I do a $ifconfig_pool_remote_ip on my machine, this variable is empty. 
06:59 < Huza> ^ echo $ifconfig_pool_remote_ip 07:16 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has quit [Quit: Ex-Chat] 07:17 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has joined #openvpn 07:17 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn 07:17 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has quit [Remote host closed the connection] 07:19 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has joined #openvpn 07:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds] 07:45 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has joined #openvpn 07:45 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has quit [Changing host] 07:45 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn 07:54 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has quit [Ping timeout: 260 seconds] 07:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 08:00 < ecrist> sup d00dz? 08:01 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has joined #openvpn 08:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection] 08:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 08:13 < Bushmills> Huza: did you just type that in, interactively 08:13 < Huza> Yes. 08:13 < Bushmills> use it in an event script 08:14 < Huza> Hmm... so the variable is set by an event? I already have 1 client connected. 08:14 < Huza> And I can not get it's IP address using that method. 08:14 < Bushmills> --up or --client-connect are places to hook such a script in 08:14 -!- teddz_ [~teddz@dtmd-4db2aea2.pool.mediaWays.net] has joined #openvpn 08:15 < Huza> Thank you... I was lost, could not understand why I can not get any value for those variables. 08:43 -!- exa [~exa@x.factor.cc] has joined #openvpn 08:46 -!- s7r [~s7r@41.221.41.90] has joined #openvpn 09:00 -!- Huza [~kvirc@gw-agrowest-liga-stud-ar119.dnttm.ro] has quit [Quit: Bye bye!] 
09:16 -!- WinstonSmith_ [~true@e177088174.adsl.alicedsl.de] has joined #openvpn 09:16 -!- WinstonSmith_ [~true@e177088174.adsl.alicedsl.de] has quit [Remote host closed the connection] 09:23 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn 09:23 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host] 09:23 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 09:27 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Client Quit] 09:32 -!- albech [~thomas@119.42.78.39] has joined #openvpn 09:34 -!- lmns972 [~lmns972@cac94-8-82-245-26-103.fbx.proxad.net] has joined #openvpn 09:34 -!- teddz_ [~teddz@dtmd-4db2aea2.pool.mediaWays.net] has quit [Quit: Ex-Chat] 09:34 < lmns972> !welcome 09:34 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 09:34 < lmns972> !wiki 09:34 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN, or (#2) Official wiki is at https://community.openvpn.net/openvpn/wiki 09:35 < lmns972> !sample 09:35 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting 09:49 -!- mezgani__ [~mezgani@41.140.38.150] has quit [Read error: Connection reset by peer] 09:54 -!- DelphiWorld [~VoIpGuy@41.200.12.192] has joined #openvpn 09:55 < DelphiWorld> vpnHelper: help 09:55 <@vpnHelper> (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 09:55 < DelphiWorld> vpnHelper: openvpn 09:55 < DelphiWorld> can someone help me set up my openvpn server please! 10:04 < ecrist> !howto 10:04 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:04 -!- mezgani__ [~mezgani@41.140.169.222] has joined #openvpn 10:04 < ecrist> see /topic 10:06 -!- WinstonSmith_ [~true@e177088174.adsl.alicedsl.de] has joined #openvpn 10:06 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn 10:09 -!- WinstonSmith_ [~true@e177088174.adsl.alicedsl.de] has quit [Remote host closed the connection] 10:18 -!- albech [~thomas@119.42.78.39] has quit [Quit: Ex-Chat] 10:24 < DelphiWorld> hey ecrist 10:27 < DelphiWorld> !help 10:27 <@vpnHelper> (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 
10:30 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn 10:30 < dvl> sitting at the GF's house, wishing the laptop had openvpn on it... 10:30 < DelphiWorld> dvl: lol multiple gf's? 10:31 < dvl> DelphiWorld: valid point. ;) 10:31 < DelphiWorld> dvl: :D 10:31 < dvl> Then I see I'm runing 2.1.1 and 2.1.4 is in the FreeBSD tree.... so I might as well upgrade that. I have an hour or so to kill 10:32 -!- teddz [~teddz@dtmd-4db2aea2.pool.mediaWays.net] has joined #openvpn 10:34 < dvl> I'm just thinking that with OpenVPN on the laptop, the backup is easier. 10:34 < dvl> Perhaps I'll upgrade one of the clients first... see how that goes before hitting the server. 10:36 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 10:36 < DelphiWorld> yo yo [intra]lanman 10:37 < [intra]lanman> you're a yo yo 10:38 < DelphiWorld> [intra]lanman: :P 10:43 < dvl> Well, one client effortlessly upgraded. On to the next. 10:44 < ecrist> dvl: 2.2-beta5 is stable 10:44 < ecrist> we're looking at an RC probably this week. 10:44 < dvl> ecrist: hello, LNTS. 10:44 < ecrist> LNTS? 10:44 < dvl> LTNS 10:44 < ecrist> oh 10:44 < ecrist> duh 10:44 < ecrist> ditto 10:45 < dvl> ecrist: Well, the FreeBSD tree has 2.1.4.... 10:45 < ecrist> openvpn-devel has 2.2-beta5 10:45 * ecrist points to MAINTAINER 10:45 < ecrist> ;) 10:45 < dvl> I thought that'd been removed. 10:45 < ecrist> sorry, openvpn-beta has 2.2-beta5 10:45 < dvl> Nope, it's still there. 10:45 < ecrist> openvpn-devel has a weekly snapshot 10:46 < ecrist> it was removed, I started it back up about 8 months ago when we actually started doing development again. 10:46 < dvl> nice way to do it. 10:46 < ecrist> mathias still does the release port, I handle the two dev ports 10:46 <@vpnHelper> RSS Update - forum: OpenVPN connection does not always work for some clients 10:49 -!- s7r [~s7r@41.221.41.90] has left #openvpn [] 10:56 < dvl> That's all the clients upgraded. 
I am now taking bets on a seamless server upgrade... Do I hear $10? 10:56 < ecrist> no reason the server shouldn't upgrade smoothly 10:57 < ecrist> really, we're betting on your ability, not the software. ;) 10:59 < dvl> cd /usr/local/etc 10:59 < dvl> cp -rp openvpn openvpn.2.1.1 11:00 < dvl> portsnap fetch update 11:00 < dvl> portupgrade openvpn 11:00 < dvl> /usr/local/etc/rc.d/openvpn restart 11:07 < dvl> done. thank you. 11:10 < ecrist> np 11:20 -!- Malard|Home [~ident@xbmc/staff/malard] has joined #openvpn 11:22 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 255 seconds] 11:23 -!- Malard|Home is now known as Malard 11:23 -!- irssi____ [~irssi@devastation.securewebs.net] has quit [Ping timeout: 276 seconds] 11:24 -!- irssi____ [~irssi@devastation.securewebs.net] has joined #openvpn 11:25 -!- mezgani__ is now known as p3rror 11:25 < DelphiWorld> lol p3rror 11:25 -!- DelphiWorld [~VoIpGuy@41.200.12.192] has left #openvpn ["I'm a happy Miranda IM user! Get it here: http://miranda-im.org"] 11:42 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [] 11:51 -!- p3rror [~mezgani@41.140.169.222] has quit [Ping timeout: 240 seconds] 11:57 -!- lmns972 [~lmns972@cac94-8-82-245-26-103.fbx.proxad.net] has quit [Quit: Bye bye] 11:58 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 12:16 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 12:51 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn 12:51 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Operation timed out] 12:52 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn 12:55 -!- p3rror [~mezgani@41.140.182.100] has joined #openvpn 12:57 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 255 seconds] 13:03 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Read error: Operation timed out] 13:09 -!- Peer^ [~ttt@ks355877.kimsufi.com] has quit 
[Read error: Operation timed out] 13:10 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn 13:18 <@vpnHelper> RSS Update - forum: ifconfig question 13:27 -!- Peer^ [~ttt@ks355877.kimsufi.com] has joined #openvpn 13:38 -!- Kurogane [~kuro@190.87.80.64] has joined #openvpn 13:50 -!- s7r [~s7r@41.221.41.90] has joined #openvpn 13:51 < s7r> hello. i want to connect to my openvpn server through a http proxy or socks5 .. the question is will the traffic be encrypted between my computer and the vpn server, or between the socls/proxy server and vpn server? 13:59 < Bushmills> between vpn client and vpn server 14:00 < s7r> it encrypts end to end ? 14:00 < s7r> aren't the packets sent from the socks server? 14:00 < s7r> i thought when i connect via proxy 14:00 < s7r> the vpn server does not know my original IP 14:00 < s7r> how come it encrypts the traffic between the server and me, if i go over proxy? 14:01 < Bushmills> because the vpn is a tunnel between client and server 14:01 < Bushmills> what is between, including proxies, see the encrypted stream only 14:02 < s7r> but the VPN server will NOT see my actual IP address, if I connect to it via proxy right ? 14:02 < Bushmills> it will see one actual address, namely the vpn subnet address which the server has assigned to the clinet 14:02 < Bushmills> client 14:02 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Quit: Leaving.] 14:03 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 265 seconds] 14:06 < s7r> the server can't see from what IP i connect 14:06 < s7r> ? 14:08 -!- sia^pwnnt is now known as adawda 14:13 < Bushmills> it could if it wanted to 14:17 < s7r> yes and if it is wanted to see it, and i connect to that server via proxy 14:17 < s7r> will it see my ip or the proxy ip 14:19 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has quit [Ping timeout: 272 seconds] 14:19 < Bushmills> http proxies pass, or can pass, the ip address of the requesting interface onwards. 
14:20 < s7r> and in case it doesn't pass ? it's an anonymous one 14:20 < Bushmills> if you are behind a proxy now, try http://scarydevilmonastery.net/myip.cgi and look at HTTP_X_FORWARDED_FOR 14:20 < s7r> the server won't see my real ip but it will be able to encrypt the connection between my computer and server? 14:23 < Bushmills> for a https connection between a web browser and a web server, going through a http proxy, applies the same: end to end encryption 14:23 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has joined #openvpn 14:32 -!- Huza [~kvirc@gw-agrowest-liga-stud-ar119.dnttm.ro] has joined #openvpn 14:34 -!- DelphiWorld [~VoIpGuy@41.200.22.50] has joined #openvpn 14:34 < DelphiWorld> hey back :P 14:34 < DelphiWorld> i have openvpn in centOs 14:35 < DelphiWorld> my vpn network cidr is 172.16.0.0/24 14:35 < DelphiWorld> in my client i see the default gateway is 172.16.0.5 while my server is 172.16.0.1 14:35 < DelphiWorld> how come? 14:35 -!- me345 [~me345@adsl-75-15-187-76.dsl.bkfd14.sbcglobal.net] has joined #openvpn 14:37 < DelphiWorld> !tun 14:37 < DelphiWorld> !tap 14:37 <@vpnHelper> "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where 14:37 <@vpnHelper> the protocol uses MAC addresses instead of IP addresses. 
14:38 -!- Malard [~ident@dsl78-143-214-202.in-addr.fast.co.uk] has joined #openvpn 14:38 -!- Malard [~ident@dsl78-143-214-202.in-addr.fast.co.uk] has quit [Changing host] 14:38 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn 14:38 -!- p3rror [~mezgani@41.140.182.100] has quit [Ping timeout: 240 seconds] 14:41 < DelphiWorld> !tun 14:42 -!- Lenhix|AfK [ElChaman@190.156.59.24] has joined #openvpn 14:51 -!- p3rror [~mezgani@41.248.190.60] has joined #openvpn 14:51 -!- s7r [~s7r@41.221.41.90] has left #openvpn [] 14:54 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn 14:55 -!- DelphiWorld_ [~VoIpGuy@41.200.5.200] has joined #openvpn 14:57 -!- DelphiWorld [~VoIpGuy@41.200.22.50] has quit [Ping timeout: 240 seconds] 15:13 -!- Luddhaa [~lud@90-230-114-135-no34.tbcn.telia.com] has joined #openvpn 15:13 < Luddhaa> hello 15:13 < Luddhaa> woho, there was a openvpn channel 15:13 < Luddhaa> ive been trying for two days to get openvpn working on windows 7 x64 with pfsense 1.2 as server 15:14 < Luddhaa> what is there to do about "TLS handshake failed2? 15:14 < Luddhaa> " 15:15 < Bushmills> !firewall 15:15 <@vpnHelper> "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets. 
15:16 < Luddhaa> after connecting the client log file doesnt complain very much, its the server log file that complains 15:16 < Luddhaa> and since its pfsense i dont need to do anything in NAT to access the server 15:17 -!- DelphiWorld_ is now known as DelphiWorld 15:18 <@vpnHelper> RSS Update - forum: DD-WRT client, Ubuntu 10.04 LTS as server 15:26 -!- corretico [~corretico@201.201.44.82] has quit [Quit: Leaving] 15:28 -!- batrick_ is now known as batrick 15:28 -!- Luddhaa [~lud@90-230-114-135-no34.tbcn.telia.com] has quit [] 15:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 15:38 -!- corretiko [~corretico@201.201.44.82] has quit [Quit: Leaving] 15:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 15:56 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn 15:56 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection] 15:57 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn 15:57 -!- adawda is now known as sia^pwnnt 16:03 < Rienzilla> hmm 16:03 < Rienzilla> what did I break when ping returns a ttl exceeded? 16:05 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn 16:08 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Ping timeout: 241 seconds] 16:08 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn 16:08 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host] 16:08 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 16:10 < Bushmills> too many hops. or, ping called with too few allowed hops. 
16:10 < Bushmills> routing problem or ping invocation problem 16:11 < Bushmills> most probable is a routing loop 16:16 -!- p3rror [~mezgani@41.248.190.60] has quit [Ping timeout: 240 seconds] 16:23 -!- pyther [~pyther@unaffiliated/pyther] has left #openvpn [] 16:25 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]] 16:28 -!- p3rror [~mezgani@41.140.171.126] has joined #openvpn 16:36 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has left #openvpn [] 16:38 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn 16:38 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host] 16:38 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 16:40 -!- p3rror [~mezgani@41.140.171.126] has quit [Ping timeout: 240 seconds] 16:40 < DelphiWorld> night all 16:40 -!- DelphiWorld [~VoIpGuy@41.200.5.200] has left #openvpn ["I'm a happy Miranda IM user! Get it here: http://miranda-im.org"] 16:40 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving] 16:42 -!- me345 [~me345@adsl-75-15-187-76.dsl.bkfd14.sbcglobal.net] has quit [Read error: Connection reset by peer] 16:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 16:52 -!- p3rror [~mezgani@41.140.26.192] has joined #openvpn 16:56 -!- sia^pwnnt is now known as adawda 17:12 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 17:17 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 240 seconds] 17:20 -!- p3rror [~mezgani@41.140.26.192] has quit [Ping timeout: 240 seconds] 17:22 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds] 17:32 -!- p3rror [~mezgani@41.140.96.129] has joined #openvpn 17:33 -!- WinstonSmith [~true@e177088174.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 17:33 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone 
to sleep] 17:35 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn 17:38 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 17:46 -!- WinstonSmith [~true@e177088033.adsl.alicedsl.de] has joined #openvpn 17:57 < dvl> Just got the laptop client working. :) 17:58 < dvl> I'm using a passphrase-less key at present. Worst case, if the laptop is stolen, I disable it. I could add a passphrase.... 18:00 < dvl> I like the GUI. Nice. Simple enough for non-techies. 18:00 -!- Huza [~kvirc@gw-agrowest-liga-stud-ar119.dnttm.ro] has quit [] 18:01 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Quit: Leaving.] 18:35 <@vpnHelper> RSS Update - forum: Multiple Server Profiles 18:35 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has quit [Read error: Operation timed out] 18:35 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has joined #openvpn 18:51 -!- WinstonSmith [~true@e177088033.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 18:57 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 19:05 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro] 19:12 -!- k4k [~K4k@c-24-30-28-242.hsd1.ga.comcast.net] has joined #openvpn 19:13 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 19:14 < k4k> When editing /etc/init.d/openvpn, I'm following a how-to that says to put in lines for "iptables -t nat... --to 123.123.123.123" where 123.123.123.123 is public IP. Is that the external facing IP for the server or the IP of the server within the network? 19:15 < dvl> k4k: my guess, public IP is public. .... external facing IP.... 19:16 < dvl> I have never used iptables 19:16 < k4k> crum, that's what I was thinking too but was hoping I was wrong :-( 19:20 < dvl> k4k: how about explaining the problem... 
19:20 < k4k> no problem, just trying to setup openvpn on my centos server 19:20 < k4k> the instructions I was following said to setup something in the init file 19:22 < k4k> although, now that I'm reading through the file, the comments say that you don't have to uncomment this for it to work, it's just enabling some kind of firewall rules when openvpn starts 19:23 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn 19:25 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn 19:43 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Quit: Leaving.] 19:44 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn 19:59 -!- UnterPerro_ [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 19:59 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Read error: Connection reset by peer] 19:59 -!- UnterPerro_ is now known as UnterPerro 20:04 -!- p3rror [~mezgani@41.140.96.129] has quit [Read error: Connection reset by peer] 20:09 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 246 seconds] 20:11 -!- theDoc [~Link@173.236.41.36] has joined #openvpn 20:11 -!- theDoc [~Link@173.236.41.36] has quit [Changing host] 20:11 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn 20:13 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Quit: Leaving.] 20:14 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn 20:19 -!- p3rror [~mezgani@41.140.34.232] has joined #openvpn 20:29 < dvl> so difficult to edit the configuration file.... permissions... 20:43 < theDoc> Why? 20:43 < theDoc> It's just config files. 20:46 < dvl> permissions. If it was unix, I'd just use sudo, but Windows... a bit more work. 20:47 < theDoc> Then the problem isn't permissions, it's Windows. 20:47 * theDoc waggles. 20:47 < dvl> theDoc: No, it's permissions, all bigotry aside. 20:48 < dvl> Just because you don't know how to solve an issue, doesn't make it a problem. 
;) 20:48 < dvl> In this case, you = me. 20:49 < dvl> I think I'm getting 'Authenticate/Decrypt packet error: packet HMAC authentication failed' because I'm being NAT. 20:49 < dvl> ...behind NAT. 20:50 < theDoc> Um, no. 20:50 < theDoc> HMAC errors aren't caused because you're behind NAT. 20:50 < dvl> Good. 20:50 < theDoc> dvl: Almost all of us are behind some form of NAT'ing now. 20:51 < theDoc> HMAC is used to verify the integrity/authenticity of a message. 20:52 < theDoc> Not sure where you got the impression that NAT is breaking HMAC. 20:52 < dvl> OK, that's good to know. It's one less thing to suspect. 20:52 < dvl> I suspect NAT because this is the first client behind nat. 20:52 < dvl> I've taken a .conf file from a working client, copied it over to here, and changed only the ca, cert, key, and tls-auth parameters. 20:53 < theDoc> tls-auth parameters? What did you change there? 20:54 < dvl> theDoc: My error. tls-auth remains the same as other clients. 20:56 < theDoc> dvl: I suspect it's a config error somewhere, I haven't touched a config with HMAC for a while now but you need to make sure that both sides match. 20:56 < theDoc> iirc. 20:57 < dvl> theDoc: FWIW, I did a copy paste of the entire openvpn.conf file from a working client. That was my starting point. Looking closer now. 21:00 < dvl> could it be the FQDN? 21:01 < dvl> the one in the cert... that certainly won't relate to the IP address in question. 21:01 < theDoc> Unlikely, to be honest. 21:05 < dvl> distinct progress, thanks. I redid the copy paste. Now it's pretty obvious: VERIFY ERROR: depth=0, error=unable to get local issuer certificate 21:05 < dvl> :) 21:06 < dvl> This I'm sure I can resolve. 21:17 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Quit: Leaving.] 
21:17 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn 21:22 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds] 21:37 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn 21:38 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Quit: Leaving.] 21:39 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn 21:42 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has left #openvpn [] 21:55 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat] 22:01 -!- teddz_ [~teddz@dtmd-4db2f571.pool.mediaWays.net] has joined #openvpn 22:03 -!- teddz [~teddz@dtmd-4db2aea2.pool.mediaWays.net] has quit [Ping timeout: 240 seconds] 22:38 -!- djgerm [~Your_Moms@c-67-169-142-196.hsd1.ca.comcast.net] has joined #openvpn 22:48 -!- corretico [~laguilar@201.201.44.82] has joined #openvpn 22:49 -!- djgerm [~Your_Moms@c-67-169-142-196.hsd1.ca.comcast.net] has quit [Quit: Leaving.] 22:54 -!- corretico [~laguilar@201.201.44.82] has quit [Ping timeout: 276 seconds] 22:55 -!- corretico [~laguilar@201.201.44.82] has joined #openvpn 23:08 -!- Lenhix|AfK [ElChaman@190.156.59.24] has left #openvpn [] 23:28 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving] 23:40 <@vpnHelper> RSS Update - forum: DD-WRT client, Ubuntu 10.04 LTS as server 23:41 -!- corretiko [~laguilar@201.201.44.82] has joined #openvpn 23:44 -!- teddz_ [~teddz@dtmd-4db2f571.pool.mediaWays.net] has quit [Ping timeout: 240 seconds] 23:44 -!- riddla1 [~Riddla@cm249.psi191.maxonline.com.sg] has joined #openvpn 23:45 < riddla1> howdy 23:45 < riddla1> i was just wondering, is it possible to have multiple local statements in an openvpn server conf? 23:45 < riddla1> i know, just try it... 
but my vpn is fairly active, and i would like to know before i restart it as it will drop a number of clients 23:47 -!- Kurogane [~kuro@190.87.80.64] has quit [Read error: Connection reset by peer] --- Day changed Mon Jan 17 2011 00:09 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 00:10 -!- albech [~thomas@119.42.78.103] has joined #openvpn 00:28 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn 00:52 <@vpnHelper> RSS Update - forum: Configuring 2 tunnels to access 2 networks on 1 server 00:52 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has quit [Ping timeout: 246 seconds] 00:53 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has joined #openvpn 00:53 < grendal_prime> grrrrrrrrrr 00:54 < grendal_prime> this is making me crazy ..i've done this exact install on 5 machines in the last week. Now on my home machine i'm getting this and i can't figure out the problem 00:55 < grendal_prime> Local Options hash (VER=V4): '691e95c7' 00:55 < grendal_prime> Expected Remote Options hash (VER=V4): '66096c33' 00:55 < grendal_prime> then all hell breaks loose and i get no connection 00:56 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has joined #openvpn 01:21 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Disconnected by services] 01:22 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn 01:31 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
01:56 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has quit [Quit: Ex-Chat] 02:06 -!- Malard [~ident@hebe.travelrepublic.co.uk] has joined #openvpn 02:06 -!- Malard [~ident@hebe.travelrepublic.co.uk] has quit [Changing host] 02:06 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn 02:16 <@vpnHelper> RSS Update - forum: I am unable to access the keys directory keys: Invalid argum 02:51 -!- dazo_afk is now known as dazo 02:58 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn 02:59 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn 03:02 < macsppadic> morning all 03:04 < theDoc> moin'. 03:24 < kraut> moin 03:30 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn 03:30 -!- mode/#openvpn [+o mattock] by ChanServ 03:41 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Read error: Operation timed out] 03:49 -!- master_of_master [~master_of@p57B53308.dip.t-dialin.net] has quit [Read error: Operation timed out] 03:53 -!- master_of_master [~master_of@p57B55902.dip.t-dialin.net] has joined #openvpn 03:56 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic] 03:59 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn 04:07 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 250 seconds] 04:10 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 265 seconds] 04:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds] 04:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 04:39 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds] 04:45 -!- common- [~common@p5DDA4873.dip0.t-ipconnect.de] has joined #openvpn 04:46 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has joined #openvpn 04:47 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn 04:47 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host] 04:47 -!- noisebleed 
[~quassel@gentoo/contributor/noisebleed] has joined #openvpn 04:48 -!- common [~common@p5DDA4BF7.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds] 04:48 -!- common- is now known as common 05:00 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]] 05:00 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn 05:02 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn 05:02 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host] 05:02 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn 05:16 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn 05:22 < hyper_ch> ecrist: hi there 05:22 < hyper_ch> kraut: hi there 05:28 < hyper_ch> hi dazo 05:28 <@dazo> hi'ya! 05:29 < hyper_ch> dazo: can I bug you with some encryption stuff? 05:29 <@dazo> hyper_ch: you may try :) 05:29 < hyper_ch> well, currently (once more) encrypting my usb pendrive using truecrypt 05:29 < hyper_ch> and it offers a wide array of encryption algorithms and hash algorithms 05:30 < hyper_ch> any recommendations on what to use? 05:30 < hyper_ch> you have all possible combinations of aes - twofish - serpent... either alone, only two or all three 05:31 < hyper_ch> and as hash algorithm you can use ripemd-160, sha-512 or whirlpool 05:31 <@dazo> Well, I usually stay away from DES and RC encryptions (even though RC4 is claimed to be safe by some groups), and also 3DES if I can .... I usually end up with AES and blowfish variants 05:31 < hyper_ch> using three ciphers in a cascade makes it slower, right? 05:31 <@dazo> For hash algorithm, I prefer SHA512, due to the bigger data amount in the hash 05:32 <@dazo> that depends on the ciphers 05:32 <@dazo> blowfish is not much CPU dependent ...
it works almost as fast on old CPUs as on new CPUs 05:32 <@dazo> (I believe twofish is related to blowfish) 05:32 <@dazo> while AES is very much CPU dependent 05:33 < hyper_ch> as text it says: Three ciphers in a cascade operating in XTS mode. Each block is first encrypted with Serpent 256bit, then twofish 256bit and finally with aes 256bit. each cipher uses its own key. all keys are mutually independent 05:33 <@dazo> wow ... that's quite a combination 05:33 < hyper_ch> but rather slow? 05:34 < hyper_ch> I think I'll settle for AES / SHA-512 05:34 <@dazo> I wouldn't be too much concerned about AES+twofish .... but I don't know anything about serpent 05:34 < hyper_ch> ok, I use those two then :) 05:34 <@dazo> but then again ... it also depends on what kind of data you are going to save :) 05:35 <@dazo> I think the US government and also Visa/MasterCard finds AES256 alone good enough for sensitive data 05:35 < hyper_ch> so that the us gvt can spy on them :) 05:36 <@dazo> heh ... I dunno :) 05:36 < hyper_ch> thx for the input :) 05:37 < hyper_ch> interesting... df -h shows 29GB free space... truecrypt shows 26.8 05:37 < hyper_ch> does the truecrypt container format need the difference in space? 05:38 <@dazo> I don't know much about truecrypt at all, so I have no idea how that really works out ...
I thought truecrypt allocated all the data as it needed and mounted that as a normal filesystem 05:39 < hyper_ch> ok :) 05:39 * hyper_ch gives dazo a super yummy super big cookie 05:39 * dazo looks forward to receiving it :) 05:54 -!- teddz_ [~teddz@dtmd-4db2f571.pool.mediaWays.net] has joined #openvpn 06:03 <@vpnHelper> RSS Update - forum: Temporary disable client access 06:09 <@vpnHelper> RSS Update - forum: OpenVPN connection does not always work for some clients 06:21 <@vpnHelper> RSS Update - forum: Machine behind client cannot access service on vpn server 06:27 <@vpnHelper> RSS Update - forum: Client config works on one machine but not another 06:27 -!- corretiko [~laguilar@201.201.44.82] has quit [Remote host closed the connection] 06:43 -!- ch077179 [~ch077179@nat/ibm/x-lqrnwrfrsurwjkqh] has joined #openvpn 06:43 < ch077179> !welcome 06:43 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 06:43 < ch077179> !goal 06:43 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 06:45 < ch077179> goal: I want to tunnel from my win32 workstation through an aix loginserver to a rhel target to use squirrel to administer the remote db on target. For this I need a permanent tunnel on a local port. How do I do that? 06:47 < ch077179> !howto 06:47 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 07:03 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn 07:04 -!- riddla1 [~Riddla@cm249.psi191.maxonline.com.sg] has quit [Ping timeout: 240 seconds] 07:04 -!- riddla [~Riddla@cm223.epsilon172.maxonline.com.sg] has joined #openvpn 07:15 <@vpnHelper> RSS Update - forum: Temporary disable client access 07:28 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn 07:31 -!- juhovh_ is now known as juhovh 07:31 -!- juhovh [~jvahaher@kekkonen.cs.hut.fi] has quit [Changing host] 07:31 -!- juhovh [~jvahaher@xmms2/developer/juhovh] has joined #openvpn 07:33 <@vpnHelper> RSS Update - forum: Multicast support in tap-win32 07:35 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 260 seconds] 07:37 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn 07:40 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn 07:40 -!- mode/#openvpn [+o mattock] by ChanServ 07:59 < dvl> Last night I managed to get the laptop to server connection working from a remote location. I encountered a "VERIFY ERROR: depth=0, error=unable to get local issuer certificate" issue, but I'm sure I can resolve that today. Only issue: I'm not remote today... 08:00 < dvl> It would be nice to have a second ISP today... 08:03 < theDoc> If it's local, why can't you walk over to the server? 08:05 < dvl> theDoc: I'm trying to test an inbound connection... i.e. connecting my laptop to the server from a remote location. I guess I could go visit Starbucks and try from there. 08:10 < theDoc> dvl: Yeah, or do it from a remote server. 
08:15 <@vpnHelper> RSS Update - forum: Multicast support in tap-win32 (with patch) 08:24 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn 08:25 -!- WinstonSmith [~true@g231217025.adsl.alicedsl.de] has joined #openvpn 08:26 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 08:27 <@vpnHelper> RSS Update - forum: OpenVPN connection does not always work for some clients 08:33 <@vpnHelper> RSS Update - forum: Configuring 2 tunnels to access 2 networks on 1 server 08:39 <@vpnHelper> RSS Update - forum: OpenVPN connection does not always work for some clients 08:47 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has quit [Read error: Operation timed out] 08:51 <@vpnHelper> RSS Update - forum: DD-WRT client, Ubuntu 10.04 LTS as server 08:52 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 250 seconds] 09:06 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving] 09:12 -!- k4k [~K4k@c-24-30-28-242.hsd1.ga.comcast.net] has left #openvpn [] 09:13 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has joined #openvpn 09:21 -!- Cain` [~Geek@41.141.252.98] has joined #openvpn 09:21 -!- Cain` [~Geek@41.141.252.98] has quit [Changing host] 09:21 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn 09:21 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 240 seconds] 09:21 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.] 09:22 -!- Cain` is now known as Cain 09:54 <@vpnHelper> RSS Update - forum: DD-WRT client, Ubuntu 10.04 LTS as server 09:57 -!- ch077179 [~ch077179@nat/ibm/x-lqrnwrfrsurwjkqh] has quit [Read error: Connection reset by peer] 10:01 -!- chr1s [5d61f643@gateway/web/freenode/ip.93.97.246.67] has joined #openvpn 10:02 < chr1s> hi, i'm having a problem with ip forwarding, can only ping server...I'm using sysctl.conf, has forward set to 1, anyone any thoughts?
10:03 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 10:03 < gladiatr> chr1s, are you seeing a route for your server-side network on your client? 10:03 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 276 seconds] 10:04 < chr1s> yes 10:05 < gladiatr> Is this a routed configuration? 10:06 < chr1s> routed configuration? 10:07 < gladiatr> !route 10:07 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:07 < gladiatr> what that document describes 10:08 <@dazo> or similar ... the point is, that bridge is not used (brctl on Linux, f.ex) on the TAP device 10:09 < gladiatr> indeed 10:09 < chr1s> yes it is, server on 10.10.0.1, clients get 10.90.0.*, push out route to 10.10.0.0/16 10:09 < gladiatr> client -> server -> stuff you want to get to 10:09 < gladiatr> :) 10:09 < chr1s> can't ping 10.10.3.1 10:10 < gladiatr> Can you ping the address of the openvpn server on the 10.10/16 network? 10:10 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn 10:11 < chr1s> yes, just tested 10:11 < gladiatr> Is the openvpn server also the internet gateway for the 10.10/16 network? 10:11 < chr1s> no 10:11 < chr1s> juniper firewall 10:12 < chr1s> can I say that I have ubuntu vpn, same config with no probs, just centos box giving me problems 10:12 < gladiatr> Righto. You'll need to add a route to the firewall system. whatever the equivalent is for: add -net 10.90.0.0/24 gw [internal address of openvpn server] 10:13 < gladiatr> Your VPN configuration is right. It's just none of the systems on 10.10/16 know how to communicate with 10.90.0/24 10:13 <@dazo> reverse route? 10:14 < gladiatr> bwah? 10:14 <@dazo> missing reverse route ... so that the traffic hits the right box ...
and then missing a route to go back via the tunnel 10:14 < chr1s> just checking firewall 10:15 -!- p3rror [~mezgani@41.140.34.232] has quit [Ping timeout: 265 seconds] 10:15 <@dazo> chr1s: try checking the traffic flow with tcpdump on the different interfaces ... to see if you can see if the traffic takes the path you expect it to 10:15 < gladiatr> (Don't know, I don't know such stuff. I just do eyes!) 10:16 < chr1s> gladiatr: you're the man :-) haven't fixed it yet but can see route for other vpn client address on firewall, have a 10.90 working, this is a 10.91, that was problem 10:17 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has quit [Ping timeout: 260 seconds] 10:17 < gladiatr> lol. np 10:20 < chr1s> thanks and bye, tested and working! 10:20 -!- chr1s [5d61f643@gateway/web/freenode/ip.93.97.246.67] has quit [Quit: Page closed] 10:25 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Quit: Leaving.] 10:42 -!- jfkw [~jtk@216.115.1.60] has joined #openvpn 10:44 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has joined #openvpn 10:50 -!- macsppadic [~sonupunno@88.211.55.77] has left #openvpn [] 11:00 -!- takamichi [~pri@85.232.213.54] has quit [Ping timeout: 240 seconds] 11:01 -!- takamichi [~pri@194.126.175.219] has joined #openvpn 11:01 -!- dmarkey [~dmarkey@188.141.16.113] has quit [Read error: Connection reset by peer] 11:26 -!- ShaneN [~ShaneNeue@host-121-159-111-24.midco.net] has joined #openvpn 11:27 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 260 seconds] 11:28 < ShaneN> Hello. I'm trying to set up openvpn for a small (5-10 machine) VPN. I've ran into an issue with one of the machines (A) not being able to ping another client (B). However, B can ping A. I do have "client-to-client" uncommented. Any suggestions? 
11:31 < ShaneN> A can ping the OpenVPN server though 11:31 < gladiatr> check your firewall on client B 11:32 < ShaneN> Ok 11:32 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 11:33 < ShaneN> Gah, I'm a moron. Thank you! 11:33 < gladiatr> ;) 11:33 < ShaneN> I kept thinking it was A as that machine is heavily locked down 11:33 -!- albech [~thomas@119.42.78.103] has quit [Quit: Ex-Chat] 11:34 < LedZeplin> Is there an option in the client config to decline using the server supplied DNS server? I didn't see any that sounded like they did that. 11:36 < gladiatr> Hrm.. I don't think so. What's your client OS? 11:38 < gladiatr> Well, regardless, if you don't have control of the vpn server, you can always choose not to pull options from the server and manually set up the client with an up script. 11:38 < gladiatr> That'd mean you'd need to deal with any route instantiation and specialized server definitions (like wins or some such) 11:38 < gladiatr> but it's an option 11:42 < LedZeplin> I'm using Tunnelblick on OSX. I have control of the vpn server, but I want the default option to be to provide dns to the clients. I'm just looking for a way to opt out of the dns advertisement and to continue to use the currently configured dns servers for specific cases. 11:44 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 240 seconds] 11:44 < LedZeplin> a setup script could be tricky because the "currently configured dns servers" wouldn't be static. unless there is a way to save the dns settings before the connection is started and restore them after the connection is up. 11:44 -!- takamichi [~pri@85.232.213.54] has joined #openvpn 11:44 < gladiatr> Gotcha. You could also set up a client-specific config fragment with the client-config-dir option. 11:46 < LedZeplin> gladiatr: you mean a client specific config on the server? is that based on expecting a specific key or something? 11:46 < LedZeplin> s/key/certificate/ 11:46 < gladiatr> Yup.
The actual file name is based on the CN of the client cert 11:47 < gladiatr> You can fish it out of your ipp file 11:47 < LedZeplin> that could work. I'm just surprised that there isn't a -nodns option that I can put in my client side config file tho :( 11:47 < gladiatr> Yeah. I can see where it would be convenient. 11:48 -!- grishnav [~grishnav@209.160.52.134] has quit [Quit: leaving] 11:48 -!- grishnav [~grishnav@209.160.52.134] has joined #openvpn 11:50 < LedZeplin> do you know if a setup script can do something before the connection is started? ie cp /etc/resolv.conf /tmp then after the connection is established copy it back? 11:52 < gladiatr> Hrm... I would think so. TB won't have access to the server push data until openvpn delivers it, so I would think it would still be working within openvpn's normal work flow 11:53 < gladiatr> I've only set that up on a few systems, so I haven't had reason to dive into that client too deeply. 11:54 < LedZeplin> ok. thanks for the help 11:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn 11:54 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving] 11:54 < gladiatr> np. good luck 12:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection] 12:20 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn 12:29 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 272 seconds] 12:29 -!- LeRrA_ [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 272 seconds] 12:34 -!- p3rror [~mezgani@41.140.159.243] has joined #openvpn 12:37 < dvl> Every time I go to create a new cert, which is very infrequent. I wind up using the wrong CA.... bugger me. 12:38 < dvl> Now that I've fixed that issue, hopefully for the last time.... 
12:38 -!- dazo is now known as dazo_afk 12:50 -!- WinstonSmith [~true@g231217025.adsl.alicedsl.de] has quit [Read error: Connection reset by peer] 12:53 -!- WinstonSmith [~true@g231217025.adsl.alicedsl.de] has joined #openvpn 12:56 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has joined #openvpn 13:00 < grendal_prime> ok...question. We have been using openvpn for the backhaul on a project for some time. Now, several people are pleased with performance and want to use it more for things like vpn connection from road warriors. 13:02 < ecrist> the answer is yes 13:02 < grendal_prime> The people that will be admining this server will need some sort of gui to do key management and deployment. they are running into a few issues. 13:03 < ecrist> there is no real GUI for that 13:03 < ecrist> you can use OpenVPN-AS which does some of that, though 13:03 < dvl> Mon Jan 17 13:36:39 2011 There is a problem in your selection of --ifconfig endpoints [local=10.8.1.40, remote=10.8.1.41]. The local and remote VPN endpoints cannot use the first or last address within a given 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info. 13:03 < ecrist> we don't support it here, however. 13:03 < dvl> Sorry, resolved that already. 13:03 -!- p3rror [~mezgani@41.140.159.243] has quit [Ping timeout: 240 seconds] 13:03 < grendal_prime> can you recommend a key management system of some sort. We have tried the openvpn webmin tool it works ok..with a few difficulties. 13:04 < grendal_prime> my thinking is that we will bang on the perl for that tool to fix the few things it does not do to our liking. 13:07 < dvl> We have vpn.
:) 13:07 -!- venom00ut [~asdfds@unaffiliated/venom00] has joined #openvpn 13:10 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Quit: leaving] 13:10 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn 13:17 -!- p3rror [~mezgani@41.248.186.201] has joined #openvpn 13:19 -!- riddla [~Riddla@cm223.epsilon172.maxonline.com.sg] has quit [Quit: Leaving.] 13:19 -!- Brownoxford [~cabernet@pool-173-69-4-112.prvdri.fios.verizon.net] has joined #openvpn 13:21 < Brownoxford> Hi folks! I'm trying to hook up site-to-site between an office location and some hosted servers at Rackspace, and I would like routing to be automagic between all locations. It seems like my best option is to set up openvpn as a client on each of the remote servers (they are not behind a shared firewall), is there any reason not to do that? 13:27 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn 13:27 -!- LeRrA_ [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn 13:32 -!- LeRrA_ [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 260 seconds] 13:32 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 260 seconds] 13:32 <@vpnHelper> RSS Update - forum: OpenVPN connection does not always work for some clients 13:32 < gladiatr> Brownoxford, not at all. Since your office is the common hub, it actually makes the most sense to do it that way. 13:33 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn 13:33 < Brownoxford> gladiatr: Cool, thanks! It's the first time I'm doing this for site-to-site, and it seemed like quite a bit more work to set up routing on all of the remote sites through a common gateway machine without having a firewall on which to create the routes. 
13:35 < gladiatr> If you're wanting your remote systems to talk to each other, you might also want to check out the following: http://backreference.org/2009/11/15/openvpn-and-iroute/ 13:36 <@vpnHelper> Title: OpenVPN and iroute « \1 (at backreference.org) 13:38 < Brownoxford> Yup, thanks! That's pretty much what I'm doing. 13:39 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn 13:39 < Brownoxford> good walk-through though 13:40 < ecrist> !iroute 13:40 < gladiatr> Indeed 13:40 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 13:40 < ecrist> !route 13:40 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:42 < Brownoxford> ecrist: I'm liking iroute with /32 networks so I can get OpenVPN to push routes correctly, are you saying that it isn't advised? 13:42 < ecrist> I don't think I said that... 13:42 < Brownoxford> .. by "correctly", I mean don't push a route to a server that hosts the network 13:43 < Brownoxford> ecrist: got it, I think I was reading too much into the 'LAN' part of iroute 13:43 < ecrist> I was simply pointing out the factoids gladiatr could have used to help you. ;) 13:43 < Brownoxford> :) 13:43 * ecrist kicks the FNG 13:43 < gladiatr> It's true. I'm still learning vpnHelper's vocabulary.
13:44 < gladiatr> !smellycheeses 13:44 < gladiatr> heh 13:44 < gladiatr> !godlike wisdom 13:44 * gladiatr thumps the bot 13:46 < ecrist> !factoids 13:46 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 13:46 -!- smarkyou [~smarkyou@cpe-024-163-095-151.nc.res.rr.com] has joined #openvpn 13:47 < smarkyou> !welcome 13:47 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 13:49 < Brownoxford> How about firewalling with iptables... any reason not to just "-j ACCEPT" everything on "tun+"? 13:49 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig. 13:51 -!- p3rror [~mezgani@41.248.186.201] has quit [Ping timeout: 240 seconds] 13:51 < smarkyou> !route 13:51 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:53 < smarkyou> !sample 13:53 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting 13:59 -!- p3rror [~mezgani@41.140.170.156] has joined #openvpn 14:01 < reiffert> any reason to policy DROP on FORWARD? 
14:03 -!- jpulgarin [~jpulgarin@190.251.81.82] has joined #openvpn 14:04 < jpulgarin> Hey guys, any idea about how to stop openvpn from running on ubuntu startup 14:04 < gladiatr> man update-rc.d 14:05 < jpulgarin> fixed! 14:06 < jpulgarin> changed AUTOSTART="openvpn" to AUTOSTART="none" in /etc/default/openvpn 14:06 <@vpnHelper> RSS Update - forum: OpenVPN connection does not always work for some clients 14:09 < gladiatr> schweet 14:14 < grendal_prime> ecrist, hey the big problem that seems to be bothering everyone is that we cannot generate a canned config that has the user and group remmed out.. it causes the macs to fail and the windows boxes to fail. 14:14 < grendal_prime> im gonna beat up the perl so it just rems them by default 14:15 -!- p3rror [~mezgani@41.140.170.156] has quit [Ping timeout: 240 seconds] 14:18 -!- dschuett [~dschuett@216.229.21.250] has quit [Ping timeout: 240 seconds] 14:18 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn 14:24 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm] 14:28 -!- p3rror [~mezgani@41.140.172.184] has joined #openvpn 14:31 <@vpnHelper> RSS Update - forum: OpenVPN connection does not always work for some clients 14:33 < dvl> Now that I have the Vista laptop up and running on the VPN, I can't access the laptop from the VPN... e.g. ping fail, nmap finds nothing, but other clients on the vpn don't exhibit these characteristics. However, all the other clients are Unix. ;) 14:33 < dvl> I want to access the laptop to back it up.... e.g. Bacula. 14:36 -!- jpulgarin [~jpulgarin@190.251.81.82] has quit [Quit: Leaving] 14:37 < dvl> yes, confirmed. Windows firewall. Good. :) 14:44 -!- pmow [~pmow@72.232.162.146] has joined #openvpn 14:46 < gladiatr> What about that bastion of ridiculousness that encompasses windows classification of certain network connections being "private" or "public" or "work" or "playtime" or ...
14:47 < pmow> !welcome 14:48 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 14:48 < pmow> !redirect 14:48 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 14:48 < pmow> !def1 14:48 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1" 14:48 < pmow> !nat 14:48 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto 14:50 < pmow> I have a tunnel working just fine, but cannot route to the server's eth0 interface using VPN clients. This is my goal. I can route to internet traffic, but I'm looking for help on setting this up. Currently I must connect using the tun0 interface IP (10.8.0.1) 14:51 < pmow> I'm doing ip forwarding as well as NAT. 
14:51 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 240 seconds] 14:52 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 14:54 -!- s7r [~s7r@41.221.41.90] has joined #openvpn 14:54 -!- s7r [~s7r@41.221.41.90] has quit [Remote host closed the connection] 14:55 -!- batrick [~batrick@nmap/developer/batrick] has quit [Ping timeout: 276 seconds] 14:55 < gladiatr> pmow, pastebin your server and client config 14:56 -!- LedZeplin [jbearer@74.46.1343.static.theplanet.com] has quit [Ping timeout: 265 seconds] 14:56 < pmow> sure 14:57 -!- p3rror [~mezgani@41.140.172.184] has quit [Read error: Connection reset by peer] 14:57 < pmow> http://pastie.org/1471291 14:58 < pmow> http://pastie.org/1471293 15:00 < gladiatr> what's with the bypass-dhcp? 15:01 < pmow> was something I had before 15:02 < gladiatr> k 15:02 < gladiatr> What sort of NAT rule do you have in place for your VPN client network? 15:02 < pmow> I had this working prior, but the box went down and the data center is taking their time finding me a new one. So I installed on my other box, following instructions I made while getting it working 15:02 < gladiatr> ah 15:03 < pmow> iptables -A POSTROUTING --table nat ! -o tun0 -j MASQUERADE 15:03 < pmow> I also tried removing the ! -o tun0 15:03 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn 15:03 < pmow> I also tried adding a rule, to route to the box's eth0 ip address 15:03 < gladiatr> tun0 isn't your egress device, though, is it? 15:03 -!- LedZeplin [jbearer@74.46.1343.static.theplanet.com] has joined #openvpn 15:04 < pmow> erm, no 15:04 < gladiatr> This rule will try to feed packets coming in from tun0 back into tun0. 15:05 < gladiatr> oh wait. blurred eyes with the ! 15:05 < pmow> this is loosely based on http://ubuntuforums.org/showpost.php?p=5076501&postcount=4 15:05 <@vpnHelper> Title: Ubuntu Forums - View Single Post - [ubuntu] Concise OpenVPN installation. . .? 
(at ubuntuforums.org) 15:08 < gladiatr> What does your forward chain look ilke? 15:09 < gladiatr> s/il/li 15:09 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn 15:09 < gladiatr> and your input chain? 15:10 < pmow> I didn't set those 15:10 < gladiatr> It must be something iptables-related if you're forwarding traffic through to the internet. 15:10 < gladiatr> hrm... 15:10 < pmow> well, the internet works just fine 15:10 < pmow> it's only the box I can't route to 15:10 < pmow> route/get to 15:11 < gladiatr> so you get nothing if you run: iptables --list INPUT -n 15:11 < gladiatr> ? 15:11 -!- p3rror [~mezgani@41.140.102.137] has joined #openvpn 15:12 < pmow> let me see 15:12 < pmow> correct, nothing. 15:16 < gladiatr> this is something insanely simple... 15:16 < pmow> lol 15:16 < gladiatr> that is being missed... 15:16 < pmow> I'm sure it is 15:17 < pmow> maybe it's just a route add that needs to be pushed to the client? but then the packet would be going to the tun interface, and missed 15:17 -!- Jondice1 [~brandon@rrdhcp-172-285.redrover.cornell.edu] has quit [Quit: Leaving] 15:17 < gladiatr> /facepalm 15:17 * gladiatr sprinkles some water on his face to try and wake up 15:18 < gladiatr> Yeah. You're gonna need to push a route for your internal network. 15:18 < pmow> the client is sending everything to the tunnel anyway...so it should be a server issue 15:18 * pmow pours gladiatr a shot 15:18 * gladiatr chuckles 15:18 < pmow> of espresso 15:19 < pmow> actually, I'm in dire need 15:19 < gladiatr> so if you run /sbin/iptables-save on the server, the only thing you're seeing is the postrouting rule from above?
15:19 < gladiatr> (indeed) 15:22 -!- p3rror [~mezgani@41.140.102.137] has quit [Ping timeout: 240 seconds] 15:22 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 15:23 < pmow> yes 15:23 < pmow> http://pastie.org/1471400 15:24 < gladiatr> what service are you trying to access on eth0? 15:24 < pmow> at the moment, sabnzbdplus - in the future, apache 15:24 < pmow> I can't ping either. 15:25 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has left #openvpn ["Leaving"] 15:25 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 15:25 < gladiatr> oops 15:26 < gladiatr> try this: /usr/sbin/lsof -Pn |grep LISTEN|grep "eth0's IP address" 15:27 < pmow> no such command 15:28 < pmow> nvm 15:28 < pmow> /usr/bin 15:28 < pmow> mysqld is listening on it, port 3306... 15:29 < pmow> bah - I had it on localhost. 15:29 < gladiatr> That's gonna be the only service available on eth0 then. You might want to check your config for... that other thing you're running to make sure it's set up to bind to eth0's address 15:30 < gladiatr> oh wait 15:30 < pmow> okay, I changed the config, and it's listening 15:30 < gladiatr> s*t 15:30 < pmow> (still same deal though) 15:30 < gladiatr> Yeah. eth0 is gonna be caught by *:port 15:30 -!- dschuett [~dschuett@216.229.21.250] has left #openvpn [] 15:31 < gladiatr> sorry mate. I think I'm a bit to out of it this afternoon to be of much assistance. :P 15:31 < pmow> that's okay 15:31 < gladiatr> s/to/too 15:31 -!- majuk_ [~majuk@cpe-70-112-20-116.austin.res.rr.com] has joined #openvpn 15:31 < majuk_> !welcome 15:31 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 15:31 < majuk_> !goal 15:31 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 15:36 < majuk_> Hi all. I want a secure connection between two comps on a LAN. Currently have the server set for TLS and ethernet bridging. Client gets 'connection refused' on trying to establish a connection. Relevant logs - Server: http://pastie.org/1471440 | Client: http://pastie.org/1471445 15:39 <@vpnHelper> RSS Update - forum: OpenVPN connection does not always work for some clients 15:42 < majuk_> I am able to SSH to the server via its bridged interface just fine, so it is responding on that interface.... so I don't know why I'm getting refusals when I try to connect. I am currently using TCP. With UDP, it just times out after 60s on the client side. 15:42 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Read error: Operation timed out] 15:43 < pmow> heh 15:43 < pmow> I'm getting the same exact problem when doing that over a tunnel 15:45 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: Yes, Virginia...] 15:50 < majuk_> pmow, Awesome. Feeling included is half the battle. :D 15:51 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn 15:53 < Dougy> once again 15:53 < Dougy> i cant log into the forum 15:53 < Dougy> there we go 15:54 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Client Quit] 15:59 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn 16:01 -!- MrKeuner [~sur@unaffiliated/mrkeuner] has joined #openvpn 16:01 < MrKeuner> hello, I can connect to a vpn server that I have set up on a Ubuntu 10.04.1 from another 10.04.1. 
However, once I get connected I cannot ping anywhere. what may be the problem? 16:02 < pmow> you can't ping the vpn server? 16:02 < pmow> or "anywhere" 16:02 -!- Brownoxford [~cabernet@pool-173-69-4-112.prvdri.fios.verizon.net] has quit [Quit: Brownoxford] 16:02 < MrKeuner> I can ping the vpn server but not through its WAN ip, only through the LAN ip 16:03 < pmow> that's exactly why I'm here 16:03 < MrKeuner> nice to meet you :) 16:03 < pmow> cannot access VPN server interfaces other than VPN 16:03 < pmow> yeah, majuk_ is also having a similar problem 16:04 < MrKeuner> it was working at the time I set it up. though 16:04 < MrKeuner> haven't used it for a while... 16:04 < MrKeuner> pmow, no luck I suppose... 16:04 < pmow> naw 16:13 -!- pmow [~pmow@72.232.162.146] has quit [Quit: Leaving.] 16:16 -!- venom00ut [~asdfds@unaffiliated/venom00] has quit [Ping timeout: 255 seconds] 16:18 -!- p3rror [~mezgani@41.140.38.34] has joined #openvpn 16:20 < majuk_> fwiw, I have the opposite problem. I can hit my VPN server on any open port BUT the VPN port. 
16:36 -!- kim0 [~kim0@ubuntu/member/kim0] has left #openvpn [] 16:40 -!- MrKeuner [~sur@unaffiliated/mrkeuner] has quit [Quit: Ex-Chat] 16:50 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has quit [Ping timeout: 240 seconds] 16:54 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn 16:56 -!- majuk_ [~majuk@cpe-70-112-20-116.austin.res.rr.com] has quit [Ping timeout: 240 seconds] 17:06 -!- WinstonSmith [~true@g231217025.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 17:09 <@vpnHelper> RSS Update - forum: OpenVPN connection does not always work for some clients 17:19 -!- WinstonSmith [~true@f052096152.adsl.alicedsl.de] has joined #openvpn 17:25 -!- teddz_ [~teddz@dtmd-4db2f571.pool.mediaWays.net] has quit [Quit: Ex-Chat] 17:30 -!- undecim [~undecim@24-119-130-33.cpe.cableone.net] has joined #openvpn 17:31 < undecim> I'm following http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html to setup a quick VPN connection... Where do I put the key and config files on the server? 17:31 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net) 17:35 -!- ShaneN [~ShaneNeue@host-121-159-111-24.midco.net] has quit [Read error: Connection reset by peer] 17:42 -!- grendal_prime [~sgraham@209.78.161.3] has joined #openvpn 17:44 < Bushmills> undecim: same dir as config file, or location given with full path in config 18:04 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds] 18:15 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn 18:28 -!- teddz [~teddz@dtmd-4db2f571.pool.mediaWays.net] has joined #openvpn 18:31 < undecim> Okay, I've got the connection setup using the OpenVPN GUI on a Windows client. Now how do I forward all internet traffic through the VPN? 
18:34 < Bushmills> !redirect 18:34 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 18:36 < undecim> ty 18:37 < undecim> !def1 18:37 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1" 18:44 < undecim> !nat 18:44 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto 18:50 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 18:50 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep] 18:55 -!- WinstonSmith [~true@f052096152.adsl.alicedsl.de] has quit [Quit: Ex-Chat] 18:55 -!- WinstonSmith [~true@f052096152.adsl.alicedsl.de] has joined #openvpn 18:56 < undecim> Windows client still has the same IP as reported by wimi.com 19:10 < undecim> added push "redirect-gateway def1" to the client config, and restarted the connection 19:11 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [] 19:12 < undecim> hmm... I made the client conf on a *nix system... would the line endings have something to do with it? 19:13 -!- jfkw [~jtk@216.115.1.60] has quit [Quit: leaving] 19:15 < undecim> Wait... 
19:16 < undecim> Wrong config file 19:19 < undecim> Okay, it's in the server config file now, we restarted both the server and the client and still won't forward traffic :/ 19:21 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn 19:32 < undecim> I added "pull" to the client config and it gives me an error that says it can only be used in TLS mode? wtf? 19:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection] 19:49 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds] 19:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 19:53 < undecim> So I have to setup TLS to forward all traffic over the VPN? 19:58 -!- WinstonSmith [~true@f052096152.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 20:11 -!- WinstonSmith [~true@f052096152.adsl.alicedsl.de] has joined #openvpn 20:15 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn 20:29 -!- WinstonSmith [~true@f052096152.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 20:29 -!- WinstonSmith [~true@f052096152.adsl.alicedsl.de] has joined #openvpn 20:33 -!- undecim [~undecim@24-119-130-33.cpe.cableone.net] has left #openvpn ["Leaving"] 21:09 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has quit [Quit: Leaving.] 21:12 -!- grendal_prime [~sgraham@209.78.161.3] has quit [Quit: Ex-Chat] 21:14 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 21:15 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer] 21:27 -!- djgerm [~Your_Moms@dsl-63-249-119-56.static.cruzio.com] has joined #openvpn 21:37 -!- djgerm [~Your_Moms@dsl-63-249-119-56.static.cruzio.com] has quit [Quit: Leaving.] 21:45 -!- undecim [~undecim@24-119-130-33.cpe.cableone.net] has joined #openvpn 21:46 < undecim> Okay. I think I finally got the windows client to start forwarding internet traffic.... 
Only problem is it seems to also be trying to forward OpenVPN traffic, and so just cuts off the internet connection completely. 21:47 < undecim> Any ideas? 21:56 < undecim> I've checked firewall rules and everything 22:01 -!- teddz_ [~teddz@dtmd-4d0bfe47.pool.mediaWays.net] has joined #openvpn 22:01 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn 22:03 < smerz> if you need internet access then the vpn server needs to provide that 22:03 -!- teddz [~teddz@dtmd-4db2f571.pool.mediaWays.net] has quit [Ping timeout: 240 seconds] 22:04 < smerz> as all internet traffic goes through the vpn 22:05 < undecim> smerz: I Know 22:05 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer] 22:05 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn 22:06 < undecim> smerz: I have the forwarding setup on the server and everything 22:06 < undecim> smerz: Though I think I may have fixed it... 22:06 < undecim> smerz: At least I'm hoping that's why my buddy with the client dropped from teamspeak, lol 22:07 < undecim> nvm.... 22:07 < undecim> It's still broken 22:08 < smerz> just nat the whole VPN subnet 22:08 < smerz> worked for me :) 22:08 < undecim> That's done with iptables? 22:08 < smerz> yeah 22:08 < undecim> iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 22:08 < undecim> I did that 22:09 < undecim> Also forwarding is enabled 22:09 < undecim> Did I miss something? 22:09 < smerz> likely iptables not correct or complete. if you used def1 to redirect all traffic 22:10 < smerz> that's my guess. gotta go outside grab smth 22:12 < smerz> good luck :) 22:14 < undecim> Do I need to push a route option or something? 22:16 < undecim> Or... 22:16 < smerz> undecim !def1 22:16 < smerz> @vpnHelper "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1" 22:17 < smerz> that pushes all 22:17 < smerz> through vpn 22:17 < undecim> I know 22:17 < undecim> I used that 22:17 < smerz> except for DNS i think 22:17 < smerz> not sure about dns 22:17 < smerz> but 22:17 < undecim> DNS i don't care about. It can go either way 22:17 < smerz> the iptables command aint right i think 22:17 < undecim> I think I copied that straight from the openvpn man pages... 22:18 < undecim> nvm.. guess I didn't 22:19 < smerz> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 22:19 < smerz> iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT 22:19 < smerz> iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT 22:19 < smerz> try these 22:19 < smerz> they work 22:19 < smerz> brb gotta go 22:19 < undecim> okay, I'll try 22:19 < undecim> ty 22:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection] 22:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 22:41 -!- riddla [~Riddla@cm249.psi191.maxonline.com.sg] has joined #openvpn 22:42 -!- teddz_ [~teddz@dtmd-4d0bfe47.pool.mediaWays.net] has quit [Ping timeout: 240 seconds] 22:42 -!- riddla [~Riddla@cm249.psi191.maxonline.com.sg] has left #openvpn [] 22:49 < undecim> Okay, it's only a specific IP subnet I want to redirect traffic to. Can I just add a push "route ..." option to my server config? 22:52 < Bushmills> yes, you can 22:52 < smerz> you can 22:53 < Bushmills> smerz: redirect sets new default route. if dns queries are sent through default route, they'll be redirected through vpn too 22:54 < Bushmills> if there's a specific route set to a name server, it will take precedence over default route 23:14 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
23:22 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn 23:34 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn 23:51 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving] --- Day changed Tue Jan 18 2011 00:15 -!- venom00ut [~asdfds@unaffiliated/venom00] has joined #openvpn 00:24 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out] 00:28 -!- LedZeplin [jbearer@74.46.1343.static.theplanet.com] has left #openvpn [] 00:29 -!- venom00ut [~asdfds@unaffiliated/venom00] has quit [Read error: Operation timed out] 00:45 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 272 seconds] 00:47 -!- undecim [~undecim@24-119-130-33.cpe.cableone.net] has quit [Quit: Leaving] 00:57 -!- djgerm1 [~Your_Moms@adsl-75-24-88-30.dsl.pltn13.sbcglobal.net] has joined #openvpn 00:59 -!- p3rror [~mezgani@41.140.38.34] has quit [Ping timeout: 240 seconds] 01:01 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Ping timeout: 255 seconds] 01:15 -!- p3rror [~mezgani@41.140.101.48] has joined #openvpn 01:23 -!- iRabbit_ [~nfredrich@guest.egv.servercentral.net] has joined #openvpn 01:26 < iRabbit_> need to install OpenVPN Ubuntu 10.10.... sudo apt-get install openvpn? 01:27 < hyper_ch> yes 01:31 < iRabbit_> ok... keyword for the key and config? 01:34 < reiffert> iRabbit_: "howto" 01:34 < reiffert> iRabbit_: "read" "topic" 01:35 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 01:36 < iRabbit_> ? 01:36 < hyper_ch> !tell iRabbit_ [howto] 01:37 < iRabbit_> hyper_ch, !thank 01:37 < reiffert> I always thought that our topic is one of the most readable topics. 01:39 < iRabbit_> well... here's the deal... not a fan of some Linux stuff and need to get a keyword and config to email netops for a u/p. 01:40 < iRabbit_> so I can take this netbook into the pod, rather than do shit in the noc 01:41 < iRabbit_> so its an urgent thing. 
if its not going to take 10sec to do.... obviously reading a wiki takes longer... I'll have one of my admins do it for me :) 01:41 < iRabbit_> but thanks for the bathroom reading material :) 01:41 -!- Lantizia [~Lantizia@erebus.seaquake.net] has joined #openvpn 01:43 -!- iRabbit_ [~nfredrich@guest.egv.servercentral.net] has left #openvpn ["Ex-Chat"] 01:43 < Lantizia> Hey is it possible to make an OpenVPN proxy? 01:44 < reiffert> openvpn does encrypted network layer 2/3 tunneling. 01:44 < reiffert> openvpn does not work as a proxy. 01:44 < Lantizia> e.g. I have an OpenVPN server I want to connect to... but myself and others would like to connect to my own server which connects to that server for us 01:45 < Lantizia> reiffert, can't see how that'd stop what I'm asking for 01:45 < reiffert> Lantizia: please define "openvpn proxy" then. 01:45 < Lantizia> I just did with my example 01:46 < reiffert> you made an example, you didnt define it. 01:46 < Lantizia> Well it's hard to define 01:46 < Lantizia> I essentially want to share a single OpenVPN connection with others using OpenVPN 01:46 < reiffert> it's hard to answer questions about a not well defined theoretical thing. Thanks. 01:47 < reiffert> ok, so here is how it will work: 01:47 < reiffert> [vpn endpoint]<------encrypted openvpn line ----->[vpn endpoint]======multiple others======[machine of those] 01:47 < reiffert> plural, machines. 01:48 < reiffert> If I get you right, the communication between those multiple machines and the right vpn endpoint is in your hand, right? 01:49 < Lantizia> more like...
01:49 < Lantizia> [ ]<--encrypted line-->[vpn endpoint] 01:49 < Lantizia> [ ]<--encrypted line-->[vpn endpoint] 01:49 < Lantizia> [vpn endpoint]<--encrypted line-->[vpn endpoint]<--encrypted line-->[vpn endpoint] 01:49 < Lantizia> [ ]<--encrypted line-->[vpn endpoint] 01:49 < Lantizia> [ ]<--encrypted line-->[vpn endpoint] 01:49 < Lantizia> the middle "endpoint" being my server 01:50 < Lantizia> the right hand "endpoints" being our users 01:50 < reiffert> yeah, this can be done with openvpn. 01:50 < Lantizia> the left hand "endpoint" being what we want to connect ti 01:50 < Lantizia> *to 01:50 < reiffert> left endpoint: openvpn server running 01:50 < reiffert> middle endpoint: openvpn server running, openvpn client running (for communication with left endpoint) 01:50 < reiffert> users: openvpn client running on all of them. 01:51 < Lantizia> indeed 01:51 < reiffert> communication between users and left endpoint: routing. 01:51 < reiffert> or: NAT 01:51 < reiffert> or: Bridging (layer 2) 01:51 < Lantizia> we only have one login to the target openvpn server... but want several to login you see 01:52 < reiffert> no, I dont see and I dont know anything about the limited setup details. 01:52 < Lantizia> left - only accepts one login... which is why we can't have more than one user connect to it 01:52 < reiffert> ok, nothing changes from my answers. 01:53 < Lantizia> middle - will take more than one login as I run it and will route to the "one login" server 01:53 < Lantizia> right - multiple users 01:53 < reiffert> so you still got: routing, nat, bridging. 01:53 < reiffert> to make an example: 01:53 < Lantizia> OK so how is this achieved ? 01:54 < reiffert> [10.10.30.1]<----->[10.10.20.1]<-------->[10.10.10.2] 01:54 < Lantizia> will openvpn server and client talk directly to each other on the middle endpoint (my server)?
01:54 < reiffert> you tell those clients: hey, if you want to get to 10.10.30.1, send everything to 10.10.20.1 01:54 < reiffert> route add -net 10.10.30.0 netmask 255.255.255.0 gw 10.10.20.1 01:54 < reiffert> done. 01:55 < Lantizia> not done... this doesn't explain how the middle part works 01:55 < reiffert> the middle will get a packet and will hand it to the left 01:56 < reiffert> the answer from the left will reach the middle which will hand it to one of those from the right. 01:56 < reiffert> this is done by pure routing 01:56 < Lantizia> ok the only thing is though... this is for full internet access... so 0.0.0.0/0 01:56 < reiffert> layer 3. routing. 01:56 < reiffert> ya, can be done with openvpn. 01:57 < reiffert> see here: 01:57 < reiffert> !howto 01:57 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 01:57 < reiffert> it will explain you the basic setup stuff 01:57 < Lantizia> it's not as simple as you think 01:57 < reiffert> then have a look here, it will explain the routing stuff 01:57 < reiffert> !route 01:57 < Lantizia> this really won't work 01:57 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 01:57 < reiffert> Lantizia: shut up. 01:57 < Lantizia> [------------]<--encrypted line-->[vpn endpoint] 01:57 < Lantizia> [vpn endpoint]<--encrypted line-->[vpn endpoint]<--encrypted line-->[vpn endpoint] 01:57 < Lantizia> [------------]<--encrypted line-->[vpn endpoint] 01:57 < Lantizia> [------------]<--encrypted line-->[vpn endpoint] 01:57 < Lantizia> [vpn endpoint]<--encrypted line-->[vpn endpoint]<--encrypted line-->[vpn endpoint] 01:57 < Lantizia> [------------]<--encrypted line-->[vpn endpoint] 01:57 < Lantizia> [------------]<--encrypted line-->[vpn endpoint] 01:57 -!- Lantizia was kicked from #openvpn by vpnHelper [Flooding detected. 
Please use http://openvpn.pastebin.ca for posting logs or configs.] 01:57 < reiffert> then have a look at the "send everything 0/0" part here: 01:57 -!- Lantizia [~Lantizia@erebus.seaquake.net] has joined #openvpn 01:57 < reiffert> then have a look at the "send everything 0/0" part here: 01:57 < Lantizia> [------------]<--encrypted line-->[vpn endpoint] 01:57 < Lantizia> now you see it won't work 01:58 < reiffert> and stop flooding this. just shut up. 01:58 < reiffert> !def1 01:58 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1" 01:58 < Lantizia> as the middle server connects to many openvpn servers 01:58 < hyper_ch> hi reiffert 01:58 < reiffert> Lantizia: look: you didnt say anything about multiple left servers. 01:58 < Lantizia> reiffert, no I was trying to start with a basic example 01:58 < reiffert> Lantizia: why didnt you do that? 01:59 < reiffert> Lantizia: it makes life harder as you said. 01:59 < Lantizia> yeah 01:59 < reiffert> Lantizia: I dont see why routing doesnt solve this. 01:59 < reiffert> hyper_ch: hey 01:59 < Lantizia> because all three left servers handle internet 01:59 < reiffert> Lantizia: so? 01:59 < Lantizia> so say in that example you've got 9 clients... if all of them are sending whatever is aimed at 0.0.0.0/0 to the middle.... which of the left servers does it give it to? 02:00 < Lantizia> when they also handle 0.0.0.0/0 02:00 < reiffert> whatever you configure the middle to do. 02:00 < reiffert> start adding some routing protocols. you will figure it out. 02:00 < reiffert> have fun. 02:00 < Lantizia> but I don't see any way of configuring it 02:01 < reiffert> try digging harder into routing protocols and round robin.
02:01 < Lantizia> and apparently neither do you 02:01 < reiffert> I dont see any problem. 02:02 < reiffert> hyper_ch: can you see why he thinks there is a problem? 02:02 -!- s7r [~s7r@94.198.100.92] has joined #openvpn 02:02 < hyper_ch> reiffert: don't even know what's it about :) 02:02 < Lantizia> middle server connects to 3 openvpn servers and itself runs 3 openvpn servers... so it runs 3 servers, and 3 clients... all 3 clients send packets destined for 0.0.0.0/0 and all 3 servers accept packets destined for 0.0.0.0/0 02:03 < hyper_ch> all those encrypted line texts were just too confusing so I gave up 02:03 < Lantizia> thus if client 9 wants to get out through left hand server 3... there is no way to define that 02:03 < reiffert> sure, there is. 02:04 < reiffert> [10.10.30.1]<----->[10.10.20.1]<-------->[10.10.10.2] 02:04 < Lantizia> wrong! 02:04 < reiffert> shut up. 02:04 < reiffert> on 10.2 you say: route add default gw 10.10.20.1 02:04 < Lantizia> you're presuming internal networks! 02:04 < reiffert> on 20.1 you say: route add default gw 10.10.30.1 02:04 < reiffert> those are openvpn ip networks. 02:06 < Lantizia> ok lets say I'm sitting at my pc on the right hand side... and I wanna get to 212.223.232.231... the openvpn connection only knows it can reach 10.10.30.1 via the openvpn server... not that IP 02:10 < reiffert> !route 02:10 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 02:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection] 02:11 < Lantizia> yeah forget it, you've finally grasped the complexity and do not know 02:12 < s7r> !proxy 02:12 < s7r> !socks 02:13 < reiffert> Lantizia: being an ignorant doesnt solve your problem. 02:13 < reiffert> Lantizia: doing like I said will. 
02:14 < Lantizia> reiffert, and pretending you have some hidden answer doesn't solve it either 02:14 < Lantizia> your tone has been nothing but condescending since I got in here 02:14 < reiffert> Lantizia: shall we have a look how a packet from right will travel to 212.223.whatever? 02:14 < Lantizia> no I'm done with you 02:14 < reiffert> k, enjoy. 02:16 < reiffert> 10.10.10.2 doesnt know how to read 212 directly, so sending it to its default gw, 20.1 02:16 < reiffert> 20.1 doesnt know how to reach 212 directly, so sending it to its default gw, 30.1 02:16 < reiffert> 30.1 doesnt know how to reach 212 directly, sending it to its default gw, whatever this one is. 02:16 < Lantizia> and I'm saying _can't_ presume a default gq in this case 02:16 < Lantizia> *gw 02:17 < reiffert> 30.1 doesnt have a default gw? 02:17 < Lantizia> you _still_ do not understand 02:17 < Lantizia> so just drop it 02:17 < reiffert> so maybe it's because of all your explanations dont make it to my brain. 02:17 < reiffert> And I dont think that my brain is the cause. 02:19 < reiffert> 08:57 < Lantizia> now you see it won't work 02:19 < reiffert> no, I dont. 02:19 < reiffert> 08:56 < Lantizia> ok the only thing is though... this is for full internet access... so 0.0.0.0/0 02:19 < reiffert> line doesnt parse. 02:19 < Lantizia> ever heard the phrase "to beat a dead horse" ? 02:19 < reiffert> yeah, which is why I keep beating. 02:21 < Lantizia> ok lets define some terms here.... the "servers" - the openvpn servers I do not run that gives Internet access from various locations 02:21 < Lantizia> the "proxy" the openvpn server I _do_ run that I want many users connecting to... so they can go out through a choice of one of those "servers" 02:21 < Lantizia> the "clients" the people wanting access to a specific "server" 02:22 < Lantizia> if they simply connect to the "proxy" I see no logical way of determining which "server" they get relayed to... 
since each "server" offers the same service - general internet access 02:22 < hyper_ch> reiffert: a dead horse can't defend itself? 02:23 < reiffert> hyper_ch: it doesnt change a thing when you keep beating the dead horse. 02:23 < hyper_ch> and I thought you just enjoy beating things and even more so since it can't defend itself 02:25 < Lantizia> so to my mind you've somehow got to link the insulate each connection to the servers from the "proxy" servers the clients have connected to 02:26 < Lantizia> '/link the/d' 02:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 02:44 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 240 seconds] 02:45 -!- dazo_afk is now known as dazo 03:00 < reiffert> Lantizia: how is a client supposed to choose to which of those servers the packets will travel? 03:01 < Lantizia> exactly :P 03:01 < reiffert> Lantizia: is it important for a client to know/choose to which of the servers its packets will travel? 03:01 < Lantizia> The only way I see is to run 3 openvpn servers on the proxy server 03:01 < Lantizia> reiffert, yes 03:02 < reiffert> why? 03:02 < Lantizia> because they are 3 different locations 03:02 < reiffert> Lantizia: is it important for a client to actually *change* the server? 03:02 -!- p3rror [~mezgani@41.140.101.48] has quit [Ping timeout: 240 seconds] 03:02 < Lantizia> why don't we stick to what the task is - rather than what is and is not important 03:03 < Lantizia> the scenario is the way it is because it has been deemed important already 03:03 < reiffert> Lantizia: why dont we stick to the scenario? Because the more I ask the more details you come up with. I still dont think that I got all the details so thats why I dont stop asking. However. 03:04 < Lantizia> i was thinking 3 openvpn servers running on the "proxy box" on 3 different ports...
but how you then link those 3 servers with the 3 clients to connect to the left servers without "mixing" is the confusing part 03:04 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro] 03:04 < reiffert> Lantizia: the answer to your last confusing thing: routing. 03:04 < Lantizia> general routing won't help in this case 03:05 < Lantizia> i feel like we're going round in circles 03:05 < reiffert> why? 03:05 < Lantizia> i've already said why many times 03:06 < reiffert> pretending that something that will work is wrong wont make it wrong. 03:06 < Lantizia> i'm not pretending anything here 03:07 < reiffert> you say that routing wont solve the thing that different clients have to reach different servers. 03:07 < reiffert> when running different openvpn servers on your middle. 03:08 < reiffert> let's make another example: 03:08 < Lantizia> how are you going to get openvpn server 1 on the proxy box talk to openvpn client 1? 03:08 < reiffert> [server1:10.1] ----- 03:08 < Lantizia> and only openvpn server 2 talk to openvpn client 2... etc etc 03:08 < reiffert> [server2:20.1] ----- 03:08 < reiffert> [server3:30.1] ----- 03:08 < reiffert> those lines end up here: 03:09 < reiffert> [middle.openvpn1:10.2] 03:09 < reiffert> [middle.openvpn2:20.2] 03:09 < reiffert> [middle.openvpn3:30.2] 03:09 < reiffert> so far it represents your setup? 03:09 < Lantizia> i've no idea what you're trying to demonstrate 03:09 < Lantizia> but you're not answering the question because you don't have the answer 03:10 < reiffert> I want to demonstrate how routing will solve your case as far as you gave me the details. 03:10 < Lantizia> the question remains... "how are you going to get openvpn server 1 on the proxy box ONLY TO talk to openvpn client 1?" 03:10 < reiffert> routing, nat, or both. 03:10 < Lantizia> negative 03:11 < reiffert> can you explain the "negative" then please.
03:11 < Lantizia> I'm going now - better things to do than run around in circles 03:11 -!- Lantizia [~Lantizia@erebus.seaquake.net] has left #openvpn ["Leaving"] 03:11 < reiffert> what an ignorant. 03:19 < s7r> can I connect to an openvpn server via http proxy? 03:23 < hyper_ch> reiffert: you had a lot of patience :) 03:25 < s7r> yeah :D 03:25 < s7r> too much 03:27 < hyper_ch> I don't think you can connect via http proxy 03:28 < hyper_ch> as an http proxy would only proxy http requests 03:28 < s7r> because the http proxy supports only http protocol 03:28 < s7r> exactly 03:28 < s7r> but how come in the openvpn GUI 03:28 < s7r> at connect options 03:28 < hyper_ch> which is different from establishing a vpn tunnel between you and server 03:28 < s7r> http proxy is listed 03:28 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn 03:28 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host] 03:28 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn 03:28 < hyper_ch> that's the access server which is not supported here 03:28 < hyper_ch> IIRS 03:28 < s7r> not the access server 03:28 < hyper_ch> IIRC 03:28 < s7r> the community openvpn client 03:28 < s7r> for windows 03:28 < hyper_ch> what gui then? 03:28 < hyper_ch> oh windows... no clue :) 03:29 < s7r> at connect options it has connect via socks 4, socks 5 or http proxy 03:29 < s7r> socks 5 normally will work as it works with any tcp or udp protocol 03:29 < s7r> but http ? 03:30 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Read error: Operation timed out] 03:30 < hyper_ch> I don't really know :) ask reiffert :) he has lots of patience at explaining things :) 03:30 < reiffert> 10:19 < s7r> can I connect to an openvpn server via http proxy? 03:31 < reiffert> s7r: yes, you can. 03:31 < s7r> I am not going to be as stressful as that person trust me 03:31 < s7r> reiffert: isn't http proxy working only with http requests?
03:32 < reiffert> s7r: depends on the http proxy software. 03:33 < s7r> ok. one last question. if i establish the connection between my computer and the openvpn server via an http proxy or socks, will the traffic be encrypted between my computer and the vpn server or between the proxy server and openvpn server? 03:33 < reiffert> it will be encrypted. 03:34 < reiffert> (as long as you don't tell openvpn to not encrypt it) 03:37 < s7r> yes I know 03:37 < s7r> but between my computer and the vpn server 03:37 < s7r> or proxy server and vpn server 03:37 < s7r> the proxy server will see the traffic encrypted or plain text? 03:37 < reiffert> Just found a public email from Lantizia, Subject: It's me again - sorry! Trouble doing 'nxsetup--install' 03:38 < reiffert> looks like he is pretty successful in being an ignorant 03:47 < theDoc> reiffert: You should troll him, ;p 03:51 -!- master_of_master [~master_of@p57B55902.dip.t-dialin.net] has quit [Ping timeout: 276 seconds] 03:52 -!- master_of_master [~master_of@p57B55AE7.dip.t-dialin.net] has joined #openvpn 03:56 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal] 03:57 -!- WinstonSmith [~true@f052096152.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 04:14 -!- WinstonSmith [~true@e177095131.adsl.alicedsl.de] has joined #openvpn 04:19 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn 04:19 -!- mode/#openvpn [+o mattock] by ChanServ 04:46 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has joined #openvpn 04:46 -!- common- [~common@p5DDA48B3.dip0.t-ipconnect.de] has joined #openvpn 04:49 -!- common [~common@p5DDA4873.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds] 04:49 -!- common- is now known as common 04:50 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn 04:53 <@vpnHelper> RSS Update - forum: Benefits of certificates vs. username/password auth.
04:59 -!- WinstonSmith [~true@e177095131.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 05:29 <@vpnHelper> RSS Update - forum: configure open vpn file 05:37 -!- _zero__ [~zero@noc.toile-libre.net] has quit [Ping timeout: 260 seconds] 05:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn 05:40 -!- _zero_ [~zero@noc.toile-libre.net] has joined #openvpn 05:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer] 06:01 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]] 06:16 -!- rond [~me@pool-71-170-131-187.dllstx.fios.verizon.net] has joined #openvpn 06:42 -!- rond [~me@pool-71-170-131-187.dllstx.fios.verizon.net] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- The professional IRC Client :D] 06:50 -!- albech [~thomas@124.157.211.210] has joined #openvpn 06:51 -!- p3rror [~mezgani@41.140.168.15] has joined #openvpn 06:54 <@vpnHelper> RSS Update - forum: Linux Tap device 10Mbit 06:55 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn 07:00 <@vpnHelper> RSS Update - forum: Machine behind client cannot access service on vpn server || configure open vpn file 07:06 <@vpnHelper> RSS Update - forum: Linux Tap device 10Mbit 07:06 < gladiatr> Pie is good. That is all. 07:07 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has quit [Read error: Operation timed out] 07:07 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has joined #openvpn 07:12 <@vpnHelper> RSS Update - forum: OpenVPN connection does not always work for some clients 07:13 -!- rond [~me@pool-71-170-131-187.dllstx.fios.verizon.net] has joined #openvpn 07:27 -!- EugenA [~eugen@mnch-4d04f54a.pool.mediaWays.net] has joined #openvpn 07:28 < EugenA> general question: would openvpn help me to use nfs over internet? 07:28 <@dazo> EugenA: yes 07:29 < EugenA> ok, how do i connect to vpn server? it is already installed 07:30 < EugenA> i can make a connection from windows. 
now i need to create a connection from centos to openvpn server 07:30 <@dazo> EugenA: you need to configure server and client to your liking ... start them, and then connect ... then you need some kind of routing/networking configuration too 07:30 <@dazo> !howto 07:30 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 07:30 <@dazo> !route 07:30 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 07:33 < EugenA> i'm reading here http://www.openvpn.net/index.php/access-server/docs/admin-guides/182-how-to-connect-to-access-server-with-linux-clients.html 07:33 < EugenA> Login to the Access Server's Client Web Server and download the desired client config file (typically called "client.ovpn" 07:33 <@vpnHelper> Title: How to connect to Access Server from a Linux computer (at www.openvpn.net) 07:33 < EugenA> what is "Access Server's Client Web Server" ? 07:36 <@vpnHelper> RSS Update - forum: NOTE: could not get adapter index for ... 07:38 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has quit [Quit: Leaving] 07:38 < Dougy> !factoids search access server 07:38 <@vpnHelper> "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options supported 07:38 <@vpnHelper> which are a carefully selected subset of a quite large set of possible OpenVPN configurations. 
Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support 07:42 <@vpnHelper> RSS Update - forum: Linux Tap device 10Mbit 08:01 -!- p3rror [~mezgani@41.140.168.15] has quit [Ping timeout: 240 seconds] 08:02 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has joined #openvpn 08:05 -!- renihs_ [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined #openvpn 08:05 -!- Netsplit *.net <-> *.split quits: derekv, renihs, sigius 08:08 -!- Netsplit *.net <-> *.split quits: deever, Nappy, freaky[t], MJD, djgerm1, ScriptFanix, optiz0r 08:08 -!- sigius [~sigius@93.125.185.45] has joined #openvpn 08:09 -!- djgerm [~Your_Moms@adsl-75-24-88-30.dsl.pltn13.sbcglobal.net] has joined #openvpn 08:10 -!- Netsplit over, joins: ScriptFanix, Nappy, deever 08:10 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn 08:11 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn 08:11 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn 08:13 -!- optiz0r [~optiz0r@miranda.sihnon.net] has joined #openvpn 08:14 -!- teddz_ [~teddz@dtmd-4d0bfe47.pool.mediaWays.net] has joined #openvpn 08:14 -!- [1]rond [~me@pool-71-170-131-187.dllstx.fios.verizon.net] has joined #openvpn 08:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn 08:20 -!- rond [~me@pool-71-170-131-187.dllstx.fios.verizon.net] has quit [Ping timeout: 240 seconds] 08:20 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds] 08:20 -!- [1]rond is now known as rond 08:21 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn 08:24 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds] 08:27 -!- p3rror [~mezgani@41.140.169.225] has joined #openvpn 08:27 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn 08:30 -!- 
smarkyou [~smarkyou@cpe-024-163-095-151.nc.res.rr.com] has quit [Read error: Connection reset by peer] 08:31 -!- smarkyou [~smarkyou@cpe-024-163-095-151.nc.res.rr.com] has joined #openvpn 08:31 -!- smarkyou [~smarkyou@cpe-024-163-095-151.nc.res.rr.com] has left #openvpn [] 08:32 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn 08:32 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host] 08:32 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn 08:37 -!- Typone [~nnnnnnnit@195.197.184.87] has quit [Ping timeout: 260 seconds] 08:38 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn 08:39 -!- Typone [~nnnnnnnit@195.197.184.87] has joined #openvpn 08:43 < gladiatr> !factoids search port-share 08:43 <@vpnHelper> No keys matched that query. 08:43 < gladiatr> !factoids port-share 08:43 < hyper_ch> !port-share 08:43 < hyper_ch> !ports 08:43 < hyper_ch> !port 08:43 < ecrist> "No keys matched that query" means that key doesn't exist. 08:43 < hyper_ch> :( 08:43 < ecrist> !factoids 08:43 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 08:44 < hyper_ch> hi ecrist 08:44 < ecrist> hi, hyper_ch 08:44 < gladiatr> Captain, we seem to have attempted to access the part of the entity's brain that was damaged in the crash... 08:47 < gladiatr> ecrist, (gotcha) 08:48 < gladiatr> wasn't sure if the search element of factoids was a keyword search or a please-wait-while-i-grep-my-data-store thing 08:50 < gladiatr> yesterday at 4pm, the freenode #openvpn channel bot, known by its users as vpnHelper, was arrested after reports came in of it grepping itself in front of city hall... 
08:52 -!- p3rror [~mezgani@41.140.169.225] has quit [Ping timeout: 240 seconds] 08:52 < ecrist> lol 09:05 -!- p3rror [~mezgani@41.140.24.80] has joined #openvpn 09:11 -!- macsppadic is now known as bruceleesppadic 09:14 -!- EugenA [~eugen@mnch-4d04f54a.pool.mediaWays.net] has quit [Remote host closed the connection] 09:14 <@vpnHelper> RSS Update - forum: OpenVPN connection does not always work for some clients 09:19 -!- rond [~me@pool-71-170-131-187.dllstx.fios.verizon.net] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- Organize your IRC] 09:20 -!- p3rror [~mezgani@41.140.24.80] has quit [Ping timeout: 250 seconds] 09:21 -!- majuk_ [~majuk@cpe-70-112-20-116.austin.res.rr.com] has joined #openvpn 09:22 -!- kaisukaru [~marie@84-50-137-232-dsl.rkv.estpak.ee] has joined #openvpn 09:22 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn 09:23 < kaisukaru> Is there any good clean solution to add the user route addition right in Win7 or Vista, without giving admin to the user? 09:24 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds] 09:24 -!- Cain` is now known as Cain 09:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer] 09:27 < kaisukaru> (Using smartcard) 09:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn 09:31 < gladiatr> Not to my knowledge. 09:33 < kaisukaru> What are the solutions: 1.) run as admin, 2.) with XP, if you added user to network admins, route addition worked, but not with win7?, 3.) if UAC is enabled, even if you are admin, routes are not added - what are recommended solutions? 09:34 < gladiatr> Hrm... Yeah. Sorry.
I'm not familiar enough with the way windows7 and vista drop and/or elevate privileges to be able to help with this one :( 09:41 -!- kaisukaru [~marie@84-50-137-232-dsl.rkv.estpak.ee] has quit [Read error: Connection reset by peer] 09:44 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn 09:51 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn 09:52 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection] 09:54 -!- jfkw [~jtk@216.115.1.60] has joined #openvpn 10:18 -!- albech [~thomas@124.157.211.210] has quit [Quit: Ex-Chat] 10:24 -!- threedaymonk [~threedaym@surimi.vm.bytemark.co.uk] has joined #openvpn 10:24 < threedaymonk> !welcome 10:24 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 10:25 < threedaymonk> !goal 10:25 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 10:26 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn 10:31 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn 10:38 < threedaymonk> I'm trying to connect an Android device to a VPN. I've connected it to eth0 of a Linux box, which gives it a 10.0.0.0/24 IP address via DHCP. The Linux box is currently connected to the VPN via another interface; it's exposed as tun0. How would I best wire the two together, so that all the Android device's traffic goes via the VPN? 10:38 -!- djgerm [~Your_Moms@adsl-75-24-88-30.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving.] 10:39 <@dazo> threedaymonk: using openvpn on Android? 
10:40 < threedaymonk> dazo: It looks as if that requires root 10:40 < threedaymonk> (which I don't have!) 10:41 <@dazo> threedaymonk: openvpn requires root to setup the tun/tap device and to add routes 10:41 * gladiatr cradles his N900 like a rich fat lady with a pug... 10:41 < threedaymonk> dazo: sorry, I mean using openvpn on Android requires root *on Android* - I have root on the linux box. 10:41 <@vpnHelper> RSS Update - forum: Server certificate expired. how to renew? 10:42 <@dazo> threedaymonk: you need root on the Android as well 10:42 <@dazo> however, if you're going through some kind of GUI on Android, that basically should take care of it 10:44 < threedaymonk> dazo: I'm looking for a way that doesn't involve rooting the Android device, which I can't do 10:44 <@dazo> threedaymonk: then you can't use openvpn 10:44 -!- aree [~chatzilla@bgl93-7-88-189-218-150.fbx.proxad.net] has joined #openvpn 10:44 < aree> hello there 10:45 < aree> openvpn, does it work the same as NAT? 10:45 <@dazo> aree: openvpn (or VPN in general) is not the same as NAT 10:46 < threedaymonk> @dazo: There is no way to use iptables or something like that to redirect the traffic? 10:46 < aree> for assigning ip 10:47 <@dazo> threedaymonk: you need to setup a tun/tap device with openvpn, that requires root access. Further if tun.ko is not loaded (a kernel module), that needs to be loaded which requires root privileges ... and to run route commands as well, again requires root access ... even running iptables requires root access 10:47 < threedaymonk> @dazo I have root access on the Linux box 10:47 -!- kyrix [~ashley@c-67-160-84-118.hsd1.wa.comcast.net] has joined #openvpn 10:48 <@dazo> aree: VPN can more be compared to a virtual network interface + cable ...
where you get access to an internal network, and the traffic between the client and server is encrypted (normally, at least) 10:48 <@dazo> aree: NAT has also nothing to do with assigning IP addresses 10:49 <@dazo> aree: NAT is used to use (or hide) a private internal network behind one public IP address ... so that everyone on the inside is using the same public IP address when accessing Internet services 10:50 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving] 10:50 <@dazo> (a private internal network can mean LAN or VPN) 10:50 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn 10:50 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host] 10:50 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn 10:51 < aree> well i try to explain my problem i got a public IP on a pc without router with nat setting on my vbox, host ubuntu guest centos ayecee schnuffle sacarlson 10:51 < aree> well i try to explain my problem i got a public IP on a pc without router with nat setting on my vbox, host ubuntu guest centos 10:52 <@dazo> threedaymonk: but you wanted to use openvpn on Android as a client to a openvpn server? if so, then also the openvpn client on Android need root privileges ... there is no way around that 10:52 <@dazo> aree: and you want your centos guest to access the Internet? 10:52 < aree> not a real centos a customize one, 10:52 <@dazo> (via the Ubuntu host?) 10:52 < threedaymonk> dazo: No, I think you've misunderstood. I want to use the Linux box to connect the [black box with an ethernet cable] to the VPN. 10:53 <@dazo> threedaymonk: OpenVPN will work in that case ... All OpenVPN needs is a working Internet connection 10:53 <@dazo> but it needs to be started with root privileges 10:54 < threedaymonk> dazo: That's what I thought! :-) What I'm not clear on is how to route traffic between the two interfaces 10:54 <@dazo> threedaymonk: between which interfaces? 
10:54 < aree> that customized Centos is working on a web based interface, well on my ubuntu pc i got a Public IP which is something like : 82.198.X.X on centos i got an IP something like 10.0.2.15 10:54 < threedaymonk> dazo: essentially, between eth0 and tun0 on the linux box. 10:55 < threedaymonk> so that a device connected to eth0 seamlessly appears to be on the VPN 10:55 <@dazo> aree: this is not much openvpn related at all ... but you need to enable a NAT rule on the Ubuntu box, to allow that ... I would probably recommend you to search help via some Ubuntu channels or forums 10:56 <@dazo> aree: I don't know how Ubuntu does their firewalling stuff nowadays ... and the ufw stuff was more confusing than usable for me when I tried that 2 years ago ... I've not been using Ubuntu since the Ibex release 10:56 < aree> let me finish , :) from ubuntu web browser if i put this IP 10.0.2.15 i'm not able to display that customized OS web page 10:56 <@dazo> aree: this is still ubuntu stuff 10:57 < threedaymonk> dazo: at the moment, I've set up a DHCP server on eth0 to give the [black box] an IP address, but I don't know if that's necessarily the best start. 10:57 <@dazo> threedaymonk: you need to setup default routing ... to route traffic from wherever to your VPN network via your openvpn server 10:58 < threedaymonk> dazo: would that need to be done on the VPN server, or can I do it on this local linux machine? 10:58 <@dazo> sorry, not default routing ... but you need to set up *some* routing 10:59 <@dazo> threedaymonk: you need to do that on the default gateway in your network where your openvpn client is configured ...
or on all the boxes which will use resources over the VPN 10:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection] 11:00 <@dazo> threedaymonk: you also need to add some routes on the server side too, so that there are routes from the server side and back to your network behind your client 11:00 <@dazo> !route 11:00 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:00 <@dazo> threedaymonk: ^^ 11:01 < threedaymonk> Would LAN behind OpenVPN in that case refer to LAN <---> OpenVPN server <---> internet or My computer <---> Internet <---> OpenVPN server <---> LAN ? It's the former that I want 11:02 < threedaymonk> I looked at that page earlier and it seemed to be the latter 11:05 <@dazo> threedaymonk: basically .... LAN-A <---> OpenVPN client <---> Internet <---> OpenVPN server <---> LAN-B 11:06 <@dazo> so to access LAN-B from LAN-A, you need basic routing ... LAN-A needs to have routes stating the network of LAN-B with the OpenVPN client as the gateway 11:06 -!- gryzli [~gryzli@94.155.42.130] has joined #openvpn 11:06 <@dazo> LAN-B will need a reverse routing, where it will need to know the LAN-A network address and use the OpenVPN server IP address as the gateway 11:07 < threedaymonk> In my case, there's only LAN-A - it's a VPN to the internet 11:07 <@dazo> threedaymonk: that makes it to some degree simpler 11:07 <@dazo> as OpenVPN server will then need to NAT the outgoing traffic 11:08 < threedaymonk> which it already does, I think 11:08 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has joined #openvpn 11:08 <@dazo> threedaymonk: then you basically need to read up about --redirect-gateway in the man page 11:09 -!- rond [~me@pool-71-170-131-187.dllstx.fios.verizon.net] has joined #openvpn 11:09 <@dazo> you just need that on the OpenVPN client side ...
that will take care of setting up needed default routes on your OpenVPN client, which will route everything via the tunnel 11:10 -!- bruceleesppadic [~sonupunno@88.211.55.77] has left #openvpn [] 11:10 < threedaymonk> so then, as long as my black box is using that device as the gateway, it should work 11:10 < threedaymonk> thanks, that's really helpful 11:10 < threedaymonk> I'll try it ... 11:11 <@dazo> threedaymonk: yeah, basically ... --redirect-gateway does setup some special routes, so that the traffic between the OpenVPN client and server is not trying to go through the tunnel ... and everything else goes through the tunnel 11:11 -!- WinstonSmith [~true@e177095131.adsl.alicedsl.de] has joined #openvpn 11:12 < threedaymonk> yes, I saw the mention about loops - that makes sense :-) 11:23 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn 11:56 -!- WinstonSmith [~true@e177095131.adsl.alicedsl.de] has quit [Quit: Ex-Chat] 12:10 -!- kyrix [~ashley@c-67-160-84-118.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds] 12:10 -!- prettyrobots [~alan@66.93.0.189] has joined #openvpn 12:11 < prettyrobots> Can I use Open VPN to make a connection, like MySQL port 3306, encrypted transparently? 12:11 < prettyrobots> MySQL doesn't need to know anything. 12:11 -!- dazo is now known as dazo_afk 12:16 < ecrist> yes 12:22 < reiffert> Did anyone read up what Lantizia and I were discussing approx 12 hours ago? 12:23 < reiffert> Is it me who doesnt see a problem or was it him? 12:23 < reiffert> I need some input on this please. 12:23 * ecrist reads up 12:26 < ecrist> he was a dick, but I think I understand what he was getting after 12:26 < ecrist> !diagram 12:26 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle 12:30 -!- Flecks [~kvirc@95.68.37.7] has joined #openvpn 12:30 < Flecks> hello, made some tests with vpn etc... 
12:31 < Flecks> i have 100mbit/sec connection on vpn server side and 200mbit/sec on client side 12:31 < ecrist> reiffert: http://secure-computing.net/files/maybe.png 12:31 < Flecks> on server side i have webserver in lan, i have also port forward in router 12:32 < Flecks> so when i download direct from webserver i get 5.7MB/sec 12:32 < Flecks> when i download through vpn - i get only 3.2MB/sec 12:33 < Flecks> using SMB - i get only 700KB/sec 12:35 -!- prettyrobots [~alan@66.93.0.189] has quit [Quit: prettyrobots] 12:37 < gladiatr> Flecks, are your internet connections symmetrical? 12:39 < Flecks> yes +/-... 12:39 < Flecks> but server is PIII 930MHz 12:39 < Flecks> and when i copy files - i get 90+ CPU usage for openvpn process 12:39 < ecrist> Flecks: that seems odd 12:40 < gladiatr> indeed 12:40 < ecrist> our entire company uses a Dell PE 1650 with a single PIII at 1.113GHz 12:40 < Flecks> thats the problem? 12:40 < ecrist> and we use that to connect an entire office 12:40 < ecrist> we easily use 5+ Mbps 12:40 < Flecks> if i disable compression will this increase speed? 12:41 < ecrist> you can try 12:41 < ecrist> we don't use compression here. 12:41 < Flecks> 5mbps is slow - i am talking about 5MBps here 12:41 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day] 12:42 < ecrist> it's only a decimal place of difference 12:48 -!- majuk_ [~majuk@cpe-70-112-20-116.austin.res.rr.com] has quit [Ping timeout: 265 seconds] 12:48 < Flecks> yeah, u r right ecrist, that didnt change anything 13:00 < Flecks> thx everyone, will try to set up server on faster pc 13:00 < reiffert> ecrist: yeah it looks like what he was after, but I still think that routing would have solved his problem. 13:00 < reiffert> ecrist: although he didnt realize that. 13:00 < ecrist> oh, most definitely 13:00 < ecrist> also, he was still an ass.
13:00 < ecrist> even vpnHelper thought so 13:01 -!- Flecks [~kvirc@95.68.37.7] has quit [Quit: KVIrc 4.1.1 Equilibrium http://www.kvirc.net/] 13:01 < gladiatr> did vpnHelper oh-so-slightly urinate on his shoes? 13:01 < ecrist> 01:57 -!- Lantizia was kicked from #openvpn by vpnHelper [Flooding detected. Please use http://openvpn.pastebin.ca for posting logs or configs. 13:02 < gladiatr> pow 13:02 -!- s7r [~s7r@94.198.100.92] has left #openvpn [] 13:02 < reiffert> ecrist: thanks for having a look. 13:02 < ecrist> reiffert: your nat suggestion was the right answer, imho 13:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection] 13:13 < aree> oh ecrist the dangerous 13:13 -!- aree [~chatzilla@bgl93-7-88-189-218-150.fbx.proxad.net] has left #openvpn [] 13:16 -!- rond [~me@pool-71-170-131-187.dllstx.fios.verizon.net] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- In tests, 0x09 out of 0x0A l33t h4x0rz prefer it :)] 13:16 < ecrist> what? 13:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 13:31 -!- rond [~me@pool-71-170-131-187.dllstx.fios.verizon.net] has joined #openvpn 13:46 -!- kentr [~Kent@adsl-99-38-177-206.dsl.pltn13.sbcglobal.net] has joined #openvpn 14:04 -!- rond [~me@pool-71-170-131-187.dllstx.fios.verizon.net] has quit [Read error: Connection reset by peer] 14:14 -!- dollabill [~mike@199.44.8.98] has joined #openvpn 14:22 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection] 14:43 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm] 14:43 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn 14:53 -!- p3rror [~mezgani@41.140.98.151] has joined #openvpn 14:57 -!- hpa [hpa@terminus.zytor.com] has quit [Excess Flood] 14:58 -!- p3rror [~mezgani@41.140.98.151] has quit [Ping timeout: 240 seconds] 14:58 -!- dschuett [~dschuett@216.229.21.250] has left #openvpn [] 14:59 -!- hpa [hpa@terminus.zytor.com] has joined #openvpn 15:14 -!- p3rror 
[~mezgani@41.140.180.125] has joined #openvpn 15:19 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds] 15:26 -!- Malard [~ident@hebe.travelrepublic.co.uk] has joined #openvpn 15:26 -!- Malard [~ident@hebe.travelrepublic.co.uk] has quit [Changing host] 15:26 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn 15:32 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 276 seconds] 15:37 -!- dollabill [~mike@199.44.8.98] has quit [Ping timeout: 276 seconds] 15:39 -!- adawda is now known as sia^pwnnt 15:41 -!- p3rror [~mezgani@41.140.180.125] has quit [Ping timeout: 240 seconds] 15:49 -!- venom00ut [~asdfds@unaffiliated/venom00] has joined #openvpn 15:54 -!- p3rror [~mezgani@41.140.178.209] has joined #openvpn 15:56 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]] 16:03 -!- gryzli [~gryzli@94.155.42.130] has quit [Quit: Leaving] 16:08 -!- p3rror [~mezgani@41.140.178.209] has quit [Ping timeout: 260 seconds] 16:13 <@vpnHelper> RSS Update - forum: TAP-Win32 connection unplugged 16:20 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn 16:20 -!- Fleck [~we@unaffiliated/fleck] has joined #openvpn 16:20 < Fleck> hey again 16:21 < Fleck> i have set up openvpn on a better box, now when i copy files through the tunnel, i get 10% cpu usage, still the speed is very slow 16:21 < Fleck> 3MB/sec 16:21 < Fleck> without vpn 12MB/sec 16:22 < Fleck> using http 16:22 < krzee> play with MTU 16:22 < krzee> !mtu 16:22 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting 16:23 < Fleck> tried to set tun-mtu to 1500 and fragment to 1300 16:24 < ecrist> EmperorTom wrote a good mtu doc at that link above. 16:24 < ecrist> hey krzee, how goes vacation?
16:26 < Dougy> im tired as balls
16:26 < Dougy> good god
16:27 -!- p3rror [~mezgani@41.140.152.31] has joined #openvpn
16:28 < krzee> Fleck, but did you try testing what your actual MTU is?
16:28 < Fleck> in ifconfig i see 1500
16:29 < krzee> see #2 above
16:29 < Fleck> i did
16:30 -!- kentr [~Kent@adsl-99-38-177-206.dsl.pltn13.sbcglobal.net] has quit [Read error: Connection reset by peer]
16:31 < krzee> ecrist, going well!
16:31 -!- kentr [~Kent@adsl-99-38-177-206.dsl.pltn13.sbcglobal.net] has joined #openvpn
16:31 -!- kentr is now known as kentr_away
16:31 < Fleck> when i start openvpn server i get strange line
16:31 < Fleck> Wed Jan 19 00:30:54 2011 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
16:31 < Fleck> 1576??
16:31 < ecrist> looks right
16:32 < krzee> Fleck, did you test your mtu as shown in #2 above?
16:32 < Fleck> krzee the problem is i can run tests on server side only
16:33 < Fleck> cannot connect to client at the moment
16:34 < krzee> because the vpn is not working or does the client not listen on the vpn address?
16:34 < Fleck> cause all clients are offline now
16:34 < krzee> i figure you should be able to get access to run tests from client since it can xfer files
16:34 < krzee> ahh
16:35 < Fleck> its midnight :D
16:38 < Fleck> maxevents=1028 << thats cool?
16:39 < Fleck> !slow
16:40 < Fleck> the only problem can be - is MTU?
16:40 < krzee> you use udp or tcp?
16:40 < Fleck> tried udp and tcp too
16:40 < Fleck> speed doesn't change
16:42 -!- p3rror [~mezgani@41.140.152.31] has quit [Read error: Connection reset by peer]
16:42 -!- Malard [~ident@dsl78-143-214-202.in-addr.fast.co.uk] has joined #openvpn
16:42 -!- Malard [~ident@dsl78-143-214-202.in-addr.fast.co.uk] has quit [Changing host]
16:42 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn
16:43 -!- kentr_away is now known as kentr
16:45 * Fleck scratches head
16:46 < krzee> use udp and test mtu tomorrow when clients are on
16:46 < Fleck> tried today
16:46 < Fleck> got 1573
16:46 < reiffert> what openvpn version?
16:46 < krzee> nono, test it like in #2 above
16:47 < Fleck> OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
16:47 < Fleck> server
16:47 < reiffert> ancient.
16:47 < Fleck> clients are latest stable windows gui
16:48 < Fleck> reiffert so you say old versions were slow?
16:48 < reiffert> updating is worth a try.
16:50 < krzee> wait you said udp and tcp
16:50 < krzee> but also said
16:50 < krzee> [14:22] using http
16:50 < krzee> what http proxy allows udp??
16:50 < Fleck> noo
16:50 < Fleck> not that way :)
16:50 < Fleck> using http i tested speed
16:51 < krzee> ahh
16:51 < Fleck> cause with http i can try with and without vpn (port forward)
16:51 < krzee> i use iperf
16:51 < krzee> but i dont have windows
16:52 < krzee> (which explains why its so dark here)
16:52 < Fleck> lol
16:52 -!- krzee [krzee@openvpn/community/support/krzee] has left #openvpn []
16:52 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
16:53 < krzee> ecrist, do we still have the onjoin set to ##openvpn?
16:54 < Fleck> reiffert OpenVPN 2.2-beta5 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Dec 4 2010 <<< better? :D
16:55 < Fleck> btw have one more question
16:55 < Fleck> i have built keys for many clients
16:55 < Fleck> now one goes away and i need to delete it
16:55 < Fleck> how can i do that?
16:56 < Fleck> !delete keys
16:57 < Fleck> TUN/TAP TX queue length set to 100 << this is cool?
16:57 -!- p3rror [~mezgani@41.140.168.37] has joined #openvpn
16:57 < krzee> !factoids
16:57 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
16:59 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
17:02 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has joined #openvpn
17:02 < ElitestFX> Hi
17:03 < ElitestFX> TLS: soft reset sec=0 bytes=19444637/0 pkts=47261/0
17:03 < ElitestFX> anyone know how to make it so openvpn does get killed?
17:06 -!- venom00ut [~asdfds@unaffiliated/venom00] has quit [Ping timeout: 272 seconds]
17:06 < Bushmills> !revoke
17:07 < Bushmills> !revoke-full
17:08 < ElitestFX> huh?
17:08 < ElitestFX> oh, that's a channel command
17:09 < reiffert> !revoke
17:09 < reiffert> !factoids search revoke
17:09 <@vpnHelper> No keys matched that query.
17:09 < reiffert> !factoids search --values revoke
17:09 <@vpnHelper> "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that
17:09 <@vpnHelper> will create the CRL file for you. ssl-admin will also build a crl for you
17:10 < reiffert> !learn revoke as [crl]
17:10 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
17:11 < Fleck> :D
17:11 < reiffert> krzee: is [factoid] a reference, or a copy?
17:13 < Fleck> so i do ./revoke-full client ?
17:13 < reiffert> dont forget to source the vars file
17:14 < reiffert> 00:14 [fn] -!- Cannot join to channel ##openvpn (You must be invited)
17:14 < Fleck> ok thx reiffert
17:14 < Fleck> what kind of bot is vpnHelper ?
17:14 < reiffert> supi
17:14 < Fleck> thx
17:16 < Fleck> cant find such bot in google ;P
17:18 < reiffert> supy
17:19 < Fleck> ok thx reiffert again...!
17:22 < krzee> reiffert, its output from a script ecrist runs from time to time
17:26 < reiffert> krzee: nah, when using !learn foo as [bar], is [bar] a copy of !bar, or is it a reference to !bar?
17:27 < krzee> copy
17:31 < reiffert> thats bad for cases where the content of !bar changes
17:34 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:43 < ecrist> the output to the webpage is generated from a copy of the factoids database that is scp'd from the host vpnHelper is on to my web server
17:53 -!- p3rror [~mezgani@41.140.168.37] has quit [Ping timeout: 240 seconds]
17:56 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
18:10 -!- WinstonSmith [~true@dslb-088-073-111-064.pools.arcor-ip.net] has joined #openvpn
18:15 -!- WinstonSmith [~true@dslb-088-073-111-064.pools.arcor-ip.net] has quit [Ping timeout: 264 seconds]
18:15 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
18:17 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:28 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
18:28 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:33 -!- WinstonSmith [~true@f052098117.adsl.alicedsl.de] has joined #openvpn
18:33 -!- p3rror [~mezgani@41.140.98.175] has joined #openvpn
18:39 -!- p3rror [~mezgani@41.140.98.175] has quit [Ping timeout: 240 seconds]
19:18 -!- jfkw [~jtk@216.115.1.60] has quit [Quit: leaving]
19:36 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
19:42 -!- prettyrobots [~alan@66.93.0.189] has joined #openvpn
19:45 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:05 -!- teddz_ [~teddz@dtmd-4d0bfe47.pool.mediaWays.net] has quit [Quit: Ex-Chat]
20:30 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
20:39 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
20:39 <@vpnHelper> RSS Update - forum: OpenVPN GUI and the management port
21:02 < theDoc> Guys, question on salting passwords in a db.
21:02 < theDoc> Doesn't the salt have to be stored in the db itself and if the db is breached, wouldn't that put all the passwords at risk?
21:14 -!- prettyrobots [~alan@66.93.0.189] has quit [Quit: prettyrobots]
21:29 -!- kentr [~Kent@adsl-99-38-177-206.dsl.pltn13.sbcglobal.net] has quit [Quit: kentr]
22:08 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has quit [Quit: Leaving.]
22:09 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:11 -!- boojit [~boojit@67-4-149-89.mpls.qwest.net] has joined #openvpn
22:12 < boojit> exit
22:12 -!- boojit [~boojit@67-4-149-89.mpls.qwest.net] has quit [Client Quit]
22:13 -!- boojit [~boojit@67-4-149-89.mpls.qwest.net] has joined #openvpn
22:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
22:52 -!- mosno [~mosno@unaffiliated/mosno] has joined #openvpn
22:54 < mosno> i am generating the vpn server cert and key with build-key-server. why does the openvpn documentation say to run "./build-key-server server" instead of "./build-key-server --server MyActualCommonName"?
22:54 < mosno> oh
22:54 < mosno> nevermind, i didn't think to read the script. anyway, i ran "./build-key-server TheCN"
22:56 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
23:25 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
23:36 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn
23:54 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 260 seconds]
--- Day changed Wed Jan 19 2011
00:11 -!- dazo_afk is now known as dazo
00:21 -!- ucekpolish [user@hq.ostc-pl.com] has quit [Remote host closed the connection]
00:25 -!- Netsplit *.net <-> *.split quits: oc80z, MJD, diphthong, _zero_, mosno, @dazo, smerz, derekv, Meliorator, rot13, (+16 more, use /NETSPLIT to show all of them)
00:26 -!- ucekpolish1 [user@hq.ostc-pl.com] has joined #openvpn
00:29 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds]
00:29 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
00:31 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has joined #openvpn
00:31 -!- renihs_ [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined #openvpn
00:32 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn
01:19 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
01:32 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
01:57 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:27 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has joined #openvpn
02:27 -!- d12fk [~heiko@vpn.astaro.de] has joined #openvpn
02:27 -!- katoen [ce024205a3@xs8.xs4all.nl] has joined #openvpn
02:27 -!- daemon [~daemon@serial.daemonrage.net] has joined #openvpn
02:27 -!- sbrath [~sbrath@unaffiliated/sbrath] has joined #openvpn
02:27 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
02:27 -!- _zero_ [~zero@noc.toile-libre.net] has joined #openvpn
02:27 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
02:27 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
02:27 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
02:27 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
02:27 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
02:27 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn
02:27 -!- deever [~deever@static.172.68.46.78.clients.your-server.de] has joined #openvpn
02:27 -!- sigius [~sigius@93.125.185.45] has joined #openvpn
02:27 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
02:27 -!- oc80z [oc80z@blea.ch] has joined #openvpn
02:27 -!- holistah [~ryan@108-66-219-113.uvs.irvnca.sbcglobal.net] has joined #openvpn
02:27 -!- diphthong [~diphthong@69.172.135.243] has joined #openvpn
02:27 -!- rot13 [~var@unaffiliated/rot13] has joined #openvpn
02:27 -!- nijotz [~nick@li230-4.members.linode.com] has joined #openvpn
02:27 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
02:27 -!- Meliorator [~m@dunnington.eu] has joined #openvpn
02:27 -!- ServerMode/#openvpn [+o dazo] by niven.freenode.net
02:31 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds]
02:34 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn
02:47 <@vpnHelper> RSS Update - forum: TAP-Win32 connection unplugged
03:10 < Fleck> !mtu
03:10 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
03:14 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
03:14 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
03:14 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:18 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
03:20 < macsppadic> morning all
03:21 < theDoc> question guys, is md5sum and md5("string") in php different?
03:21 < theDoc> We're seeing different outputs on the same string.
03:22 < macsppadic> that wouldnt surprise me theDoc
03:22 < macsppadic> its php
03:22 < macsppadic> :-)
03:22 < theDoc> macsppadic: Oh good god, which one do I trust then?
03:23 < macsppadic> http://blog.sam-pointer.com/2010/01/26/md5sum-vs-phps-md5-function
03:23 <@vpnHelper> Title: md5sum vs. PHP's md5() function (at blog.sam-pointer.com)
03:23 < hyper_ch> theDoc: does one return capitals and the other one doesn't?
03:23 < theDoc> hyper_ch: Both lower case.
03:24 < theDoc> wtfphp
03:25 < macsppadic> i rest my case
03:25 * macsppadic has had nightmares upgrading phpbb
03:25 < theDoc> Now I just need to figure out which one to use for my radius deployment.
03:25 < macsppadic> sorry theDoc not sure if that link helps you but just making you aware of the nature of the beast
03:25 < hyper_ch> so php does it correctly and bash doesn't
03:25 < theDoc> macsppadic: It did.
03:26 < macsppadic> apparently
03:26 < theDoc> hyper_ch: Yep, that's right.
03:26 < hyper_ch> interesting
03:26 < macsppadic> yeah
03:26 < hyper_ch> and if you md5sum a file in bash and in php
03:26 < hyper_ch> no special switches needed?
03:26 < macsppadic> hyper_ch: never tested that out
03:27 < theDoc> hyper_ch: You'll need to use -n for new line in bash.
03:27 < theDoc> php you can just md5("string")
03:27 < hyper_ch> php <3
03:27 < macsppadic> theDoc: what version of php is it ?
03:27 < theDoc> I can't believe no one has patched it.
03:27 < theDoc> macsppadic: 5
03:28 < macsppadic> ok so its not like an older version or something
03:28 < theDoc> It gave me a massive WTF moment, :D
03:28 < macsppadic> trust me
03:28 < macsppadic> it blew my mind when i found that
03:28 < macsppadic> :-D
03:28 < theDoc> macsppadic: Well, it's a bash problem, not so much of a php one.
03:28 < theDoc> macsppadic: My mind = blown now. I was running around making sure that I typed in md5sum correctly, :(
03:28 < macsppadic> but it drives u mad when u discover stuff like that after spending hours trying to debug the issue
03:29 < theDoc> Tell me about it, I'm fixing my radius box and this has to happen.
03:29 < macsppadic> hehe
03:29 < theDoc> It gave me a wtf moment, along with the web developer.
03:29 < macsppadic> theDoc: i feel ur pain bro
03:29 < macsppadic> hehee
03:29 < theDoc> and I was like, md5 is broken?!?!? WTF?!?!
03:29 < macsppadic> http://andrey.mikhalchuk.com/2008/02/04/why-nix-md5sum-and-php-md5-do-not-match.html
03:29 < reiffert> You all didnt play with md5 yet, right?
03:30 < reiffert> or with hexdump.
03:30 < reiffert> or what is a line break, yeah
03:30 < reiffert> this is #openvpn.
03:31 < macsppadic> reiffert: apologies yes this is not the channel for php cursing
03:31 < theDoc> reiffert: Seldom, I usually use it to make sure my files are ok.
03:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
03:40 < Fleck> ok guys, with ping i get -s set max to 1472, with 1473 i get fragmentation error message
03:40 < reiffert> 1472 over the tunnel or outside?
03:41 < Fleck> tunnel
03:49 -!- master_of_master [~master_of@p57B55AE7.dip.t-dialin.net] has quit [Read error: Operation timed out]
03:49 < reiffert> theDoc: md5 is definitely broken. You can find collisions easily. That is you can pad whatever text foo, to have the same md5 value like text bar.
03:50 < theDoc> Hrrm.
03:50 < reiffert> http://www.mscs.dal.ca/~selinger/md5collision/
03:50 <@vpnHelper> Title: Peter Selinger: MD5 Collision Demo (at www.mscs.dal.ca)
03:52 < macsppadic> bloody ell
03:53 -!- master_of_master [~master_of@p57B52CCB.dip.t-dialin.net] has joined #openvpn
03:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
03:56 < Fleck> reiffert from client to server 1472 and from server to client 1472 too
03:57 < Fleck> inside or outside doesn't matter
03:58 < Fleck> so i guess my problem is not mtu
03:59 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:00 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
04:01 -!- mode/#openvpn [+o mattock] by ChanServ
04:01 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 265 seconds]
04:01 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
04:02 -!- boojit [~boojit@67-4-149-89.mpls.qwest.net] has quit [Ping timeout: 264 seconds]
04:07 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:10 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has quit [Read error: Operation timed out]
04:11 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
04:25 -!- alhadi [~thunderst@92.99.129.36] has joined #openvpn
04:25 -!- alhadi [~thunderst@92.99.129.36] has quit [Changing host]
04:25 -!- alhadi [~thunderst@unaffiliated/alhadi] has joined #openvpn
04:41 -!- dazo is now known as dazo_afk
04:46 -!- rot13 [~var@unaffiliated/rot13] has quit [Ping timeout: 276 seconds]
04:48 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has joined #openvpn
04:49 < Fleck> reiffert ok so, over tunnel - i get 5.2MB/sec downloading file with http
04:49 < Fleck> without vpn 11MB/sec :/
04:50 -!- common [~common@p5DDA48B3.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
04:52 -!- common [~common@p5DDA484C.dip0.t-ipconnect.de] has joined #openvpn
04:53 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has quit [Ping timeout: 246 seconds]
04:53 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
04:54 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has joined #openvpn
04:59 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
05:01 < Fleck> anyone?? :(
05:06 <@vpnHelper> RSS Update - forum: configure open vpn file
05:11 < Fleck> !factoids search slow
05:11 <@vpnHelper> No keys matched that query.
05:11 < macsppadic> hey there Fleck whats up ?
05:12 < Fleck> macsppadic vpn slow :(
05:12 < Fleck> over tunnel - i get 5.2MB/sec downloading file with http
05:12 < Fleck> without vpn 11MB/sec :/
05:12 < macsppadic> whoa
05:12 < macsppadic> hmm
05:12 < Fleck> thats 2x slower
05:12 < macsppadic> any traffic shaping happening for vpn data?
05:12 < macsppadic> within firewall or some such goodness
05:13 < Fleck> nope i dont have any traffic shaping
05:13 < macsppadic> ok that's odd
05:14 < macsppadic> Fleck so tun or tap interface?
05:15 -!- rond [~me@pool-71-170-131-187.dllstx.fios.verizon.net] has joined #openvpn
05:15 < macsppadic> thats odd
05:15 < macsppadic> 2x speed reduction
05:15 < Fleck> tap
05:18 < Fleck> no QoS enabled and no firewall enabled on router
05:20 < Fleck> any ideas guys?
05:20 < macsppadic> must confess cant think of any -
05:21 < rjd_> could it not be the isp prioritizing down udp streams
05:21 < Fleck> i can try set vpn to listen on 80 port, maybe 1194 gets shaped in ISP somewhere
05:21 < rjd_> or something?
05:21 < macsppadic> rjd_: yes that could be
05:21 < rjd_> test tcp over port 80
05:21 < Fleck> ok!
05:21 < rjd_> and possibly udp over 53 :)
05:21 < macsppadic> :-)
05:21 < Fleck> hehe
05:21 < Fleck> ok
05:22 < rjd_> where is the vpn server, and from where are you testing the speed?
05:23 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
05:23 < Fleck> what do you mean by - where
05:24 < rjd_> geographical location
05:24 < rjd_> far away from you?
05:24 < rjd_> across the atlantic? :)
05:24 < Fleck> nope few KM
05:24 < rjd_> in the building next to you?
05:24 < Fleck> 5 max
05:25 < rjd_> and on the server itself you get how much in your test of speed?
05:25 < rjd_> and what do you test? some tcp download or a speedtest site?
05:26 < Fleck> rjd_ ok in server side i have router and in LAN i have one linux PC with openVPN server installed
05:27 < Fleck> on the same box i have web server
05:28 < Fleck> i have set up port forwarding to that webserver
05:28 < rjd_> and its from that web server you try to get the file?
05:28 < Fleck> now client has router and linux pc in lan
05:28 < Fleck> when from client side i download file from my webserver with portforwarding - i get 11MB/sec speed
05:28 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:28 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:28 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:28 < Fleck> if i do that over tunnel - i get 5.2MB/sec max
05:29 < rjd_> ok. test vpn over port 80 (or perhaps 443) and tcp
05:29 < Fleck> ok
05:29 < rjd_> dont know how much extra overhead the tcp over tcp will be, but I think you should be able to get about 75-80%
05:29 < rjd_> you already controlled that it's not lack of cpu resources on the vpn server?
05:29 < Fleck> udp is better?
05:29 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
05:30 < rjd_> yes, because with tcp its tcp over tcp
05:30 < rjd_> pretty much an ack per ack or something :p
05:30 < Fleck> rjd_ when downloading over tunnel - openvpn "eats" about 20% CPU
05:30 < rjd_> transmission control.. on packets that already are transmission controlled..
05:31 < rjd_> ok, is it a quad core?
05:31 < Fleck> nope dual
05:31 < rjd_> ok
05:31 < Fleck> clients PC is laptop, also dual core
05:33 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Client Quit]
05:35 < theDoc> Ok, any radius monkeys in here? :)
05:37 < macsppadic> Fleck: yes with tcp over tcp - ack hell - can be problematic
05:38 < macsppadic> theDoc: i know of it
05:38 < macsppadic> probably just left the ocean in evolutionary terms tho as regards RADIUS
05:39 < theDoc> lmao
05:39 < theDoc> macsppadic: I just want to know, using SMD5-Password, what is the correct format of specifying the hash + salt?
05:39 < theDoc> is it supposed to be like, hash:salt or something?
05:40 < theDoc> and fuck google, there's almost nothing on that topic.
05:40 < macsppadic> doh- just googled
05:40 < macsppadic> :-)
05:41 < theDoc> macsppadic: lmao, there's little to no information on the correct entry of hash + salt in sql.
05:41 < theDoc> I'm almost certain you can't just throw everything into the db and expect it to work.
05:42 < theDoc> That's my last problem.
05:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:43 < macsppadic> theDoc: forgive my ignorance - so RADIUS set to look at db and u have got SMD5 as the hash function
05:44 < theDoc> macsppadic: SMD5 as the attribute.
05:44 < macsppadic> silly me
05:44 < theDoc> Well, the passwords were basically md5($salt,$password)
05:44 < theDoc> of course, the salt is a static salt.
05:44 < theDoc> :D
05:45 < cpm> someone please pass the salt
05:45 < macsppadic> :-)
05:46 -!- mosno [~mosno@unaffiliated/mosno] has joined #openvpn
05:47 < Fleck> seems that client cant connect to udp 53, maybe udp 53 gets redirected to isps DNS servers
05:47 < theDoc> grr.
05:48 < theDoc> This is the last effin' problem I have with radius.
05:48 < theDoc> @_@
05:48 < Fleck> anyway 1194 with udp was a bit faster, got 5.6MB/sec
05:48 < macsppadic> just trying to refresh my memory on RADIUS theDoc
05:48 < macsppadic> :-)
05:48 < macsppadic> only tried it a while back n never bothered with it
05:48 < theDoc> macsppadic: Well, please let me know if anything comes to mind, :P
05:48 < macsppadic> hehee
05:48 < macsppadic> i wonder why i never went back
05:48 < macsppadic> :-P
05:49 < Fleck> ohh no, my bad, 1153 port was on client side, ok so, no difference with port 53 udp, same ~ 5.6MB/sec
05:50 < theDoc> lmao
05:50 < theDoc> This radius documentation is skimpy as hell.
05:50 < macsppadic> yes that does bring back memories
05:50 < macsppadic> wasnt there something about particular authentication schemes PAP Or some such madness?
05:51 < macsppadic> blimey twas a while ago
05:51 < theDoc> macsppadic: I have that sorted.
05:51 < macsppadic> ahh ok
05:51 < theDoc> Only problem once again, is that the passwords don't match because I have no clue how to insert the salt into the db
05:51 < theDoc> :\
05:54 < Fleck> tcp 80 - same problem, 5.2MB/sec
05:54 < Fleck> seems that there is no ISP shaping going on
05:54 < Fleck> something else
05:56 < theDoc> 5.2MB, that's 40mbit! OMG! *waggles*
05:57 < Fleck> udp 5.6MB/sec
05:58 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: leaving]
05:58 < Fleck> are there simpler encryption methods that don't "eat" so much cpu resources?
05:58 < macsppadic> theDoc: found a trail here
05:58 < macsppadic> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg26079.html
05:58 <@vpnHelper> Title: RE: FreeRadius + MySQL & Encrypted passwords (at www.mail-archive.com)
05:59 < Fleck> laptops openvpn process is at 68%
05:59 < macsppadic> doubt thats the one tho
05:59 < theDoc> macsppadic: Yeah, I saw that already
05:59 < theDoc> :\
05:59 < theDoc> It isn't.
05:59 * theDoc twiddles his ears.
06:00 < macsppadic> yes now i remember why i hated this
06:00 < macsppadic> bleeding lack of doc
06:01 < theDoc> lmao
06:01 < macsppadic> as per docs SMD5-Password is attribute - oh look it says its got with a salt as well
06:01 < theDoc> Precisely but no one says how to format that string in the database!
06:01 < theDoc> That's my problem.
06:01 < macsppadic> what db are you using?
06:01 < theDoc> mysql
06:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
06:06 < Fleck> !password-only
06:06 <@vpnHelper> "password-only" is http://openvpn.net/archive/openvpn-users/2004-10/msg00418.html
06:07 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has joined #openvpn
06:07 <@vpnHelper> RSS Update - forum: Need help with OpenVPN setup
06:09 < macsppadic> theDoc: am sure u probably checked but just asking - in radius sql module any thing that could possibly help?
06:10 < Fleck> so guys any ideas what to try next? :(
06:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:27 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
06:31 < gladiatr> Fleck, good morning :) I was scanning your conversation here... you are essentially reporting that your throughput from the client is around 50% of a direct connection. What sort of connection is the client using?
06:31 < Fleck> optic
06:31 < Fleck> 200Mbit/sec
06:31 < Fleck> i have optic 100Mbit/sec
06:33 < gladiatr> nice. Was curious... what you're observing is common with asymmetrical client connections
06:35 < Fleck> well i have more or less symmetrical connections
06:36 < Fleck> anyway for asymmetrical - any fix? i can try that
06:38 < gladiatr> Not really. It comes down to the tunnel is only going to operate as fast as the packets that maintain it move over the internet.
06:38 < Fleck> so what can i do now?
06:39 < gladiatr> One thing you might try, just to rule out this as a possibility (and if you are able) is to set up a client system on the same VLAN or network that your VPN server is connected to.
06:40 < Fleck> ohh btw i did with another client
06:40 < Fleck> with that client we have symmetrical 100/100 im sure
06:40 < Fleck> same problem
06:41 < Fleck> anyway i dont have such difference between upload and download - thats for sure
06:41 < Fleck> not 50%
06:42 < Fleck> maybe 20%...
06:45 < gladiatr> hrm...
06:45 < gladiatr> Are you able to set things up for a local test?
06:46 < Fleck> sure i could try that
06:46 < Fleck> and if the same results?
06:46 -!- corretico [~laguilar@201.201.44.82] has quit [Remote host closed the connection]
06:47 < gladiatr> I will think on that while drinking my coffee :)
06:48 < Fleck> ;p
06:54 < Fleck> gladiatr ok
06:54 < Fleck> same thing :)
06:54 < Fleck> slow i mean
06:54 < gladiatr> hrm...
06:55 < Fleck> 4.6MB/sec
06:55 < gladiatr> and this is a routed/tun connection, yes?
06:55 < Fleck> yes, over tunnel
06:55 < gladiatr> (that's still not shabby, but I understand your concern with the speed difference)
06:55 < Fleck> direct 10+ MB/sec
06:57 < gladiatr> hrm. what was the result of the mtu tests that you ran?
06:58 < Fleck> 1472 with ping
06:58 < Fleck> so +20 +8 = 1500
06:59 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
06:59 < gladiatr> Roger that. At the moment, I've got nothin'. I'll let this float around for a bit. If anything occurs to me, I'll ping you with it. :\
07:00 < Fleck> download stops locally
07:00 < Fleck> that points to mtu problem, right?
07:01 < gladiatr> what do you mean--stops locally?
07:01 < Fleck> btw locally vpnserver is with gigabit link (gigabit switch and card), but laptop local is 100mbit card so 100mbit link
07:02 < Fleck> stops, suddenly reports - downloaded :D
07:02 < gladiatr> still shouldn't be an issue. Are you running jumbo frames on that switch?
07:02 < Fleck> dunno, thats simple home switch
07:02 < Fleck> with no management etc
07:02 < gladiatr> Ah. Probably not then :)
07:04 -!- dollabill [~mike@199.44.8.98] has joined #openvpn
07:04 < gladiatr> Do you, by any chance, have a crossover ethernet cable?
07:04 < Fleck> gladiatr naah, but i can make one! :)
07:04 < Fleck> have connectors and tool too
07:05 < Fleck> sec, will make one! :)
07:06 < gladiatr> Ok. What just occurred to me is that there are going to be a lot of frames hopping through that switch; that perhaps what is happening is that having such a high speed connection combined with the VPN tunnel packets might be stressing your switch's abilities
07:06 < gladiatr> ^^^ kind of a stretch
07:06 < Fleck> btw thx for helping... and ideas! :)
07:06 < gladiatr> So, as another test, perhaps connect the laptop directly to your vpn server with a crossover
07:06 < gladiatr> and rerun your transfers
07:07 < Fleck> ok, one moment please! :)
07:07 < gladiatr> This is kind of a reach, but I have encountered non-enterprise switches that experience performance degradation under high frame load
07:11 < Fleck> cable done, brb... :)
07:12 < gladiatr> k
07:16 -!- Fleck [~we@unaffiliated/fleck] has quit [Ping timeout: 264 seconds]
07:18 -!- Fleck [~we@85.158.73.148] has joined #openvpn
07:18 -!- Fleck [~we@85.158.73.148] has quit [Changing host]
07:18 -!- Fleck [~we@unaffiliated/fleck] has joined #openvpn
07:18 < Fleck> same speed gladiatr
07:18 < Fleck> ;D
07:19 < gladiatr> hrm. Ok. You now have a bright, shiny crossover cable to erm... keep until you need it... in a couple years or so :D
07:19 < Fleck> yeah :))
07:20 < Fleck> not a big deal/problem
07:20 < gladiatr> I'm out of ideas again. I'll pop back in if something else occurs to me.
07:20 < Fleck> ;(
07:20 < theDoc> Fleck: Have you tried going over to the switch and planting a kiss on her head?
07:20 < Fleck> hehe :)
07:21 < theDoc> I heard chocolates work good too.
07:21 < theDoc> I'm also stuck :P
07:21 < theDoc> radius.
07:21 < theDoc> fml
07:21 < Fleck> heh
07:21 < Fleck> thats not good
07:22 < theDoc> http://www.youtube.com/watch?v=mhPUzgfBoS8&feature=related
07:22 <@vpnHelper> Title: YouTube - Jay Chou - Herbalist Manual MV (at www.youtube.com)
07:22 < theDoc> This is such an awesome song to rock to
07:22 < theDoc> :D
07:23 -!- gryzli [~gryzli@94.155.42.130] has joined #openvpn
07:24 < Fleck> gladiatr btw maybe something with TAP ?
07:24 < gladiatr> Hrm...
07:26 < gladiatr> Yeah... not a big windows user here... I suppose to rule that out (or in) you could boot your laptop from a live linux or bsd disk/SD with your client config/keys/etc to give it a try
07:27 < Fleck> not windows
07:27 < Fleck> linux
07:27 < Fleck> openvpns server
07:27 < gladiatr> oh... you're running a bridged connection?
07:27 < Fleck> i have tried already linux and windows - no difference
07:28 < Fleck> yes i have br0 (took eth0 IP) and tap0
07:28 < gladiatr> ohohohoh.
07:28 -!- exa [~exa@x.factor.cc] has quit [Remote host closed the connection]
07:28 < gladiatr> hahahaha. Stupid me for not asking clearly before.
07:28 < Fleck> sorry ;(
07:29 < Fleck> so now ideas?
07:29 < Fleck> just don't say its normal
07:29 < Fleck> :D
07:29 < gladiatr> That's pretty much 100% expected that you are going to cut your throughput by a significant amount. Your VPN is processing all of your layer-2 traffic
07:29 < gladiatr> It is
07:29 < ecrist> Fleck: are you still troubleshooting your bandwidth issues?
07:29 < gladiatr> unfortunately
07:29 < gladiatr> ecrist, he is
07:29 < Fleck> ecrist yes
07:29 < reiffert> gladiatr: that layer two traffic is at 1-2KB/s
07:29 < ecrist> and how much are you actually getting?
07:29 < Fleck> ecrist 50%
07:30 < ecrist> I don't want relative, I want actual
07:30 < Fleck> well direct connection 11MB/sec
07:30 < Fleck> over tunnel 5.6MB/sec
07:31 < reiffert> Fleck: how fast is it for tun setup?
07:32 < Fleck> dunno, have not tried tun
07:32 < Fleck> i liked this kind of setup because...
07:32 < reiffert> try it, should last some minutes to change the setup.
07:32 < Fleck> really?
07:33 < theDoc> OH GOOD FUCKING GOD
07:33 < reiffert> no, really.
07:33 < theDoc> WHY DOESN'T THE PASSWORDS MATCH?!?!?!
07:33 < theDoc> >:o
07:33 < macsppadic> am back theDoc
07:33 < macsppadic> any luck?
07:33 < reiffert> theDoc: your caps lock key is stuck.
07:33 < ecrist> Fleck: and that's on the PIII 733 or such, right?
07:33 < Fleck> ecrist not anymore
07:33 < Fleck> on dual core amd
07:34 < ecrist> openvpn isn't multithreaded, so it'll only use a single core.
07:34 < Fleck> 2.6ghz
07:34 < Fleck> and 1.6ghz for client - test pc
07:35 < Fleck> laptop
07:35 < theDoc> reiffert: :D
07:37 < reiffert> Fleck: just to be sure, change it to tun and try again.
07:37 < Fleck> where do i do that?
07:37 < reiffert> Fleck: what switch are you using and: is it a direct connection? please provide a traceroute
07:37 < reiffert> Fleck: server.conf, client.conf
07:38 < ecrist> Fleck: what are you using to test your bandwidth throughput
07:38 < reiffert> wget I think
07:38 < reiffert> 23:50 < Fleck> using http i tested speed
07:38 < reiffert> 23:51 < Fleck> cause with http i can try with and without vpn (port forward)
07:38 < Fleck> ecrist downloading simple file 4.2GB over http
07:38 < Fleck> yes ;)
07:39 < Fleck> thx reiffert :)
07:39 < ecrist> ok
07:39 < reiffert> Fleck: so what about the direct connection between server and client, is it direct?
07:39 < reiffert> what network components live in between?
07:39 < Fleck> reiffert: gladiatr suggested crossed cable - tried that - same speed
07:40 < Fleck> gigabit switch at the moment, but as i said - no difference
07:40 < ecrist> gigabit devices (most of them) do auto-sensing for crossover
07:41 < Fleck> ecrist i mean i tried crossover direct - server to client
07:41 < Fleck> w/o switch
07:41 < Fleck> and that made no difference at all
07:41 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
07:41 < Fleck> btw
07:41 < Fleck> Options error: --server-bridge directive only makes sense with --dev tap
07:41 < ecrist> I understand, I was just stating you could have gotten away with just a straight-through cable between them
07:41 < Fleck> when i replaced tap with tun
07:42 < ecrist> tap = layer 2, tun = layer 3 for the most part
07:43 < Fleck> so its not so quick to change from tap to tun ;/
07:43 < reiffert> which gigabit switch?
07:44 < reiffert> and why do you only have 11MB/s without openvpn when using GBIT?
07:44 < Fleck> reiffert doesnt matter - without switch = no difference
07:44 < Fleck> reiffert cause laptop has 100mbit card?
07:44 < reiffert> oh get some better testing environment.
07:44 < ecrist> reiffert: probably IO bound on disk on one system or the other.
07:44 < reiffert> 5 USD that the bottleneck is the laptop.
07:45 < Fleck> ;D
07:45 < reiffert> Fleck: try with a 10MB file.
07:45 < reiffert> (to exclude the hard drives)
07:45 < Fleck> ok let me try on other PC, not laptop, with gbit card
07:45 < reiffert> and then change to tun, just to be sure
07:46 < Fleck> reiffert well doubt, cause direct is 11MB/sec...
07:46 < reiffert> Cause I dont think (like gladiatr does), that tap is the bottleneck.
07:46 < gladiatr> reiffert, s'ok. I understand the logic, but in practice, a bridged connection is much less efficient than a routed connection.
07:47 < reiffert> gladiatr: much less for 1-2KB/s?
07:47 < gladiatr> heck yeah.
07:47 < gladiatr> And it gets progressively worse the more systems are a member of the bridged LAN
07:47 < reiffert> I dont see the "yeah" part?
07:47 < reiffert> I've got 1-2KB/s in a bridged setup with ~50 members.
07:48 < gladiatr> No multicast clients, huh? Static arp? :)
07:49 < reiffert> no static arp.
07:50 < gladiatr> I'm not saying you can't configure a network environment that is vpn-bridge friendly--my experience is that most VPNs are bolted on to the network after it is being lived in. Even modern linux distros are stinky with multicast services.
07:51 < gladiatr> (client/desktop targeted distros, that is)
07:51 < reiffert> I'm talking about 40 OS X machines in my setup.
07:52 < Fleck> ok test done
07:52 < Fleck> with gigabit links over vpn i get 11MB/sec
07:52 < Fleck> without 70MB/sec
07:52 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
07:52 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
07:52 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
07:54 < gladiatr> reiffert, Huh. Stock network configuration? I've got 4 macs in-house, so I'm not familiar with os x's network detritus--just that of windows, network printers and linux clients.
07:55 < Fleck> so the problem is even bigger with gigabit link
07:56 < ecrist> no, I think you're IO limited
07:56 < Fleck> ok where i increase io limit?
07:57 -!- le0 [~fin@unaffiliated/le0] has quit [Client Quit]
07:59 < reiffert> gladiatr: OS X uses multicast and broadcast announcements for its service discovery announcements
07:59 < reiffert> Fleck: whats your debug level, verbose, verb that is?
07:59 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig.
07:59 < Fleck> 3
07:59 < gladiatr> Ok. Similar to the rest of the crowd then :)
08:00 < reiffert> Fleck: *thats* the question. Now change to tun.
08:00 < reiffert> Fleck: and get rid of that fragment, mss-fix and tun stuff.
08:01 < reiffert> Fleck: after switching to tun, try without encryption and without compression (lzo).
08:02 < reiffert> then we have a sane value for further adjustments.
08:03 < reiffert> s,tun stuff,mtu stuff,
08:03 < reiffert> Fleck: btw, what are the operating systems you are running?
08:04 < Fleck> i have win7 only here with gigabit card
08:04 < Fleck> tried linux and windows xp too
08:04 < Fleck> similar results everywhere
08:04 < reiffert> the windows tap driver is limited to 100mbit/s IIRC.
08:05 < Fleck> ok then thats why i get only 11MB/sec with gigabit link...
08:07 < reiffert> so get rid of that windows stuff.
08:10 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig.
08:19 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:21 < Fleck> with tun and w/o encryption/compression i get around ~8MB/sec
08:21 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has quit [Remote host closed the connection]
08:42 -!- OiPolloi [~sena@gw.identity.pt] has joined #openvpn
08:43 < OiPolloi> hello
08:43 < secretary_linux> hi
08:46 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig.
08:47 < OiPolloi> I'm using OpenVPN with password authentication (via a script with auth-user-pass-verify), and everything is working fine. However, when a user's password contains some special characters (like accented letters, for example), the script receives the password without those characters... Anyone knows what's happening here?
08:48 < OiPolloi> OpenVPN's documentation states that: "The password string can consist of any printable characters except for CR or LF."
08:49 < OiPolloi> So it should be fine...
08:51 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has joined #openvpn
08:52 < hid3> Hello everyone. Each time I try to connect from my laptop (Windows 7) to my server's VPN (linux/debian), I need to reconnect two times. The first time in status window I see those messages: http://pastebin.com/tfXyBii8 . After I disconnect / reconnect, then it connects normally. Any ideas what's wrong?
08:54 < Rienzilla> hmm these messages seem normal
08:55 < hyper_ch> I'd blame windows 7
09:07 < gladiatr> hid3, what is your route-delay set to?
09:08 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
09:08 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
09:08 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
09:08 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
09:11 < gladiatr> Bueller...
09:13 * gladiatr goes outside to smoke...
09:13 -!- gladiatr is now known as gladiatr_smokin
09:16 -!- sentmen [bccdf3f6@gateway/web/freenode/ip.188.205.243.246] has joined #openvpn
09:16 < sentmen> Hi all
09:16 < sentmen> I have a problem
09:17 < sentmen> I have 2 linux servers
09:18 < sentmen> On the vpn server (server 1) i will start the openvpn server
09:18 < sentmen> But server 2 has no tap0
09:18 < sentmen> How can i install it again?
09:21 -!- OiPolloi [~sena@gw.identity.pt] has quit [Quit: OiPolloi]
09:22 -!- gladiatr_smokin is now known as gladiatr
09:22 <@vpnHelper> RSS Update - forum: Two link in load-balance causing tunnels the stop working
09:23 < gladiatr> sentmen, it will be created when openvpn initially opens the device
09:24 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn
09:24 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds]
09:24 -!- Cain` is now known as Cain
09:25 < gladiatr> sentmen, if you need it beforehand, you create it with the command: openvpn --mktun --dev tap4
09:25 < gladiatr> (or whatever tap interface designation you need)
09:25 < gladiatr> !mktun
09:25 < gladiatr> !factoids search mktun
09:25 <@vpnHelper> No keys matched that query.
09:28 < hid3> gladiatr: I don't have any route-delay set...
09:28 < gladiatr> hid3, add the following to your client configuration and try connecting again: route-delay 5 20
09:29 < hid3> Thanks, will try it in a moment
09:31 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
09:32 < hid3> gladiatr: Thanks, it looks like this solved the problem
09:32 < gladiatr> schweet :0
09:32 < gladiatr> :)
09:32 -!- sentmen [bccdf3f6@gateway/web/freenode/ip.188.205.243.246] has quit [Ping timeout: 265 seconds]
09:35 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig.
09:41 < theDoc> macsppadic: I cbf'ed to look at the md5 shit now, went with crypt.
09:41 < theDoc> Works like a charm.
09:42 < macsppadic> oh?
09:42 -!- jfkw [~jtk@216.115.1.60] has joined #openvpn
09:42 < macsppadic> so what u change in radius conf?
09:42 < theDoc> Yeah.
09:42 < theDoc> I just changed it in the sql db from smd5-password to crypt-password
09:42 < theDoc> and the m'fucking thing works like a charm.
09:44 < theDoc> macsppadic: for my own sanity.
09:44 < theDoc> I'm about to break my laptop and the vm.
09:44 < macsppadic> :-D
09:44 < macsppadic> well glad that worked
09:44 < macsppadic> i think issue with the damn smd5 to be honest
09:44 < macsppadic> or rather support for it
09:44 < theDoc> I was about to burst a vein, I tell you.
09:45 < macsppadic> am not surprised
09:45 < theDoc> The damn thing was eating away at my sanity.
09:50 < macsppadic> thank the lord thats sorted then
09:51 < theDoc> macsppadic: I'm going to steer really far away from md5 salted hashes from now
09:51 < theDoc> All I hear from that is, PAIN!
09:51 < macsppadic> hehehe
09:51 < theDoc> Don't get me started, I was raging on this for a long time.
09:53 <@vpnHelper> RSS Update - forum: Need help with OpenVPN setup
09:53 -!- macsppadic is now known as Jokersppadic
09:53 -!- resno [~bryan@unaffiliated/resno] has joined #openvpn
09:53 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has left #openvpn ["Leaving"]
09:54 < resno> hello all. considering setting up a vpn for the office. is there a way to make it automatically setup the clients machine?
09:54 < resno> windows*
09:55 < theDoc> resno: What's your idea of "automatically"?
09:56 < resno> eh, the user doesnt need to know alot about how it works, outside of credentials, etc
09:56 < resno> a novice user can almost just start and type in a few things and it works
09:57 < resno> or does an "expert" need to configure it
09:58 -!- sentmen [bccdf3f6@gateway/web/freenode/ip.188.205.243.246] has joined #openvpn
09:58 < sentmen> Hi all
09:59 < ecrist> resno: you'll need to configure, but it's pretty simple to install
09:59 < ecrist> the user does a generic install, and copies some files you provide to a directory
09:59 < ecrist> voila
09:59 < sentmen> I have 2 servers, server 1 is the openvpn server. The other is the vpn client (both in linux)
10:00 < sentmen> But when i install openvpn, the tap0 will not install
10:00 < sentmen> How can i install it manually
10:02 < gladiatr> erm... modprobe tun
10:04 < sentmen> Can you also say what the command is to set the tap1 device manually?
10:04 < sentmen> Because if i type ifconfig tap0 don't show, but only tap1
10:05 < resno> ecrist: sweet thanks :)
10:05 < sentmen> Hmm...
10:06 < sentmen> If i type "ifconfig tap0" it will show, but if i start the openvpn service it gets no ip
10:07 -!- Jokersppadic [~sonupunno@88.211.55.77] has left #openvpn []
10:09 -!- void_pointer [~void@unaffiliated/void-pointer/x-0665301] has joined #openvpn
10:10 < void_pointer> !welcome
10:10 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:10 < void_pointer> !goal
10:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:10 < void_pointer> !route
10:10 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:10 < void_pointer> !redirect
10:10 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:11 < void_pointer> !def1
10:11 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
10:11 < void_pointer> !sample
10:11 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
10:15 < sentmen> If i type "ifconfig tap0" it will show, but if i start the openvpn service it gets no ip
10:18 -!- void_pointer [~void@unaffiliated/void-pointer/x-0665301] has quit [Ping timeout: 246 seconds]
10:19 -!- void_pointer [~void@unaffiliated/void-pointer/x-0665301] has joined #openvpn
10:19 < dvl> sentmen: What do the logs show?
10:22 < sentmen> dvl: I got it. It has started from tap, not tap0 :)
10:22 < dvl> Progress.
10:45 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
10:45 -!- void_pointer [~void@unaffiliated/void-pointer/x-0665301] has quit [Ping timeout: 240 seconds]
10:45 -!- void_pointer [~void@173.192.53.132] has joined #openvpn
10:45 -!- void_pointer [~void@173.192.53.132] has quit [Changing host]
10:45 -!- void_pointer [~void@unaffiliated/void-pointer/x-0665301] has joined #openvpn
11:01 -!- chr1s [5d61f643@gateway/web/freenode/ip.93.97.246.67] has joined #openvpn
11:02 < chr1s> hi guys, does anyone know how I can benchmark openvpn connections?
11:03 -!- resno [~bryan@unaffiliated/resno] has left #openvpn []
11:03 < reiffert> !forward
11:03 < reiffert> !factoids search forward
11:03 <@vpnHelper> 'winipforward', 'linipforward', 'fbsdipforward', 'linportforward', 'osxipforward', and 'ipforward'
11:03 < reiffert> !winipforward
11:03 <@vpnHelper> "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
11:09 -!- s7r [~s7r@80.79.116.232] has joined #openvpn
11:10 -!- sentmen [bccdf3f6@gateway/web/freenode/ip.188.205.243.246] has quit [Ping timeout: 265 seconds]
11:12 < reiffert> !factoids search nat
11:12 <@vpnHelper> 'nat', 'linnat', 'fbsdnat', 'pfnat', 'freebsdnat', 'bsdnat', 'donate', 'winnat', and 'openvzlinnat'
11:12 < reiffert> !winnat
11:12 <@vpnHelper> "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
11:12 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has quit []
11:13 < s7r> krzee: u there?
11:15 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Quit: Leaving.]
11:18 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
11:20 -!- Shards_of_Narsil [~wsduvall@vtluug/member/ackthet] has joined #openvpn
11:20 <@vpnHelper> RSS Update - forum: benchmark openvpn connection
11:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
11:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:24 -!- p3rror [~mezgani@41.140.99.17] has joined #openvpn
11:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
11:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
11:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:31 -!- chr1s [5d61f643@gateway/web/freenode/ip.93.97.246.67] has quit [Quit: Page closed]
11:32 -!- WinstonSmith [~true@f052098117.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
11:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
11:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:37 -!- void_pointer [~void@unaffiliated/void-pointer/x-0665301] has quit [Ping timeout: 255 seconds]
11:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
11:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:41 -!- p3rror [~mezgani@41.140.99.17] has quit [Ping timeout: 240 seconds]
11:44 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:44 -!- p3rror [~mezgani@41.140.169.126] has joined #openvpn
11:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 250 seconds]
11:46 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has joined #openvpn
11:47 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
11:47 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:51 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig.
11:52 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:52 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:54 -!- p3rror [~mezgani@41.140.169.126] has quit [Read error: Connection reset by peer]
11:55 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
11:55 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:59 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
12:00 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:03 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig.
12:03 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
12:04 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:08 -!- p3rror [~mezgani@41.140.156.248] has joined #openvpn
12:08 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
12:09 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:12 < havoc> bah
12:12 < havoc> need to run ovpn as non-admin in win7
12:13 < havoc> I know there's a factoid on this
12:13 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Max SendQ exceeded]
12:13 < havoc> plus I've found stuff on google
12:13 -!- buntfalke_ [~nobody@openvpn-p0-052.triple-a.uni-kl.de] has joined #openvpn
12:13 -!- buntfalke_ [~nobody@openvpn-p0-052.triple-a.uni-kl.de] has quit [Changing host]
12:13 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:16 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
12:16 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:17 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 264 seconds]
12:19 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
12:21 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn
12:21 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host]
12:21 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
12:21 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:21 < havoc> is this the definitive way to run openvpn as non-admin in windows? http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin.html
12:21 <@vpnHelper> Title: HowTo Run OpenVPN as a non-admin user in Windows (at openvpn.se)
12:24 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
12:25 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:29 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
12:29 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:32 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
12:32 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:39 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig.
12:45 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig.
12:46 -!- jfkw [~jtk@216.115.1.60] has quit [Ping timeout: 240 seconds]
12:49 < gladiatr> havoc, That certainly worked for the xp/2000 generation; however, I haven't tested (or read about anyone testing) this method with vista or 7.
12:50 < havoc> yeah, this would be on win7
12:53 -!- mete [~metefr@84.200.12.194] has joined #openvpn
12:53 < mete> hi all
12:53 < mete> is there an option that openvpn listen only on one ip address for connections?
12:54 < gladiatr> mete, it's the "local" directive
12:55 -!- OhMyGuru [~OhMyGuru@81-67-200-162.rev.numericable.fr] has joined #openvpn
12:55 < OhMyGuru> yo
12:55 < gladiatr> !factoid search local
12:55 < mete> so in config "local 1.2.3.4"
12:55 < gladiatr> mete, yes
12:55 < mete> k ;) I try
12:56 < mete> thank you gladiatr
12:56 < gladiatr> np
12:56 < mete> I've searched for something like "lip" ;)
12:56 < mete> because of "lport" xDD
12:57 < OhMyGuru> I have one computer connected to a dedicated server running openvpn, and I want this computer to get the public IP address of the dedicated server (OpenVPN server) to go on the web
12:57 < OhMyGuru> and I don't get it on google :(
12:57 < gladiatr> For reference, the how-to on the openvpn.net doc page has a sample server configuration that has a decent inventory of commonly used options
12:58 < OhMyGuru> Anyone can help me ?
12:58 -!- Malard [~ident@xbmc/staff/malard] has quit [Quit: —I-n-v-i-s-i-o-n— 3.2 (July '10)]
12:59 < gladiatr> OhMyGuru, That wouldn't actually be possible; however, you could set up your openvpn server to nat your client network
12:59 < OhMyGuru> it's what I did I guess
12:59 -!- Malard [~ident@hebe.travelrepublic.co.uk] has joined #openvpn
12:59 -!- Malard [~ident@hebe.travelrepublic.co.uk] has quit [Changing host]
12:59 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn
12:59 < OhMyGuru> echo 1 > /proc/sys/net/ipv4/ip_forward
12:59 < OhMyGuru> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
13:00 < OhMyGuru> isn't it ?
13:00 < gladiatr> looks reasonable
13:01 < OhMyGuru> but probably that I have to tell my computer to use the VPN as the gateway to go out on the web ?
13:01 < OhMyGuru> (I mean my computer still use the default gateway ? not the VPN one ?)
13:01 < gladiatr> yes
13:01 < gladiatr> !redirect
13:01 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:02 < OhMyGuru> ouch
13:02 < OhMyGuru> is it a client.conf option ?
13:03 < gladiatr> Nope. That option is defined on within the server config
13:03 < OhMyGuru> ok
13:03 < mete> works perfect, thank you gladiatr
13:03 < gladiatr> mete, sweet!
13:03 < gladiatr> on/within/around/above/in-the-facinity-of
13:03 < gladiatr> :P
13:04 < gladiatr> s/fac/vac
13:04 < OhMyGuru> where should I use this option ?
13:04 < OhMyGuru> "--redirect-gateway"
13:04 < OhMyGuru> it's a command line option
13:04 < gladiatr> on the openvpn server.
13:04 < OhMyGuru> mmmh
13:05 -!- rjd_ [~rjd@212.112.31.11] has quit [Ping timeout: 250 seconds]
13:05 < gladiatr> !def1
13:05 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
13:06 -!- rjd_ [~rjd@212.112.31.11] has joined #openvpn
13:07 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 265 seconds]
13:10 < OhMyGuru> mmh
13:11 < OhMyGuru> that is ok, but no more DNS working on the computer
13:11 < gladiatr> You keep saying that... I do not think it means what you think it means...
13:11 < OhMyGuru> lol
13:11 < OhMyGuru> you're right
13:11 < OhMyGuru> sorry
13:11 < gladiatr> heh
13:13 -!- Netsplit *.net <-> *.split quits: APTX, katoen, krzee, ScriptFanix, buntfalke_, belZe, js_, d12fk, Meliorator, gladiatr, (+49 more, use /NETSPLIT to show all of them)
13:14 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
13:15 -!- venom00ut [~asdfds@unaffiliated/venom00] has joined #openvpn
13:16 < mete> ooops
13:18 -!- Netsplit over, joins: @dazo_afk, krzee, d12fk, Essobi, kisom, rjd_, OhMyGuru, buntfalke_, noisebleed, djgerm (+48 more)
13:18 -!- WinstonSmith [~true@e178176159.adsl.alicedsl.de] has joined #openvpn
13:18 < OhMyGuru> ty gladiatr !
13:18 -!- Cain [~Geek@unaffiliated/cain] has quit [Max SendQ exceeded]
13:18 < gladiatr> you betcha :)
13:19 < OhMyGuru> see you
13:20 -!- OhMyGuru [~OhMyGuru@81-67-200-162.rev.numericable.fr] has left #openvpn ["Quitte"]
13:20 < gladiatr> see ya
13:20 < mete> wb ;)
13:20 < gladiatr> !factoid evil traitorous bot
13:21 < gladiatr> !factoid search evil traitorous bot
13:21 < mete> gladiatr: can openvpn listen on two ports with one server ?
13:21 < gladiatr> Hrm... good question.
13:21 < mete> would be nice xD because I'm setting up an openvpn server on port 80 and 443 for my mobile client :P
13:22 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
13:22 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
13:22 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
13:22 < gladiatr> spinning up my test vm here and will give it a try.
13:22 < mete> nice ;)
13:25 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn
13:28 < gladiatr> mete, it doesn't look like it
13:28 < gladiatr> You get to choose one or the other. You can run multiple openvpn server instances on the same host, though.
13:29 < mete> ok
13:29 < mete> yep, that with the servers I know ;)
13:29 < mete> currently I've 3 running :P
13:29 < gladiatr> You just have to use unique subnets and a tun device for each instance's client subnet
13:29 < mete> jep
13:29 < mete> ;)
13:29 < mete> the basic routing stuff I know from openvpn :P
13:29 < mete> that i've learned
13:29 < mete> hehe
13:31 < mete> thank you for testing
13:31 < mete> :)
13:33 < gladiatr> you're welcome!
13:36 -!- QubeZ [~nkasu@64.128.254.34] has joined #openvpn
13:37 < QubeZ> hello all
13:37 * gladiatr waves
13:38 < QubeZ> I have servers in the Amazon EC2 cloud and one of them is an OpenVPN server. I've managed to do a site to site between my macbook at work and the Amazon hosted openvpn server. Works beautifully. My next step is to setup a server at our colo to go through the PIX and connect to the openvpn so that everyone behind our PIX can access the amazon ec2 without need to go through public IP's. Is there a general howto I should reference to get started on this proces
13:38 < QubeZ> internal net -> openvpn server -> pix <--- INET ---> amazon ec2 openvpn server
13:39 < gladiatr> !factoid search iroute
13:39 < gladiatr> vpnHelper, you're killin' me here
13:39 < Fleck> :D
13:39 < QubeZ> hehe
13:40 < gladiatr> !clientlan
13:40 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a
13:40 <@vpnHelper> better explanation
13:40 < gladiatr> !route
13:40 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:40 < gladiatr> !route_outside_openvpn
13:40 <@vpnHelper> "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
13:40 < gladiatr> serve me, bot...
13:40 < gladiatr> there's also a pretty good article on the subject of iroute here: http://backreference.org/2009/11/15/openvpn-and-iroute/
13:40 <@vpnHelper> Title: OpenVPN and iroute « \1 (at backreference.org)
13:41 < QubeZ> great thanks
13:41 < gladiatr> And if you decide to go through with this, I can get you an excellent deal on bulk pigeons... oh wait... wrong blog entry..
13:41 < gladiatr> heh
13:43 < QubeZ> gladiatr: what if I wanted to not only have a p2p connection from my office to the openvpn server @ amazon, but also want the openvpn server @ amazon to serve real clients ie: i'm on my notebook remotely and need to connect into amazon. Would it be better to vpn to my office here then from there i can get to the amazon since the openvpn is already established?
13:45 < gladiatr> It depends on the available bandwidth. If you connect the office and the cloud and you already have things in place for users to connect to the office, I can't see why you wouldn't just connect via the office vpn server. On the other hand, if you need to transfer lots of data between client systems and the cloud, the bandwidth usage could be problematic.
13:46 < QubeZ> gladiatr: it would be more for maintenance 13:46 -!- WinstonSmith [~true@e178176159.adsl.alicedsl.de] has quit [Quit: Ex-Chat] 13:46 -!- WinstonSmith [~true@e178176159.adsl.alicedsl.de] has joined #openvpn 13:46 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn 13:50 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has quit [Changing host] 13:50 -!- rot13 [~var@unaffiliated/rot13] has joined #openvpn 13:52 -!- p3rror [~mezgani@41.140.178.88] has joined #openvpn 13:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection] 13:57 -!- gladiatr is now known as gladiatr_afk 14:03 -!- Mish12 [~mish@194.28.69.111.dynamic.snap.net.nz] has joined #openvpn 14:03 < Mish12> !welcome 14:03 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 14:03 < Mish12> !goal 14:03 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 14:06 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 260 seconds] 14:10 <@vpnHelper> RSS Update - forum: Virtual Boot Error 14:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 14:18 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer] 14:22 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig. 
14:24 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving] 14:24 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn 14:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn 14:31 -!- dollabill [~mike@199.44.8.98] has quit [Ping timeout: 240 seconds] 14:35 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm] 14:45 -!- gpmidi_wrk [~mcintyrep@63.90.129.80] has joined #openvpn 14:45 <@vpnHelper> RSS Update - forum: benchmark openvpn connection || Tap installs, but doesn't show up in ipconfig. 14:47 < gpmidi_wrk> Are there any good web-ui based key management utils? I'm looking for something that would be simple to setup and would let me script the key management functions for provisioning new clients. I can write something that'll work very quickly but for obvious reasons I'd rather use something off-the-shelf if it exists. Note: I've already looked at a pair of heavy-weight key management programs but they seem like overkill for what I'm trying to do. 14:51 -!- gryzli [~gryzli@94.155.42.130] has quit [Quit: Leaving] 14:55 < ecrist> closest thing I know of is ssl-admin, but it doesn't currently support scripting, and it's not a webui 14:57 < gpmidi_wrk> Is there any way other than using a post-connect script to update a dns record with the new IP of a client? 15:02 < ecrist> static IPs? 
15:06 < gpmidi_wrk> In this case there would be 3+ load balanced servers, so a client would have to get an ip on different pools 15:07 < gpmidi_wrk> unless I go for an ethernet level bridge, which is what it's looking like I'll have to do 15:16 -!- Fleck [~we@unaffiliated/fleck] has quit [Remote host closed the connection] 15:26 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds] 15:55 -!- p3rror [~mezgani@41.140.178.88] has quit [Ping timeout: 240 seconds] 16:00 -!- alhadi [~thunderst@unaffiliated/alhadi] has quit [Quit: alhadi] 16:04 <@vpnHelper> RSS Update - forum: build TAP-Win32 driver using the latest Windows Driver Kit 16:07 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn 16:07 -!- mode/#openvpn [+o mattock] by ChanServ 16:08 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn 16:13 < QubeZ> If I have an openVPN server and one machine behind it on another subnet, yet I added a static route to it from my machine and back to the openVPN server from the other machine. I am then connected to the VPN but cannot ping machine B (Machine A is the openvpn server) 16:13 < QubeZ> essentially, Machine A (vpn server) can ping Machine B. My macbook can ping Machine A but not Machine B. 
16:13 < Bushmills> !route 16:13 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:13 < Bushmills> !serverlan 16:14 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation 16:14 < QubeZ> i have ip forwarding on the open vpn server and i've added the routes 16:14 < Bushmills> !firewall 16:14 <@vpnHelper> "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets. 16:14 < QubeZ> iptables is completely off 16:15 < QubeZ> hence me being able to ping B from A and vice versa. Then my macbook over VPN can ping A but not B. 16:15 < QubeZ> A can get to B.. routes are statically set 16:16 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds] 16:17 < Bushmills> return route exists too? 16:17 < QubeZ> Bushmills: yes, B can ping A 16:17 < QubeZ> even if it didn't, i see ICMP echo requests going from 10.8.0.1 (tun0) on server A to my server B. However, running tcpdump on Server B shows nothing coming in. 16:17 < Bushmills> back route on A to macbook through vpn 16:18 -!- dominicus [~dominicus@unaffiliated/dominicus] has joined #openvpn 16:18 < Bushmills> i suppose it does ... macbook can ping A, right? 16:18 < dominicus> !welcome 16:18 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 16:19 < dominicus> !howto 16:19 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:19 < Bushmills> what does machine B do with packets destined to macbook? 16:19 < dominicus> !goal 16:19 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 16:20 < QubeZ> Bushmills: yup, here's a synopsis again. Macbook VPN client pings Server A through VPN (10.8.0.1). Server A can ping Server B on the regular LAN address 10.x.x.x. B can also ping Server A via eth0 (lan address). However, Mac cannot get to Server B through VPN. So I'm trying to do: Macbook (VPN) <---> INET <---> OpenVPN Server (tun0) aka Server A LAN -> Server B (LAN) 16:20 < Bushmills> what does machine B do with packets destined to macbook? 16:20 -!- rond [~me@pool-71-170-131-187.dllstx.fios.verizon.net] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- \o/] 16:20 < QubeZ> Bushmills: I'm not even that far yet, I did a tcpdump on Server B while seeing my packets go through VPN to Server A to Server B yet Server B is not showing the ICMP echo requests. 16:20 < Bushmills> (i.e. replies) 16:21 < dominicus> When running "./build-key-server SERVER", what is "A challenge password" used for? 16:22 < Bushmills> QubeZ: "going through A" ..."not showing on B" .. sounds like they're lost in the cable 16:22 -!- gpmidi_wrk [~mcintyrep@63.90.129.80] has left #openvpn [] 16:22 < QubeZ> Bushmills: ya, weird stuff. Although if I just do a ping from Server A to B... it works over LAN. 
Just not on Server A (tun) handoff to eth0 to Server B eth0 16:23 < QubeZ> it's going through the tun0 on server A to eth0 just fine then off to Srv B but not receiving the requests. If I got the requests and saw no responses then I'd know I have routing issues on Srv B but I'm not even that far yet 16:23 -!- dominicus [~dominicus@unaffiliated/dominicus] has quit [Quit: leaving] 16:30 -!- Netsplit *.net <-> *.split quits: Clete2, Essobi, mick_laptop, grishnav, ucekpolish1, djgerm, optiz0r 16:31 < QubeZ> 16:31 < QubeZ> oops, sorry 16:32 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving] 16:32 -!- GCNR [~gabrielre@cpc1-nmal6-0-0-cust382.croy.cable.virginmedia.com] has joined #openvpn 16:32 < GCNR> Hi, I want to set up a VPN Connection using L2TP over IPSec to connect to a VPN using pre-shared key, username and password. I tried to follow some forum discussions and wiki articles, but I didn't succeed. Can anybody tell me how to do it or at least point me to a tutorial on how to do it? Thanks. 16:33 -!- Netsplit over, joins: Essobi, djgerm, ucekpolish1, optiz0r, grishnav, mick_laptop, Clete2 16:33 < GCNR> I forgot to say that I am using Ubuntu GNU Linux 10.10 16:40 -!- p3rror [~mezgani@41.140.99.43] has joined #openvpn 16:42 -!- GCNR [~gabrielre@cpc1-nmal6-0-0-cust382.croy.cable.virginmedia.com] has left #openvpn [] 17:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection] 17:02 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat] 17:03 -!- Shards_of_Narsil [~wsduvall@vtluug/member/ackthet] has left #openvpn [] 17:08 -!- WinstonSmith [~true@e178176159.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 17:08 -!- Fleck [~we@unaffiliated/fleck] has joined #openvpn 17:22 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn 17:22 -!- WinstonSmith [~xxx@e178176159.adsl.alicedsl.de] has joined #openvpn 17:29 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.] 
17:31 -!- s7r [~s7r@80.79.116.232] has left #openvpn [] 17:33 -!- mosno [~mosno@unaffiliated/mosno] has joined #openvpn 17:33 -!- ljvb [~jason@vps.vanbrecht.com] has joined #openvpn 17:33 < ljvb> evenin 17:34 < ljvb> anyone using the android port of openvpn? 17:42 -!- Malard [~ident@xbmc/staff/malard] has quit [Read error: Connection reset by peer] 17:43 < ecrist> I couldn't get it working on my samsung vibrant, never tried on my mytouch 4g 17:45 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 17:53 -!- Malard [~ident@hebe.travelrepublic.co.uk] has joined #openvpn 17:53 -!- Malard [~ident@hebe.travelrepublic.co.uk] has quit [Changing host] 17:53 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn 17:59 < krzee> ljvb, i had 18:00 -!- venom00ut [~asdfds@unaffiliated/venom00] has quit [Ping timeout: 264 seconds] 18:01 -!- teddz [~teddz@dtmd-4db23b7d.pool.mediaWays.net] has joined #openvpn 18:05 -!- QubeZ [~nkasu@64.128.254.34] has quit [Ping timeout: 264 seconds] 18:13 < krzee> i got it working on an HTC evo 18:13 < krzee> will put it on my new mytouch 4g soon 18:13 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds] 18:17 -!- p3rror [~mezgani@41.140.99.43] has quit [Ping timeout: 240 seconds] 18:32 -!- rond [~me@pool-71-170-131-187.dllstx.fios.verizon.net] has joined #openvpn 18:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 18:46 -!- unspin_ [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn 18:47 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Read error: Connection reset by peer] 18:49 -!- patelx [~patel@openvpn/corp/admin/patel] has joined #openvpn 18:49 -!- mode/#openvpn [+o patelx] by ChanServ 18:53 -!- corretico [~laguilar@201.201.44.82] has joined #openvpn 19:00 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day] 19:05 -!- p3rror [~mezgani@41.140.46.229] has joined #openvpn 19:11 -!- 
theDoc [~Link@unaffiliated/thedoc] has joined #openvpn 19:18 < ljvb> krzee mind posting your configs... I have a working setup, 2 laptops, and remote network using certificates, but cannot for the life of me get my galaxy s working, it connects, but no routing or connectivity.... 19:35 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn 19:41 < theDoc> Are you pushing the correct routes? 19:45 < reiffert> Fleck: still using the laptop? 19:45 < reiffert> Fleck: still using windows? 19:55 < ljvb> just checked the log file (or rather just enabled logging heh...) http://pastebin.com/AQv1Krgw is the error, unrecognized option blah blah blah for route and ifconfig 19:55 < ljvb> but I cannot seem to find anything via the usual google searches 20:01 -!- corretico [~laguilar@201.201.44.82] has quit [Ping timeout: 240 seconds] 20:19 -!- corretico [~laguilar@201.201.44.82] has joined #openvpn 20:30 < ljvb> hmm.. I think it's the ifconfig in use.. was using /system/bin/ifconfig and not /system/xbin/ifconfig.. still have to delete the tun interface and recreate it by hand to get vpn up (via adb) 20:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection] 20:39 < krzee> ljvb, you dont need my config 20:39 < mosno> i have setup openvpn to act as a server on a tunnel interface. i thought it would be nice to use uci to firewall the tun interface. i've successfully added a "vpn" zone, but i am having trouble adding a vpn interface, eg. uci network add interface gives me "network.@interface[0]=interface" instead of "network.vpn=interface". how can i get the latter? or am i trying to firewall openvpn in the wrong way? 
20:40 < krzee> ljvb, you need to install busybox and make symbolic links to /system/xbin/ifconfig / route 20:43 < krzee> ljvb, also be sure to watch logfiles so you don't have to wonder what happened 20:43 < krzee> !logfile 20:43 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info 20:44 < krzee> mosno, that is not an openvpn question 20:44 < krzee> !notovpn 20:44 <@vpnHelper> "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 20:44 < mosno> krzee: sorry i thought i was in #openwrt 20:44 < krzee> ahh 20:45 < krzee> =] 20:47 -!- p3rror [~mezgani@41.140.46.229] has quit [Read error: Connection reset by peer] 20:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 20:54 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn 20:56 < ljvb> krzee odd.. I could have sworn I had BB installed since titanium backup requires it... but it might be a version built into the rom I am using 21:14 < ljvb> krzee you rock, thank you.. even though I saw that step over and over in my google searches.. it never occurred to me to check to make sure the correct version of ifconfig and route were being used, since I assumed that bb was installed it would use those commands 21:37 -!- p3rror [~mezgani@41.140.26.1] has joined #openvpn 21:48 < ljvb> odd, I have to use a client config push dhcp reference for my craptastic vista box, but my other boxes work fine without it.. weird though, nslookup works fine on vista, but ping, tracert, any network traffic gets no dns resolution... 
21:50 -!- teddz [~teddz@dtmd-4db23b7d.pool.mediaWays.net] has quit [Quit: Ex-Chat] 22:12 < ljvb> oh well, I found a work around, will figure out why at a later date 22:23 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn 22:27 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving] 22:40 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has quit [Quit: Leaving.] 23:08 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn 23:13 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn 23:13 -!- mode/#openvpn [+o mattock] by ChanServ 23:37 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 260 seconds] 23:43 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds] 23:47 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn 23:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 250 seconds] 23:49 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn 23:57 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds] 23:58 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn 23:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn 23:59 -!- mick_laptop [~mick@clamwin/admin/mickhome] has quit [Remote host closed the connection] --- Day changed Thu Jan 20 2011 00:01 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.] 
00:05 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 260 seconds] 00:05 -!- Cain [~Geek@41.141.252.98] has joined #openvpn 00:05 -!- Cain [~Geek@41.141.252.98] has quit [Changing host] 00:05 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn 00:06 < hyper_ch> ecrist: http://www.theregister.co.uk/2011/01/19/mac_linux_bot_vulnerabilities/ 00:06 <@vpnHelper> Title: Bot attacks Linux and Mac but can't lock down its booty • The Register (at www.theregister.co.uk) 00:17 -!- WinstonSmith [~xxx@e178176159.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds] 00:19 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection] 00:33 -!- WinstonSmith [~xxx@dslb-088-073-115-198.pools.arcor-ip.net] has joined #openvpn 00:40 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: leaving] 00:46 -!- WinstonSmith [~xxx@dslb-088-073-115-198.pools.arcor-ip.net] has quit [Ping timeout: 265 seconds] 00:58 -!- WinstonSmith [~xxx@e179004161.adsl.alicedsl.de] has joined #openvpn 01:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer] 01:12 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro] 01:51 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn 02:03 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Quit: Leaving.] 02:23 < Fleck> reiffert well i tried laptop with knoppix live cd and simple tun without auth and crypt and comp... 
speed is the same, with or without tun 02:25 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn 03:06 <@vpnHelper> RSS Update - forum: Two link in load-balance causing tunnels the stop working 03:07 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn 03:07 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host] 03:07 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn 03:12 <@vpnHelper> RSS Update - forum: VM Lab using OpenVPN 03:19 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn 03:19 -!- mode/#openvpn [+o mattock] by ChanServ 03:20 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn 03:21 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn 03:21 < macsppadic> morning all 03:35 < theDoc> macsppadic: Wanted to update you, :P 03:35 < theDoc> Got it with crypt (password,hash) 03:35 < macsppadic> hey theDoc 03:35 < macsppadic> niiiice! 03:35 < theDoc> It works great with symbols and all now. 03:35 < theDoc> After spending like a gazillion hours on it 03:36 * macsppadic makes a mental note sure to forget after a day or so 03:36 < macsppadic> hold on 03:36 < macsppadic> so you're not using the salt ? 03:36 < macsppadic> the even 03:36 < theDoc> er, not hash. 03:36 < theDoc> salt even. 03:36 < theDoc> enjoy folks. http://imgur.com/a/5TbPm 03:36 <@vpnHelper> Title: Nobodys Perfect - Imgur (at imgur.com) 03:37 < macsppadic> hehe 03:37 < macsppadic> kewl thats sorted 03:37 -!- takamichi [~pri@85.232.213.54] has quit [Ping timeout: 260 seconds] 03:37 < theDoc> macsppadic: Yeah, little to no sleep. 03:37 < theDoc> Tell me about it. 
03:38 -!- takamichi [~pri@83.170.109.106] has joined #openvpn 03:51 -!- master_of_master [~master_of@p57B52CCB.dip.t-dialin.net] has quit [Ping timeout: 240 seconds] 03:53 -!- master_of_master [~master_of@p57B56488.dip.t-dialin.net] has joined #openvpn 03:59 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving] 04:02 -!- unspin_ [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 240 seconds] 04:16 -!- djgerm1 [~Your_Moms@adsl-75-24-88-30.dsl.pltn13.sbcglobal.net] has joined #openvpn 04:20 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Ping timeout: 255 seconds] 04:24 <@vpnHelper> RSS Update - forum: Local Lan issue 04:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn 04:36 < djgerm1> Are there many, any, known vulnerabilities with OpenVPN 2.1.1 04:36 < djgerm1> ? 04:48 <@vpnHelper> RSS Update - forum: Can't ping LAN behind VPN server 04:50 -!- common [~common@p5DDA484C.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds] 04:52 -!- common [~common@p5DDA474F.dip0.t-ipconnect.de] has joined #openvpn 05:16 -!- s7r [~s7r@80.79.116.248] has joined #openvpn 05:18 -!- patelx [~patel@openvpn/corp/admin/patel] has quit [Quit: ircN 8.00 for mIRC (20100904) - www.ircN.org] 05:24 -!- takamichi [~pri@83.170.109.106] has quit [Ping timeout: 272 seconds] 05:24 -!- takamichi [~pri@85.232.213.54] has joined #openvpn 05:25 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has joined #openvpn 05:26 -!- maxJadi [~maxJadi@dhcp-166-8.nomad.chalmers.se] has joined #openvpn 05:26 -!- maxJadi [~maxJadi@dhcp-166-8.nomad.chalmers.se] has quit [Changing host] 05:26 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn 05:33 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]] 05:35 -!- binBASH [michael@office.cloud.hn] has joined #openvpn 05:41 < binBASH> Hi all, I setup openvpn to accept duplicate cn in certificates. 
I need some clients to have static ips so I've setup own certificates for these and put them in the client config dir. They are getting static ips now. For the other clients I use a cert with a generic common name. But for those clients the ips of the static clients get assigned as well. What is wrong? 05:49 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn 05:56 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn 06:09 < Peer^> hi! is it possible to mix or use both, single certs and pkcs#12 certs, on one server config? 06:10 < reiffert> what are the differences between single certs and pkcs12? 06:12 <@vpnHelper> RSS Update - forum: Linux Tap device 10Mbit 06:15 < Peer^> pkcs12 is all in one: client.crt, client.key, ca.crt 06:20 < havoc> gah, no OpenVPN reg keys in win7? 06:23 < havoc> ah, under: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OpenVPN-GUI 06:34 < Peer^> ok, forget it. it cannot work 07:13 < havoc> too bad there aren't options for ovpnserv.exe 07:13 < havoc> openvpnserv.exe I mean 07:14 < Fleck> why not? 07:14 < havoc> it'd be nice to use the service to start specific configs 07:14 < Fleck> ohh 07:14 < Fleck> nv 07:14 < Fleck> nm 07:36 -!- knightstalker [~knightsta@shellium/member/KnightStalker] has joined #openvpn 07:36 < knightstalker> Hello, 07:36 < knightstalker> Can someone help me with TLS error? 07:37 < knightstalker> (I already googled...) 07:38 < ecrist> sure 07:40 < knightstalker> Thanks, so: 07:41 < knightstalker> server runs fine, and will say 'Initialization sequence completed', when I try to use my client it lags a bit on UDPv4 link local and link remote 07:41 < knightstalker> and would then say TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) and handshake failed 07:42 < havoc> knightstalker: firewall on client blocking something from server? 07:42 < knightstalker> ah 07:42 < knightstalker> can be! 
07:42 < havoc> that's what I always check when I see that exact error 07:42 < knightstalker> I asked the server VPS, they told me no firewall there 07:42 < knightstalker> but on client, I have a stupid router 07:42 < knightstalker> which ports I must exactly unblock? 07:43 < havoc> that error has always indicated a client-side firewall issue for me 07:43 < havoc> knightstalker: that I couldn't tell you 07:43 -!- komodo [~komodo@cl-971.mbx-01.si.sixxs.net] has joined #openvpn 07:43 < havoc> but knowing/assuming it's a client-side firewall issue gives you a bit more to google on :) 07:44 < havoc> knightstalker: I've had the issue w/ windows clients, but in those FW configs you allow the program, not a port 07:45 * knightstalker on linux 07:47 < hyper_ch> what ports do you have the vpn server running on? 07:47 < knightstalker> I first had it on 1194, but changed to 1200 07:48 < havoc> make sure you're allowing the correct protocol through on the FW too 07:48 < knightstalker> I selected TCP/UDP 07:51 < hyper_ch> then you have your client firewall to also allow that port 07:51 < knightstalker> yes i do :( 07:52 < knightstalker> hmm, lets restart router and retry 07:53 -!- p3rror [~mezgani@41.140.26.1] has quit [Ping timeout: 240 seconds] 07:54 -!- p3rror [~mezgani@41.140.171.100] has joined #openvpn 07:55 -!- knightstalker_ [~knightsta@109.109.43.139] has joined #openvpn 07:56 < knightstalker_> not helpful 07:57 -!- knightstalker [~knightsta@shellium/member/KnightStalker] has quit [Ping timeout: 240 seconds] 07:59 < komodo> hi, is there any way to setup clients on windows with cryptoapicert and server on linux ? how should i get server cert and key on the linux openvpn server? AFAIK i can export CA from certificate store, but what about server key and cert ? 
07:59 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving] 08:01 -!- gladiatr [~gladiatr@openvpn/community/support/gladiatr] has joined #openvpn 08:01 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 260 seconds] 08:09 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn 08:19 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Remote host closed the connection] 08:35 < ljvb> question for anyone who has connected Vista (not my choice...) to openvpn, I'm having a dns issue.. I think, without using the dns push option in the client config on the ovpn server, I get no name resolution, even though using nslookup uses the correct DNS server and works just fine, but no services (ping, tracert, browser, applications etc) appear to be functioning without the push dns option 08:36 < ljvb> not using redirect either 08:40 < binBASH> Hi all, I setup openvpn to accept duplicate cn in certificates. I need some clients to have static ips so I've setup own certificates for these and put them in the client config dir. They are getting static ips now. For the other clients I use a cert with a generic common name. But for those clients the ips of the static clients get assigned as well. What is wrong? 08:41 < ecrist> knightstalker_: sounds like you either have a firewall issue, or someone between you and the server is filtering UDP traffic 08:41 < knightstalker_> hmm 08:42 < ecrist> binBASH: sounds like something is foobar in your config 08:43 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined #openvpn 08:45 < gladiatr> ljvb, what happens when you do use nslookup from the cli? 08:47 < gladiatr> binBASH, does the pool specified in your server definition overlap with your static addresses? 
08:47 <@vpnHelper> RSS Update - forum: Can't ping LAN behind VPN server || Local Lan issue 08:47 < binBASH> I found it out guys;) 08:47 < gladiatr> sweet 08:48 < binBASH> I had at first line server 10.8.0.0 255.255.255.0 08:49 -!- jfkw [~jtk@216.115.1.60] has joined #openvpn 08:49 < binBASH> and now I removed it and made server config manually in config with ifconfig and ifconfig-pool 08:49 < binBASH> that seems to work ;) 08:54 < gladiatr> good deal 08:55 < krzee> ljvb, glad it helped 08:56 < krzee> ljvb, i dont see the problem re: needing to change dns 08:56 < ljvb> gladiatr, nslookup from cmd works fine 08:57 < ljvb> krzee its more of an annoyance than a problem.. all the other hosts work fine, just the vista laptop that I need to fiddle with the DNS.. 08:57 < krzee> then dont push the option 08:57 < krzee> just put it in the client config without the push 08:58 < gladiatr> make sure your tap device is ahead of your wireless/wired ethernet devices in your device priority list 08:58 < krzee> or push it in a ccd entry 08:58 < ljvb> its being pushed in the ccd entry 08:58 < ljvb> that was the fix, but I am curious to know why I only have to do this for the one host (my work laptop) 08:59 < mort_gib> ljvb: You need to use another way of pushing the route in Vista 08:59 < ljvb> XP, android, openbsd and freebsd clients all work fine 08:59 < binBASH> cya all, byez and thx 09:00 -!- binBASH [michael@office.cloud.hn] has left #openvpn [] 09:00 * ljvb hates vista... and for the love of $PICK_YOUR_DEITY.. this thing won't die (turned on in trunk in mid summer in vegas and utah), left in trunk on freezing evenings.. dropped (totally by accident) a few times.. and it keeps on ticking... 09:01 < gladiatr> lol 09:01 < ljvb> mort_gib eh.. pushing the dns server via ccd solved the problem 09:02 < mort_gib> ljvb: Yeah, but you need to add a line in the Vista config for it to work properly 09:02 < ljvb> the exe line? 
09:02 < mort_gib> Yes 09:02 < ljvb> route-method exe 09:02 < ljvb> its in there 09:02 < mort_gib> Ok, sorry 09:03 < mort_gib> Had LOT of shit with Vista, this is just one of them! 09:03 < ljvb> I suspect its something in the corp policy, I had to force the client binary to run as administrator 09:03 < ljvb> even though my user has full admin rights 09:03 < ljvb> uac can suck it 09:04 < mort_gib> ljvb: Yes well, now with UAC, all of a sudden we can "safely" allow all users to be in the administrator group... 09:04 <@vpnHelper> RSS Update - forum: Can't ping LAN behind VPN server 09:04 < ljvb> I'm up for a replacement in may, then I get windows 7 (sarcastic) yay... I kept pushing for a macbook pro.. but apparently corp does not want to support it 09:05 < mort_gib> ljvb: Well, in all fairness if you HAVE to use Windows, Win7 is not so bad 09:05 < ljvb> there is no safely allowing users in admin groups.. only reason I have it, is that many of the assessment tools I run require it (not everyone in the corp has admin rights, in fact most don't) 09:06 < mort_gib> I get crap from external consultants, that states "My software XXX" only runs if local users is administrator 09:06 < ljvb> bah.. I am being ejected from my cube.. 09:07 < mort_gib> So it's trying to convince managers EVERY time that it's simply not true! 09:07 < mort_gib> How so, weak economy?? 09:07 < havoc> gah, I can't believe that the only thing preventing a non-admin user (in windows) from running openvpn is adding routes 09:07 < havoc> there's gotta be a way to grant access to just add routes 09:08 < ljvb> no, apparently it was changed from hotelling (free for all office space) to an assigned cube.. I just stole my MD's office heh.. 09:09 < ljvb> havoc yes, change the effective permissions of the route command itself, add the user you want to access it 09:09 < havoc> ljvb: would that be it? 09:09 < ljvb> <-- security consultant.. knows when he needs admin rights.. 
but also knows what not to do to get violated :) usually 09:09 <@vpnHelper> RSS Update - forum: IP address of client still visible 09:09 < havoc> or would they also need to be in the Network Administrators group or something? 09:10 < havoc> ok, so ovpn uses "ip route add" by default, right? 09:10 < havoc> so I'd need to set the client config to use route.exe explicitly, and then add the user to the route.exe ACLs 09:11 < havoc> that sound correct? 09:11 < ljvb> havoc as far as I know.... I forget, but I am sure there is also an option equiv to suid 09:11 < ljvb> for windows 09:12 < havoc> but is the ability to add routes the only thing holding back non-admin users in windows? 09:12 < ljvb> but if you allow openvpn to run as administrator, the route command gets called as administrator 09:12 < ljvb> by non admin users 09:13 < ljvb> you need an admin of course to set that up initially 09:13 < havoc> right 09:14 < ljvb> under compatibility properties of the binary (not the shortcut), just check run as administrator, problem solved) 09:14 < ljvb> but the downside of course, is that if a vuln/buffer overflow is found in ovpn, the resulting exploit leaves you as an admin 09:14 < havoc> yeah, if that's acceptable to this guy's IT dept 09:15 < gladiatr> ljvb, that's why no-bind should be the default on windows installs :P 09:15 < ljvb> my guess would be, unless its an officially supported application, the IT dept probably will not be very helpful 09:16 -!- mahdi_ja [~mahdi_ja@93.126.3.4] has joined #openvpn 09:16 < mahdi_ja> hi all 09:17 < gladiatr> see, that's where my evil mind would engineer a plot to image off the corporate windows installation, reinstall the laptop with linux then load the corp windows image onto a vm 09:17 < gladiatr> hiya, madi 09:17 < gladiatr> s/d/hd 09:18 < mahdi_ja> can i use openvpn to bypass governmental internet filtering 09:18 < ljvb> gladiatr.. funny you mention that.. 
I did exactly that on my old corp dell, but I went the OSX route on the Dell, with p2v image of the original install 09:19 < gladiatr> hehe 09:19 < ljvb> had to.. for exchange support 09:20 < ljvb> mahdi_ja well.. it depends.. what gov it is.. will they hunt you down, torture you and throw yo in jail (say in China...), or are you talkign about US gov entities like DHS, IRS, etc 09:20 < ljvb> in the later, I would not recomend it.. since you will be caught.. and sanctioned 09:20 < gladiatr> indeed. The philosophy of: If Caesar wants to sit in the corner and punch himself in the face, render unto Caesar an appropriate corner of the house to do so--just keep him away from the kitchen. 09:20 < mahdi_ja> ljvb, i want use this personally 09:20 < mort_gib> mahdi_ja: There are other more efficient ways... 09:21 < mahdi_ja> mort_gib, i examine all way but all of them not work in my country and are disabled 09:21 < gladiatr> mahdi_ja, I think you'll find that is the motivation for many of the online businesses that have popped up offering openvpn connections for a fee. 09:21 -!- macsppadic [~sonupunno@88.211.55.77] has left #openvpn [] 09:22 < mahdi_ja> gladiatr, i want create this free 09:22 < mort_gib> mahdi_ja: Where are you if I may ask?/ 09:22 < mahdi_ja> mort_gib, iran 09:22 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 260 seconds] 09:23 < mort_gib> Ok, well Iran had top notch help from the best in the west to keep you guys quiet :-( 09:23 < gladiatr> mahdi_ja, I understand :( 09:24 < mort_gib> http://anonymitynetwork.com/ 09:24 <@vpnHelper> Title: Home ::: AnonymityNetwork.com ::: provide Virtual Private Network (at anonymitynetwork.com) 09:24 < gladiatr> mahdi_ja, the key is that you'll need a system somewhere that internet service is not restricted to connect to. OpenVPN in and of itself is merely a program. 
09:24 < ljvb> meeting time
09:24 < mort_gib> https://secretsline.biz/en/manual/read/how-to-hide-my-ip-address/
09:24 < mahdi_ja> gladiatr, i can not do this in my own system ?
09:24 <@vpnHelper> Title: VPN Service: vpn, openvpn, pptp, double vpn, vpn software, vpn service, windows vpn (at secretsline.biz)
09:25 < gladiatr> mahdi_ja, You certainly could, however, your connection would still be as restricted as the connection to your system.
09:26 < mort_gib> mahdi_ja: Firstly you would need a company, that has servers around the world to do this
09:26 < mahdi_ja> gladiatr, this means i must create openvpn on the other system and then connect to it
09:26 < gladiatr> mahdi_ja, correct
09:26 < mort_gib> mahdi_ja: If not, your ISP or the guys they report to would see some very suspicious traffic to one server and nothing to the rest of the Internet
09:27 < mahdi_ja> gladiatr, is there any free server to do it
09:27 < gladiatr> this I do not know.
09:28 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
09:28 -!- alhadi [~thunderst@92.99.132.49] has joined #openvpn
09:29 -!- anonymus [~yaa@178.177.82.39] has joined #openvpn
09:29 < anonymus> hi
09:29 < alhadi> hi
09:29 < anonymus> could anyone explain to me why ip ad sh dev tun0 shows
09:29 < anonymus> inet 192.168.0.1 peer 192.168.0.2/32 scope global tun0
09:30 < anonymus> why /32
09:30 < anonymus> and why 0.2
09:30 < anonymus> ??
09:30 < gladiatr> anonymus, it's a point to point link
09:30 < anonymus> i got it
09:30 < mahdi_ja> thanks all
09:30 < gladiatr> mahdi_ja, good luck, sir
09:30 -!- mahdi_ja [~mahdi_ja@93.126.3.4] has quit [Quit: Leaving]
09:31 < anonymus> but the opposite link has 192.168.0.5/24
09:31 < gladiatr> !topology
09:31 < anonymus> why does it show /32 0.2
09:31 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
09:31 < krzee> !/30
09:31 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
09:31 < gladiatr> ^^
09:31 < anonymus> hmm
09:31 < anonymus> i got it
09:32 < krzee> we're talking about making topology subnet the default soon
09:32 < anonymus> its just for information?
09:32 < krzee> maybe in 2.3
09:32 < krzee> anonymus, you asked...
09:32 < anonymus> i mean ip ad sh shown NOT REAL peer&
09:32 < anonymus> ?
09:33 < krzee> huh?
09:33 < anonymus> gtg/ thank u
09:35 -!- anonymus [~yaa@178.177.82.39] has quit [Read error: Connection reset by peer]
09:39 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
09:52 < alhadi> hi krzee :)
09:52 < krzee> Thanks go to Eric Crist for his work on #OpenVPN. To OpenVPN Technologies for joining with the community, which I think we all agree is for the better. To punk for phear and loathing in nl. And of course thanks to the Efnet #IRCpimps
09:52 < alhadi> thank you eric crist :)
09:53 -!- teddz [~teddz@dtmd-4d0525a7.pool.mediaWays.net] has joined #openvpn
09:53 < alhadi> love openvpn
09:53 < krzee> thats for my bio in JJK's openvpn book
09:54 < alhadi> is there a book for openvpn?
09:54 < alhadi> recently?
09:54 < alhadi> i'll buy it :)
09:54 < krzee> it will be out soon
09:54 < alhadi> cool
09:54 < alhadi> let me know :)
09:54 < alhadi> i am waiting for 2.3 version
09:54 < alhadi> openvpn
09:56 -!- Peer^ [~ttt@ks355877.kimsufi.com] has quit [Ping timeout: 240 seconds]
10:02 < ecrist> neat, thanks krzee. :)
10:02 -!- Peer^ [~ttt@ks355877.kimsufi.com] has joined #openvpn
10:04 -!- komodo [~komodo@cl-971.mbx-01.si.sixxs.net] has quit [Quit: Konversation terminated!]
10:06 < krzee> =]
10:08 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
10:09 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
10:11 < gladiatr> awesome. I likes me some dead trees. :D
10:12 < gladiatr> who is the publisher?
10:13 <@vpnHelper> RSS Update - forum: UPnP over openVPN, is it possible?
10:13 < krzee> packt publishing
10:14 < krzee> its a good book
10:14 < krzee> if i wasnt getting a free copy i'd buy one
10:16 < gladiatr> cool. I'll keep my eyes peeled
10:27 -!- dvl [~dvl@pdpc/supporter/active/dvl] has left #openvpn ["Leaving"]
10:34 < alhadi> hey ecrist :)
10:34 < alhadi> whats a good book to study openvpn?
10:37 < ecrist> I *have* to buy one now, since my name will be in it.
10:37 < gladiatr> indeed!
10:40 < krzee> ill be linking to it in the bot when it comes out, its a very good book
10:40 < krzee> it covers what we usually cover in here, but it also does some setups i never knew possible
10:42 < krzee> good for learning openvpn, but also taught me a few things
10:43 < krzee> which i kinda expected when i heard JJK was the author
10:49 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
10:54 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:58 < ecrist> indeed
11:01 < alhadi> where do i buy?
11:01 < alhadi> oh it will be out
11:02 < alhadi> krzee :)
11:02 < alhadi> my friend would love buying too
11:02 < alhadi> we all are openvpn lovers
11:03 < krzee> it will be at !book when it comes out
11:04 < krzee> http://www.amazon.co.uk/OpenVPN-Cookbook-Jan-Just-Keijser/dp/1849510105
11:04 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
11:05 < krzee> http://readlist.com/lists/lists.sourceforge.net/openvpn-users/3/17405.html
11:05 <@vpnHelper> Title: Re: OpenVPN (cook)book - ReadList.com (at readlist.com)
11:06 < krzee> me and Ralf agree
11:07 < gladiatr> Ralf?
11:07 < krzee> from that post in the last link
11:08 < gladiatr> ahh
11:11 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
11:41 -!- WinstonSmith [~xxx@e179004161.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
11:44 -!- s7r [~s7r@80.79.116.248] has quit [Ping timeout: 264 seconds]
12:20 -!- djgerm1 [~Your_Moms@adsl-75-24-88-30.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving.]
12:27 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: Leaving]
12:33 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 240 seconds]
12:34 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
12:34 < fahmad> hello
12:34 < fahmad> is there any way to disable inactivity timeout ?
12:35 < mete> you mean that you don't get disconnected?
12:35 <@vpnHelper> RSS Update - forum: Random problem with roadwarriors on windows machines
12:36 < fahmad> mete: yes
12:36 < mete> one moment
12:36 < mete> I think I've an option for that in my cfg
12:36 < mete> keepalive 10 60;
12:36 < mete> try this
12:37 < mete> in client and server cong
12:37 < mete> conf
12:38 < fahmad> but it will disconnect
12:38 < fahmad> it checks for ping every 10 seconds
12:38 < fahmad> and then if it does not get a response for 60 seconds then disconnects
12:38 < mete> mine never gets disconnected...
12:40 < fahmad> humm
12:40 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
12:42 -!- anonymus [~yaa@178.176.66.224] has joined #openvpn
12:42 < anonymus> hi again
12:44 < anonymus> !topology
12:44 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
12:45 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
12:46 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has joined #openvpn
12:54 < ecrist> I may need to go buy that book
12:58 <@vpnHelper> RSS Update - forum: Server 2000...tapinstall.exe "not a valid Win32 app" error
13:02 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
13:04 < djgerm> is there a particularly good reason for locking down access to the openvpn port to only a handful of hosts?
13:04 < djgerm> vulnerabilities in openvpn 2.1.1?
13:05 < ecrist> if you're paranoid.
13:05 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
13:05 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
13:05 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
13:05 < ecrist> I've never done that, however.
13:05 < mete> with which access rights is it good to store the config and key files? 600?
13:05 < hyper_ch> hi ecrist
13:07 < djgerm> other than paranoia haha
13:08 < krzee> ecrist, the book is worth it
13:10 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
13:22 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
13:28 <@vpnHelper> RSS Update - forum: OpenVPN tunnel status
13:41 -!- patelx [~patel@openvpn/corp/admin/patel] has joined #openvpn
13:41 -!- mode/#openvpn [+o patelx] by ChanServ
13:44 -!- xindz [karz@bounced.by.nbounce.com] has joined #openvpn
13:44 < mete> hi xindz ;)
13:44 < xindz> hi mete :D
13:44 < mete> I think they can help fast :P
13:44 < xindz> Lets see
13:45 < xindz> Hello, When I'm trying to connect to my OpenVPN server @ my pfsense router on port 443 i get this error: WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link. What's wrong?
13:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
13:50 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn
13:52 < xindz> mete seems dead here :/
13:53 < dschuett> pretty slow today
13:53 < mete> xD
13:53 < hyper_ch> doesn't openvpn have a cure against a cold?
13:54 < dschuett> it does! - only when using route mode though
13:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
14:02 -!- mezgani_ [~mezgani@41.140.179.31] has joined #openvpn
14:02 < gladiatr> 'dead' means everyone's vpn is chugging along splendidly :)
14:05 -!- p3rror [~mezgani@41.140.171.100] has quit [Ping timeout: 240 seconds]
14:09 -!- Jarpse [~jarpse@cluon.soleus.nu] has quit [Remote host closed the connection]
14:11 -!- mezgani__ [~mezgani@41.140.26.218] has joined #openvpn
14:12 -!- mezgani__ is now known as p3rror
14:12 < hyper_ch> dschuett: yey
14:13 < dschuett> gladiatr: VERY good point :)
14:13 < gladiatr> :D
14:13 -!- mezgani_ [~mezgani@41.140.179.31] has quit [Ping timeout: 240 seconds]
14:15 -!- ucekpolish1 [user@hq.ostc-pl.com] has quit [Ping timeout: 250 seconds]
14:28 <@vpnHelper> RSS Update - forum: Server 2000...tapinstall.exe "not a valid Win32 app" error
14:29 -!- p3rror [~mezgani@41.140.26.218] has quit [Ping timeout: 240 seconds]
14:30 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
14:33 -!- ucekpolish1 [user@hq.ostc-pl.com] has joined #openvpn
14:34 -!- rot13 [~var@unaffiliated/rot13] has quit [Ping timeout: 240 seconds]
14:36 -!- anonymus [~yaa@178.176.66.224] has quit [Quit: АХХХАХХААХХХАхахахахХхахаАААААААа11]
14:39 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
14:39 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
14:39 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
14:41 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:44 <@vpnHelper> RSS Update - forum: OpenVPN tunnel status || Linux client problem
14:51 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has joined #openvpn
14:53 < mete> is there a need to change the psk from time to time?
14:55 < hyper_ch> mete: it depends on your paranoia level
14:55 <@vpnHelper> RSS Update - forum: Internet Connection Sharing with openvpn || (Resolved)Svr 2000...tapinstall.exe "not a valid Win32 app"
14:56 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has quit [Ping timeout: 255 seconds]
14:56 < gladiatr> mete, Yeah. If you only have a few clients, it's easy enough to do, but as the number of clients grows, it becomes increasingly difficult.
14:56 < hyper_ch> ecrist: you're not an openvpn dev, are you?
14:57 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has joined #openvpn
14:58 < mete> is it possible to "secure" the key file? Idea: when I open the connection it asks for a password so that the key file can be read?
14:58 < hyper_ch> mete: put it in a truecrypt container
14:59 < hyper_ch> but the auth certs could also be generated with a key IIRC
15:00 -!- knightstalker_ [~knightsta@109.109.43.139] has quit [Quit: Leaving]
15:01 < mete> how to do that hyper_ch?
15:01 < hyper_ch> !howto
15:01 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:01 < mete> if possible, I don't want to use additional software
15:02 < hyper_ch> hmmm, seems I am mistaken
15:04 < mete> hmmh
15:07 < xindz> Hello, When I'm trying to connect to my OpenVPN server @ my pfsense router on port 443 i get this error: WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link. What's wrong?
15:07 <@vpnHelper> RSS Update - forum: Tunnel low speed
15:07 < krzee> mete, yes you can secure the private key using an openssl passphrase
15:08 < krzee> mete, what os do you use?
15:10 < mete> krzee: I'm using as server debian 5.0 minimal (linux), client is currently a Windows 7 6bit
15:10 < mete> 64bit
15:11 < krzee> ok so you want to know if the client can change his passphrase on his key?
15:11 < krzee> he can do it from within the GUI
15:12 < krzee> i dont have windows handy to say how exactly, but its not hard to find... the gui doesnt do much
15:12 < mete> ok
15:12 < mete> one moment
15:12 < mete> just starting the box :P
15:13 < dschuett> xindz: are you sure the address that you are trying to connect to is correct
15:14 < dschuett> is 443 open, and is it ONLY being used by openvpn?
15:14 < xindz> Yes, 443 is open. But i have a multiwan setup
15:14 < dschuett> and is 443 forwarded to your openvpn server?
15:15 < xindz> yes
15:15 < mete> krzee: I found the option I think "change Password", if I press that button it says: your config file does not contain any "key" or "pkcs12" option
15:15 < dschuett> i have seen this error when people mistype the DNS name or ip address
15:15 < dschuett> xindz ^^
15:15 < gladiatr> mete, it's an option in the drop-down(up?) of the openvpn-gui icon
15:16 < xindz> dschuett Using http://forum.pfsense.org/index.php/topic,7840.0.html that rule
15:16 <@vpnHelper> Title: OpenVPN on pfSense - Installation guide for (Windows) Dummies :-) (road-warrior) (at forum.pfsense.org)
15:16 < mete> jep gladiatr, this one I've pressed :P
15:16 < gladiatr> are you talking about a client certificate key or the dh key?
15:16 < mete> gladiatr: psk
15:17 < gladiatr> Okay. Yeah. The change passphrase option is just for the private rsa key for a client certificate.
15:17 < mete> I want to use psk, and I want that the PSK is not as plain text on the disk
15:17 < dschuett> xindz: did you double check your remote ip address?
15:17 < dschuett> or are you using dns?
15:18 < xindz> using ip to my WAN interface
15:18 < mete> so with certs I can set a password for each certificate (server and client) gladiatr?
15:18 < mete> and on every connect it asks for the password?
15:18 < gladiatr> Yeah. I think the suggestion of using an encrypted container of some sort would be your best bet. I don't know if there's such a thing available under a non-commercial license for windows.
15:18 < gladiatr> mete, yup
15:19 < mete> ok, hmmhh
15:19 < mete> I will search for a howto and set a test vpn up on the weekend, sounds like what I'm searching for :P
15:19 < gladiatr> cool
15:19 < mete> thank you gladiatr
15:19 < gladiatr> sure
15:20 < mete> is it possible to only protect the server certificate? one client doesn't support ca with password I think
15:22 -!- venom00ut [~asdfds@unaffiliated/venom00] has joined #openvpn
15:22 < gladiatr> Well, if they're running an openvpn client, it supports encryption of the private key.
15:23 < mete> I think this firewall software doesn't xD
15:23 < gladiatr> Even if you start the openvpn client from a command line (in windows or os x or whatever), it will still pause and wait for the user to input a passphrase when it encounters an encrypted key
15:23 < gladiatr> hrm... I'd try it out. It might surprise you.
15:24 < mete> :P
15:24 < mete> otherwise is it possible to only use a password for one site on one tunnel?
15:25 < gladiatr> Sure. How you create and disseminate your certificates and keys is totally up to you
15:25 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 272 seconds]
15:26 < mete> k ;)
15:26 < mete> I will give it a try
15:26 < mete> thank you
15:29 -!- dschuett [~dschuett@216.229.21.250] has left #openvpn []
15:41 -!- Fleck [~we@unaffiliated/fleck] has quit [Quit: KVIrc Equilibrium 4.1.1, revision: 5222, sources date: 20101102, built on: 2010-12-23 16:54:09 UTC http://www.kvirc.net/]
15:48 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
15:48 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has joined #openvpn
15:59 -!- tuxx_ [~sometinel@81.95.4.165] has joined #openvpn
15:59 < tuxx_> hey guys...
15:59 < tuxx_> http://pastebin.com/NBM5fzgu
15:59 < tuxx_> /proc/sys/net/ipv4/ip_forward = 1
15:59 < tuxx_> i have those server/client configs
15:59 < tuxx_> and the connection goes up nicely
15:59 < tuxx_> however i would like to divert all my client's traffic over the server
15:59 < tuxx_> as soon as i connect to the server
16:00 < tuxx_> i have no connectivity to the internet
16:00 < krzee> !linnat
16:00 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info, or (#4) openvz see !openvzlinnat
16:00 < hyper_ch> hi krzee
16:00 < krzee> hey
16:00 < hyper_ch> krzee: you're an openvpn dev?
16:01 < krzee> nope
16:01 < hyper_ch> krzee: that means you don't walk around with a tinfoil hat all day long?
16:01 < krzee> of course i do
16:01 < hyper_ch> :)
16:01 < tuxx_> krzee: thanks ill give that a try.
16:02 < hyper_ch> off to bed... bye bye
16:03 < tuxx_> krzee: that alone doesnt seem to be doing the trick...
16:04 < tuxx_> krzee: as soon as i connect to the server my connection is lost..
16:04 < tuxx_> i added the first iptables command
16:04 < tuxx_> to my server
16:04 < krzee> can you ping 10.8.0.1?
16:06 < tuxx_> krzee: ok my fault .. i wasnt using eth0
16:06 < tuxx_> krzee: works now.. thanks a lot mate
16:06 < krzee> np
16:29 -!- p3rror [~mezgani@41.140.46.163] has joined #openvpn
16:39 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has quit [Ping timeout: 264 seconds]
16:41 -!- mosno [~mosno@unaffiliated/mosno] has joined #openvpn
16:43 -!- p3rror [~mezgani@41.140.46.163] has quit [Ping timeout: 240 seconds]
16:48 -!- gladiatr [~gladiatr@openvpn/community/support/gladiatr] has quit [Ping timeout: 240 seconds]
17:00 -!- p3rror [~mezgani@41.140.38.130] has joined #openvpn
17:09 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Remote host closed the connection]
17:20 <@vpnHelper> RSS Update - forum: os stucking after an big throught put
17:27 -!- p3rror [~mezgani@41.140.38.130] has quit [Ping timeout: 240 seconds]
17:36 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
17:49 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
17:53 < krzee> !wins
17:53 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
17:53 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Ping timeout: 260 seconds]
17:57 -!- rkantos [robin@hp1.jaketus.net] has quit [Ping timeout: 260 seconds]
17:57 -!- rkantos [robin@hp1.jaketus.net] has joined #openvpn
18:11 -!- tyler_d [~tyler_d@142.68.8.63] has joined #openvpn
18:18 -!- p3rror [~mezgani@41.140.98.135] has joined #openvpn
18:29 -!- venom00ut [~asdfds@unaffiliated/venom00] has quit [Ping timeout: 240 seconds]
18:43 -!- rond [~me@pool-71-170-131-187.dllstx.fios.verizon.net] has quit [Read error: Connection reset by peer]
18:53 -!- tyler_d [~tyler_d@142.68.8.63] has quit [Quit: tyler_d]
18:54 -!- tyler_d [~tyler_d@142.68.8.63] has joined #openvpn
18:54 -!- tyler_d [~tyler_d@142.68.8.63] has left #openvpn []
18:57 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has joined #openvpn
18:58 < grendal_prime> what would be the preferred way of routing just http traffic from the client through the vpn server?
18:59 < grendal_prime> im looking at push "redirect-gateway local def1"
18:59 < grendal_prime> but that seems to do all the traffic
19:00 < |Mike|> Yep.
19:05 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
19:15 -!- patel [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined #openvpn
19:17 -!- patel is now known as openvpn2009
19:17 -!- openvpn2009 [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Changing host]
19:17 -!- openvpn2009 [~patel@openvpn/corp/admin/patel] has joined #openvpn
19:18 -!- patelx [~patel@openvpn/corp/admin/patel] has quit [Ping timeout: 240 seconds]
19:23 -!- jfkw [~jtk@216.115.1.60] has quit [Quit: leaving]
19:51 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:10 -!- master_of_master [~master_of@p57B56488.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
20:12 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
20:18 -!- master_of_master [~master_of@p57B56488.dip.t-dialin.net] has joined #openvpn
20:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
20:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
20:33 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has quit [Quit: Leaving.]
20:41 -!- p3rror [~mezgani@41.140.98.135] has quit [Ping timeout: 272 seconds]
20:42 < ecrist> hyper_ch: what are you asking?
20:43 < ecrist> grendal_prime: you can't route just web traffic with only openvpn, you need to use something like pf and policy routing
21:26 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
21:27 -!- corretico [~laguilar@201.201.44.82] has quit [Remote host closed the connection]
21:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 250 seconds]
21:36 < ljvb> *sigh* killed my phone.. stupid odin..
21:38 < mosno> does openvpn do any kind of packet filtering itself?
21:38 < mosno> ie. if i can see that netfilter counts a packet being output to the local tun0, can i assume that openvpn sends it to the remote tun0?
21:39 < ljvb> okay.. so android ovpn.. my connection keeps resetting every few seconds and reconnecting (krzee.. you there??)
21:39 < mosno> because i can see ICMP echo replies return to my local tun0 when i ping the IP of the remote tun0, but not when i ping an IP in a subnet of the remote tun0
21:40 < mosno> ie. the local openvpn has a "route 192.168.1.0 255.255.255.0"
21:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:51 < ljvb> (sigh).. okay.. anyone who has had android and openvpn working... I cannot keep a stable connection.. lasts a few seconds then drops and recycles through the connection process
22:00 -!- teddz_ [~teddz@dtmd-4db2e331.pool.mediaWays.net] has joined #openvpn
22:00 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
22:04 -!- teddz [~teddz@dtmd-4d0525a7.pool.mediaWays.net] has quit [Ping timeout: 240 seconds]
22:10 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn
22:11 < ljvb> screw it.. will deal with it later, going to sleep
22:35 -!- lkthomas [~lkthomas@058177217070.ctinets.com] has joined #openvpn
22:35 < lkthomas> hey guys
22:36 < lkthomas> I am trying to connect my openvpn client to openvpn server but it shows connection refused
22:36 < lkthomas> anyone have an idea why ?
22:37 < mosno> to answer my own question, i think i needed iroute
22:37 < mosno> testing now
22:38 -!- djgerm1 [~Your_Moms@adsl-75-24-88-30.dsl.pltn13.sbcglobal.net] has joined #openvpn
22:41 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Ping timeout: 255 seconds]
22:42 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
22:43 < grendal_prime> ecrist ya i figured as much.
22:44 < grendal_prime> i guess just grabbing everything would be ok.
22:44 < grendal_prime> forcing all traffic through the vpn would be an ok option to start with
22:48 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
22:58 -!- WinstonSmith [~true@f052101120.adsl.alicedsl.de] has joined #openvpn
22:59 -!- WinstonSmith [~true@f052101120.adsl.alicedsl.de] has quit [Remote host closed the connection]
22:59 -!- WinstonSmith [~true@f052101120.adsl.alicedsl.de] has joined #openvpn
22:59 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds]
23:00 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
23:09 < lkthomas> anyone still alive ?
23:09 < lkthomas> I could telnet to port 1194
23:09 < lkthomas> but my openvpn client keeps complaining connection refused
23:14 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
23:15 -!- Zipper_32 [~Zipper_32@184.71.131.82] has joined #openvpn
23:21 < lkthomas> anyone mind giving me a hand please ?
23:22 -!- void_pointer [~void@unaffiliated/void-pointer/x-0665301] has joined #openvpn
23:46 -!- teddz_ [~teddz@dtmd-4db2e331.pool.mediaWays.net] has quit [Ping timeout: 240 seconds]
23:46 < hyper_ch> ecrist: ?
--- Day changed Fri Jan 21 2011
00:05 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn
00:07 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 240 seconds]
00:07 -!- Cain` is now known as Cain
00:11 -!- ping_pong [~qwerty@212-30-223-89.static.simnet.is] has quit [Ping timeout: 240 seconds]
00:13 -!- ping_pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn
00:18 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
00:21 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:30 -!- lkthomas_ [~lkthomas@061093187003.static.ctinets.com] has joined #openvpn
00:33 -!- lkthomas [~lkthomas@058177217070.ctinets.com] has quit [Ping timeout: 240 seconds]
00:33 -!- lkthomas_ is now known as lkthomas
00:34 -!- lkthomas_ [~lkthomas@058177217070.ctinets.com] has joined #openvpn
00:38 -!- lkthomas [~lkthomas@061093187003.static.ctinets.com] has quit [Ping timeout: 246 seconds]
00:38 -!- lkthomas_ is now known as lkthomas
00:50 -!- Zipper_32 [~Zipper_32@184.71.131.82] has quit [Quit: Leaving]
00:50 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: leaving]
00:51 -!- void_pointer [~void@unaffiliated/void-pointer/x-0665301] has quit [Ping timeout: 276 seconds]
01:05 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Read error: Operation timed out]
01:06 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
01:13 -!- prettyrobots [~alan@66.93.0.189] has joined #openvpn
01:14 -!- raw_ [~raw@chipotle118.server4you.de] has quit [Ping timeout: 240 seconds]
01:17 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:27 -!- pfein [~realnames@dynamic-66-243-239-34.ellensburg.fairpoint.net] has joined #openvpn
01:27 -!- raw_ [~raw@chipotle118.server4you.de] has joined #openvpn
01:29 -!- WinstonSmith [~true@f052101120.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
01:38 -!- lkthomas_ [~lkthomas@061093187003.static.ctinets.com] has joined #openvpn
01:39 -!- ping_pong [~qwerty@212-30-223-89.static.simnet.is] has quit [Ping timeout: 255 seconds]
01:39 -!- ping_pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn
01:39 -!- lkthomas [~lkthomas@058177217070.ctinets.com] has quit [Ping timeout: 272 seconds]
01:39 -!- lkthomas_ is now known as lkthomas
01:50 -!- prettyrobots [~alan@66.93.0.189] has quit [Quit: prettyrobots]
01:54 -!- lkthomas [~lkthomas@061093187003.static.ctinets.com] has quit [Read error: Connection reset by peer]
01:54 <@vpnHelper> RSS Update - forum: Linux client problem
01:57 -!- common [~common@p5DDA474F.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
01:57 -!- common [~common@p5DDA474F.dip0.t-ipconnect.de] has joined #openvpn
01:58 -!- pfein [~realnames@dynamic-66-243-239-34.ellensburg.fairpoint.net] has quit [Remote host closed the connection]
02:01 < kraut> moin
02:07 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Ping timeout: 245 seconds]
02:15 < reiffert> moin kraut
02:17 -!- ping_pong is now known as ping-pong
02:21 -!- void_pointer [~void@unaffiliated/void-pointer/x-0665301] has joined #openvpn
02:30 -!- void_pointer [~void@unaffiliated/void-pointer/x-0665301] has quit [Read error: Connection reset by peer]
02:31 -!- void_pointer [~void@173.192.53.132] has joined #openvpn
02:31 -!- void_pointer [~void@173.192.53.132] has quit [Changing host]
02:31 -!- void_pointer [~void@unaffiliated/void-pointer/x-0665301] has joined #openvpn
02:33 -!- venom00ut [~asdfds@unaffiliated/venom00] has joined #openvpn
02:40 -!- lkthomas [~lkthomas@058177217070.ctinets.com] has joined #openvpn
02:40 < lkthomas> hey guys
02:40 < lkthomas> is it possible to share same pki with multiple users ?
02:46 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
02:48 <@vpnHelper> RSS Update - forum: Can't ping LAN behind VPN server
02:48 < macsppadic> morning all
03:01 -!- void_pointer [~void@unaffiliated/void-pointer/x-0665301] has quit [Ping timeout: 240 seconds]
03:03 -!- Fleck [~we@unaffiliated/fleck] has joined #openvpn
03:03 < Fleck> !smb
03:03 < Fleck> !samba
03:03 <@vpnHelper> "samba" is (#1) http://openvpn.net/faq#samba-routing for using samba with a routed tun, or use NETBIOS with a bridge, or (#2) http://www.openvpn.net/howto#samba if you run samba on linux and use tun mode
03:05 -!- albech [~thomas@124.157.245.126] has joined #openvpn
03:13 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has quit [Ping timeout: 246 seconds]
03:15 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
03:15 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Read error: Operation timed out]
03:15 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 255 seconds]
03:15 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has joined #openvpn
03:16 -!- Nappy [~nappy@97.97.247.123] has joined #openvpn
03:20 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has quit [Ping timeout: 272 seconds]
03:21 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has joined #openvpn
03:25 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
03:27 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has quit [Ping timeout: 250 seconds]
03:27 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has joined #openvpn
03:29 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
03:38 -!- bauruine [~stefan@cust.static.46-14-244-193.swisscomdata.ch] has joined #openvpn
03:51 -!- master_of_master [~master_of@p57B56488.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:52 -!- venom00ut [~asdfds@unaffiliated/venom00] has quit [Quit: ☃]
03:52 -!- venom00ut [~asdfds@unaffiliated/venom00] has joined #openvpn
03:53 -!- master_of_master [~master_of@p57B52D32.dip.t-dialin.net] has joined #openvpn
04:03 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
04:19 -!- LeRrA [~lerra@c-4b9372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
04:36 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
04:36 <@vpnHelper> RSS Update - forum: os stucking after an big throught put
04:48 -!- common [~common@p5DDA474F.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
04:52 -!- common [~common@p5DDA488B.dip0.t-ipconnect.de] has joined #openvpn
04:54 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
04:54 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
04:54 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
04:54 <@vpnHelper> RSS Update - forum: VM Lab using OpenVPN
05:00 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
05:06 -!- le0 [~fin@host217-43-215-207.range217-43.btcentralplus.com] has joined #openvpn
05:06 -!- le0 [~fin@host217-43-215-207.range217-43.btcentralplus.com] has quit [Changing host]
05:06 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
05:06 -!- tyler_d [~tyler_d@142.68.8.63] has joined #openvpn
05:06 -!- tyler_d [~tyler_d@142.68.8.63] has left #openvpn []
05:18 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn
05:19 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Client Quit]
05:19 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn
05:26 -!- teddz_ [~teddz@dtmd-4db2e331.pool.mediaWays.net] has joined #openvpn
05:30 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
05:49 -!- teddz_ [~teddz@dtmd-4db2e331.pool.mediaWays.net] has quit [Ping timeout: 240 seconds]
06:26 -!- tyler_d [~tyler_d@142.176.33.186] has joined #openvpn
06:26 -!- tyler_d [~tyler_d@142.176.33.186] has left #openvpn []
06:31 -!- takamichi [~pri@85.232.213.54] has quit [Ping timeout: 255 seconds]
06:31 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
06:35 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
06:51 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn
06:59 < ecrist> -21F here this am. fun fun
07:03 < havoc> -9F here, -28F windchill
07:04 < dschuett> 10F here :)
07:11 < Fleck> 28.4F here :D
07:18 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 255 seconds]
07:18 -!- takamichi [~pri@85.232.213.54] has joined #openvpn
07:29 < dschuett> openvpn AND weather channel AIO!
07:29 < Fleck> ;D
07:35 < ljvb> sheesh, where the hell do some of you live.. the arctic?
07:41 < havoc> heh
08:05 < ecrist> Minnesota
08:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:11 * havoc is in WI
08:14 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Quit: Leaving]
08:14 -!- maxJadi [~maxJadi@pontarius/mahdi] has joined #openvpn
08:15 -!- venom00ut [~asdfds@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
08:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 245 seconds]
08:15 -!- venom00ut [~asdfds@unaffiliated/venom00] has joined #openvpn
08:16 -!- maxJadi [~maxJadi@pontarius/mahdi] has quit [Read error: Connection reset by peer]
08:24 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:27 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
08:30 -!- teddz [~teddz@dtmd-4db2e331.pool.mediaWays.net] has joined #openvpn
08:30 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
08:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
08:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
08:41 * ljvb is from a place where winter is in the 60's.. and that's on a bad day..
08:42 * ljvb hates snows and ice.. and cold..
08:49 < ecrist> the coldest I've experienced was -56F with windchill at -79F
08:50 -!- bauruine [~stefan@cust.static.46-14-244-193.swisscomdata.ch] has quit [Remote host closed the connection]
08:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:52 -!- gladiatr_afk is now known as gladiatr
08:52 < gladiatr> yeah. that's a bit chilly.
08:57 -!- s7r [~s7r@95.154.230.174] has joined #openvpn
09:01 <@vpnHelper> RSS Update - forum: "TXT_DB error number 2" on build-key.bat client cert
09:16 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn
09:20 -!- Fthis [6276ddd4@gateway/web/freenode/ip.98.118.221.212] has joined #openvpn
09:22 -!- iceberg is now known as iceberg_
09:23 -!- iceberg_ [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has quit [Quit: iceberg_]
09:23 -!- iceberg [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has joined #openvpn
09:23 -!- iceberg is now known as iceberg303
09:23 -!- iceberg303 [~iceberg@rrcs-70-63-54-202.central.biz.rr.com] has left #openvpn []
09:25 <@vpnHelper> RSS Update - forum: "TXT_DB error number 2" on build-key.bat client cert
09:31 <@vpnHelper> RSS Update - forum: Linux Tap device 10Mbit || [SOLVED] "TXT_DB error number 2" on build-key.bat || IP address of client still visible
09:37 <@vpnHelper> RSS Update - forum: configure open vpn file
09:39 < gladiatr> lkthomas, can you clarify what you mean?
09:40 < gladiatr> lkthomas, pki = public key infrastructure. By definition a PKI serves multiple people/applications. I get the feeling that's not what you're after, though...
09:40 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
09:49 * ecrist wonders if gladiatr is talking to himself.
09:49 < gladiatr> I must be...
09:49 < gladiatr> is it possible to share same pki with multiple users ?
09:50 -!- jfkw [~jtk@216.115.1.60] has joined #openvpn
09:50 < gladiatr> ...and so I'm having a wonderful time, but I'd rather be whistling in the dark...
09:51 < ecrist> when did he say that...
09:51 < ecrist> oh, nm
09:51 < ecrist> I just need to read up further
09:51 < gladiatr> hehe
09:53 < gladiatr> I just activated timestamps... probably not a bad idea... this fellow probably asked his question at 3am
09:53 < gladiatr> Oh. Yeah. Indeed so. 2:40 cst
10:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 276 seconds]
10:00 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has quit [Ping timeout: 240 seconds]
10:10 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has joined #openvpn
10:15 -!- p3rror [~mezgani@41.140.31.102] has joined #openvpn
10:22 -!- p3rror [~mezgani@41.140.31.102] has quit [Ping timeout: 240 seconds]
10:28 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
10:28 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
10:28 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
10:34 -!- p3rror [~mezgani@41.140.170.228] has joined #openvpn
10:35 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
10:35 -!- mode/#openvpn [+o mattock] by ChanServ
10:35 -!- mattock [~samuli@openvpn/corp/admin/mattock] has left #openvpn []
10:36 -!- albech [~thomas@124.157.245.126] has quit [Quit: Ex-Chat]
10:40 -!- p3rror [~mezgani@41.140.170.228] has quit [Ping timeout: 265 seconds]
10:42 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
10:53 -!- p3rror [~mezgani@41.140.174.215] has joined #openvpn
11:01 -!- p3rror [~mezgani@41.140.174.215] has quit [Ping timeout: 240 seconds]
11:01 -!- grendal_prime [~sgraham@206.128.84.26] has joined #openvpn
11:01 < grendal_prime> hey, is there a way with gateway-redirect to set a different ip as the gateway?
11:03 < grendal_prime> i have a bridged setup and i need to push a different gateway to the clients ...the openvpn server is x.x.14.3 and i need the pushed gateway to be x.x.14.1 basically.
11:03 < grendal_prime> can i replace def1 with a specific ip?
11:04 -!- tjz [~pc@unaffiliated/tjz] has quit [Read error: Connection reset by peer]
11:05 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:06 < gladiatr> I don't think such a thing would work with the redirect-gateway directive; however, you might play around with pushing a 0.0.0.0 [desired gateway IP] route to your bridged client.
11:07 -!- gladiatr is now known as gladiatr_akf
11:07 -!- gladiatr_akf is now known as gladiatr_afk
11:08 -!- s7r [~s7r@95.154.230.174] has left #openvpn []
11:11 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
11:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:18 -!- p3rror [~mezgani@41.140.33.102] has joined #openvpn
11:22 -!- ljvb [~jason@vps.vanbrecht.com] has quit [Quit: My damn controlling terminal disappeared!]
11:27 -!- djgerm1 [~Your_Moms@adsl-75-24-88-30.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving.]
11:30 -!- Azoff [foobar@c83-252-248-115.bredband.comhem.se] has quit [Quit: reboot]
11:43 -!- p3rror [~mezgani@41.140.33.102] has quit [Ping timeout: 240 seconds]
11:48 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has joined #openvpn
11:50 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
11:50 -!- mode/#openvpn [+o mattock] by ChanServ
11:50 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Read error: Connection reset by peer]
11:53 -!- gladiatr_afk is now known as gladiatr
11:55 -!- p3rror [~mezgani@41.140.179.88] has joined #openvpn
11:56 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
11:57 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
11:57 -!- mode/#openvpn [+o mattock] by ChanServ
12:06 <@vpnHelper> RSS Update - forum: IP address of client still visible
12:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
12:12 <@vpnHelper> RSS Update - forum: os stucking after an big throught put
12:13 < mete> http://openvpn.net/index.php/open-source/documentation/howto.html#pki
12:13 <@vpnHelper> Title: HOWTO (at openvpn.net)
12:13 < mete> here is a table of the pki files which were generated during the process
12:14 < mete> in the last row is written "secret" and then in each line YES or NO
12:14 < mete> if there is written yes, so they must be stored secret?
12:18 < gladiatr> They should be encrypted.
12:19 < mete> ok so they are "save"
12:19 < gladiatr> ...
12:19 < gladiatr> whatcha mean?
12:19 < mete> what? xD
12:19 < mete> hmmh, where is the best to store the ca.key? ^^
12:20 < gladiatr> The best place is on an encrypted file system that only gets mounted on a system that runs no services and can only be accessed from a console.
12:20 < gladiatr> er... that only gets mounted when needed
12:20 < mete> hmmh ok
12:20 < mete> other question
12:21 < mete> when I set up a ca on another client
12:21 < mete> as the server
12:21 < mete> which files I need to update on the openvpn server when I add a client?
12:21 < gladiatr> do you mean: when you set up a client with a certificate signed by my ca?
12:22 < gladiatr> meh. pronoun disaster
12:22 < gladiatr> s/you/I
12:22 < mete> yes, and the CA is on another machine as the openvpn server
12:23 < gladiatr> the CA itself needs to stay on a secured system. The server and all of your clients need the ca.crt file. At that point, no changes need to be made on the server. All you have to do is create client certificates (signed by your CA) and distribute them
12:23 < mete> ok
12:24 < gladiatr> All the server needs, at that point, is to be able to see that the client cert has a valid signature
12:24 < mete> how the server knows which client cert is revoked?
12:24 < mete> do I need to revoke the cert on the openvpn server or on the server on which the CA is installed?
12:24 < gladiatr> whenever you revoke a certificate, you need to copy a new version of your crl file to the openvpn server. Depending on how many certs you're planning on dealing with, you can do this manually or automatically
12:25 < gladiatr> client certificates can only be revoked by the CA
12:25 < mete> k
12:29 < mete> where do I need to specify the crl file in the openvpn config? I can't find anything in this config: http://openvpn.net/index.php/open-source/documentation/howto.html#examples
12:29 <@vpnHelper> Title: HOWTO (at openvpn.net)
12:29 < mete> this openvpn is complex -.-
12:30 < gladiatr> !factoids search crl
12:30 <@vpnHelper> "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that
12:30 <@vpnHelper> will create the CRL file for you. ssl-admin will also build a crl for you
12:30 < mete> start option
12:30 < mete> alright ;)
12:31 < mete> will set up a crypted VM for CA :)
12:31 < mete> then I will test that ;)
12:31 < gladiatr> :D
12:31 < mete> it sounds very secure then *gg* thanks gladiatr
12:31 < gladiatr> you betcha
12:32 < mete> where are you from gladiatr?
12:32 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds]
12:33 < gladiatr> NE Kansas, USA. We don't believe in evolution, but, by god, we can crank out a mean vpn config :P :D
12:33 < mete> :PP
12:33 < mete> USA is cool
12:33 < mete> I go this summer to the usa
12:33 < mete> to learn a bit english
12:34 < gladiatr> It doesn't sound like you have too much more work to do. You certainly understand it better than I understand... anything that isn't English. heh
12:34 < mete> xD
12:35 < mete> written text I understand very good, but sometimes when I'm at the telephone and request support (symantec, hp, vmware) it sounds like another language to me xD
12:36 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
12:37 -!- grendal_prime [~sgraham@206.128.84.26] has quit [Ping timeout: 240 seconds]
12:38 < gladiatr> It can be difficult. With the outsourcing of phone support, it's not uncommon to be speaking with someone who speaks english as a 2nd or 3rd language anyway. As I said: good for them. If it bothered me enough, I'd learn their language and just ask them to speak in their native tongue.
12:38 < gladiatr> so, bravo for your motivation!
12:39 < mete> I'm working in an it consulting firm, so we have often to do with big software firms...
12:39 < mete> and the "good" support from vmware is in usa ;)
12:39 < mete> so I've to speak english to them :P
12:40 < mete> each time I call, I say them, that they have to speak fast to me ;) then it's mostly OK to phone with them
12:40 < mete> heh
12:40 < gladiatr> lol
12:41 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 240 seconds]
12:41 < mete> in india they can speak german, but they haven't a clue to solve my problems :P
12:43 < gladiatr> Indeed. I knew some guys that worked for a contractor that did tier 1 tech support for a computer maker here in the states. There was the information they were provided in a 3-ring binder and their own knowledge of troubleshooting Windows and PC issues, but that was it. They had no access to internal troubleshooting databases.
12:43 < mete> hehe
12:43 < mete> we're a 7 people firm :P
12:44 < mete> and we've access to some databases and/or tech support
12:45 < mete> soo, debian netinstall is doing his job xD
12:45 < gladiatr> Yeah. If you can become a recognized support partner for a lot of the larger companies, they let you into their Inner Sanctum of Knowledge (sometimes)
12:45 < mete> hehe
12:46 < mete> only one bad thing by our company is, that we only have windows machines... :(
12:46 < mete> so all linux stuff is only private -.-
12:46 < mete> good that I started when I was 14 to set up a linux box, heh
12:47 < gladiatr> hmmm... that's rough. But the nice thing about Windows being so rickety is that there is lots of money to be made maintaining it.
12:47 -!- irssi____ [~irssi@devastation.securewebs.net] has quit [Ping timeout: 265 seconds]
12:47 < gladiatr> indeed
12:47 < mete> jep ;)
12:47 < mete> so, I need to go :)
12:47 < mete> have a nice day gladiatr
12:48 < gladiatr> thank you very much! And to you as well :)
12:50 -!- xindz [karz@bounced.by.nbounce.com] has quit [Ping timeout: 246 seconds]
12:52 -!- xindz [karz@bounced.by.nbounce.com] has joined #openvpn
13:03 -!- grendal_prime [~sgraham@dhcp64-134-224-30.fpscc.den.wayport.net] has joined #openvpn
13:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
13:11 -!- jhelwig [~jhelwig@li229-87.members.linode.com] has quit [Changing host]
13:11 -!- jhelwig [~jhelwig@puppetlabs/development/jhelwig] has joined #openvpn
13:17 -!- Mish12 [~mish@194.28.69.111.dynamic.snap.net.nz] has quit [Ping timeout: 240 seconds]
13:28 -!- dschuett [~dschuett@216.229.21.250] has quit [Ping timeout: 255 seconds]
13:28 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn
13:31 -!- grendal_prime [~sgraham@dhcp64-134-224-30.fpscc.den.wayport.net] has quit [Read error: Operation timed out]
13:34 -!- Zipper_32 [~Zipper_32@72.53.35.91] has joined #openvpn
13:38 < Zipper_32> !welcome
13:38 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:38 < Zipper_32> !route
13:38 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:39 < Zipper_32> !redirect
13:39 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:39 < Zipper_32> !nat
13:39 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
13:48 -!- Malard [~ident@xbmc/staff/malard] has quit [Read error: Connection reset by peer]
13:49 -!- WinstonSmith [~true@g225028010.adsl.alicedsl.de] has joined #openvpn
13:50 -!- Malard [ident@xbmc/staff/malard] has joined #openvpn
13:50 -!- Malard|Home [~ident@hebe.travelrepublic.co.uk] has joined #openvpn
13:50 -!- Malard|Home [~ident@hebe.travelrepublic.co.uk] has quit [Changing host]
13:50 -!- Malard|Home [~ident@xbmc/staff/malard] has joined #openvpn
13:54 -!- Malard [ident@xbmc/staff/malard] has quit [Ping timeout: 240 seconds]
13:56 -!- WinstonSmith [~true@g225028010.adsl.alicedsl.de] has quit [Read error: Connection reset by peer]
14:04 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
14:11 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:12 -!- p3rror [~mezgani@41.140.179.88] has quit [Ping timeout: 255 seconds]
14:15 -!- WinstonSmith [~true@g231242201.adsl.alicedsl.de] has joined #openvpn
14:17 -!- prettyrobots [~alan@66.93.0.189] has joined #openvpn
14:22 -!- p3rror [~mezgani@41.248.188.84] has joined #openvpn
14:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
14:28 -!- WinstonSmith [~true@g231242201.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
14:31 -!- WinstonSmith [~true@g231242201.adsl.alicedsl.de] has joined #openvpn
14:39 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Ping timeout: 245 seconds]
14:43 -!- Rolybrau [~Rolybrau@62-67.78-83.cust.bluewin.ch] has joined #openvpn
14:43 -!- Rolybrau [~Rolybrau@62-67.78-83.cust.bluewin.ch] has quit [Changing host]
14:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
14:43 < mete> If you would like to password-protect your client keys, substitute the build-key-pass script.
14:43 < mete> can I use that for server key as well gladiatr? :)
14:49 < gladiatr> hrm... well, I use the easy-rsa scripts (version 2), so all I do to password protect keys is ./pkitool --pass --server servername.whee.com (or for clients, I leave out the --server)
14:49 < mete> hmmh
14:49 < mete> one moment xD
14:50 < mete> you have generated the keys
14:50 < mete> and afterwards you use pkitool?
14:52 < gladiatr> No. I generate the certificate and the associated key at the same time with the above pkitool command
14:53 < mete> hmmh okay
14:53 < mete> is there a howto/short tut available? ^^
14:54 < mete> why there are 100 methods for that? xDDD
14:54 < mete> unbelievable
14:55 < gladiatr> Hrm...
14:56 < mete> or can you post the two commands? ^^
14:56 < mete> then I will try ;)
14:56 < mete> I'll make a snapshot before testing :P
14:57 -!- ljvb [~jason@vps.vanbrecht.com] has joined #openvpn
14:57 < gladiatr> Yeah. It looks like a lot of the how-to's you find from searching google are for version 1. It has been quite a while... I think I just looked at the scripts :)
14:57 -!- Malard [ident@xbmc/staff/malard] has joined #openvpn
14:58 < ljvb> openvpn on android.. I just rebooted my phone.. openvpn is disabled in the settings menu.. yet I am watching my vpn server log files.. and it's trying to connect (getting bad lzo decompression header, but that's another issue).. why is ovpn even attempting to connect???
15:01 -!- Malard|Home [~ident@xbmc/staff/malard] has quit [Ping timeout: 276 seconds]
15:04 < gladiatr> out of curiosity, have you checked the support forums (or whatever they've got) for the openvpn package you're using? krzee's is the only voice I've heard in here re: android and haven't seen him on today
15:05 < mete> hmmh, I think it's safe enough if I only crypt the folder, in which the keys are? eg. /etc/openvpn/scripts/keys?
15:05 < gladiatr> mete, that would essentially accomplish the same thing, yes.
15:05 < ljvb> that's who I was hoping would be around.. heh.. I will go hunt down the developer forum when I am done my concall
15:06 < mete> k, that's the easiest way :P
15:06 < mete> for my crypted VM :P
15:10 -!- WinstonSmith [~true@g231242201.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
15:10 -!- WinstonSmith [~true@g231242201.adsl.alicedsl.de] has joined #openvpn
15:18 -!- p3rror [~mezgani@41.248.188.84] has quit [Ping timeout: 240 seconds]
15:22 < mete> hmmh
15:25 < mete> ./build-ca -pass
15:25 < mete> :)
15:26 -!- WinstonSmith [~true@g231242201.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
15:27 -!- dschuett [~dschuett@216.229.21.250] has left #openvpn []
15:31 -!- p3rror [~mezgani@41.140.172.164] has joined #openvpn
15:33 < ljvb> bah.. cannot for the life of me find support forum or channel for the android port..
15:37 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn
15:39 -!- WinstonSmith [~true@e177092114.adsl.alicedsl.de] has joined #openvpn
15:42 < mete> so
15:42 < mete> all pem's crt's key's etc are created
15:42 < mete> xD
15:46 < mete> gladiatr: crl file is only generated, when I revoke a certificate?
15:47 < reiffert> yes.
15:47 < mete> k
15:48 < mete> can I create a "null" file and give that as crl file? so that I don't need to modify the command in the future?
15:48 < mete> :P
15:49 < gladiatr> that might work. Or you could make a dummy cert that you immediately revoke to initialize the file
15:50 < gladiatr> I don't imagine that openvpn would choke on an empty file, but I've never tried it
15:50 < mete> k ;)
15:50 < mete> will try
15:50 < mete> :P
15:50 < mete> openvpn is a nice toy :P
15:52 < mete> interesting
15:53 < mete> I start openvpn with the new config file, but no error message
15:53 < mete> and openvpn isn't running
15:53 < mete> xD
15:54 -!- lteo [~lteo@lteo-1-pt.tunnel.tserv3.fmt2.ipv6.he.net] has joined #openvpn
15:58 < gladiatr> try running it from the command line. openvpn --config /etc/openvpn/serverconfig.conf --verb 4
16:00 < mete> jep ;)
16:00 < mete> saw the error
16:00 < mete> heh
16:00 < mete> where do I specify the dh files? 01 and 02.pem? xD
16:00 < mete> dh 01.pem
16:01 < mete> doesn't work as parameter in the config file
16:01 < ljvb> okay.. so I figure the problem for the android port is somewhere within the openvpn settings/startup client front end.. because running openvpn client.ovpn works just fine from adb shell
16:01 < gladiatr> nope... hang on
16:02 < gladiatr> use this to generate your dh file: openssl dhparam -out dh1024.pem 1024
16:03 < mete> k, can I do this on the openvpn server, or must I generate it on the key machine?
16:03 < gladiatr> the server is fine
16:03 < mete> kk ;)
16:05 < ljvb> ssl-admin works great for managing certificates for clients
16:05 < ljvb> well, on fbsd it does, I am sure there is something similar for whatever OS you're using
16:05 < dvl> FreeBSD FTW. ;)
16:06 < mete> ^^
16:06 < mete> console is better
16:06 < mete> :P
16:06 < ljvb> ssl-admin is just a menu driven perl script on the console
16:06 < ljvb> that calls openssl
16:07 < gladiatr> dvl, agreed :)
16:07 < ljvb> so.. yes.. it's still console :P
16:07 < mete> ;)
16:07 < mete> :PP
16:07 < mete> so
16:07 < mete> server is started
16:07 < mete> first step is done
16:07 < mete> xD
16:09 < gladiatr> woot!
16:11 < mete> first I install winscp on the client
16:11 < mete> to copy the files
16:11 < mete> xD
16:13 -!- gladiatr is now known as gladiatr_afk
16:15 -!- dvl [~dvl@pdpc/supporter/active/dvl] has left #openvpn ["Leaving"]
16:16 < Fthis> VNC/remote desktop sucks over my site-to-site VPN (static key)
16:17 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-ltqmlliavogkigsn] has joined #openvpn
16:17 < Fthis> it is fine over my TCP server/client setup though
16:17 < lteo> heard from someone today that openvpn will not work on windows 7 with a non-administrative user. is that true?
16:18 < Fthis> it probably just pops up an annoying box that you just click OK on and then it works until it BSOD's anyway so go ahead and try it
16:19 -!- prettyrobots [~alan@66.93.0.189] has quit [Quit: prettyrobots]
16:19 < gladiatr_afk> lteo, you have to be able to run openvpn with admin privileges so it can manipulate the routing table
16:19 -!- gladiatr_afk is now known as gladiatr
16:21 < mete> can I activate tls mode in config file? or is this on the cmd only? :S
16:22 < gladiatr> mete, anything you specify on the command line can be included in the configuration file
16:23 < lteo> gladiatr: thanks. what is the recommended way to give a non-admin user admin privileges to openvpn so that the routing table can be modified?
16:24 < mete> that's good
16:24 < mete> xD
16:24 < tuxx_> hey guys.. im having trouble generating
16:24 < tuxx_> the keys
16:24 < tuxx_> my server.crt is always empty
16:24 < mete> which command you used?
16:25 < tuxx_> . ./vars ; ./clean-all; ./build-server-keys
16:25 < tuxx_> i think
16:25 < gladiatr> lteo, there are two ways that I know of: make the user an "admin" user or give a "non-admin" user a password for an account that has admin privs. Great choices, huh?
16:25 < tuxx_> one sec
16:26 < tuxx_> mete: . ./vars; ./clean-all ; ./build-ca ; ./build-key-server server; ./build-key-server server ; ./build-key client1;./build-key client2 ;./build-dh
16:26 < lteo> gladiatr: wow
16:26 -!- ucekpolish1 [user@hq.ostc-pl.com] has quit [Ping timeout: 246 seconds]
16:27 < gladiatr> lteo, yup. It sucks. dunno. There might be some magical way of getting around that. If so, I do not know what it is.
16:27 < tuxx_> mete: is that the correct way?
16:28 < tuxx_> mete: used from /usr/share/doc/openvpn/examples/easy-rsa/2.0
16:29 -!- gladiatr is now known as gladiatr_afk
16:31 < ljvb> grrrr.. okay.. bunch of issues with the android client.. 1, running it from the command line, and then killing it.. does not actually kill the client...
16:31 < ljvb> need to kill pid
16:32 < mete> should be OK
16:32 < mete> hmmh do I need an additional tls-auth key? xD
16:34 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Ping timeout: 272 seconds]
16:34 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn
16:35 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
16:37 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Remote host closed the connection]
16:39 -!- p3rror [~mezgani@41.140.172.164] has quit [Ping timeout: 260 seconds]
16:44 < ljvb> aha.. resolv-retry infinite is what is causing the android client to puke.. consistently trying to log in to the server multiple times using the same certificate
16:47 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn
16:59 -!- prettyrobots [~alan@76.226.170.139] has joined #openvpn
16:59 -!- Malard [ident@xbmc/staff/malard] has quit [Ping timeout: 260 seconds]
17:00 -!- Malard [ident@dsl78-143-214-202.in-addr.fast.co.uk] has joined #openvpn
17:00 -!- Malard [ident@dsl78-143-214-202.in-addr.fast.co.uk] has quit [Changing host]
17:00 -!- Malard [ident@xbmc/staff/malard] has joined #openvpn
17:00 -!- Fthis [6276ddd4@gateway/web/freenode/ip.98.118.221.212] has quit [Quit: Page closed]
17:01 < mete> fuck
17:02 < mete> tap32 driver doesn't work on w7 x64
17:02 < mete> -.-
17:02 < ecrist> there is a tap driver
17:02 < mete> jep
17:02 < ecrist> that works on win 7
17:02 < mete> xD
17:02 < mete> I had an old openvpn
17:02 < ecrist> simply install the latest version
17:02 < ecrist> :)
17:02 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has quit [Quit: Leaving.]
17:02 < mete> that worked :P
17:02 < mete> doesn't work
17:02 < mete> ..
17:03 < ecrist> you make no sense.
17:03 < mete> openvpn-2.0.9-gui-1.0.3-install.exe
17:03 < mete> this package I've installed
17:03 < ecrist> that's not the latest.
17:03 * ecrist points to /topic
17:06 < mete> ok the 2.2 beta5 works
17:06 < mete> ;)
17:06 < mete> thx
17:06 < ecrist> 2.1.4 would work, too
17:06 < mete> yessss
17:06 < mete> cert is working
17:06 < mete> hah
17:06 < mete> xD
17:07 < mete> nice
17:07 -!- Guest52298 [43a40ced@gateway/web/freenode/ip.67.164.12.237] has joined #openvpn
17:07 < mete> cool thing
17:07 < ecrist> I thought we banned the web client...
17:08 < Guest52298> wait I have a question
17:09 < Guest52298> I have a problem with the openvpn client. It's installed, and I can login, but I constantly get stuck on the "download the openvpn client" page and it never connects...
17:09 < Guest52298> "You will be automatically connected" - never happens
17:09 < ecrist> are you referring to OpenVPN Access Server?
17:10 < reiffert> download the openvpn client sounds like Access Server, does it?
17:10 < ecrist> yeah, it does to me
17:10 < Guest52298> yes
17:10 < Guest52298> openvpn-as
17:10 < reiffert> Guest52298: see here then:
17:10 < reiffert> !as
17:10 <@vpnHelper> "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configuration options
17:10 <@vpnHelper> supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
17:11 < Guest52298> ok
17:12 -!- Guest52298 [43a40ced@gateway/web/freenode/ip.67.164.12.237] has left #openvpn []
17:12 < reiffert> it took quite a while for vpnHelper to answer on !as
17:12 < reiffert> I'd guess it looked like 10 seconds for me. Saw it too?
17:12 < ecrist> I saw it instantly
17:12 < ecrist> but, I'm on the same lan as vpnHelper
17:13 < ecrist> though, he and I are connected to different servers
17:13 < reiffert> at least it's no brain lag on vpnHelper then.
17:13 < ecrist> oh, wait, my IRC client is now on a completely different network.
17:13 < ecrist> and 20 miles away
17:14 < ecrist> AND we're connected to different servers
17:14 < ecrist> I think it's you, reiffert
17:14 < reiffert> glad it's not vpnHelper, like I said
17:15 < reiffert> !as
17:15 <@vpnHelper> "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configuration options
17:15 <@vpnHelper> supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
17:15 < reiffert> normal now
17:17 -!- Malard [ident@xbmc/staff/malard] has quit [Ping timeout: 240 seconds]
17:17 < ljvb> exit
17:18 < ljvb> good thing I was not typing in a password
17:18 < ljvb> heh....
17:18 < ecrist> lol
17:18 < ecrist> I've done that
17:18 < ecrist> in this very channel
17:18 -!- Malard [~ident@hebe.travelrepublic.co.uk] has joined #openvpn
17:18 -!- Malard [~ident@hebe.travelrepublic.co.uk] has quit [Changing host]
17:18 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn
17:18 < ljvb> I have too.. many times.. hell.. I have been around since this place was linpeople.. very first day my nickserv password went to the channel
17:19 < ljvb> I need to learn to make sure there is a / and mouse focus is on the correct window heh..
17:19 < ljvb> dinner time
17:19 < ljvb> will have to figure out the bad source address issue later.. wife is getting angry.. heh..
17:20 < reiffert> focus follows mouse can be configured.
17:23 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
17:24 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Read error: Connection reset by peer]
17:30 -!- djgerm [~Your_Moms@adsl-99-139-49-113.dsl.pltn13.sbcglobal.net] has joined #openvpn
17:32 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 240 seconds]
17:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
17:53 <@vpnHelper> RSS Update - forum: Windows client and Tomcat?
18:02 < ljvb> irssi connectbot is weird...
18:04 < ljvb> hmmmm, won't do landscape
18:05 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
18:05 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
18:05 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
18:05 < ljvb> anyways, openvpn problems seem resolved...
18:07 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
18:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:20 < ljvb> and in the stroke of the finger, I f'd it all up again... ugg oh well, try later when I get home
18:33 -!- WinstonSmith [~true@e177092114.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
18:36 -!- djgerm1 [~Your_Moms@adsl-99-139-49-113.dsl.pltn13.sbcglobal.net] has joined #openvpn
18:37 -!- djgerm [~Your_Moms@adsl-99-139-49-113.dsl.pltn13.sbcglobal.net] has quit [Read error: Connection reset by peer]
18:49 -!- WinstonSmith [~true@e177089110.adsl.alicedsl.de] has joined #openvpn
18:55 -!- gladiatr_afk [~sdspence@openvpn/community/support/gladiatr] has quit [Remote host closed the connection]
18:59 < krzee> hey
19:00 < krzee> oh cool you got it working?
19:00 < krzee> ^ @ ljvb
19:12 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.3.2]
19:13 -!- jfkw [~jtk@216.115.1.60] has quit [Quit: leaving]
19:13 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
19:14 -!- batrick [~batrick@nmap/developer/batrick] has quit [Client Quit]
19:15 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
19:16 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
19:17 <@vpnHelper> RSS Update - forum: Tunnel low speed
19:18 -!- djgerm1 [~Your_Moms@adsl-99-139-49-113.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving.]
19:23 < krzee> !winroute
19:23 <@vpnHelper> "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote access in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
19:37 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has joined #openvpn
20:21 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
20:25 -!- djgerm [~Your_Moms@dsl-63-249-90-234.static.cruzio.com] has quit [Quit: Leaving.]
20:27 -!- prettyrobots [~alan@76.226.170.139] has quit [Quit: prettyrobots]
20:35 -!- agrajag [~agrajag^@c-24-131-78-108.hsd1.pa.comcast.net] has joined #openvpn
20:45 -!- WinstonSmith [~true@e177089110.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
20:45 -!- WinstonSmith [~true@e177089110.adsl.alicedsl.de] has joined #openvpn
20:50 -!- albech [~thomas@119.42.78.253] has joined #openvpn
20:51 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 255 seconds]
20:55 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn
20:57 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
21:07 -!- krzee [krzee@openvpn/community/support/krzee] has left #openvpn ["Leaving"]
21:10 -!- venom00ut [~asdfds@unaffiliated/venom00] has quit [Ping timeout: 264 seconds]
21:15 -!- krzee [krzee@hemp.ircpimps.org] has joined #openvpn
21:15 -!- krzee [krzee@hemp.ircpimps.org] has quit [Changing host]
21:15 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
21:26 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
21:31 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
21:34 < tuxx_> hey guys
21:36 < tuxx_> in windows 7
21:36 < tuxx_> I keep getting the following error msg when trying to connect to the server
21:36 < tuxx_> all tap-win32 adapters are in use.
21:38 < tuxx_> I deleted and recreated the tap interfaces
21:38 < tuxx_> also... I'm using "dev tun" in the config rather than dev tap
21:48 < theDoc> Do you really need briding?
21:48 < theDoc> bridging^
22:01 -!- teddz_ [~teddz@dtmd-4d0bfc45.pool.mediaWays.net] has joined #openvpn
22:04 -!- teddz [~teddz@dtmd-4db2e331.pool.mediaWays.net] has quit [Ping timeout: 240 seconds]
22:05 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 276 seconds]
22:35 -!- teddz_ [~teddz@dtmd-4d0bfc45.pool.mediaWays.net] has quit [Ping timeout: 240 seconds]
22:36 -!- albech [~thomas@119.42.78.253] has quit [Ping timeout: 255 seconds]
22:49 -!- albech [~thomas@124.157.245.126] has joined #openvpn
22:53 -!- WinstonSmith [~true@e177089110.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
22:53 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
23:02 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has joined #openvpn
23:05 -!- mant1s [~mant1s@cpe-76-179-27-79.maine.res.rr.com] has joined #openvpn
23:05 -!- mant1s [~mant1s@cpe-76-179-27-79.maine.res.rr.com] has quit [Changing host]
23:05 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
23:05 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
23:15 -!- WinstonSmith [~true@g231231254.adsl.alicedsl.de] has joined #openvpn
23:38 < grendal_prime> grrrrr
--- Day changed Sat Jan 22 2011
00:06 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn
00:07 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 240 seconds]
00:07 -!- Cain` is now known as Cain
00:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
00:58 < hyper_ch> grendal_prime: awww :(
00:59 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
01:09 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:10 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
02:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
02:21 -!- WinstonSmith [~true@g231231254.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
02:35 -!- WinstonSmith [~true@e177090246.adsl.alicedsl.de] has joined #openvpn
02:37 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
02:38 -!- ucekpolish1 [user@hq.ostc-pl.com] has joined #openvpn
02:46 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
02:49 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Client Quit]
02:54 -!- WinstonSmith [~true@e177090246.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
03:11 -!- WinstonSmith [~true@g231231254.adsl.alicedsl.de] has joined #openvpn
03:19 -!- luneff [~yury@84.51.197.224] has joined #openvpn
03:19 -!- luneff [~yury@84.51.197.224] has quit [Client Quit]
03:23 -!- ucekpolish1 [user@hq.ostc-pl.com] has quit [Ping timeout: 272 seconds]
03:41 <@vpnHelper> RSS Update - forum: Two link in load-balance causing tunnels the stop working
03:52 -!- master_of_master [~master_of@p57B52D32.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:53 -!- master_of_master [~master_of@p57B54F2B.dip.t-dialin.net] has joined #openvpn
04:00 -!- WinstonSmith [~true@g231231254.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
04:10 -!- ucekpolish [user@hq.ostc-pl.com] has joined #openvpn
04:16 -!- WinstonSmith [~true@e178180084.adsl.alicedsl.de] has joined #openvpn
04:41 -!- caesay_ [~caesay@173.236.15.70] has quit [Ping timeout: 255 seconds]
04:41 -!- caesay [~caesay@173.236.15.70] has joined #openvpn
04:42 -!- caesay is now known as Guest57877
04:48 -!- common- [~common@p5DDA402D.dip0.t-ipconnect.de] has joined #openvpn
04:49 -!- common [~common@p5DDA488B.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
04:49 -!- common- is now known as common
04:58 -!- krzee [krzee@hemp.ircpimps.org] has joined #openvpn
04:58 -!- krzee [krzee@hemp.ircpimps.org] has quit [Changing host]
04:58 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
05:29 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
05:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
05:52 -!- xindz [karz@bounced.by.nbounce.com] has quit [Ping timeout: 246 seconds]
05:52 -!- xindz [karz@bounced.by.nbounce.com] has joined #openvpn
06:03 -!- venom00ut [~asdfds@unaffiliated/venom00] has joined #openvpn
06:27 <@vpnHelper> RSS Update - forum: IP address of client still visible
06:29 -!- WinstonSmith [~true@e178180084.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
06:37 -!- teddz_ [~teddz@dtmd-4d0bfc45.pool.mediaWays.net] has joined #openvpn
06:58 <@vpnHelper> RSS Update - forum: OpenVPN Server + WL-500G - Routing over Client LAN
07:08 -!- rooth [rooth@ge.mig.en.redfox.nu] has joined #openvpn
07:17 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: Lost terminal]
07:58 -!- void_pointer [~void@unaffiliated/void-pointer/x-0665301] has joined #openvpn
08:07 -!- void_pointer [~void@unaffiliated/void-pointer/x-0665301] has left #openvpn []
08:17 -!- jambooda [~cog@unaffiliated/jambooda] has joined #openvpn
08:37 < ecrist> good morning
08:50 -!- bfreis [~bruno@bd21aa1e.virtua.com.br] has joined #openvpn
08:51 < bfreis> Hi, if I have a Root CA that signed a Personnel CA and a Servers CA, then I create a certificate for OpenVPN signed by Servers CA and create certificates for the clients signed by Personnel CA, will it work?
08:51 <@vpnHelper> RSS Update - forum: OpenVPN Server + WL-500G - Routing over Client LAN
08:56 -!- bfreis [~bruno@bd21aa1e.virtua.com.br] has quit [Quit: bfreis]
08:56 -!- jambooda [~cog@unaffiliated/jambooda] has quit [Quit: Leaving.]
08:57 < ecrist> he waited less than 5 minutes for an answer
08:57 <@vpnHelper> RSS Update - forum: Problems with RoadWarrior Setup on Windows Server 2008
08:58 -!- venom00ut [~asdfds@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
08:58 -!- venom00ut [~asdfds@unaffiliated/venom00] has joined #openvpn
09:01 -!- p3rror [~mezgani@41.140.24.150] has joined #openvpn
09:03 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
09:16 < Dougy> ahh impatient people
09:16 < Dougy> just like me
09:25 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
09:26 < Dougy> howdy jpalmer
09:26 * ecrist thought jpalmer had an openvpn cloak
09:37 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:39 < jpalmer> hey ecrist
09:40 < jpalmer> nah, I never had an openvpn cloak
09:40 < jpalmer> hola Dougy
10:17 -!- p3rror [~mezgani@41.140.24.150] has quit [Ping timeout: 240 seconds]
10:17 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 250 seconds]
10:20 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
10:29 -!- Guest57877 is now known as caesay
10:29 -!- caesay [~caesay@173.236.15.70] has quit [Changing host]
10:29 -!- caesay [~caesay@unvanquished/associate/sniperx] has joined #openvpn
10:48 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: leaving]
10:55 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
11:08 -!- bragon [~Alexandre@81.93.247.165] has joined #openvpn
11:08 < bragon> Hi
11:08 < bragon> is there a way to deactivate the "route push" directive on the client side ?
11:09 < bragon> a server pushes me a route, and I don't want it.
11:10 -!- p3rror [~mezgani@41.140.181.130] has joined #openvpn
11:12 < bragon> route-noexec
11:13 -!- p3rror [~mezgani@41.140.181.130] has quit [Read error: Connection reset by peer]
11:14 < bragon> thanks :)
11:28 -!- p3rror [~mezgani@41.140.182.159] has joined #openvpn
11:43 -!- albech [~thomas@124.157.245.126] has quit [Quit: Ex-Chat]
11:46 -!- p3rror [~mezgani@41.140.182.159] has quit [Ping timeout: 240 seconds]
11:53 -!- openbsdnoob_ [~openbsdno@88.79.221.61] has joined #openvpn
11:55 -!- sigi__ [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
11:58 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Ping timeout: 264 seconds]
11:58 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 264 seconds]
11:58 -!- openbsdnoob_ is now known as openbsdnoob
12:01 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 240 seconds]
12:03 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn
12:49 < ljvb> woooo, fixed my android client issues... now not to f it up again
12:50 < ljvb> although, the client sometimes runs ovpn multiple times causing problems
12:50 < ljvb> I will live
13:01 -!- p3rror [~mezgani@41.140.168.28] has joined #openvpn
13:24 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
13:26 -!- Nappy [~nappy@97.97.247.123] has quit [Read error: Connection reset by peer]
13:29 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Quit: Konversation terminated!]
13:29 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
13:41 -!- T0mmy [~theswedes@76-191-207-53.dsl.dynamic.sonic.net] has joined #openvpn
13:41 < T0mmy> [off-topic explicit text pasted into the channel; omitted]
13:42 -!- T0mmy [~theswedes@76-191-207-53.dsl.dynamic.sonic.net] has left #openvpn []
13:45 < ljvb> WTF
13:56 < dvl> easily found via google.
14:02 -!- krzee [krzee@hemp.ircpimps.org] has joined #openvpn
14:02 -!- krzee [krzee@hemp.ircpimps.org] has quit [Changing host]
14:02 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
14:02 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
14:03 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
14:05 <@vpnHelper> RSS Update - forum: Anonyproz OpenVPN Service Provider
14:18 -!- p3rror [~mezgani@41.140.168.28] has quit [Ping timeout: 240 seconds]
14:28 -!- grendal_prime_ [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has joined #openvpn
14:30 < grendal_prime_> ok we got the vpn working with the appliance we need it working with..now...next thing is...I want to restrict to only http/https through the vpn, the rest out the local gateway. I need to set up PF ? what is this program?
14:39 -!- p3rror [~mezgani@41.140.25.220] has joined #openvpn
14:40 < dvl> pf is a packet filter provided with BSD (openbsd, freebsd, netbsd, etc).
14:40 < dvl> grendal_prime_: does that help?
14:41 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
14:44 -!- alhadi [~thunderst@92.99.132.49] has quit [Changing host]
14:44 -!- alhadi [~thunderst@unaffiliated/alhadi] has joined #openvpn
14:59 <@vpnHelper> RSS Update - forum: Can't ping LAN behind VPN server
15:00 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
15:09 < grendal_prime> thanks that's what I thought but...well everything just refers to it as...pf..can it be implemented on the server side??
15:10 < dvl> yes, pf is on the server side.
15:10 < dvl> I have no idea what 'everything just refers' is.
15:11 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
15:12 < grendal_prime> dude...it's like a simple version of iptables?
15:13 < dvl> I have zero experience with iptables. :)
15:14 < grendal_prime> sorry all the info I could find on pf...(that's what I meant by everything) But I don't see how I can force a client to use a different gateway by refusing it traffic on specific ports.
15:14 < grendal_prime> I guess...if one gateway doesn't work it will try the next?
15:14 < grendal_prime> don't usually configure machines with multiple gateways...
15:15 < grendal_prime> anyway thanks for the help in wrapping my head around just what the hell they are talking about.
15:15 -!- grendal_prime_ [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has quit [Quit: Ex-Chat]
15:19 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has quit [Read error: Operation timed out]
15:19 -!- p3rror [~mezgani@41.140.25.220] has quit [Ping timeout: 260 seconds]
15:23 -!- WinstonSmith [~true@g225025159.adsl.alicedsl.de] has joined #openvpn
15:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
15:32 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
15:34 -!- p3rror [~mezgani@41.248.110.154] has joined #openvpn
15:35 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
15:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:42 -!- teddz_ [~teddz@dtmd-4d0bfc45.pool.mediaWays.net] has quit [Ping timeout: 240 seconds]
16:10 -!- tactus^^ [~tactus@35.217.16.62.customer.cdi.no] has joined #openvpn
16:12 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 255 seconds]
16:14 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn
16:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:15 -!- tactus^^ [~tactus@35.217.16.62.customer.cdi.no] has left #openvpn []
16:18 -!- areq [~areq@pld-linux/areq] has joined #openvpn
16:18 < areq> !welcome
16:18 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:18 < areq> hi
16:21 < areq> I have openvpn server - dev tap, auth by crt and now I'm searching for a way to prevent the client from changing the ip obtained from dhcp
16:22 < areq> possible ?
16:32 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
16:34 -!- ucekpolish [user@hq.ostc-pl.com] has quit [Ping timeout: 240 seconds]
16:51 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has quit [Quit: Leaving.]
16:57 -!- djgerm [~Your_Moms@76-191-159-34.static.dsltransport.net] has joined #openvpn
16:59 < Dougy> areq: set static ip's?
16:59 < Dougy> !ccd
17:00 <@vpnHelper> "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
17:01 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
17:03 -!- p3rror [~mezgani@41.248.110.154] has quit [Ping timeout: 240 seconds]
17:16 -!- dmarkey [~dmarkey@188.141.16.113] has joined #openvpn
17:16 < dmarkey> any tips on reducing openvpn's memory usage
17:26 < reiffert> how huge is it for you?
17:28 < dmarkey> 4M
17:29 < dmarkey> which isn't much, but this is on an openwrt router
17:29 < krzee> 1993 called and wants its memory usage back
17:31 < dmarkey> I thought maybe there was an easy way like reducing buffers or something
17:32 < roentgen> dmarkey: how many clients?
17:34 < dmarkey> 1
17:34 < dmarkey> maybe 2
17:36 < roentgen> well it surely depends on the number of clients ... it's 188M here
17:36 < roentgen> and 1.5 as a client
17:41 < krzee> since it's openwrt I'm sure it's single core
17:41 < krzee> you might find playing with the cipher to help
17:45 < dmarkey> i see
17:48 -!- WinstonSmith [~true@g225025159.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
17:54 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
18:10 < areq> Dougy: yes, but I can manually change this IP on the client side
18:11 < areq> ip a d 10.9.9.3/24 dev tap0; ip a a 10.9.9.33/24 dev tap0 ; ip r a 10.9.0.0/16 via 10.9.9.1
18:11 < krzee> yes, just set the ip
18:11 -!- venom00ut [~asdfds@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
18:12 < areq> unfortunately 10.9.9.33 works
18:12 < krzee> unfortunately?
18:12 -!- venom00ut [~asdfds@unaffiliated/venom00] has joined #openvpn
18:13 < areq> on the server I have per-client IP iptables rules
18:13 < krzee> see --learn-address
18:13 < krzee> then you can dynamically change firewall rules
18:13 < areq> i read about learn-address
18:13 < krzee> otherwise, the only way to stop clients from being able to change IPs is to use tun with topology net30
18:14 < areq> i'm going to use iptables -m mac --mac-source
18:14 < krzee> can change mac easier
18:15 < areq> yes, but must guess the right mac
18:16 < krzee> security by obscurity
18:17 < areq> on tap the MAC is random every connection ?
18:17 < krzee> not sure
18:19 -!- WinstonSmith [~true@e179006195.adsl.alicedsl.de] has joined #openvpn
18:20 -!- Zipper_32 [~Zipper_32@72.53.35.91] has quit [Ping timeout: 255 seconds]
18:21 < areq> on windows it is the same ;/ on linux it changes
18:22 < krzee> --learn-address :-p
18:22 < krzee> also, why do you need tap?
18:22 < krzee> lan gaming?
18:23 -!- venom00ut [~asdfds@unaffiliated/venom00] has quit [Ping timeout: 246 seconds]
18:23 < areq> no, only "historical ballast"
18:23 < areq> now not easy to change - 200 users
18:24 < krzee> 200 users on tap?
18:24 < krzee> I'd expect a broadcast storm
18:25 < areq> not concurrent, concurrent < 30
18:26 < areq> tun will be better than tap in general ?
18:27 < krzee> less overhead, no layer2 attacks
18:27 <@vpnHelper> RSS Update - forum: Tap installs, but doesn't show up in ipconfig.
18:30 < areq> tun + net30 - needs 2 IPs for one client ?
18:30 < krzee> 4
18:30 < krzee> !/30
18:30 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
18:31 < areq> ok
18:32 < areq> easy way to bind an ip to the client common name from the crt ?
18:33 < krzee> --client-connect
18:33 < krzee> !client-connect
18:33 <@vpnHelper> "client-connect" is --client-connect